test: Add test for nspawn's handling of cap_net_bind_service

(cherry picked from commit cadeaef67cb0f11bd968cfd6a183bcbfc73b0c70)

.github/labeler.yml

@@ -195,7 +195,7 @@ run:
     - any-glob-to-any-file: ['src/run/*', 'man/systemd-run*']
 sd-boot/sd-stub/bootctl:
   - changed-files:
-    - any-glob-to-any-file: ['src/boot/**/*', 'man/bootctl*', 'man/systemd-boot.xml']
+    - any-glob-to-any-file: ['src/boot/**/*', 'src/bootctl/*', 'man/bootctl*', 'man/systemd-boot.xml']
 sd-bus:
   - changed-files:
     - any-glob-to-any-file: '**/sd-bus*/**'

man/loader.conf.xml

@@ -70,7 +70,8 @@
       <varlistentry>
         <term>default</term>
 
-        <listitem><para>A glob pattern to select the default entry. The default entry
+        <listitem><para>A glob pattern to select the default entry by id, which is the
+        file name including literal suffix <literal>.conf</literal>. The default entry
         may be changed in the boot menu itself, in which case the name of the
         selected entry will be stored as an EFI variable, overriding this option.
         </para>

man/org.freedesktop.machine1.xml

@@ -341,7 +341,8 @@ node /org/freedesktop/machine1 {
       be either <literal>container</literal> or <literal>vm</literal> indicating whether the machine to
       register is of the respective class. The leader PID should be the host PID of the init process of the
       container or the encapsulating process of the VM. If the root directory of the container is known and
-      available in the host's hierarchy, it should be passed. Otherwise, pass the empty string instead. Finally, the
+      available in the host's hierarchy, it should be passed (note that this is for informational purposes
+      only, and will not be used otherwise). Otherwise, pass the empty string instead. Finally, the
       scope properties are passed as array in the same way as to PID1's
       <function>StartTransientUnit()</function> method. Calling this method will internally register a transient scope
       unit for the calling client (utilizing the passed scope_properties) and move the leader PID into

man/repart.d.xml

@@ -807,8 +807,10 @@
         partition should be mounted. The second field specifies extra mount options to append to the default
         mount options. These fields correspond to the second and fourth column of the
         <citerefentry project='man-pages'><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-        format. This setting may be specified multiple times to mount the partition multiple times. This can
+        format. As a colon is used for separating fields, each field needs to be quoted when it contains
-        be used to add mounts for different
+        colons. E.g. <programlisting>MountPoint="/path/with:colon":"zstd:1,noatime,lazytime"</programlisting>
+        This setting may be specified multiple times to mount the partition multiple times. This can be used
+        to add mounts for different
         <citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
         subvolumes located on the same btrfs partition.</para>
 

man/sd_bus_message_read.xml

@@ -221,8 +221,8 @@ int16_t n;
 uint16_t q;
 int32_t i;
 uint32_t u;
-int32_t x;
+int64_t x;
-uint32_t t;
+uint64_t t;
 double d;
 
 sd_bus_message_read(m, "ynqiuxtd", &amp;y, &amp;n, &amp;q, &amp;i, &amp;u, &amp;x, &amp;t, &amp;d);</programlisting>

man/systemd-nspawn.xml

@@ -1866,8 +1866,7 @@ After=sys-subsystem-net-devices-ens1.device</programlisting>
 
       <para><command>debootstrap</command> supports
       <ulink url="https://www.debian.org">Debian</ulink>,
-      <ulink url="https://www.ubuntu.com">Ubuntu</ulink>,
+      and <ulink url="https://www.ubuntu.com">Ubuntu</ulink>
-      and <ulink url="https://www.tanglu.org">Tanglu</ulink>
       out of the box, so the same command can be used to install any of those. For other
       distributions from the Debian family, a mirror has to be specified, see
       <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

man/systemd-ssh-generator.xml

@@ -129,6 +129,22 @@
 
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><varname>ssh.ephemeral-authorized_keys-all</varname></term>
+
+        <listitem>
+          <para>Provides additional public keys, given in the customary <filename>authorized_keys</filename>
+            format, for all users, for incoming connections via the generated <constant>AF_VSOCK</constant>
+            and <constant>AF_UNIX</constant> socket units.</para>
+
+          <para>The intended use of this is for a host system (in either VM or container configurations) to
+            generate a keypair and inject the public key into the guest, using the private key to connect to
+            any user account on the guest via ssh, without further authentication.</para>
+
+          <xi:include href="version-info.xml" xpointer="v256"/>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

man/systemd-userdbd.service.xml

@@ -35,7 +35,7 @@
     compatibility. It may also pick up statically defined JSON user/group records from files in
     <filename>/etc/userdb/</filename>, <filename>/run/userdb/</filename>,
     <filename>/run/host/userdb/</filename> and <filename>/usr/lib/userdb/</filename> with the
-    <literal>.user</literal> extension.</para>
+    <literal>.user</literal> or <literal>.group</literal> extension.</para>
 
     <para>Most of <command>systemd-userdbd</command>'s functionality is accessible through the
     <citerefentry><refentrytitle>userdbctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>

man/systemd.system-credentials.xml

@@ -205,6 +205,25 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>ssh.ephemeral-authorized_keys-all</varname></term>
+
+        <listitem>
+          <para>Provides additional public keys, given in the customary <filename>authorized_keys</filename>
+            format, for all users, for incoming connections via the generated <constant>AF_VSOCK</constant>
+            and <constant>AF_UNIX</constant> socket units.</para>
+
+          <para>The intended use of this is for a host system (in either VM or container configurations) to
+            generate a keypair and inject the public key into the guest, using the private key to connect to
+            any user account on the guest via ssh, without further authentication.</para>
+
+          <para>Consumed by
+            <citerefentry><refentrytitle>systemd-ssh-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+
+          <xi:include href="version-info.xml" xpointer="v256"/>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>ssh.authorized_keys.root</varname></term>
         <listitem>

man/ukify.xml

@@ -490,7 +490,8 @@
           <varname>SigningEngine=</varname>/<option>--signing-engine=</option> or
           <varname>SigningProvider=</varname>/<option>--signing-provider=</option> option is used, this may
           also be an engine or provider specific designation. This option is required by
-          <varname>SecureBootSigningTool=sbsign</varname>/<option>--signtool=sbsign</option>. </para>
+          <varname>SecureBootSigningTool=sbsign</varname>/<option>--signtool=sbsign</option> and
+          <varname>SecureBootSigningTool=systemd-sbsign</varname>/<option>--signtool=systemd-sbsign</option>. </para>
 
           <xi:include href="version-info.xml" xpointer="v253"/></listitem>
         </varlistentry>
@@ -503,7 +504,8 @@
           <varname>SigningEngine=</varname>/<option>--signing-engine=</option> or
           <varname>SigningProvider=</varname>/<option>--signing-provider=</option> option is used, this may
           also be an engine or provider specific designation. This option is required by
-          <varname>SecureBootSigningTool=sbsign</varname>/<option>--signtool=sbsign</option>. </para>
+          <varname>SecureBootSigningTool=sbsign</varname>/<option>--signtool=sbsign</option> and
+          <varname>SecureBootSigningTool=systemd-sbsign</varname>/<option>--signtool=systemd-sbsign</option>. </para>
 
           <xi:include href="version-info.xml" xpointer="v253"/></listitem>
         </varlistentry>

meson.build

@@ -455,6 +455,7 @@ possible_link_flags = [
         '-Wl,--fatal-warnings',
         '-Wl,-z,now',
         '-Wl,-z,relro',
+        '-Wl,-z,gcs-report-dynamic=none',
 ]
 
 if get_option('b_sanitize') == 'none'

mkosi/mkosi.conf.d/opensuse/mkosi.conf

@@ -21,6 +21,7 @@ VolatilePackages=
         systemd-doc
         systemd-experimental
         systemd-homed
+        systemd-journal-remote
         systemd-lang
         systemd-network
         systemd-portable
@@ -53,6 +54,8 @@ Packages=
         kernel-default
         kmod
         knot
+        libtss2-tcti-device0
+        libcap-progs
         multipath-tools
         ncat
         open-iscsi

mkosi/mkosi.images/minimal-base/mkosi.conf.d/opensuse.conf

@@ -10,6 +10,7 @@ Packages=
         grep
         hostname
         iproute2
+        libcap-progs
         ncat
         patterns-base-minimal_base
         sed

src/bootctl/bootctl.c

@@ -291,7 +291,7 @@ static int help(int argc, char *argv[], void *userdata) {
                "     --efi-boot-option-description=DESCRIPTION\n"
                "                       Description of the entry in the boot option list\n"
                "     --dry-run         Dry run (unlink and cleanup)\n"
-               "     --secure-boot-auto-enroll\n"
+               "     --secure-boot-auto-enroll=yes|no\n"
                "                       Set up secure boot auto-enrollment\n"
                "     --private-key=PATH|URI\n"
                "                       Private key to use when setting up secure boot\n"
@@ -594,7 +594,7 @@ static int parse_argv(int argc, char *argv[]) {
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--install-from-host is only supported with --root= or --image=.");
 
         if (arg_dry_run && argv[optind] && !STR_IN_SET(argv[optind], "unlink", "cleanup"))
-                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--dry is only supported with --unlink or --cleanup");
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--dry-run is only supported with --unlink or --cleanup");
 
         if (arg_secure_boot_auto_enroll && !arg_certificate)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Secure boot auto-enrollment requested but no certificate provided");

src/core/core-varlink.c

@@ -97,16 +97,18 @@ static int build_managed_oom_json_array_element(Unit *u, const char *property, s
                               SD_JSON_BUILD_PAIR_CONDITION(use_duration, "duration", SD_JSON_BUILD_UNSIGNED(c->moom_mem_pressure_duration_usec)));
 }
 
-static int build_managed_oom_cgroups_json(Manager *m, sd_json_variant **ret) {
+static int build_managed_oom_cgroups_json(Manager *m, bool allow_empty, sd_json_variant **ret) {
-        _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL, *arr = NULL;
+        _cleanup_(sd_json_variant_unrefp) sd_json_variant *arr = NULL;
         int r;
 
         assert(m);
         assert(ret);
 
-        r = sd_json_build(&arr, SD_JSON_BUILD_EMPTY_ARRAY);
+        if (allow_empty) {
-        if (r < 0)
+                r = sd_json_build(&arr, SD_JSON_BUILD_EMPTY_ARRAY);
-                return r;
+                if (r < 0)
+                        return r;
+        }
 
         for (UnitType t = 0; t < _UNIT_TYPE_MAX; t++) {
 
@@ -143,12 +145,17 @@ static int build_managed_oom_cgroups_json(Manager *m, sd_json_variant **ret) {
                 }
         }
 
-        r = sd_json_buildo(&v, SD_JSON_BUILD_PAIR("cgroups", SD_JSON_BUILD_VARIANT(arr)));
+        if (!arr) {
+                assert(!allow_empty);
+                *ret = NULL;
+                return 0;
+        }
+
+        r = sd_json_buildo(ret, SD_JSON_BUILD_PAIR("cgroups", SD_JSON_BUILD_VARIANT(arr)));
         if (r < 0)
                 return r;
 
-        *ret = TAKE_PTR(v);
+        return 1;
-        return 0;
 }
 
 static int manager_varlink_send_managed_oom_initial(Manager *m) {
@@ -165,8 +172,8 @@ static int manager_varlink_send_managed_oom_initial(Manager *m) {
 
         assert(m->managed_oom_varlink);
 
-        r = build_managed_oom_cgroups_json(m, &v);
+        r = build_managed_oom_cgroups_json(m, /* allow_empty = */ false, &v);
-        if (r < 0)
+        if (r <= 0)
                 return r;
 
         return sd_varlink_send(m->managed_oom_varlink, "io.systemd.oom.ReportManagedOOMCGroups", v);
@@ -275,9 +282,11 @@ int manager_varlink_send_managed_oom_update(Unit *u) {
         if (!c)
                 return 0;
 
-        r = sd_json_build(&arr, SD_JSON_BUILD_EMPTY_ARRAY);
+        if (MANAGER_IS_SYSTEM(u->manager)) {
-        if (r < 0)
+                r = sd_json_build(&arr, SD_JSON_BUILD_EMPTY_ARRAY);
-                return r;
+                if (r < 0)
+                        return r;
+        }
 
         FOREACH_ELEMENT(i, managed_oom_mode_properties) {
                 _cleanup_(sd_json_variant_unrefp) sd_json_variant *e = NULL;
@@ -291,6 +300,12 @@ int manager_varlink_send_managed_oom_update(Unit *u) {
                         return r;
         }
 
+        if (!arr) {
+                /* There is nothing updated. Skip calling method. */
+                assert(!MANAGER_IS_SYSTEM(u->manager));
+                return 0;
+        }
+
         r = sd_json_buildo(&v, SD_JSON_BUILD_PAIR("cgroups", SD_JSON_BUILD_VARIANT(arr)));
         if (r < 0)
                 return r;
@@ -343,7 +358,7 @@ static int vl_method_subscribe_managed_oom_cgroups(
 
         _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
 
-        r = build_managed_oom_cgroups_json(m, &v);
+        r = build_managed_oom_cgroups_json(m, /* allow_empty = */ true, &v);
         if (r < 0)
                 return r;
 

src/core/unit.c

@@ -1386,6 +1386,9 @@ int unit_load_fragment_and_dropin(Unit *u, bool fragment_required) {
         if (r < 0)
                 return r;
 
+        if (u->load_state == UNIT_MASKED)
+                return 0;
+
         if (u->load_state == UNIT_STUB) {
                 if (fragment_required)
                         return -ENOENT;

src/machine/machine-varlink.c

@@ -133,7 +133,7 @@ int vl_method_register(sd_varlink *link, sd_json_variant *parameters, sd_varlink
                 { "class",             SD_JSON_VARIANT_STRING,        dispatch_machine_class,   offsetof(Machine, class),                SD_JSON_MANDATORY },
                 { "leader",            _SD_JSON_VARIANT_TYPE_INVALID, machine_leader,           offsetof(Machine, leader),               SD_JSON_STRICT    },
                 { "leaderProcessId",   SD_JSON_VARIANT_OBJECT,        machine_leader,           offsetof(Machine, leader),               SD_JSON_STRICT    },
-                { "rootDirectory",     SD_JSON_VARIANT_STRING,        json_dispatch_path,       offsetof(Machine, root_directory),       0                 },
+                { "rootDirectory",     SD_JSON_VARIANT_STRING,        json_dispatch_path,       offsetof(Machine, root_directory),       SD_JSON_STRICT    },
                 { "ifIndices",         SD_JSON_VARIANT_ARRAY,         machine_ifindices,        0,                                       0                 },
                 { "vSockCid",          _SD_JSON_VARIANT_TYPE_INVALID, machine_cid,              offsetof(Machine, vsock_cid),            0                 },
                 { "sshAddress",        SD_JSON_VARIANT_STRING,        sd_json_dispatch_string,  offsetof(Machine, ssh_address),          SD_JSON_STRICT    },

src/machine/machine.h

@@ -43,6 +43,8 @@ struct Machine {
 
         char *state_file;
         char *service;
+        /* Note that the root directory is accepted as-is from the caller, including unprivileged users, so
+         * do not use it for anything but informational purposes. */
         char *root_directory;
 
         char *unit;

src/network/networkd-serialize.c

@@ -60,6 +60,7 @@ int manager_serialize(Manager *manager) {
 
         if (!v) {
                 log_debug("There is nothing to serialize.");
+                (void) notify_remove_fd_warn("manager-serialization");
                 return 0;
         }
 

src/nspawn/nspawn.c

@@ -5981,7 +5981,7 @@ static int run(int argc, char *argv[]) {
         /* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have
          * permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to
          * indicate that. */
-        if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0)
+        if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO)
                 arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);
 
         r = cg_unified(); /* initialize cache early */

src/pcrlock/pcrlock.c

@@ -31,6 +31,7 @@
 #include "hexdecoct.h"
 #include "initrd-util.h"
 #include "json-util.h"
+#include "label-util.h"
 #include "main-func.h"
 #include "mkdir-label.h"
 #include "openssl-util.h"
@@ -4407,7 +4408,7 @@ static int write_boot_policy_file(const char *json_text) {
                         AT_FDCWD,
                         boot_policy_file,
                         &encoded,
-                        WRITE_STRING_FILE_ATOMIC|WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_SYNC|WRITE_STRING_FILE_MKDIR_0755);
+                        WRITE_STRING_FILE_ATOMIC|WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_SYNC|WRITE_STRING_FILE_MKDIR_0755|WRITE_STRING_FILE_LABEL);
         if (r < 0)
                 return log_error_errno(r, "Failed to write boot policy file to '%s': %m", boot_policy_file);
 
@@ -4820,7 +4821,7 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) {
                 return log_error_errno(r, "Failed to format new configuration to JSON: %m");
 
         const char *path = arg_policy_path ?: (in_initrd() ? "/run/systemd/pcrlock.json" : "/var/lib/systemd/pcrlock.json");
-        r = write_string_file(path, text, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC|WRITE_STRING_FILE_SYNC|WRITE_STRING_FILE_MKDIR_0755);
+        r = write_string_file(path, text, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC|WRITE_STRING_FILE_SYNC|WRITE_STRING_FILE_MKDIR_0755|WRITE_STRING_FILE_LABEL);
         if (r < 0)
                 return log_error_errno(r, "Failed to write new configuration to '%s': %m", path);
 
@@ -5347,6 +5348,10 @@ static int run(int argc, char *argv[]) {
 
         log_setup();
 
+        r = mac_init();
+        if (r < 0)
+                return r;
+
         r = parse_argv(argc, argv);
         if (r <= 0)
                 return r;

src/repart/repart.c

@@ -7356,7 +7356,7 @@ static int context_fstab(Context *context) {
         fprintf(f, "# Automatically generated by systemd-repart\n\n");
 
         LIST_FOREACH(partitions, p, context->partitions) {
-                _cleanup_free_ char *what = NULL, *options = NULL;
+                _cleanup_free_ char *what = NULL;
 
                 if (!need_fstab_one(p))
                         continue;
@@ -7366,6 +7366,8 @@ static int context_fstab(Context *context) {
                         return r;
 
                 FOREACH_ARRAY(mountpoint, p->mountpoints, p->n_mountpoints) {
+                        _cleanup_free_ char *options = NULL;
+
                         r = partition_pick_mount_options(
                                         p->type.designator,
                                         p->format,

src/shared/daemon-util.c

@@ -6,7 +6,7 @@
 #include "string-util.h"
 #include "time-util.h"
 
-static int notify_remove_fd_warn(const char *name) {
+int notify_remove_fd_warn(const char *name) {
         int r;
 
         assert(name);

src/shared/daemon-util.h

@@ -23,6 +23,7 @@ static inline void notify_on_cleanup(const char **p) {
                 (void) sd_notify(false, *p);
 }
 
+int notify_remove_fd_warn(const char *name);
 int notify_remove_fd_warnf(const char *format, ...) _printf_(1, 2);
 int close_and_notify_warn(int fd, const char *name);
 int notify_push_fd(int fd, const char *name);

src/shared/generator.c

@@ -26,6 +26,14 @@
 #include "tmpfile-util.h"
 #include "unit-name.h"
 
+static int symlink_unless_exists(const char *to, const char *from) {
+        (void) mkdir_parents(from, 0755);
+
+        if (symlink(to, from) < 0 && errno != EEXIST)
+                return log_error_errno(errno, "Failed to create symlink %s: %m", from);
+        return 0;
+}
+
 int generator_open_unit_file_full(
                 const char *dir,
                 const char *source,
@@ -134,12 +142,7 @@ int generator_add_symlink_full(
         if (!to)
                 return log_oom();
 
-        (void) mkdir_parents_label(to, 0755);
+        return symlink_unless_exists(from, to);
-
-        if (symlink(from, to) < 0 && errno != EEXIST)
-                return log_error_errno(errno, "Failed to create symlink \"%s\": %m", to);
-
-        return 0;
 }
 
 static int generator_add_ordering(
@@ -312,19 +315,16 @@ int generator_write_fsck_deps(
         }
 
         if (path_equal(where, "/")) {
-                const char *lnk;
-
                 /* We support running the fsck instance for the root fs while it is already mounted, for
                  * compatibility with non-initrd boots. It's ugly, but it is how it is. Since – unlike for
                  * regular file systems – this means the ordering is reversed (i.e. mount *before* fsck) we
                  * have a separate fsck unit for this, independent of systemd-fsck@.service. */
 
-                lnk = strjoina(dir, "/" SPECIAL_LOCAL_FS_TARGET ".wants/" SPECIAL_FSCK_ROOT_SERVICE);
+                const char *lnk = strjoina(dir, "/" SPECIAL_LOCAL_FS_TARGET ".wants/" SPECIAL_FSCK_ROOT_SERVICE);
-
-                (void) mkdir_parents(lnk, 0755);
-                if (symlink(SYSTEM_DATA_UNIT_DIR "/" SPECIAL_FSCK_ROOT_SERVICE, lnk) < 0)
-                        return log_error_errno(errno, "Failed to create symlink %s: %m", lnk);
 
+                r = symlink_unless_exists(SYSTEM_DATA_UNIT_DIR "/" SPECIAL_FSCK_ROOT_SERVICE, lnk);
+                if (r < 0)
+                        return r;
         } else {
                 _cleanup_free_ char *_fsck = NULL;
                 const char *fsck, *dep;

src/shared/varlink-io.systemd.BootControl.c

@@ -13,9 +13,27 @@ static SD_VARLINK_DEFINE_ENUM_TYPE(
                 SD_VARLINK_FIELD_COMMENT("Automatically generated entries"),
                 SD_VARLINK_DEFINE_ENUM_VALUE(auto));
 
+static SD_VARLINK_DEFINE_ENUM_TYPE(
+                BootEntrySource,
+                SD_VARLINK_FIELD_COMMENT("Boot entry found in EFI system partition (ESP)"),
+                SD_VARLINK_DEFINE_ENUM_VALUE(esp),
+                SD_VARLINK_FIELD_COMMENT("Boot entry found in XBOOTLDR partition"),
+                SD_VARLINK_DEFINE_ENUM_VALUE(xbootldr));
+
+static SD_VARLINK_DEFINE_STRUCT_TYPE(
+                BootEntryAddon,
+                SD_VARLINK_FIELD_COMMENT("The location of the global addon."),
+                SD_VARLINK_DEFINE_FIELD(globalAddon, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
+                SD_VARLINK_FIELD_COMMENT("The location of the local addon."),
+                SD_VARLINK_DEFINE_FIELD(localAddon, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
+                SD_VARLINK_FIELD_COMMENT("The command line options by the addon."),
+                SD_VARLINK_DEFINE_FIELD(options, SD_VARLINK_STRING, 0));
+
 static SD_VARLINK_DEFINE_STRUCT_TYPE(
                 BootEntry,
                 SD_VARLINK_DEFINE_FIELD_BY_TYPE(type, BootEntryType, 0),
+                SD_VARLINK_FIELD_COMMENT("The source of the entry"),
+                SD_VARLINK_DEFINE_FIELD_BY_TYPE(source, BootEntrySource, 0),
                 SD_VARLINK_FIELD_COMMENT("The string identifier of the entry"),
                 SD_VARLINK_DEFINE_FIELD(id, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
                 SD_VARLINK_DEFINE_FIELD(path, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
@@ -41,7 +59,11 @@ static SD_VARLINK_DEFINE_STRUCT_TYPE(
                 SD_VARLINK_FIELD_COMMENT("Indicates whether this entry is the default entry."),
                 SD_VARLINK_DEFINE_FIELD(isDefault, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
                 SD_VARLINK_FIELD_COMMENT("Indicates whether this entry has been booted."),
-                SD_VARLINK_DEFINE_FIELD(isSelected, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE));
+                SD_VARLINK_DEFINE_FIELD(isSelected, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
+                SD_VARLINK_FIELD_COMMENT("Addon images of the entry."),
+                SD_VARLINK_DEFINE_FIELD_BY_TYPE(addons, BootEntryAddon, SD_VARLINK_NULLABLE|SD_VARLINK_ARRAY),
+                SD_VARLINK_FIELD_COMMENT("Command line options of the entry."),
+                SD_VARLINK_DEFINE_FIELD(cmdline, SD_VARLINK_STRING, SD_VARLINK_NULLABLE));
 
 static SD_VARLINK_DEFINE_METHOD_FULL(
                 ListBootEntries,
@@ -71,6 +93,10 @@ SD_VARLINK_DEFINE_INTERFACE(
                 SD_VARLINK_INTERFACE_COMMENT("Boot Loader control APIs"),
                 SD_VARLINK_SYMBOL_COMMENT("The type of a boot entry"),
                 &vl_type_BootEntryType,
+                SD_VARLINK_SYMBOL_COMMENT("The source of a boot entry"),
+                &vl_type_BootEntrySource,
+                SD_VARLINK_SYMBOL_COMMENT("A structure encapsulating an addon of a boot entry"),
+                &vl_type_BootEntryAddon,
                 SD_VARLINK_SYMBOL_COMMENT("A structure encapsulating a boot entry"),
                 &vl_type_BootEntry,
                 SD_VARLINK_SYMBOL_COMMENT("Enumerates boot entries. Method call must be called with 'more' flag set. Each response returns one entry. If no entries are defined returns the NoSuchBootEntry error."),

test/units/TEST-07-PID1.mask.sh

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+at_exit() {
+    set +e
+
+    systemctl stop mask-test.service
+    rm -rf /run/systemd/system/mask-test.service*
+    systemctl daemon-reload
+
+    rm -f /tmp/should-not-exist-by-*
+}
+
+trap at_exit EXIT
+
+rm -f /tmp/should-not-exist-by-*
+
+mkdir -p /run/systemd/system/mask-test.service.d
+
+cat >/run/systemd/system/mask-test.service <<EOF
+[Service]
+Type=exec
+ExecStart=sleep infinity
+ExecStop=touch /tmp/should-not-exist-by-main
+EOF
+
+# Check if ExecStop= and friends in a masked unit are not executed even defined
+# in drop-in. See issue #38802.
+cat >/run/systemd/system/mask-test.service.d/10-stop.conf <<EOF
+[Service]
+ExecStop=touch /tmp/should-not-exist-by-dropin
+EOF
+
+systemctl daemon-reload
+[[ "$(systemctl is-enabled mask-test.service || :)" == static ]]
+
+systemctl start mask-test.service
+[[ "$(systemctl is-active mask-test.service || :)" == active ]]
+
+# When not masked, of course ExecStop= are executed.
+systemctl stop mask-test.service
+[[ "$(systemctl is-active mask-test.service || :)" == inactive ]]
+[[ -f /tmp/should-not-exist-by-main ]]
+[[ -f /tmp/should-not-exist-by-dropin ]]
+rm -f /tmp/should-not-exist-by-*
+
+systemctl start mask-test.service
+[[ "$(systemctl is-active mask-test.service || :)" == active ]]
+
+# Check if mask --now works and ExecStop= are not executed.
+systemctl mask --now mask-test.service
+[[ "$(systemctl is-enabled mask-test.service || :)" == masked ]]
+[[ "$(systemctl is-active mask-test.service || :)" == inactive ]]
+[[ ! -f /tmp/should-not-exist-by-main ]]
+[[ ! -f /tmp/should-not-exist-by-dropin ]]
+
+systemctl unmask mask-test.service
+[[ "$(systemctl is-enabled mask-test.service || :)" == static ]]
+
+systemctl start mask-test.service
+[[ "$(systemctl is-active mask-test.service || :)" == active ]]
+
+systemctl mask mask-test.service
+[[ "$(systemctl is-enabled mask-test.service || :)" == masked ]]
+[[ "$(systemctl is-active mask-test.service || :)" == active ]]
+
+# Check if mask --now for already masked unit stops the service.
+systemctl mask --now mask-test.service
+[[ "$(systemctl is-enabled mask-test.service || :)" == masked ]]
+[[ "$(systemctl is-active mask-test.service || :)" == inactive ]]
+[[ ! -f /tmp/should-not-exist-by-main ]]
+[[ ! -f /tmp/should-not-exist-by-dropin ]]
+
+systemctl unmask mask-test.service
+[[ "$(systemctl is-enabled mask-test.service || :)" == static ]]
+
+systemctl start mask-test.service
+[[ "$(systemctl is-active mask-test.service || :)" == active ]]
+
+systemctl mask mask-test.service
+[[ "$(systemctl is-enabled mask-test.service || :)" == masked ]]
+[[ "$(systemctl is-active mask-test.service || :)" == active ]]
+
+# Check if already masked unit can be stopped.
+systemctl stop mask-test.service
+[[ "$(systemctl is-active mask-test.service || :)" == inactive ]]
+[[ ! -f /tmp/should-not-exist-by-main ]]
+[[ ! -f /tmp/should-not-exist-by-dropin ]]

test/units/TEST-13-NSPAWN.nspawn.sh

@@ -1293,4 +1293,22 @@ testcase_link_journa_hostl() {
     rm -fr "$root"
 }
 
+testcase_cap_net_bind_service() {
+    local root
+
+    root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.cap-net-bind-service.XXX)"
+    create_dummy_container "$root"
+
+    # Check that CAP_NET_BIND_SERVICE is available without --private-users
+    systemd-nspawn --register=no --directory="$root" capsh --has-p=cap_net_bind_service
+
+    # Check that CAP_NET_BIND_SERVICE is not available with --private-users=identity
+    (! systemd-nspawn --register=no --directory="$root" --private-users=identity capsh --has-p=cap_net_bind_service)
+
+    # Check that CAP_NET_BIND_SERVICE is not available with --private-users=pick
+    (! systemd-nspawn --register=no --directory="$root" --private-users=pick capsh --has-p=cap_net_bind_service)
+
+    rm -fr "$root"
+}
+
 run_testcases

test/units/TEST-50-DISSECT.sysext.sh

@@ -1106,5 +1106,6 @@ systemd-sysext unmerge
 test ! -f /usr/lib/systemd/system/some_file
 mountpoint /usr/share
 umount /usr/share
+rm -f /var/lib/extensions/app0.raw
 
 exit 0

test/units/TEST-64-UDEV-STORAGE.sh

@@ -1295,7 +1295,7 @@ testcase_mdadm_lvm() {
     printf 'y\ny\n' | mdadm --create "$raid_dev" --name "$raid_name" --uuid "$uuid" /dev/disk/by-id/scsi-0systemd_foobar_deadbeefmdadmlvm{0..3} -v -f --level=10 --raid-devices=4
     udevadm wait --settle --timeout=30 "$raid_dev"
     # Create an LVM on the MD
-    lvm pvcreate -y "$raid_dev"
+    lvm pvcreate -y -ff "$raid_dev"
     lvm pvs
     lvm vgcreate "$vgroup" -y "$raid_dev"
     lvm vgs

test/units/TEST-74-AUX-UTILS.varlinkctl.sh

@@ -153,7 +153,7 @@ done
 (! varlinkctl call "")
 (! varlinkctl call "" "")
 (! varlinkctl call "" "" "")
-(! varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord </dev/null)
+(! varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{ "service" : "io.systemd.ShouldNotExist" }')
 (! varlinkctl validate-idl "")
 (! varlinkctl validate-idl </dev/null)
 

test/units/autorelabel.service

@@ -1,4 +1,15 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
+
+# We use a custom autorelabel service instead of the SELinux provided set of
+# units & a generator, since the generator overrides the default target to the
+# SELinux one when it detects /.autorelabel. However, we use systemd.unit= on
+# the kernel command cmdline which always takes precedence, rendering all
+# SELinux efforts useless. Also, pulling in selinux-autorelabel.service
+# explicitly doesn't work either, as it doesn't check for the presence of
+# /.autorelabel and does the relabeling unconditionally which always ends with
+# a reboot, so we end up in a reboot loop (and it also spews quite a lot of
+# errors as it wants /etc/fstab and dracut-initramfs-restore).
+
 [Unit]
 Description=Relabel all filesystems
 DefaultDependencies=no