nss-systemd: don't synthesize root/nobody when iterating

Fixes: #15160

NEWS

@@ -280,7 +280,7 @@ CHANGES WITH 245:
           such files in version 243.
 
         * systemd-logind will now validate access to the operation of changing
-          the virtual terminal via a PolicyKit action. By default, only users
+          the virtual terminal via a polkit action. By default, only users
           with at least one session on a local VT are granted permission.
 
         * When systemd sets up PAM sessions that invoked service processes

docs/PORTABILITY_AND_STABILITY.md

@@ -87,7 +87,7 @@ And now, here's the list of (hopefully) all APIs that we have introduced with sy
 | [Boot Loader interface](https://systemd.io/BOOT_LOADER_INTERFACE) | EFI variables | yes | yes | gummiboot | yes | - | no |
 | [Service bus API](https://www.freedesktop.org/wiki/Software/systemd/dbus) | D-Bus | yes | yes | system-config-services | no | - | no |
 | [logind](https://www.freedesktop.org/wiki/Software/systemd/logind) | D-Bus | yes | yes | GNOME | no | - | no |
-| [sd-login.h API](https://www.freedesktop.org/software/systemd/man/sd-login.html) | C Library | yes | yes | GNOME, PolicyKit, ... | no | - | no |
+| [sd-login.h API](https://www.freedesktop.org/software/systemd/man/sd-login.html) | C Library | yes | yes | GNOME, polkit, ... | no | - | no |
 | [sd-daemon.h API](https://www.freedesktop.org/software/systemd/man/sd-daemon.html) | C Library or Drop-in | yes | yes | numerous | yes | - | yes |
 | [sd-id128.h API](https://www.freedesktop.org/software/systemd/man/sd-id128.html) | C Library | yes | yes | - | yes | - | no |
 | [sd-journal.h API](https://www.freedesktop.org/software/systemd/man/sd-journal.html) | C Library | yes | yes | - | maybe | - | no |

docs/USERDB_AND_DESKTOPS.md

@@ -77,7 +77,8 @@ supports is directly available in these JSON records. Hence it makes sense for
 any user management UI to expose them directly.
 
 `systemd-homed` exposes APIs to add, remove and make changes to local users via
-D-Bus, with full PolicyKit hook-up. On the command line this is exposed via the
+D-Bus, with full [polkit](https://www.freedesktop.org/software/polkit/docs/latest/)
+hook-up. On the command line this is exposed via the
 `homectl` command. A graphical UI that exposes similar functionality would be
 very useful, exposing the various new account settings, and in particular
 providing a stream-lined UI for enrolling new-style authentication tokens such

man/org.freedesktop.hostname1.xml

@@ -89,38 +89,6 @@ node /org/freedesktop/hostname1 {
 };
     </programlisting>
 
-    <!--method SetDeployment is not documented!-->
-
-    <!--method SetLocation is not documented!-->
-
-    <!--method GetProductUUID is not documented!-->
-
-    <!--property Hostname is not documented!-->
-
-    <!--property StaticHostname is not documented!-->
-
-    <!--property PrettyHostname is not documented!-->
-
-    <!--property IconName is not documented!-->
-
-    <!--property Chassis is not documented!-->
-
-    <!--property Deployment is not documented!-->
-
-    <!--property Location is not documented!-->
-
-    <!--property KernelName is not documented!-->
-
-    <!--property KernelRelease is not documented!-->
-
-    <!--property KernelVersion is not documented!-->
-
-    <!--property OperatingSystemPrettyName is not documented!-->
-
-    <!--property OperatingSystemCPEName is not documented!-->
-
-    <!--property HomeURL is not documented!-->
-
     <!--Autogenerated cross-references for systemd.directives, do not edit-->
 
     <variablelist class="dbus-interface" generated="True" extra-ref="org.freedesktop.hostname1"/>
@@ -173,7 +141,8 @@ node /org/freedesktop/hostname1 {
 
     <para>Whenever the hostname or other metadata is changed via the daemon,
     <function>PropertyChanged</function> signals are sent out to subscribed clients. Changing a hostname
-    using this interface is authenticated via PolicyKit.</para>
+    using this interface is authenticated via
+    <ulink url="https://www.freedesktop.org/software/polkit/docs/latest/">polkit</ulink>.</para>
   </refsect1>
 
   <refsect1>
@@ -219,10 +188,6 @@ node /org/freedesktop/hostname1 {
     it could not be auto-detected. Set this property to the empty string to reenable the automatic detection of
     the chassis type from firmware information.</para>
 
-    <para>A client that wants to change the local hostname for DHCP/mDNS should invoke
-    <code>SetHostname("newname", false)</code> as soon as the name is available and afterwards reset it via
-    <code>SetHostname("")</code>.</para>
-
     <para>Note that <filename>systemd-hostnamed</filename> starts only on request and terminates after a
     short idle period. This effectively means that <function>PropertyChanged</function> messages are not sent
     out for changes made directly on the files (as in: administrator edits the files with vi). This is
@@ -244,33 +209,91 @@ node /org/freedesktop/hostname1 {
     <citerefentry><refentrytitle>machine-info</refentrytitle><manvolnum>3</manvolnum></citerefentry>
     for that. For more information on these files and syscalls see the respective man pages.</para>
 
-    <para>The <varname>user_interaction</varname> boolean parameters can be used to control whether PolicyKit
+    <refsect2>
+      <title>Methods and Properties</title>
+
+      <para><function>SetHostname()</function> sets the transient (dynamic) hostname which is exposed by the
+      <varname>Hostname</varname> property. If empty, the transient hostname is set to the static hostname.
+      </para>
+
+      <para><function>SetStaticHostname()</function> sets the static hostname which is exposed by the
+      <varname>StaticHostname</varname> property. If empty, the built-in default of
+      <literal>&FALLBACK_HOSTNAME;</literal> is used.</para>
+
+      <para><function>SetPrettyHostname()</function> sets the pretty hostname which is exposed by the
+      <varname>PrettyHostname</varname> property.</para>
+
+      <para><function>SetIconName()</function>, <function>SetChassis()</function>,
+      <function>SetDeployment()</function>, and <function>SetLocation()</function> set the properties
+      <varname>IconName</varname> (the name of the icon representing for the machine),
+      <varname>Chassis</varname> (the machine form factor), <varname>Deployment</varname> (the system
+      deployment environment), and <varname>Location</varname> (physical system location), respectively.
+      </para>
+
+      <para><varname>PrettyHostname</varname>, <varname>IconName</varname>, <varname>Chassis</varname>,
+      <varname>Deployment</varname>, and <varname>Location</varname> are stored in
+      <filename>/etc/machine-info</filename>. See
+      <citerefentry><refentrytitle>machine-info</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
+      the semantics of those settings.</para>
+
+      <para><function>GetProductUUID()</function> returns the "product uuid" as exposed by the kernel based
+      on DMI information in <filename>/sys/class/dmi/id/product_uuid</filename>. Reading the file directly
+      requires root privileges, and this method allows access to unprivileged clients through the polkit
+      framework.</para>
+
+      <para><varname>KernelName</varname>, <varname>KernelRelease</varname>, and
+      <varname>KernelVersion</varname> expose the kernel name (e.g. <literal>Linux</literal>), release
+      (e.g. <literal>5.0.0-11</literal>, and version (i.e. the build number, e.g. <literal>#11</literal>) as
+      reported by
+      <citerefentry project="man-pages"><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>.
+      <varname>OperatingSystemPrettyName</varname>, <varname>OperatingSystemCPEName</varname>, and
+      <varname>HomeURL</varname> expose the <varname>PRETTY_NAME=</varname>, <varname>CPE_NAME=</varname> and
+      <varname>HOME_URL=</varname> fields from
+      <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>. The
+      purpose of those properties is to allow remote clients to access this information over D-Bus. Local
+      clients can access the information directly.</para>
+    </refsect2>
+
+    <refsect2>
+      <title>Security</title>
+
+      <para>The <varname>interactive</varname> boolean parameters can be used to control whether polkit
       should interactively ask the user for authentication credentials if required.</para>
 
-    <para>The PolicyKit action for <function>SetHostname()</function> is
+      <para>The polkit action for <function>SetHostname()</function> is
       <interfacename>org.freedesktop.hostname1.set-hostname</interfacename>. For
       <function>SetStaticHostname()</function> and <function>SetPrettyHostname()</function> it is
       <interfacename>org.freedesktop.hostname1.set-static-hostname</interfacename>. For
       <function>SetIconName()</function> and <function>SetChassis()</function> it is
       <interfacename>org.freedesktop.hostname1.set-machine-info</interfacename>.</para>
+    </refsect2>
+  </refsect1>
 
-    <para>Here are three examples show how the pretty hostname and the icon name should be used:
+  <refsect1>
+    <title>Recommendations</title>
+
+    <para>Here are three examples that show how the pretty hostname and the icon name should be used:
     <itemizedlist>
-      <listitem><para>When registering DNS-SD services: use the pretty hostname in the service name, and
-      pass the icon name in the TXT data, if there is an icon name. Browsing clients can then show the server
-      icon on each service. This is especially useful for WebDAV applications or UPnP media sharing.
+      <listitem><para>When registering DNS-SD services: use the pretty hostname in the service name, and pass
+      the icon name in the TXT data, if there is an icon name. Browsing clients can then show the server icon
+      on each service. This is especially useful for WebDAV applications or UPnP media sharing.
       </para></listitem>
 
       <listitem><para>Set the bluetooth name to the pretty hostname.</para></listitem>
 
-      <listitem><para>When your file browser has a "Computer" icon, replace the name with the pretty hostname if set, and the icon with the icon name, if it is set.</para></listitem>
+      <listitem><para>When your file browser has a "Computer" icon, replace the name with the pretty hostname
+      if set, and the icon with the icon name, if it is set.</para></listitem>
     </itemizedlist></para>
 
     <para>To properly handle name lookups with changing local hostnames without having to edit
-    <filename>/etc/hosts</filename>, we recommend using <filename>systemd-hostnamed</filename> in
-    combination with <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+    <filename>/etc/hosts</filename>, we recommend using <filename>systemd-hostnamed</filename> in combination
+    with <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
     </para>
 
+    <para>A client that wants to change the local hostname for DHCP/mDNS should invoke
+    <code>SetHostname("newname", false)</code> as soon as the name is available and afterwards reset it via
+    <code>SetHostname("")</code>.</para>
+
     <para>Here are some recommendations to follow when generating a static (internet) hostname from a pretty
     name:
     <itemizedlist>
@@ -314,7 +337,7 @@ node /org/freedesktop/hostname1 {
     </itemizedlist></para>
 
     <para>Of course, an already valid internet hostname label you enter and pass through this
-    conversion should stay unmodified, so that users have direct control of it, if they want -- by simply
+    conversion should stay unmodified, so that users have direct control of it, if they want — by simply
     ignoring the fact that the pretty hostname is pretty and just edit it as if it was the normal internet
     name.</para>
   </refsect1>

man/org.freedesktop.locale1.xml

@@ -126,7 +126,8 @@ node /org/freedesktop/locale1 {
 
       <para>Use the empty string for the keymap parameters you wish not to set.</para>
 
-      <para>The <varname>interactive</varname> boolean parameters can be used to control whether PolicyKit
+      <para>The <varname>interactive</varname> boolean parameters can be used to control whether
+      <ulink url="https://www.freedesktop.org/software/polkit/docs/latest/">polkit</ulink>
       should interactively ask the user for authentication credentials if required.</para>
     </refsect2>
 
@@ -160,9 +161,9 @@ node /org/freedesktop/locale1 {
     <refsect2>
       <title>Security</title>
 
-      <para>Changing the system locale or keymap using this interface is authenticated via PolicyKit. The
-      PolicyKit action for <function>SetLocale()</function> is
-      <constant>org.freedesktop.locale1.set-locale</constant>. The PolicyKit action for
+      <para>Changing the system locale or keymap using this interface is authenticated via polkit. The
+      polkit action for <function>SetLocale()</function> is
+      <constant>org.freedesktop.locale1.set-locale</constant>. The polkit action for
       <function>SetX11Keyboard()</function> and <function>SetVConsoleKeyboard()</function> is
       <constant>org.freedesktop.locale1.set-keyboard</constant>.</para>
     </refsect2>

man/org.freedesktop.login1.xml

@@ -496,22 +496,24 @@ node /org/freedesktop/login1 {
       and seat are identified by their respective IDs.</para>
 
       <para><function>SetUserLinger()</function> enables or disables user lingering. If enabled, the runtime
-      directory of a user is kept around and he may continue to run processes while he is logged out. If
+      directory of a user is kept around and they may continue to run processes while logged out. If
       disabled, the runtime directory goes away as soon as they log out. <function>SetUserLinger()</function>
       expects three arguments: the UID, a boolean whether to enable/disable and a boolean controlling the
-      PolicyKit authorization interactivity (see below). Note that the user linger state is persistently
+      <ulink url="https://www.freedesktop.org/software/polkit/docs/latest/">polkit</ulink>
+      authorization interactivity (see below). Note that the user linger state is persistently
       stored on disk.</para>
 
       <para><function>AttachDevice()</function> may be used to assign a specific device to a specific
-      seat. The device is identified by its /sys path and must be eligible for seat assignments. <function>AttachDevice()</function> takes three
-      arguments: the seat id, the sysfs path, and a boolean for controlling PolicyKit interactivity (see
-      below). Device assignments are persistently stored on disk. To create a new seat, simply specify a
-      previously unused seat id. For more information about the seat assignment logic see
+      seat. The device is identified by its <filename>/sys</filename> path and must be eligible for seat
+      assignments. <function>AttachDevice()</function> takes three arguments: the seat id, the sysfs path,
+      and a boolean for controlling polkit interactivity (see below). Device assignments are persistently
+      stored on disk. To create a new seat, simply specify a previously unused seat id. For more information
+      about the seat assignment logic see
       <ulink url="https://www.freedesktop.org/wiki/Software/systemd/multiseat">Multi-Seat for Linux</ulink>.
       </para>
 
       <para><function>FlushDevices()</function> removes all explicit seat assignments for devices, resetting
-      all assignments to the automatic defaults. The only argument it takes is the PolicyKit interactivity
+      all assignments to the automatic defaults. The only argument it takes is the polkit interactivity
       boolean (see below).</para>
 
       <para><function>PowerOff()</function>, <function>Reboot()</function>, <function>Halt()</function>,
@@ -521,9 +523,9 @@ node /org/freedesktop/login1 {
       the machine is powered down). <function>HybridSleep()</function> results in the system entering a
       hybrid-sleep mode, i.e. the system is both hibernated and suspended.
       <function>SuspendThenHibernate()</function> results in the system being suspended, then later woken
-      using an RTC timer and hibernated. The only argument is the PolicyKit interactivity boolean
+      using an RTC timer and hibernated. The only argument is the polkit interactivity boolean
       <varname>interactive</varname> (see below). The main purpose of these calls is that they enforce
-      PolicyKit policy and hence allow powering off/rebooting/suspending/hibernating even by unprivileged
+      polkit policy and hence allow powering off/rebooting/suspending/hibernating even by unprivileged
       users. They also enforce inhibition locks. UIs should expose these calls as the primary mechanism to
       poweroff/reboot/suspend/hibernate the machine.</para>
 
@@ -678,7 +680,7 @@ node /org/freedesktop/login1 {
     <refsect2>
       <title>Security</title>
 
-      <para>A number of operations are protected via the PolicyKit privilege
+      <para>A number of operations are protected via the polkit privilege
       system. <function>SetUserLinger()</function> requires the
       <interfacename>org.freedesktop.login1.set-user-linger</interfacename>
       privilege. <function>AttachDevice()</function> requires
@@ -731,7 +733,7 @@ node /org/freedesktop/login1 {
       <interfacename>org.freedesktop.login1.inhibit-handle-lid-switch</interfacename> depending on the lock
       type and mode taken.</para>
 
-      <para>The <varname>interactive</varname> boolean parameters can be used to control whether PolicyKit
+      <para>The <varname>interactive</varname> boolean parameters can be used to control whether polkit
       should interactively ask the user for authentication credentials if required.</para>
     </refsect2>
   </refsect1>
@@ -846,8 +848,8 @@ node /org/freedesktop/login1/seat/seat0 {
       encoded in a structure consisting of the ID and the object path.</para>
 
       <para>The <varname>IdleHint</varname>, <varname>IdleSinceHint</varname>, and
-      <varname>IdleSinceHint</varname> properties encode the idle state, similar to the one exposed on the
-      Manager object, but specific for this seat.</para>
+      <varname>IdleSinceHintMonotonic</varname> properties encode the idle state, similar to the ones exposed
+      on the <interfacename>Manager</interfacename> object, but specific for this seat.</para>
     </refsect2>
   </refsect1>
 

man/org.freedesktop.systemd1.xml

@@ -40,9 +40,10 @@
     <para>Properties exposing time values are usually encoded in microseconds (usec) on the bus, even if
     their corresponding settings in the unit files are in seconds.</para>
 
-    <para>In contrast to most of the other services of the systemd suite, PID 1 does not use PolicyKit for
-    controlling access to privileged operations, but relies exclusively on the low-level D-Bus policy
-    language. (This is done in order to avoid a cyclic dependency between PolicyKit and systemd/PID 1.) This
+    <para>In contrast to most of the other services of the systemd suite, PID 1 does not use
+    <ulink url="https://www.freedesktop.org/software/polkit/docs/latest/">polkit</ulink>
+    for controlling access to privileged operations, but relies exclusively on the low-level D-Bus policy
+    language. (This is done in order to avoid a cyclic dependency between polkit and systemd/PID 1.) This
     means that sensitive operations exposed by PID 1 on the bus are generally not available to unprivileged
     processes directly. However, some operations (such as shutdown/reboot/suspend) are made available through the D-Bus
     API of logind, see
@@ -1463,7 +1464,7 @@ node /org/freedesktop/systemd1 {
       <title>Security</title>
 
       <para>Read access is generally granted to all clients. Additionally, for unprivileged clients, some
-      operations are allowed through the PolicyKit privilege system. Operations which modify unit state
+      operations are allowed through the polkit privilege system. Operations which modify unit state
       (<function>StartUnit()</function>, <function>StopUnit()</function>, <function>KillUnit()</function>,
       <function>RestartUnit()</function> and similar, <function>SetProperty</function>) require
       <interfacename>org.freedesktop.systemd1.manage-units</interfacename>. Operations which modify unit file
@@ -2127,7 +2128,7 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
       allowed for everyone. All operations are allowed for clients with the
       <constant>CAP_SYS_ADMIN</constant> capability or when the
       <interfacename>org.freedesktop.systemd1.manage-units</interfacename> privilege is granted by
-      PolicyKit.</para>
+      polkit.</para>
     </refsect2>
   </refsect1>
 

man/org.freedesktop.timedate1.xml

@@ -72,22 +72,6 @@ node /org/freedesktop/timedate1 {
 };
     </programlisting>
 
-    <!--method ListTimezones is not documented!-->
-
-    <!--property Timezone is not documented!-->
-
-    <!--property LocalRTC is not documented!-->
-
-    <!--property CanNTP is not documented!-->
-
-    <!--property NTP is not documented!-->
-
-    <!--property NTPSynchronized is not documented!-->
-
-    <!--property TimeUSec is not documented!-->
-
-    <!--property RTCTimeUSec is not documented!-->
-
     <!--Autogenerated cross-references for systemd.directives, do not edit-->
 
     <variablelist class="dbus-interface" generated="True" extra-ref="org.freedesktop.timedate1"/>
@@ -148,25 +132,51 @@ node /org/freedesktop/timedate1 {
       network using <filename>systemd-timesyncd</filename>. This will enable and start or disable and stop
       the chosen time synchronization service.</para>
 
-      <para>Whenever the timezone and local_rtc settings are changed via the daemon,
-      <function>PropertyChanged</function> signals are sent out to which clients can subscribe. Changing the
-      time settings using this interface is authenticated via PolicyKit.</para>
+      <para><function>ListTimezones()</function> returns a list of time zones known on the local system as an
+      array of names (<literal>["Africa/Abidjan", "Africa/Accra", ..., "UTC"]</literal>).</para>
+    </refsect2>
+
+    <refsect2>
+      <title>Properties</title>
+
+      <para><varname>Timezone</varname> shows the currently configured time zone.
+      <varname>LocalRTC</varname> shows whether the RTC is configured to use UTC (false), or the local time
+      zone (true). <varname>CanNTP</varname> shows whether a service to perform time synchronization over the
+      network is available, and <varname>NTP</varname> shows whether such a service is enabled.</para>
+
+      <para><varname>NTPSynchronized</varname> shows whether the kernel reports the time as synchronized
+      (c.f.
+      <citerefentry project="man-pages"><refentrytitle>adjtimex</refentrytitle><manvolnum>3</manvolnum></citerefentry>).
+      <varname>TimeUSec</varname> and <varname>RTCTimeUSec</varname> show the current time on the system and
+      in the RTC. The purpose of those three properties is to allow remote clients to access this information
+      over D-Bus. Local clients can access the information directly.</para>
+
+      <para>Whenever the <varname>Timezone</varname> and <varname>LocalRTC</varname> settings are changed via
+      the daemon, <function>PropertyChanged</function> signals are sent out to which clients can subscribe.
+      </para>
 
       <para>Note that this service will not inform you about system time changes. Use
       <citerefentry project="man-pages"><refentrytitle>timerfd</refentrytitle><manvolnum>3</manvolnum></citerefentry>
       with <constant>CLOCK_REALTIME</constant> and <constant>TFD_TIMER_CANCEL_ON_SET</constant> for that.
       </para>
+    </refsect2>
 
-      <para>The <varname>user_interaction</varname> boolean parameters can be used to control whether
-      PolicyKit should interactively ask the user for authentication credentials if required.</para>
+    <refsect2>
+      <title>Security</title>
 
-      <para>The PolicyKit action for <function>SetTimezone()</function> is
+      <para>The <varname>interactive</varname> boolean parameters can be used to control whether
+      <ulink url="https://www.freedesktop.org/software/polkit/docs/latest/">polkit</ulink>
+      should interactively ask the user for authentication credentials if required.</para>
+
+      <para>The polkit action for <function>SetTimezone()</function> is
       <interfacename>org.freedesktop.timedate1.set-timezone</interfacename>. For
       <function>SetLocalRTC()</function> it is
       <interfacename>org.freedesktop.timedate1.set-local-rtc</interfacename>, for
       <function>SetTime()</function> it is <interfacename>org.freedesktop.timedate1.set-time</interfacename>
       and for <function>SetNTP()</function> it is
-      <interfacename>org.freedesktop.timedate1.set-ntp</interfacename>.</para>
+      <interfacename>org.freedesktop.timedate1.set-ntp</interfacename>.
+      <function>ListTimezones()</function> does not require any privileges.
+      </para>
     </refsect2>
   </refsect1>
 

man/rules/meson.build

@@ -262,6 +262,7 @@ manpages = [
   ['sd_bus_get_events', 'sd_bus_get_timeout', 'sd_bus_set_fd'],
   ''],
  ['sd_bus_get_n_queued_read', '3', ['sd_bus_get_n_queued_write'], ''],
+ ['sd_bus_get_name_machine_id', '3', [], ''],
  ['sd_bus_is_open', '3', ['sd_bus_is_ready'], ''],
  ['sd_bus_list_names', '3', [], ''],
  ['sd_bus_message_append', '3', ['sd_bus_message_appendv'], ''],
@@ -291,7 +292,8 @@ manpages = [
   ''],
  ['sd_bus_message_get_type',
   '3',
-  ['sd_bus_message_get_errno',
+  ['sd_bus_message_get_creds',
+   'sd_bus_message_get_errno',
    'sd_bus_message_get_error',
    'sd_bus_message_is_method_call',
    'sd_bus_message_is_method_error',
@@ -319,7 +321,16 @@ manpages = [
    'sd_bus_message_new_method_errorf'],
   ''],
  ['sd_bus_message_new_signal', '3', [], ''],
- ['sd_bus_message_read', '3', ['sd_bus_message_readv'], ''],
+ ['sd_bus_message_open_container',
+  '3',
+  ['sd_bus_message_close_container',
+   'sd_bus_message_enter_container',
+   'sd_bus_message_exit_container'],
+  ''],
+ ['sd_bus_message_read',
+  '3',
+  ['sd_bus_message_peek_type', 'sd_bus_message_readv'],
+  ''],
  ['sd_bus_message_read_array', '3', [], ''],
  ['sd_bus_message_read_basic', '3', [], ''],
  ['sd_bus_message_read_strv', '3', [], ''],
@@ -379,7 +390,7 @@ manpages = [
    'sd_bus_release_name_async',
    'sd_bus_request_name_async'],
   ''],
- ['sd_bus_send', '3', [], ''],
+ ['sd_bus_send', '3', ['sd_bus_send_to'], ''],
  ['sd_bus_set_address', '3', ['sd_bus_get_address', 'sd_bus_set_exec'], ''],
  ['sd_bus_set_close_on_exit', '3', ['sd_bus_get_close_on_exit'], ''],
  ['sd_bus_set_connected_signal', '3', ['sd_bus_get_connected_signal'], ''],

man/sd-bus-container-append.c

@@ -0,0 +1,17 @@
+#include <systemd/sd-bus.h>
+
+int append_strings_to_message(sd_bus_message *m, const char *const *arr) {
+  int r;
+
+  r = sd_bus_message_open_container(m, 'a', "s");
+  if (r < 0)
+    return r;
+
+  for (const char *s = *arr; *s; s++) {
+    r = sd_bus_message_append(m, "s", s);
+    if (r < 0)
+      return r;
+  }
+
+  return sd_bus_message_close_container(m);
+}

man/sd-bus-container-read.c

@@ -0,0 +1,25 @@
+#include <stdio.h>
+
+#include <systemd/sd-bus.h>
+
+int read_strings_from_message(sd_bus_message *m) {
+  int r;
+
+  r = sd_bus_message_enter_container(m, 'a', "s");
+  if (r < 0)
+    return r;
+
+  for (;;) {
+    const char *s;
+
+    r = sd_bus_message_read(m, "s", &s);
+    if (r < 0)
+      return r;
+    if (r == 0)
+      break;
+
+    printf("%s\n", s);
+  }
+
+  return sd_bus_message_exit_container(m);
+}

man/sd-bus.xml

@@ -82,6 +82,7 @@
 <citerefentry><refentrytitle>sd_bus_get_fd</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_get_method_call_timeout</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_get_n_queued_read</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>sd_bus_get_name_machine_id</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_get_scope</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_get_tid</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_get_unique_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
@@ -95,10 +96,14 @@
 <citerefentry><refentrytitle>sd_bus_message_append_string_memfd</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_message_append_strv</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_message_at_end</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>sd_bus_message_close_container</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_message_copy</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_message_dump</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>sd_bus_message_enter_container</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>sd_bus_message_exit_container</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_message_get_allow_interactive_authorization</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_message_get_cookie</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>sd_bus_message_get_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_message_get_errno</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_message_get_error</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_message_get_monotonic_usec</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
@@ -113,6 +118,8 @@
 <citerefentry><refentrytitle>sd_bus_message_new_method_call</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_message_new_method_error</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_message_new_signal</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>sd_bus_message_open_container</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>sd_bus_message_peek_type</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_message_read</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_message_read_array</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_message_read_basic</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
@@ -133,6 +140,7 @@
 <citerefentry><refentrytitle>sd_bus_reply_method_error</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_request_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_send</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+<citerefentry><refentrytitle>sd_bus_send_to</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_set_address</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_set_allow_interactive_authorization</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
 <citerefentry><refentrytitle>sd_bus_set_bus_client</refentrytitle><manvolnum>3</manvolnum></citerefentry>,

man/sd_bus_get_name_machine_id.xml

@@ -0,0 +1,98 @@
+<?xml version='1.0'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1+ -->
+
+<refentry id="sd_bus_get_name_machine_id" xmlns:xi="http://www.w3.org/2001/XInclude">
+
+  <refentryinfo>
+    <title>sd_bus_get_name_machine_id</title>
+    <productname>systemd</productname>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>sd_bus_get_name_machine_id</refentrytitle>
+    <manvolnum>3</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>sd_bus_get_name_machine_id</refname>
+
+    <refpurpose>Retrieve a bus client's machine identity</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <funcsynopsis>
+      <funcsynopsisinfo>#include &lt;systemd/sd-bus.h&gt;</funcsynopsisinfo>
+
+      <funcprototype>
+        <funcdef>int <function>sd_bus_get_name_machine_id</function></funcdef>
+        <paramdef>sd_bus *<parameter>bus</parameter></paramdef>
+        <paramdef>const char *<parameter>name</parameter></paramdef>
+        <paramdef>sd_id128_t *<parameter>machine</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para><function>sd_bus_get_name_machine_id()</function> retrieves the D-Bus machine identity of the
+    machine that the bus client identified by <parameter>name</parameter> is running on. Internally, it calls
+    the <function>GetMachineId</function> method of the <constant>org.freedesktop.DBus.Peer</constant>
+    interface. The D-Bus machine identity is a 128-bit UUID. On Linux systems running systemd, this
+    corresponds to the contents of <filename>/etc/machine-id</filename>. On success, the machine identity is
+    stored in <parameter>machine</parameter>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Return Value</title>
+
+    <para>On success, this function returns a non-negative integer. On failure, it returns a negative
+    errno-style error code.</para>
+
+    <refsect2>
+      <title>Errors</title>
+
+      <para>Returned errors may indicate the following problems:</para>
+
+      <variablelist>
+        <varlistentry>
+          <term><constant>-EINVAL</constant></term>
+
+          <listitem><para>An argument is invalid.</para></listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>-ENOPKG</constant></term>
+
+          <listitem><para>The bus cannot be resolved.</para></listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>-ECHILD</constant></term>
+
+          <listitem><para>The bus was created in a different process.</para></listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>-ENOMEM</constant></term>
+
+          <listitem><para>Memory allocation failed.</para></listitem>
+        </varlistentry>
+      </variablelist>
+    </refsect2>
+  </refsect1>
+
+  <xi:include href="libsystemd-pkgconfig.xml" />
+
+  <refsect1>
+    <title>See Also</title>
+
+    <para>
+      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+    </para>
+  </refsect1>
+
+</refentry>

man/sd_bus_message_append.xml

@@ -229,7 +229,8 @@ sd_bus_message_append(m, "ynqiuxtd", y, n, q, i, u, x, t, d);</programlisting>
       <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>sd_bus_message_append_basic</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>sd_bus_message_append_array</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+      <citerefentry><refentrytitle>sd_bus_message_append_array</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>sd_bus_message_open_container</refentrytitle><manvolnum>3</manvolnum></citerefentry>
     </para>
   </refsect1>
 

man/sd_bus_message_append_array.xml

@@ -34,7 +34,7 @@
         <funcdef>int sd_bus_message_append_array</funcdef>
         <paramdef>sd_bus_message *<parameter>m</parameter></paramdef>
         <paramdef>char <parameter>type</parameter></paramdef>
-        <paramdef>char void *<parameter>ptr</parameter></paramdef>
+        <paramdef>void *<parameter>ptr</parameter></paramdef>
         <paramdef>size_t <parameter>size</parameter></paramdef>
       </funcprototype>
 

man/sd_bus_message_get_type.xml

@@ -19,11 +19,12 @@
     <refname>sd_bus_message_get_type</refname>
     <refname>sd_bus_message_get_error</refname>
     <refname>sd_bus_message_get_errno</refname>
+    <refname>sd_bus_message_get_creds</refname>
     <refname>sd_bus_message_is_signal</refname>
     <refname>sd_bus_message_is_method_call</refname>
     <refname>sd_bus_message_is_method_error</refname>
 
-    <refpurpose>Query bus message addressing metadata</refpurpose>
+    <refpurpose>Query bus message addressing/credentials metadata</refpurpose>
   </refnamediv>
 
   <refsynopsisdiv>
@@ -46,6 +47,11 @@
         <paramdef>sd_bus_message *<parameter>m</parameter></paramdef>
       </funcprototype>
 
+      <funcprototype>
+        <funcdef>sd_bus_creds* <function>sd_bus_message_get_creds</function></funcdef>
+        <paramdef>sd_bus_message *<parameter>m</parameter></paramdef>
+      </funcprototype>
+
       <funcprototype>
         <funcdef>int <function>sd_bus_message_is_signal</function></funcdef>
         <paramdef>sd_bus_message *<parameter>m</parameter></paramdef>
@@ -93,6 +99,11 @@
     <citerefentry><refentrytitle>sd_bus_error_add_map</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
     </para>
 
+    <para><function>sd_bus_message_get_creds()</function> returns the message credentials attached to the
+    message <parameter>m</parameter>. If no credentials are attached to the message, it returns
+    <constant>NULL</constant>. Ownership of the credentials instance is not transferred to the caller and
+    hence should not be freed.</para>
+
     <para><function>sd_bus_message_is_signal()</function> checks if message <parameter>m</parameter> is a
     signal message. If <parameter>interface</parameter> is non-null, it also checks if the message has the
     same interface set. If <parameter>member</parameter> is non-null, it also checks if the message has the
@@ -117,9 +128,10 @@
   <refsect1>
     <title>Return Value</title>
 
-    <para>On success, these functions return a non-negative integer. On failure, they return a negative
-    errno-style error code. <function>sd_bus_message_get_errno()</function> always returns a non-negative
-    integer, even on failure.</para>
+    <para>On success, these functions (except <function>sd_bus_message_get_error()</function> and
+    <function>sd_bus_message_get_creds()</function>) return a non-negative integer. On failure, they return a
+    negative errno-style error code. <function>sd_bus_message_get_errno()</function> always returns a
+    non-negative integer, even on failure.</para>
 
     <refsect2>
       <title>Errors</title>

man/sd_bus_message_open_container.xml

@@ -0,0 +1,165 @@
+<?xml version='1.0'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1+ -->
+
+<refentry id="sd_bus_message_open_container"
+          xmlns:xi="http://www.w3.org/2001/XInclude">
+
+  <refentryinfo>
+    <title>sd_bus_message_open_container</title>
+    <productname>systemd</productname>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>sd_bus_message_open_container</refentrytitle>
+    <manvolnum>3</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>sd_bus_message_open_container</refname>
+    <refname>sd_bus_message_close_container</refname>
+    <refname>sd_bus_message_enter_container</refname>
+    <refname>sd_bus_message_exit_container</refname>
+
+    <refpurpose>Create and move between containers in D-Bus messages</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <funcsynopsis>
+      <funcsynopsisinfo>#include &lt;systemd/sd-bus.h&gt;</funcsynopsisinfo>
+
+      <funcprototype>
+        <funcdef>int sd_bus_message_open_container</funcdef>
+        <paramdef>sd_bus_message *<parameter>m</parameter></paramdef>
+        <paramdef>char <parameter>type</parameter></paramdef>
+        <paramdef>const char *<parameter>contents</parameter></paramdef>
+      </funcprototype>
+
+      <funcprototype>
+        <funcdef>int sd_bus_message_close_container</funcdef>
+        <paramdef>sd_bus_message *<parameter>m</parameter></paramdef>
+      </funcprototype>
+
+      <funcprototype>
+        <funcdef>int sd_bus_message_enter_container</funcdef>
+        <paramdef>sd_bus_message *<parameter>m</parameter></paramdef>
+        <paramdef>char <parameter>type</parameter></paramdef>
+        <paramdef>const char *<parameter>contents</parameter></paramdef>
+      </funcprototype>
+
+      <funcprototype>
+        <funcdef>int sd_bus_message_exit_container</funcdef>
+        <paramdef>sd_bus_message *<parameter>m</parameter></paramdef>
+      </funcprototype>
+    </funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para><function>sd_bus_message_open_container()</function> appends a new container to the message
+    <parameter>m</parameter>. After opening a new container, it can be filled with content using
+    <citerefentry><refentrytitle>sd_bus_message_append</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+    and similar functions. Containers behave like a stack. To nest containers inside each other, call
+    <function>sd_bus_message_open_container()</function> multiple times without calling
+    <function>sd_bus_message_close_container()</function> inbetween. Each container will be nested inside the
+    previous container. <parameter>type</parameter> represents the container type and should be one of
+    <literal>r</literal>, <literal>a</literal>, <literal>v</literal> or <literal>e</literal> as described in
+    <citerefentry><refentrytitle>sd_bus_message_append</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+    Instead of literals, the corresponding constants <constant>SD_BUS_TYPE_STRUCT</constant>,
+    <constant>SD_BUS_TYPE_ARRAY</constant>, <constant>SD_BUS_TYPE_VARIANT</constant> or
+    <constant>SD_BUS_TYPE_DICT_ENTRY</constant> can also be used. <parameter>contents</parameter> describes
+    the type of the container's elements and should be a D-Bus type string following the rules described in
+    <citerefentry><refentrytitle>sd_bus_message_append</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+    </para>
+
+    <para><function>sd_bus_message_close_container()</function> closes the last container opened with
+    <function>sd_bus_message_open_container()</function>. On success, the write pointer of the message
+    <parameter>m</parameter> is positioned after the closed container in its parent container or in
+    <parameter>m</parameter> itself if there is no parent container.</para>
+
+    <para><function>sd_bus_message_enter_container()</function> enters the next container of the message
+    <parameter>m</parameter>. It behaves mostly the same as
+    <function>sd_bus_message_open_container()</function>. Entering a container allows reading its contents
+    with
+    <citerefentry><refentrytitle>sd_bus_message_read</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+    and similar functions. <parameter>type</parameter> and <parameter>contents</parameter> are the same as in
+    <function>sd_bus_message_open_container()</function>.</para>
+
+    <para><function>sd_bus_message_exit_container()</function> exits the scope of the last container entered
+    with <function>sd_bus_message_enter_container()</function>. It behaves mostly the same as
+    <function>sd_bus_message_close_container()</function>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Return Value</title>
+
+    <para>On success, these functions return a non-negative integer. On failure, they return a negative
+    errno-style error code.</para>
+
+    <refsect2>
+      <title>Errors</title>
+
+      <para>Returned errors may indicate the following problems:</para>
+
+      <variablelist>
+        <varlistentry>
+          <term><constant>-EINVAL</constant></term>
+
+          <listitem><para><parameter>m</parameter> or <parameter>contents</parameter> are
+          <constant>NULL</constant> or <parameter>type</parameter> is invalid.</para></listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>-EPERM</constant></term>
+
+          <listitem><para>The message <parameter>m</parameter> is already sealed.</para></listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>-ESTALE</constant></term>
+
+          <listitem><para>The message <parameter>m</parameter> is in an invalid state.</para></listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>-ENOMEM</constant></term>
+
+          <listitem><para>Memory allocation failed.</para></listitem>
+        </varlistentry>
+      </variablelist>
+    </refsect2>
+  </refsect1>
+
+  <xi:include href="libsystemd-pkgconfig.xml" />
+
+  <refsect1>
+    <title>Examples</title>
+
+    <example>
+      <title>Append an array of strings to a message</title>
+
+      <programlisting><xi:include href="sd-bus-container-append.c" parse="text" /></programlisting>
+    </example>
+
+    <example>
+      <title>Read an array of strings from a message</title>
+
+      <programlisting><xi:include href="sd-bus-container-read.c" parse="text" /></programlisting>
+    </example>
+  </refsect1>
+
+  <refsect1>
+    <title>See Also</title>
+
+    <para>
+      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>sd_bus_message_append</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>sd_bus_message_read</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+      <ulink url="https://dbus.freedesktop.org/doc/dbus-specification.html">The D-Bus specification</ulink>
+    </para>
+  </refsect1>
+
+</refentry>

man/sd_bus_message_read.xml

@@ -19,6 +19,7 @@
   <refnamediv>
     <refname>sd_bus_message_read</refname>
     <refname>sd_bus_message_readv</refname>
+    <refname>sd_bus_message_peek_type</refname>
 
     <refpurpose>Read a sequence of values from a message</refpurpose>
   </refnamediv>
@@ -40,38 +41,42 @@
         <paramdef>const char *<parameter>types</parameter></paramdef>
         <paramdef>va_list <parameter>ap</parameter></paramdef>
       </funcprototype>
+
+      <funcprototype>
+        <funcdef>int <function>sd_bus_message_peek_type</function></funcdef>
+        <paramdef>char *<parameter>type</parameter></paramdef>
+        <paramdef>const char **<parameter>contents</parameter></paramdef>
+      </funcprototype>
     </funcsynopsis>
   </refsynopsisdiv>
 
   <refsect1>
     <title>Description</title>
 
-    <para><function>sd_bus_message_read()</function> reads a sequence of fields from
-    the D-Bus message object <parameter>m</parameter> and advances the read position
-    in the message. The type string <parameter>types</parameter> describes the types
-    of items expected in the message and the field arguments that follow. The type
-    string may be <constant>NULL</constant> or empty, in which case nothing is
-    read.</para>
+    <para><function>sd_bus_message_read()</function> reads a sequence of fields from the D-Bus message object
+    <parameter>m</parameter> and advances the read position in the message. The type string
+    <parameter>types</parameter> describes the types of items expected in the message and the field arguments
+    that follow. The type string may be <constant>NULL</constant> or empty, in which case nothing is read.
+    </para>
 
     <para>The type string is composed of the elements described in
     <citerefentry><refentrytitle>sd_bus_message_append</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
-    i.e. basic and container types. It must contain zero or more single "complete
-    types". The type string is <constant>NUL</constant>-terminated.</para>
+    i.e. basic and container types. It must contain zero or more single "complete types". The type string is
+    <constant>NUL</constant>-terminated.</para>
 
-    <para>For each type specified in the type string, one or more arguments need to be specified
-    after the <parameter>types</parameter> parameter, in the same order. The arguments must be
-    pointers to appropriate types (a pointer to <type>int8_t</type> for a <literal>y</literal> in
-    the type string, a pointer to <type>int32_t</type> for an <literal>i</literal>, a pointer to
-    <type>const char*</type> for an <literal>s</literal>, ...)  which are set based on the values in
-    the message. As an exception, in case of array and variant types, the first argument is an
-    "input" argument that further specifies how the message should be read. See the table below for
-    a complete list of allowed arguments and their types. Note that, if the basic type is a pointer
-    (e.g., <type>const char *</type> in the case of a string), the argument is a pointer to a
-    pointer, and also the pointer value that is written is only borrowed and the contents must be
-    copied if they are to be used after the end of the messages lifetime.</para>
+    <para>For each type specified in the type string, one or more arguments need to be specified after the
+    <parameter>types</parameter> parameter, in the same order. The arguments must be pointers to appropriate
+    types (a pointer to <type>int8_t</type> for a <literal>y</literal> in the type string, a pointer to
+    <type>int32_t</type> for an <literal>i</literal>, a pointer to <type>const char*</type> for an
+    <literal>s</literal>, ...)  which are set based on the values in the message. As an exception, in case of
+    array and variant types, the first argument is an "input" argument that further specifies how the message
+    should be read. See the table below for a complete list of allowed arguments and their types. Note that,
+    if the basic type is a pointer (e.g., <type>const char *</type> in the case of a string), the argument is
+    a pointer to a pointer, and also the pointer value that is written is only borrowed and the contents must
+    be copied if they are to be used after the end of the messages lifetime.</para>
 
-    <para>Each argument may also be <constant>NULL</constant>, in which case the value is read and
-    ignored.</para>
+    <para>Each argument may also be <constant>NULL</constant>, in which case the value is read and ignored.
+    </para>
 
     <table>
       <title>Item type specifiers</title>
@@ -139,24 +144,29 @@
       </tgroup>
     </table>
 
-    <para>If objects of the specified types are not present at the current position
-    in the message, an error is returned.
-    </para>
+    <para>If objects of the specified types are not present at the current position in the message, an error
+    is returned.</para>
 
     <para>The <function>sd_bus_message_readv()</function> is equivalent to the
-    <function>sd_bus_message_read()</function>, except that it is called with a
-    <literal>va_list</literal> instead of a variable number of arguments. This
-    function does not call the <function>va_end()</function> macro. Because it
-    invokes the <function>va_arg()</function> macro, the value of
-    <parameter>ap</parameter> is undefined after the call.</para>
+    <function>sd_bus_message_read()</function>, except that it is called with a <literal>va_list</literal>
+    instead of a variable number of arguments. This function does not call the <function>va_end()</function>
+    macro. Because it invokes the <function>va_arg()</function> macro, the value of <parameter>ap</parameter>
+    is undefined after the call.</para>
+
+    <para><function>sd_bus_message_peek_type()</function> determines the type of the next element in
+    <parameter>m</parameter> to be read by <function>sd_bus_message_read()</function> or similar functions.
+    On success, the type is stored in <parameter>type</parameter>, if it is not <constant>NULL</constant>.
+    If the type is a container type, the type of its elements is stored in <parameter>contents</parameter>,
+    if it is not <constant>NULL</constant>. If this function successfully determines the type of the next
+    element in <parameter>m</parameter>, it returns a positive integer. If there are no more elements to be
+    read, it returns zero.</para>
   </refsect1>
 
   <refsect1>
     <title>Return Value</title>
 
-    <para>On success, <function>sd_bus_message_read()</function> and
-    <function>sd_bus_message_readv()</function> return 0 or a positive integer. On failure, they return a
-    negative errno-style error code.</para>
+    <para>On success, these functions return a non-negative integer. On failure, they return a negative
+    errno-style error code.</para>
 
     <xi:include href="sd_bus_message_read_basic.xml" xpointer="errors" />
   </refsect1>
@@ -228,7 +238,8 @@ sd_bus_message_read(m, "a{is}", 3, &amp;i, &amp;s, &amp;j, &amp;t, &amp;k, &amp;
       <citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>sd_bus_message_read_basic</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>sd_bus_message_skip</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>sd_bus_message_append</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+      <citerefentry><refentrytitle>sd_bus_message_append</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>sd_bus_message_enter_container</refentrytitle><manvolnum>3</manvolnum></citerefentry>
     </para>
   </refsect1>
 

man/sd_bus_send.xml

@@ -18,6 +18,7 @@
 
   <refnamediv>
     <refname>sd_bus_send</refname>
+    <refname>sd_bus_send_to</refname>
 
     <refpurpose>Queue a D-Bus message for transfer</refpurpose>
   </refnamediv>
@@ -32,35 +33,48 @@
         <paramdef>sd_bus_message *<parameter>m</parameter></paramdef>
         <paramdef>uint64_t *<parameter>cookie</parameter></paramdef>
       </funcprototype>
+
+      <funcprototype>
+        <funcdef>int <function>sd_bus_send_to</function></funcdef>
+        <paramdef>sd_bus *<parameter>bus</parameter></paramdef>
+        <paramdef>sd_bus_message *<parameter>m</parameter></paramdef>
+        <paramdef>const char *<parameter>destination</parameter></paramdef>
+        <paramdef>uint64_t *<parameter>cookie</parameter></paramdef>
+      </funcprototype>
     </funcsynopsis>
   </refsynopsisdiv>
 
   <refsect1>
     <title>Description</title>
 
-    <para><function>sd_bus_send()</function> queues the bus message object <parameter>m</parameter>
-    for transfer. If <parameter>bus</parameter> is <constant>NULL</constant>, the bus that
-    <parameter>m</parameter> is attached to is used. <parameter>bus</parameter> only needs to be set
-    when the message is sent to a different bus than the one it's attached to, for example when
-    forwarding messages. If the output parameter <parameter>cookie</parameter> is not
-    <constant>NULL</constant>, it is set to the message identifier. This value can later be used to
-    match incoming replies to their corresponding messages. If <parameter>cookie</parameter> is set
-    to <constant>NULL</constant> and the message is not sealed, <function>sd_bus_send()</function>
-    assumes the message <parameter>m</parameter> doesn't expect a reply and adds the necessary
-    headers to indicate this.</para>
+    <para><function>sd_bus_send()</function> queues the bus message object <parameter>m</parameter> for
+    transfer. If <parameter>bus</parameter> is <constant>NULL</constant>, the bus that
+    <parameter>m</parameter> is attached to is used. <parameter>bus</parameter> only needs to be set when the
+    message is sent to a different bus than the one it's attached to, for example when forwarding messages.
+    If the output parameter <parameter>cookie</parameter> is not <constant>NULL</constant>, it is set to the
+    message identifier. This value can later be used to match incoming replies to their corresponding
+    messages. If <parameter>cookie</parameter> is set to <constant>NULL</constant> and the message is not
+    sealed, <function>sd_bus_send()</function> assumes the message <parameter>m</parameter> doesn't expect a
+    reply and adds the necessary headers to indicate this.</para>
 
     <para>Note that in most scenarios, <function>sd_bus_send()</function> should not be called
     directly. Instead, use higher level functions such as
     <citerefentry><refentrytitle>sd_bus_call_method</refentrytitle><manvolnum>3</manvolnum></citerefentry> and
     <citerefentry><refentrytitle>sd_bus_reply_method_return</refentrytitle><manvolnum>3</manvolnum></citerefentry>
     which call <function>sd_bus_send()</function> internally.</para>
+
+    <para><function>sd_bus_send_to()</function> is a shorthand for sending a message to a specific
+    destination. It's main use case is to simplify sending unicast signal messages (signals that only have a
+    single receiver). It's behavior is similar to calling
+    <citerefentry><refentrytitle>sd_bus_message_set_destination</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+    followed by calling <function>sd_bus_send()</function>.</para>
   </refsect1>
 
   <refsect1>
     <title>Return Value</title>
 
-    <para>On success, this function returns a non-negative integer. On failure, it returns a
-    negative errno-style error code.</para>
+    <para>On success, these functions return a non-negative integer. On failure, they return a negative
+    errno-style error code.</para>
 
     <refsect2 id='errors'>
       <title>Errors</title>
@@ -85,8 +99,8 @@
         <varlistentry>
           <term><constant>-ECHILD</constant></term>
 
-          <listitem><para>The bus connection was allocated in a parent process and is being reused
-          in a child process after <function>fork()</function>.</para></listitem>
+          <listitem><para>The bus connection was allocated in a parent process and is being reused in a child
+          process after <function>fork()</function>.</para></listitem>
         </varlistentry>
 
         <varlistentry>
@@ -128,8 +142,7 @@
       <citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>sd_bus_call_method</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>sd_bus_message_set_destination</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>sd_bus_reply_method_return</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>sd_bus_send_to</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+      <citerefentry><refentrytitle>sd_bus_reply_method_return</refentrytitle><manvolnum>3</manvolnum></citerefentry>
     </para>
   </refsect1>
 

man/systemd-binfmt.service.xml

@@ -41,6 +41,14 @@
 
   <refsect1><title>Options</title>
     <variablelist>
+
+      <varlistentry>
+        <term><option>--unregister</option></term>
+        <listitem><para>If passed, instead of registering configured binary formats in the kernel, the
+        reverse operation is executed: all currently registered binary formats are unregistered from the
+        kernel.</para></listitem>
+      </varlistentry>
+
       <xi:include href="standard-options.xml" xpointer="cat-config" />
       <xi:include href="standard-options.xml" xpointer="no-pager" />
       <xi:include href="standard-options.xml" xpointer="help" />

man/systemd-resolved.service.xml

@@ -69,7 +69,7 @@
     <filename>/etc/systemd/resolved.conf</filename>, the per-link static settings in
     <filename>/etc/systemd/network/*.network</filename> files (in case
     <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
-    is used), the per-link dynamic settings received over DHCP, user request made via
+    is used), the per-link dynamic settings received over DHCP, information provided via
     <citerefentry><refentrytitle>resolvectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, and any
     DNS server information made available by other system services. See
     <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> and
@@ -104,6 +104,8 @@
 
       <listitem><para>The mappings defined in <filename>/etc/hosts</filename> are resolved to their
       configured addresses and back, but they will not affect lookups for non-address types (like MX).
+      Support for <filename>/etc/hosts</filename> may be disabled with <varname>ReadEtcHosts=no</varname>,
+      see <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
       </para></listitem>
     </itemizedlist>
   </refsect1>
@@ -111,32 +113,48 @@
   <refsect1>
     <title>Protocols and Routing</title>
 
-    <para>Lookup requests are routed to the available DNS servers, LLMNR and MulticastDNS interfaces
+    <para>Lookup requests are routed to the available DNS servers, LLMNR, and MulticastDNS interfaces
     according to the following rules:</para>
 
     <itemizedlist>
-      <listitem><para>Lookups for the special hostname <literal>localhost</literal> are never routed to the
-      network. (A few other, special domains are handled the same way.)</para></listitem>
+      <listitem><para>Names for which synthetic records are generated (as listed in the previous section) are
+      never routed to the network and a reply is sent immediately. In particular this means that lookups for
+      <literal>localhost</literal> are never routed to the network.</para></listitem>
 
-      <listitem><para>Single-label names are routed to all local interfaces capable of IP multicasting, using
-      the LLMNR protocol. Lookups for IPv4 addresses are only sent via LLMNR on IPv4, and lookups for IPv6
-      addresses are only sent via LLMNR on IPv6. Lookups for the locally configured host name and the
-      <literal>_gateway</literal> host name are never routed to LLMNR.</para></listitem>
+      <listitem><para>Single-label names are routed to all local interfaces capable of IP multicasting, where
+      LLMNR is not disabled, using the LLMNR protocol. Lookups for IPv4 addresses are only sent via LLMNR on
+      IPv4, and lookups for IPv6 addresses are only sent via LLMNR on IPv6. Lookups for the locally
+      configured hostname and the <literal>_gateway</literal> hostname are never routed to LLMNR.
+      </para></listitem>
 
       <listitem><para>Multi-label names with the domain suffix <literal>.local</literal> are routed to all
-      local interfaces capable of IP multicasting, using the MulticastDNS protocol. As with LLMNR IPv4
-      address lookups are sent via IPv4 and IPv6 address lookups are sent via IPv6.</para></listitem>
+      local interfaces capable of IP multicasting, where MulticastDNS is not disabled, using the MulticastDNS
+      protocol. As with LLMNR, IPv4 address lookups are sent via IPv4 and IPv6 address lookups are sent via
+      IPv6.</para></listitem>
+
+      <listitem><para>Resolution of address records (A and AAAA) via unicast DNS (i.e. not LLMNR or
+      MulticastDNS) for non-synthesized single-label names is only allowed for non-top-level domains. This
+      means that such records can only be resolved when search domains are defined. For any interface which
+      defines search domains, such look-ups are routed to that interface, suffixed with each of the search
+      domains defined on that interface in turn. When global search domains are defined, such look-ups are
+      routed to all interfaces, suffixed by each of the global search domains in turn. The details of which
+      servers are queried and how the final reply is chosen are described below. Note that this means that
+      address queries for single-label names are never sent out to remote DNS servers, and if no search
+      domains are defined, resolution will fail.</para></listitem>
 
       <listitem><para>Other multi-label names are routed to all local interfaces that have a DNS server
-      configured, plus the globally configured DNS server if there is one. Address lookups from the
-      link-local address range are never routed to DNS. Note that by default lookups for domains with the
-      <literal>.local</literal> suffix are not routed to DNS servers, unless the domain is specified
-      explicitly as routing or search domain for the DNS server and interface. This means that on networks
-      where the <literal>.local</literal> domain is defined in a site-specific DNS server, explicit search or
-      routing domains need to be configured to make lookups within this DNS domain work. Note that today it's
-      generally recommended to avoid defining <literal>.local</literal> in a DNS server, as <ulink
-      url="https://tools.ietf.org/html/rfc6762">RFC6762</ulink> reserves this domain for exclusive
+      configured, plus the globally configured DNS servers if there are any. Note that by default, lookups for
+      domains with the <literal>.local</literal> suffix are not routed to DNS servers, unless the domain is
+      specified explicitly as routing or search domain for the DNS server and interface. This means that on
+      networks where the <literal>.local</literal> domain is defined in a site-specific DNS server, explicit
+      search or routing domains need to be configured to make lookups within this DNS domain work. Note that
+      these days, it's generally recommended to avoid defining <literal>.local</literal> in a DNS server, as
+      <ulink url="https://tools.ietf.org/html/rfc6762">RFC6762</ulink> reserves this domain for exclusive
       MulticastDNS use.</para></listitem>
+
+      <listitem><para>Address lookups are routed similarly to multi-label names, with the exception that
+      addresses from the link-local address range are never routed to unicast DNS and are only resolved using
+      LLMNR and MulticastDNS (when enabled).</para></listitem>
     </itemizedlist>
 
     <para>If lookups are routed to multiple interfaces, the first successful response is returned (thus
@@ -151,12 +169,18 @@
 
     <itemizedlist>
       <listitem><para>If a name to look up matches (that is: is equal to or has as suffix) any of the
-      configured search or route-only domains of any link (or the globally configured DNS settings), the
+      configured search or route-only domains of any link (see
+      <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>),
+      or the globally configured DNS settings (see the discussion of <varname>Domains=</varname> in
+      <citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>),
       "best matching" search/route-only domain is determined: the matching one with the most labels. The
       query is then sent to all DNS servers of any links or the globally configured DNS servers associated
       with this "best matching" search/route-only domain. (Note that more than one link might have this same
       "best matching" search/route-only domain configured, in which case the query is sent to all of them in
-      parallel).</para></listitem>
+      parallel).</para>
+
+      <para>In case of single-label names, when search domains are defined, the same logic applies, except
+      that the name is first suffixed by the search domain.</para></listitem>
 
       <listitem><para>If a query does not match any configured search/route-only domain (neither per-link nor
       global), it is sent to all DNS servers that are configured on links with the "DNS default route" option
@@ -174,14 +198,15 @@
     configured DNS domains for a link: if there's any route-only domain (not matching <literal>~.</literal>)
     it defaults to false, otherwise to true.</para>
 
-    <para>Effectively this means: in order to preferably route all DNS queries not explicitly matched by
-    search/route-only domain configuration to a specific link, configure a <literal>~.</literal> route-only
-    domain on it. This will ensure that other links will not be considered for the queries (unless they too
-    carry such a route-only domain). In order to route all such DNS queries to a specific link only in case
-    no other link is preferable, then set the "DNS default route" option for the link to true, and do not
-    configure a <literal>~.</literal> route-only domain on it. Finally, in order to ensure that a specific
-    link never receives any DNS traffic not matching any of its configured search/route-only domains, set the
-    "DNS default route" option for it to false.</para>
+    <para>Effectively this means: in order to support single-label non-synthetized names, define appropriate
+    search domains. In order to preferably route all DNS queries not explicitly matched by search/route-only
+    domain configuration to a specific link, configure a <literal>~.</literal> route-only domain on it. This
+    will ensure that other links will not be considered for these queries (unless they too carry such a
+    route-only domain). In order to route all such DNS queries to a specific link only if no other link
+    is preferable, set the "DNS default route" option for the link to true and do not configure a
+    <literal>~.</literal> route-only domain on it. Finally, in order to ensure that a specific link never
+    receives any DNS traffic not matching any of its configured search/route-only domains, set the "DNS
+    default route" option for it to false.</para>
 
     <para>See the <ulink url="https://www.freedesktop.org/wiki/Software/systemd/resolved">resolved D-Bus API
     Documentation</ulink> for information about the APIs <filename>systemd-resolved</filename> provides.

src/basic/socket-util.c

@@ -901,9 +901,9 @@ ssize_t receive_one_fd_iov(
          * combination with send_one_fd().
          */
 
-        k = recvmsg(transport_fd, &mh, MSG_CMSG_CLOEXEC | flags);
+        k = recvmsg_safe(transport_fd, &mh, MSG_CMSG_CLOEXEC | flags);
         if (k < 0)
-                return (ssize_t) -errno;
+                return k;
 
         CMSG_FOREACH(cmsg, &mh) {
                 if (cmsg->cmsg_level == SOL_SOCKET &&
@@ -915,12 +915,13 @@ ssize_t receive_one_fd_iov(
                 }
         }
 
-        if (!found)
+        if (!found) {
                 cmsg_close_all(&mh);
 
                 /* If didn't receive an FD or any data, return an error. */
-        if (k == 0 && !found)
+                if (k == 0)
                         return -EIO;
+        }
 
         if (found)
                 *ret_fd = *(int*) CMSG_DATA(found);
@@ -1171,3 +1172,24 @@ int socket_bind_to_ifindex(int fd, int ifindex) {
 
         return socket_bind_to_ifname(fd, ifname);
 }
+
+ssize_t recvmsg_safe(int sockfd, struct msghdr *msg, int flags) {
+        ssize_t n;
+
+        /* A wrapper around recvmsg() that checks for MSG_CTRUNC, and turns it into an error, in a reasonably
+         * safe way, closing any SCM_RIGHTS fds in the error path.
+         *
+         * Note that unlike our usual coding style this might modify *msg on failure. */
+
+        n = recvmsg(sockfd, msg, flags);
+        if (n < 0)
+                return -errno;
+
+        if (FLAGS_SET(msg->msg_flags, MSG_CTRUNC)) {
+                cmsg_close_all(msg);
+                return -EXFULL; /* a recognizable error code */
+        }
+
+        return n;
+
+}

src/basic/socket-util.h

@@ -199,3 +199,5 @@ static inline int setsockopt_int(int fd, int level, int optname, int value) {
 
 int socket_bind_to_ifname(int fd, const char *ifname);
 int socket_bind_to_ifindex(int fd, int ifindex);
+
+ssize_t recvmsg_safe(int sockfd, struct msghdr *msg, int flags);

src/binfmt/binfmt.c

@@ -10,6 +10,7 @@
 #include <sys/types.h>
 
 #include "alloc-util.h"
+#include "binfmt-util.h"
 #include "conf-files.h"
 #include "def.h"
 #include "fd-util.h"
@@ -24,6 +25,7 @@
 
 static bool arg_cat_config = false;
 static PagerFlags arg_pager_flags = 0;
+static bool arg_unregister = false;
 
 static int delete_rule(const char *rule) {
         _cleanup_free_ char *x = NULL, *fn = NULL;
@@ -32,18 +34,17 @@ static int delete_rule(const char *rule) {
         assert(rule);
         assert(rule[0]);
 
-        x = strdup(rule);
+        e = strchrnul(rule + 1, rule[0]);
+        x = strndup(rule + 1, e - rule - 1);
         if (!x)
                 return log_oom();
 
-        e = strchrnul(x+1, x[0]);
-        *e = 0;
-
-        if (!filename_is_valid(x + 1))
+        if (!filename_is_valid(x) ||
+            STR_IN_SET(x, "register", "status"))
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
-                                       "Rule file name '%s' is not valid, refusing.", x + 1);
+                                       "Rule file name '%s' is not valid, refusing.", x);
 
-        fn = path_join("/proc/sys/fs/binfmt_misc", x+1);
+        fn = path_join("/proc/sys/fs/binfmt_misc", x);
         if (!fn)
                 return log_oom();
 
@@ -116,6 +117,7 @@ static int help(void) {
                "     --version          Show package version\n"
                "     --cat-config       Show configuration files\n"
                "     --no-pager         Do not pipe output into a pager\n"
+               "     --unregister       Unregister all existing entries\n"
                "\nSee the %s for details.\n"
                , program_invocation_short_name
                , link
@@ -129,6 +131,7 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_VERSION = 0x100,
                 ARG_CAT_CONFIG,
                 ARG_NO_PAGER,
+                ARG_UNREGISTER,
         };
 
         static const struct option options[] = {
@@ -136,6 +139,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "version",    no_argument, NULL, ARG_VERSION    },
                 { "cat-config", no_argument, NULL, ARG_CAT_CONFIG },
                 { "no-pager",   no_argument, NULL, ARG_NO_PAGER   },
+                { "unregister", no_argument, NULL, ARG_UNREGISTER },
                 {}
         };
 
@@ -162,6 +166,10 @@ static int parse_argv(int argc, char *argv[]) {
                         arg_pager_flags |= PAGER_DISABLE;
                         break;
 
+                case ARG_UNREGISTER:
+                        arg_unregister = true;
+                        break;
+
                 case '?':
                         return -EINVAL;
 
@@ -169,9 +177,9 @@ static int parse_argv(int argc, char *argv[]) {
                         assert_not_reached("Unhandled option");
                 }
 
-        if (arg_cat_config && argc > optind)
+        if ((arg_unregister || arg_cat_config) && argc > optind)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
-                                       "Positional arguments are not allowed with --cat-config");
+                                       "Positional arguments are not allowed with --cat-config or --unregister");
 
         return 1;
 }
@@ -189,6 +197,9 @@ static int run(int argc, char *argv[]) {
 
         r = 0;
 
+        if (arg_unregister)
+                return disable_binfmt();
+
         if (argc > optind) {
                 int i;
 

src/core/execute.c

@@ -1647,8 +1647,6 @@ static int apply_lock_personality(const Unit* u, const ExecContext *c) {
 #endif
 
 static int apply_protect_hostname(const Unit *u, const ExecContext *c, int *ret_exit_status) {
-        int r;
-
         assert(u);
         assert(c);
 
@@ -1668,6 +1666,8 @@ static int apply_protect_hostname(const Unit *u, const ExecContext *c, int *ret_
                 log_unit_warning(u, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.");
 
 #if HAVE_SECCOMP
+        int r;
+
         if (skip_seccomp_unavailable(u, "ProtectHostname="))
                 return 0;
 

src/core/manager.c

@@ -2360,20 +2360,20 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
                 return 0;
         }
 
-        n = recvmsg(m->notify_fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC|MSG_TRUNC);
-        if (n < 0) {
-                if (IN_SET(errno, EAGAIN, EINTR))
+        n = recvmsg_safe(m->notify_fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC|MSG_TRUNC);
+        if (IN_SET(n, -EAGAIN, -EINTR))
                 return 0; /* Spurious wakeup, try again */
-
-                /* If this is any other, real error, then let's stop processing this socket. This of course means we
-                 * won't take notification messages anymore, but that's still better than busy looping around this:
-                 * being woken up over and over again but being unable to actually read the message off the socket. */
-                return log_error_errno(errno, "Failed to receive notification message: %m");
-        }
+        if (n < 0)
+                /* If this is any other, real error, then let's stop processing this socket. This of course
+                 * means we won't take notification messages anymore, but that's still better than busy
+                 * looping around this: being woken up over and over again but being unable to actually read
+                 * the message off the socket. */
+                return log_error_errno(n, "Failed to receive notification message: %m");
 
         CMSG_FOREACH(cmsg, &msghdr) {
                 if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
 
+                        assert(!fd_array);
                         fd_array = (int*) CMSG_DATA(cmsg);
                         n_fds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
 
@@ -2381,6 +2381,7 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
                            cmsg->cmsg_type == SCM_CREDENTIALS &&
                            cmsg->cmsg_len == CMSG_LEN(sizeof(struct ucred))) {
 
+                        assert(!ucred);
                         ucred = (struct ucred*) CMSG_DATA(cmsg);
                 }
         }

src/coredump/coredump.c

@@ -911,10 +911,10 @@ static int process_socket(int fd) {
 
                 mh.msg_iov = &iovec;
 
-                n = recvmsg(fd, &mh, MSG_CMSG_CLOEXEC);
+                n = recvmsg_safe(fd, &mh, MSG_CMSG_CLOEXEC);
                 if (n < 0)  {
                         free(iovec.iov_base);
-                        r = log_error_errno(errno, "Failed to receive datagram: %m");
+                        r = log_error_errno(n, "Failed to receive datagram: %m");
                         goto finish;
                 }
 
@@ -935,15 +935,17 @@ static int process_socket(int fd) {
                         }
 
                         if (!found) {
-                                log_error("Coredump file descriptor missing.");
-                                r = -EBADMSG;
+                                cmsg_close_all(&mh);
+                                r = log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
+                                                    "Coredump file descriptor missing.");
                                 goto finish;
                         }
 
                         assert(input_fd < 0);
                         input_fd = *(int*) CMSG_DATA(found);
                         break;
-                }
+                } else
+                        cmsg_close_all(&mh);
 
                 /* Add trailing NUL byte, in case these are strings */
                 ((char*) iovec.iov_base)[n] = 0;
@@ -952,8 +954,6 @@ static int process_socket(int fd) {
                 r = iovw_put(&iovw, iovec.iov_base, iovec.iov_len);
                 if (r < 0)
                         goto finish;
-
-                cmsg_close_all(&mh);
         }
 
         /* Make sure we got all data we really need */

src/home/homed-manager.c

@@ -981,9 +981,9 @@ static ssize_t read_datagram(int fd, struct ucred *ret_sender, void **ret) {
                         .msg_controllen = sizeof(control),
                 };
 
-                m = recvmsg(fd, &mh, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
+                m = recvmsg_safe(fd, &mh, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
                 if (m < 0)
-                        return -errno;
+                        return m;
 
                 cmsg_close_all(&mh);
 

src/home/pwquality-util.c

@@ -148,7 +148,7 @@ int suggest_passwords(void) {
 
         pwquality_maybe_disable_dictionary(pwq);
 
-        suggestions = new0(char*, N_SUGGESTIONS);
+        suggestions = new0(char*, N_SUGGESTIONS+1);
         if (!suggestions)
                 return log_oom();
 

src/import/importd.c

@@ -566,13 +566,11 @@ static int manager_on_notify(sd_event_source *s, int fd, uint32_t revents, void
         ssize_t n;
         int r;
 
-        n = recvmsg(fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
-        if (n < 0) {
-                if (IN_SET(errno, EAGAIN, EINTR))
+        n = recvmsg_safe(fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
+        if (IN_SET(n, -EAGAIN, -EINTR))
                 return 0;
-
-                return -errno;
-        }
+        if (n < 0)
+                return (int) n;
 
         cmsg_close_all(&msghdr);
 

src/journal/journald-server.c

@@ -1317,29 +1317,35 @@ int server_process_datagram(
 
         iovec = IOVEC_MAKE(s->buffer, s->buffer_size - 1); /* Leave room for trailing NUL we add later */
 
-        n = recvmsg(fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
-        if (n < 0) {
-                if (IN_SET(errno, EINTR, EAGAIN))
+        n = recvmsg_safe(fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
+        if (IN_SET(n, -EINTR, -EAGAIN))
+                return 0;
+        if (n == -EXFULL) {
+                log_warning("Got message with truncated control data (too many fds sent?), ignoring.");
                 return 0;
-
-                return log_error_errno(errno, "recvmsg() failed: %m");
         }
+        if (n < 0)
+                return log_error_errno(n, "recvmsg() failed: %m");
 
         CMSG_FOREACH(cmsg, &msghdr)
                 if (cmsg->cmsg_level == SOL_SOCKET &&
                     cmsg->cmsg_type == SCM_CREDENTIALS &&
-                    cmsg->cmsg_len == CMSG_LEN(sizeof(struct ucred)))
+                    cmsg->cmsg_len == CMSG_LEN(sizeof(struct ucred))) {
+                        assert(!ucred);
                         ucred = (struct ucred*) CMSG_DATA(cmsg);
-                else if (cmsg->cmsg_level == SOL_SOCKET &&
+                } else if (cmsg->cmsg_level == SOL_SOCKET &&
                          cmsg->cmsg_type == SCM_SECURITY) {
+                        assert(!label);
                         label = (char*) CMSG_DATA(cmsg);
                         label_len = cmsg->cmsg_len - CMSG_LEN(0);
                 } else if (cmsg->cmsg_level == SOL_SOCKET &&
                            cmsg->cmsg_type == SO_TIMESTAMP &&
-                           cmsg->cmsg_len == CMSG_LEN(sizeof(struct timeval)))
+                           cmsg->cmsg_len == CMSG_LEN(sizeof(struct timeval))) {
+                        assert(!tv);
                         tv = (struct timeval*) CMSG_DATA(cmsg);
-                else if (cmsg->cmsg_level == SOL_SOCKET &&
+                } else if (cmsg->cmsg_level == SOL_SOCKET &&
                          cmsg->cmsg_type == SCM_RIGHTS) {
+                        assert(!fds);
                         fds = (int*) CMSG_DATA(cmsg);
                         n_fds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
                 }

src/journal/journald-stream.c

@@ -545,6 +545,7 @@ static int stdout_stream_process(sd_event_source *es, int fd, uint32_t revents,
                 if (cmsg->cmsg_level == SOL_SOCKET &&
                     cmsg->cmsg_type == SCM_CREDENTIALS &&
                     cmsg->cmsg_len == CMSG_LEN(sizeof(struct ucred))) {
+                        assert(!ucred);
                         ucred = (struct ucred *)CMSG_DATA(cmsg);
                         break;
                 }

src/libsystemd/sd-bus/bus-socket.c

@@ -557,17 +557,24 @@ static int bus_socket_read_auth(sd_bus *b) {
                 mh.msg_control = &control;
                 mh.msg_controllen = sizeof(control);
 
-                k = recvmsg(b->input_fd, &mh, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
-                if (k < 0 && errno == ENOTSOCK) {
+                k = recvmsg_safe(b->input_fd, &mh, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
+                if (k == -ENOTSOCK) {
                         b->prefer_readv = true;
                         k = readv(b->input_fd, &iov, 1);
+                        if (k < 0)
+                                k = -errno;
                 } else
                         handle_cmsg = true;
         }
+        if (k == -EAGAIN)
+                return 0;
         if (k < 0)
-                return errno == EAGAIN ? 0 : -errno;
-        if (k == 0)
+                return (int) k;
+        if (k == 0) {
+                if (handle_cmsg)
+                        cmsg_close_all(&mh); /* paranoia, we shouldn't have gotten any fds on EOF */
                 return -ECONNRESET;
+        }
 
         b->rbuffer_size += k;
 
@@ -1193,17 +1200,24 @@ int bus_socket_read_message(sd_bus *bus) {
                 mh.msg_control = &control;
                 mh.msg_controllen = sizeof(control);
 
-                k = recvmsg(bus->input_fd, &mh, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
-                if (k < 0 && errno == ENOTSOCK) {
+                k = recvmsg_safe(bus->input_fd, &mh, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
+                if (k == -ENOTSOCK) {
                         bus->prefer_readv = true;
                         k = readv(bus->input_fd, &iov, 1);
+                        if (k < 0)
+                                k = -errno;
                 } else
                         handle_cmsg = true;
         }
+        if (k == -EAGAIN)
+                return 0;
         if (k < 0)
-                return errno == EAGAIN ? 0 : -errno;
-        if (k == 0)
+                return (int) k;
+        if (k == 0) {
+                if (handle_cmsg)
+                        cmsg_close_all(&mh); /* On EOF we shouldn't have gotten an fd, but let's make sure */
                 return -ECONNRESET;
+        }
 
         bus->rbuffer_size += k;
 

src/network/networkd-lldp-rx.c

@@ -12,6 +12,7 @@
 #include "networkd-network.h"
 #include "string-table.h"
 #include "string-util.h"
+#include "strv.h"
 #include "tmpfile-util.h"
 
 DEFINE_CONFIG_PARSE_ENUM(config_parse_lldp_mode, lldp_mode, LLDPMode, "Failed to parse LLDP= setting.");
@@ -36,10 +37,10 @@ bool link_lldp_rx_enabled(Link *link) {
         if (!link->network)
                 return false;
 
-        /* LLDP should be handled on bridge slaves as those have a direct
-         * connection to their peers not on the bridge master. Linux doesn't
-         * even (by default) forward lldp packets to the bridge master.*/
-        if (streq_ptr("bridge", link->kind))
+        /* LLDP should be handled on bridge and bond slaves as those have a direct connection to their peers,
+         * not on the bridge/bond master. Linux doesn't even (by default) forward lldp packets to the bridge
+         * master.*/
+        if (link->kind && STR_IN_SET(link->kind, "bridge", "bond"))
                 return false;
 
         return link->network->lldp_mode != LLDP_MODE_NO;

src/network/networkd-lldp-tx.c

@@ -6,8 +6,8 @@
 #include <net/if_arp.h>
 
 #include "alloc-util.h"
-#include "escape.h"
 #include "env-file.h"
+#include "escape.h"
 #include "fd-util.h"
 #include "hostname-util.h"
 #include "missing_network.h"
@@ -18,6 +18,7 @@
 #include "random-util.h"
 #include "socket-util.h"
 #include "string-util.h"
+#include "strv.h"
 #include "unaligned.h"
 #include "web-util.h"
 
@@ -54,6 +55,9 @@ bool link_lldp_emit_enabled(Link *link) {
         if (!link->network)
                 return false;
 
+        if (link->kind && STR_IN_SET(link->kind, "bridge", "bond"))
+                return false;
+
         return link->network->lldp_emit != LLDP_EMIT_NO;
 }
 

src/nspawn/nspawn.c

@@ -3713,13 +3713,12 @@ static int nspawn_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t r
                 return 0;
         }
 
-        n = recvmsg(fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
-        if (n < 0) {
-                if (IN_SET(errno, EAGAIN, EINTR))
+        n = recvmsg_safe(fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
+        if (IN_SET(n, -EAGAIN, -EINTR))
                 return 0;
+        if (n < 0)
+                return log_warning_errno(n, "Couldn't read notification socket: %m");
 
-                return log_warning_errno(errno, "Couldn't read notification socket: %m");
-        }
         cmsg_close_all(&msghdr);
 
         CMSG_FOREACH(cmsg, &msghdr) {

src/nss-systemd/nss-systemd.c

@@ -310,7 +310,12 @@ enum nss_status _nss_systemd_setpwent(int stayopen) {
         getpwent_data.iterator = userdb_iterator_free(getpwent_data.iterator);
         getpwent_data.by_membership = false;
 
-        r = userdb_all(nss_glue_userdb_flags(), &getpwent_data.iterator);
+        /* Don't synthesize root/nobody when iterating. Let nss-files take care of that. If the two records
+         * are missing there, then that's fine, after all getpwent() is known to be possibly incomplete
+         * (think: LDAP/NIS type situations), and our synthesizing of root/nobody is a robustness fallback
+         * only, which matters for getpwnam()/getpwuid() primarily, which are the main NSS entrypoints to the
+         * user database. */
+        r = userdb_all(nss_glue_userdb_flags() | USERDB_DONT_SYNTHESIZE, &getpwent_data.iterator);
         return r < 0 ? NSS_STATUS_UNAVAIL : NSS_STATUS_SUCCESS;
 }
 
@@ -329,7 +334,8 @@ enum nss_status _nss_systemd_setgrent(int stayopen) {
         getgrent_data.iterator = userdb_iterator_free(getgrent_data.iterator);
         getpwent_data.by_membership = false;
 
-        r = groupdb_all(nss_glue_userdb_flags(), &getgrent_data.iterator);
+        /* See _nss_systemd_setpwent() for an explanation why we use USERDB_DONT_SYNTHESIZE here */
+        r = groupdb_all(nss_glue_userdb_flags() | USERDB_DONT_SYNTHESIZE, &getgrent_data.iterator);
         return r < 0 ? NSS_STATUS_UNAVAIL : NSS_STATUS_SUCCESS;
 }
 

src/portable/portable.c

@@ -190,9 +190,9 @@ static int recv_item(
         assert(ret_name);
         assert(ret_fd);
 
-        n = recvmsg(socket_fd, &mh, MSG_CMSG_CLOEXEC);
+        n = recvmsg_safe(socket_fd, &mh, MSG_CMSG_CLOEXEC);
         if (n < 0)
-                return -errno;
+                return (int) n;
 
         CMSG_FOREACH(cmsg, &mh) {
                 if (cmsg->cmsg_level == SOL_SOCKET &&

src/resolve/resolved-manager.c

@@ -775,17 +775,14 @@ int manager_recv(Manager *m, int fd, DnsProtocol protocol, DnsPacket **ret) {
 
         iov = IOVEC_MAKE(DNS_PACKET_DATA(p), p->allocated);
 
-        l = recvmsg(fd, &mh, 0);
-        if (l < 0) {
-                if (IN_SET(errno, EAGAIN, EINTR))
+        l = recvmsg_safe(fd, &mh, 0);
+        if (IN_SET(l, -EAGAIN, -EINTR))
                 return 0;
-
-                return -errno;
-        }
+        if (l < 0)
+                return l;
         if (l == 0)
                 return 0;
 
-        assert(!(mh.msg_flags & MSG_CTRUNC));
         assert(!(mh.msg_flags & MSG_TRUNC));
 
         p->size = (size_t) l;

src/shared/ask-password-api.c

@@ -925,12 +925,11 @@ int ask_password_agent(
                 msghdr.msg_control = &control;
                 msghdr.msg_controllen = sizeof(control);
 
-                n = recvmsg(socket_fd, &msghdr, 0);
-                if (n < 0) {
-                        if (IN_SET(errno, EAGAIN, EINTR))
+                n = recvmsg_safe(socket_fd, &msghdr, 0);
+                if (IN_SET(n, -EAGAIN, -EINTR))
                         continue;
-
-                        r = -errno;
+                if (n < 0) {
+                        r = (int) n;
                         goto finish;
                 }
 

src/shared/binfmt-util.c

@@ -0,0 +1,33 @@
+#include <sys/stat.h>
+#include <sys/statvfs.h>
+#include <sys/vfs.h>
+
+#include "binfmt-util.h"
+#include "fileio.h"
+#include "missing_magic.h"
+#include "stat-util.h"
+
+int disable_binfmt(void) {
+        int r;
+
+        /* Flush out all rules. This is important during shutdown to cover for rules using "F", since those
+         * might pin a file and thus block us from unmounting stuff cleanly.
+         *
+         * We are a bit careful here, since binfmt_misc might still be an autofs which we don't want to
+         * trigger. */
+
+        r = path_is_fs_type("/proc/sys/fs/binfmt_misc", BINFMTFS_MAGIC);
+        if (r == 0 || r == -ENOENT) {
+                log_debug("binfmt_misc is not mounted, not detaching entries.");
+                return 0;
+        }
+        if (r < 0)
+                return log_warning_errno(r, "Failed to determine whether binfmt_misc is mounted: %m");
+
+        r = write_string_file("/proc/sys/fs/binfmt_misc/status", "-1", WRITE_STRING_FILE_DISABLE_BUFFER);
+        if (r < 0)
+                return log_warning_errno(r, "Failed to unregister binfmt_misc entries: %m");
+
+        log_debug("Unregistered all remaining binfmt_misc entries.");
+        return 0;
+}

src/shared/binfmt-util.h

@@ -0,0 +1,4 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+#pragma once
+
+int disable_binfmt(void);

src/shared/bus-wait-for-units.c

@@ -80,6 +80,15 @@ static WaitForItem *wait_for_item_free(WaitForItem *item) {
 
 DEFINE_TRIVIAL_CLEANUP_FUNC(WaitForItem*, wait_for_item_free);
 
+static void call_unit_callback_and_wait(BusWaitForUnits *d, WaitForItem *item, bool good) {
+        d->current = item;
+
+        if (item->unit_callback)
+                item->unit_callback(d, item->bus_path, good, item->userdata);
+
+        wait_for_item_free(item);
+}
+
 static void bus_wait_for_units_clear(BusWaitForUnits *d) {
         WaitForItem *item;
 
@@ -88,13 +97,8 @@ static void bus_wait_for_units_clear(BusWaitForUnits *d) {
         d->slot_disconnected = sd_bus_slot_unref(d->slot_disconnected);
         d->bus = sd_bus_unref(d->bus);
 
-        while ((item = hashmap_first(d->items))) {
-                d->current = item;
-
-                if (item->unit_callback)
-                        item->unit_callback(d, item->bus_path, false, item->userdata);
-                wait_for_item_free(item);
-        }
+        while ((item = hashmap_first(d->items)))
+                call_unit_callback_and_wait(d, item, false);
 
         d->items = hashmap_free(d->items);
 }
@@ -213,13 +217,7 @@ static void wait_for_item_check_ready(WaitForItem *item) {
                         return;
         }
 
-        if (item->unit_callback) {
-                d->current = item;
-                item->unit_callback(d, item->bus_path, true, item->userdata);
-        }
-
-        wait_for_item_free(item);
-
+        call_unit_callback_and_wait(d, item, true);
         bus_wait_for_units_check_ready(d);
 }
 
@@ -304,10 +302,7 @@ static int on_get_all_properties(sd_bus_message *m, void *userdata, sd_bus_error
                 log_debug_errno(sd_bus_error_get_errno(error), "GetAll() failed for %s: %s",
                                 item->bus_path, error->message);
 
-                d->current = item;
-                item->unit_callback(d, item->bus_path, false, item->userdata);
-                wait_for_item_free(item);
-
+                call_unit_callback_and_wait(d, item, false);
                 bus_wait_for_units_check_ready(d);
                 return 0;
         }

src/shared/meson.build

@@ -12,6 +12,8 @@ shared_sources = files('''
         barrier.h
         base-filesystem.c
         base-filesystem.h
+        binfmt-util.c
+        binfmt-util.h
         bitmap.c
         bitmap.h
         blkid-util.h

src/shutdown/shutdown.c

@@ -16,6 +16,7 @@
 
 #include "alloc-util.h"
 #include "async.h"
+#include "binfmt-util.h"
 #include "cgroup-setup.h"
 #include "cgroup-util.h"
 #include "def.h"
@@ -386,6 +387,7 @@ int main(int argc, char *argv[]) {
                 sync_with_progress();
 
         disable_coredumps();
+        disable_binfmt();
 
         log_info("Sending SIGTERM to remaining processes...");
         broadcast_signal(SIGTERM, true, true, arg_timeout);

src/timesync/timesyncd-manager.c

@@ -438,12 +438,11 @@ static int manager_receive_response(sd_event_source *source, int fd, uint32_t re
                 return manager_connect(m);
         }
 
-        len = recvmsg(fd, &msghdr, MSG_DONTWAIT);
-        if (len < 0) {
-                if (errno == EAGAIN)
+        len = recvmsg_safe(fd, &msghdr, MSG_DONTWAIT);
+        if (len == -EAGAIN)
                 return 0;
-
-                log_warning("Error receiving message. Disconnecting.");
+        if (len < 0) {
+                log_warning_errno(len, "Error receiving message, disconnecting: %m");
                 return manager_connect(m);
         }
 

src/udev/udev-ctrl.c

@@ -212,13 +212,11 @@ static int udev_ctrl_connection_event_handler(sd_event_source *s, int fd, uint32
         if (size == 0)
                 return 0; /* Client disconnects? */
 
-        size = recvmsg(fd, &smsg, 0);
-        if (size < 0) {
-                if (errno != EINTR)
-                        return log_error_errno(errno, "Failed to receive ctrl message: %m");
-
+        size = recvmsg_safe(fd, &smsg, 0);
+        if (size == -EINTR)
                 return 0;
-        }
+        if (size < 0)
+                return log_error_errno(size, "Failed to receive ctrl message: %m");
 
         cmsg_close_all(&smsg);
 

src/udev/udev-rules.c

@@ -1092,7 +1092,9 @@ static int rule_add_line(UdevRules *rules, const char *line_str, unsigned line_n
         if (isempty(line_str))
                 return 0;
 
-        line = strdup(line_str);
+        /* We use memdup_suffix0() here, since we want to add a second NUL byte to the end, since possibly
+         * some parsers might turn this into a "nulstr", which requires an extra NUL at the end. */
+        line = memdup_suffix0(line_str, strlen(line_str) + 1);
         if (!line)
                 return log_oom();
 
@@ -1328,11 +1330,7 @@ static bool token_match_string(UdevRuleToken *token, const char *str) {
                 match = isempty(str);
                 break;
         case MATCH_TYPE_SUBSYSTEM:
-                NULSTR_FOREACH(i, "subsystem\0class\0bus\0")
-                        if (streq(i, str)) {
-                                match = true;
-                                break;
-                        }
+                match = STR_IN_SET(str, "subsystem", "class", "bus");
                 break;
         case MATCH_TYPE_PLAIN_WITH_EMPTY:
                 if (isempty(str)) {

src/udev/udevd.c

@@ -921,16 +921,18 @@ static int on_worker(sd_event_source *s, int fd, uint32_t revents, void *userdat
                 struct ucred *ucred = NULL;
                 struct worker *worker;
 
-                size = recvmsg(fd, &msghdr, MSG_DONTWAIT);
-                if (size < 0) {
-                        if (errno == EINTR)
+                size = recvmsg_safe(fd, &msghdr, MSG_DONTWAIT);
+                if (size == -EINTR)
                         continue;
-                        else if (errno == EAGAIN)
+                if (size == -EAGAIN)
                         /* nothing more to read */
                         break;
+                if (size < 0)
+                        return log_error_errno(size, "Failed to receive message: %m");
 
-                        return log_error_errno(errno, "Failed to receive message: %m");
-                } else if (size != sizeof(struct worker_message)) {
+                cmsg_close_all(&msghdr);
+
+                if (size != sizeof(struct worker_message)) {
                         log_warning("Ignoring worker message with invalid size %zi bytes", size);
                         continue;
                 }

units/systemd-binfmt.service.in

@@ -28,4 +28,5 @@ ConditionDirectoryNotEmpty=|/run/binfmt.d
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=@rootlibexecdir@/systemd-binfmt
+ExecStop=@rootlibexecdir@/systemd-binfmt --unregister
 TimeoutSec=90s