test-network: add test case for [IPv6RoutePrefix] Preference=

Alternative to https://github.com/systemd/systemd/pull/34789
Closes #34789

TODO

@@ -129,6 +129,20 @@ Deprecations and removals:
 
 Features:
 
+* Teach systemd-ssh-generator to generated an /run/issue.d/ drop-in telling
+  users how to connect to the system via the AF_VSOCK, as per:
+  https://github.com/systemd/systemd/issues/35071#issuecomment-2462803142
+
+* maybe introduce an OSC sequence that signals when we ask for a password, so
+  that terminal emulators can maybe connect a password manager or so, and
+  highlight things specially.
+
+* Port pidref_namespace_open() to use PIDFD_GET_MNT_NAMESPACE and related
+  ioctls to get nsfds directly from pidfds.
+
+* start using STATX_SUBVOL in btrfs_is_subvol(). Also, make use of it
+  generically, so that image discovery recognizes bcachefs subvols too.
+
 * format-table: introduce new cell type for strings with ansi sequences in
   them. display them in regular output mode (via strip_tab_ansi()), but
   suppress them in json mode.

hwdb.d/60-sensor.hwdb

@@ -376,11 +376,12 @@ sensor:modalias:acpi:KIOX000A*:dmi:*:svncube:pni1-TF:*
 sensor:modalias:acpi:SMO8500*:dmi:*:svncube:pni7:*
  ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1
 
-# Cube i7 Stylus, i7 Stylus I8L Model, i7 Book (i16) and Mix Plus (i18B)
+# Cube i7 Stylus, i7 Stylus I8L Model, i7 Book (i16) and Mix Plus (i18B/i18D)
 sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni7Stylus:*
 sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni8-L:*
 sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni16:*
 sensor:modalias:acpi:KIOX000A*:dmi:*:svnCube:pni18B:*
+sensor:modalias:acpi:KIOX000A*:dmi:*:svnALLDOCUBE:pni18D:*
  ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1
 
 # Cube iWork 10 Flagship

man/kernel-command-line.xml

@@ -421,7 +421,7 @@
         <term><varname>rd.systemd.verity=</varname></term>
         <term><varname>systemd.verity_root_data=</varname></term>
         <term><varname>systemd.verity_root_hash=</varname></term>
-        <term><varname>systemd.verity.root_options=</varname></term>
+        <term><varname>systemd.verity_root_options=</varname></term>
         <term><varname>usrhash=</varname></term>
         <term><varname>systemd.verity_usr_data=</varname></term>
         <term><varname>systemd.verity_usr_hash=</varname></term>

mkosi.images/build/mkosi.build.chroot

@@ -0,0 +1,7 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+if [[ "$1" == "clangd" ]]; then
+    exec "$@"
+fi

mkosi.images/build/mkosi.conf.d/arch/mkosi.build.chroot

@@ -2,10 +2,6 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 set -e
 
-if [[ "$1" == "clangd" ]]; then
-    exec "$@"
-fi
-
 if [[ ! -f "pkg/$PKG_SUBDIR/PKGBUILD" ]]; then
     echo "PKGBUILD not found at pkg/$PKG_SUBDIR/PKGBUILD, run mkosi once with -ff to make sure the PKGBUILD is cloned" >&2
     exit 1

po/he.po

@@ -6,7 +6,7 @@ msgstr ""
 "Project-Id-Version: systemd\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-11-17 15:48+0000\n"
+"PO-Revision-Date: 2024-11-19 07:38+0000\n"
 "Last-Translator: Yaron Shahrabani <sh.yaron@gmail.com>\n"
 "Language-Team: Hebrew <https://translate.fedoraproject.org/projects/systemd/"
 "main/he/>\n"
@@ -375,10 +375,9 @@ msgid "Cancel transfer of a disk image"
 msgstr "ביטול העברה של דמות כונן"
 
 #: src/import/org.freedesktop.import1.policy:53
-#, fuzzy
 msgid ""
 "Authentication is required to cancel the ongoing transfer of a disk image."
-msgstr "נדרש אימות כדי להחליף סיסמה של אזור בית למשתמש."
+msgstr "נדרש אימות כדי לבטל העברה של דמות כונן שמתבצעת בזמן אמת."
 
 #: src/locale/org.freedesktop.locale1.policy:22
 msgid "Set system locale"
@@ -720,9 +719,8 @@ msgid "Set a wall message"
 msgstr "הגדרת הודעת קיר"
 
 #: src/login/org.freedesktop.login1.policy:397
-#, fuzzy
 msgid "Authentication is required to set a wall message."
-msgstr "נדרש אימות כדי להגדיר הודעת קיר"
+msgstr "נדרש אימות כדי להגדיר הודעת קיר."
 
 #: src/login/org.freedesktop.login1.policy:406
 msgid "Change Session"
@@ -792,16 +790,14 @@ msgstr ""
 "נדרש אימות כדי לנהל מכונות וירטואליות (VM) ומכולות (container) מקומיות."
 
 #: src/machine/org.freedesktop.machine1.policy:95
-#, fuzzy
 msgid "Create a local virtual machine or container"
-msgstr "ניהול מכונות וירטואליות ומכולות מקומיות"
+msgstr "יצירת מכונה וירטואלית או מכולה מקומיות"
 
 #: src/machine/org.freedesktop.machine1.policy:96
-#, fuzzy
 msgid ""
 "Authentication is required to create a local virtual machine or container."
 msgstr ""
-"נדרש אימות כדי לנהל מכונות וירטואליות (VM) ומכולות (container) מקומיות."
+"נדרש אימות כדי ליצור מכונות וירטואליות (VM) או מכולות (container) מקומיות."
 
 #: src/machine/org.freedesktop.machine1.policy:106
 msgid "Manage local virtual machine and container images"
@@ -953,13 +949,13 @@ msgstr "נדרש אימות כדי להגדיר כרטיס רשת מחדש."
 
 #: src/network/org.freedesktop.network1.policy:187
 msgid "Specify whether persistent storage for systemd-networkd is available"
-msgstr ""
+msgstr "נא לציין האם יש אחסון קבוע זמין ל־systemd-networkd"
 
 #: src/network/org.freedesktop.network1.policy:188
 msgid ""
 "Authentication is required to specify whether persistent storage for systemd-"
 "networkd is available."
-msgstr ""
+msgstr "נדרש אימות כדי לציין האם אחסון קבוע זמין ל־systemd-networkd."
 
 #: src/portable/org.freedesktop.portable1.policy:13
 msgid "Inspect a portable service image"
@@ -992,18 +988,16 @@ msgid "Register a DNS-SD service"
 msgstr "רישום שירות DNS-SD"
 
 #: src/resolve/org.freedesktop.resolve1.policy:23
-#, fuzzy
 msgid "Authentication is required to register a DNS-SD service."
-msgstr "נדרש אימות כדי לרשום שירות DNS-SD"
+msgstr "נדרש אימות כדי לרשום שירות DNS-SD."
 
 #: src/resolve/org.freedesktop.resolve1.policy:33
 msgid "Unregister a DNS-SD service"
 msgstr "ביטול רישום שירות DNS-SD"
 
 #: src/resolve/org.freedesktop.resolve1.policy:34
-#, fuzzy
 msgid "Authentication is required to unregister a DNS-SD service."
-msgstr "נדרש אימות כדי לבטל רישום של שירות DNS-SD"
+msgstr "נדרש אימות כדי לבטל רישום של שירות DNS-SD."
 
 #: src/resolve/org.freedesktop.resolve1.policy:132
 msgid "Revert name resolution settings"
@@ -1015,95 +1009,85 @@ msgstr "נדרש אימות כדי לאפס את הגדרות פתרון השמ
 
 #: src/resolve/org.freedesktop.resolve1.policy:143
 msgid "Subscribe query results"
-msgstr ""
+msgstr "רישום לתוצאות שאילתה"
 
 #: src/resolve/org.freedesktop.resolve1.policy:144
-#, fuzzy
 msgid "Authentication is required to subscribe query results."
-msgstr "נדרש אימות כדי להשהות את המערכת."
+msgstr "נדרש אימות כדי להירשם לתוצאות שאילתה."
 
 #: src/resolve/org.freedesktop.resolve1.policy:154
 msgid "Dump cache"
-msgstr ""
+msgstr "היטל המטמון"
 
 #: src/resolve/org.freedesktop.resolve1.policy:155
-#, fuzzy
 msgid "Authentication is required to dump cache."
-msgstr "נדרש אימות כדי להגדיר שמות תחום."
+msgstr "נדרש אימות כדי להטיל את המטמון."
 
 #: src/resolve/org.freedesktop.resolve1.policy:165
 msgid "Dump server state"
-msgstr ""
+msgstr "היטל מצב השרת"
 
 #: src/resolve/org.freedesktop.resolve1.policy:166
-#, fuzzy
 msgid "Authentication is required to dump server state."
-msgstr "נדרש אימות כדי להגדיר שרתי NTP."
+msgstr "נדרש אימות כדי להטיל את מצב השרת."
 
 #: src/resolve/org.freedesktop.resolve1.policy:176
 msgid "Dump statistics"
-msgstr ""
+msgstr "היטל סטטיסטיקה"
 
 #: src/resolve/org.freedesktop.resolve1.policy:177
-#, fuzzy
 msgid "Authentication is required to dump statistics."
-msgstr "נדרש אימות כדי להגדיר שמות תחום."
+msgstr "נדרש אימות כדי להטיל סטטיסטיקה."
 
 #: src/resolve/org.freedesktop.resolve1.policy:187
 msgid "Reset statistics"
-msgstr ""
+msgstr "איפוס סטטיסטיקה"
 
 #: src/resolve/org.freedesktop.resolve1.policy:188
-#, fuzzy
 msgid "Authentication is required to reset statistics."
-msgstr "נדרש אימות כדי לאפס הגדרות NTP."
+msgstr "נדרש אימות כדי לאפס סטטיסטיקה."
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:35
 msgid "Check for system updates"
-msgstr ""
+msgstr "חיפוש עדכוני מערכת"
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:36
-#, fuzzy
 msgid "Authentication is required to check for system updates."
-msgstr "נדרש אימות כדי להגדיר את שעון המערכת."
+msgstr "נדרש אימות כדי לחפש עדכוני מערכת."
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:45
 msgid "Install system updates"
-msgstr ""
+msgstr "התקנת עדכוני מערכת"
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:46
-#, fuzzy
 msgid "Authentication is required to install system updates."
-msgstr "נדרש אימות כדי להגדיר את שעון המערכת."
+msgstr "נדרש אימות כדי להתקין עדכוני מערכת."
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:55
 msgid "Install specific system version"
-msgstr ""
+msgstr "התקנת גרסת מערכת מסוימת"
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:56
-#, fuzzy
 msgid ""
 "Authentication is required to update the system to a specific (possibly old) "
 "version."
-msgstr "נדרש אימות כדי להגדיר את אזור הזמן של המערכת."
+msgstr "נדרש אימות כדי לעדכן את המערכת לגרסה מסוימת (כנראה ישנה)."
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:65
 msgid "Cleanup old system updates"
-msgstr ""
+msgstr "ניקוי עדכוני מערכת ישנים"
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:66
-#, fuzzy
 msgid "Authentication is required to cleanup old system updates."
-msgstr "נדרש אימות כדי להגדיר את שעון המערכת."
+msgstr "נדרש אימות כדי לנקות עדכוני מערכת ישנים."
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr ""
+msgstr "ניהול יכולות רשות"
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
-msgstr "נדרש אימות כדי לנהל הפעלות, משתמשים ומושבים פעילים."
+msgstr "נדרש אימות כדי לנהל יכולות רשות"
 
 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"

src/basic/user-util.c

@@ -220,9 +220,9 @@ static int synthesize_user_creds(
                 if (ret_gid)
                         *ret_gid = GID_NOBODY;
                 if (ret_home)
-                        *ret_home = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : "/";
+                        *ret_home = FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) ? NULL : "/";
                 if (ret_shell)
-                        *ret_shell = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : NOLOGIN;
+                        *ret_shell = FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) ? NULL : NOLOGIN;
 
                 return 0;
         }
@@ -244,6 +244,7 @@ int get_user_creds(
 
         assert(username);
         assert(*username);
+        assert((ret_home || ret_shell) || !(flags & (USER_CREDS_SUPPRESS_PLACEHOLDER|USER_CREDS_CLEAN)));
 
         if (!FLAGS_SET(flags, USER_CREDS_PREFER_NSS) ||
             (!ret_home && !ret_shell)) {
@@ -315,17 +316,14 @@ int get_user_creds(
 
         if (ret_home)
                 /* Note: we don't insist on normalized paths, since there are setups that have /./ in the path */
-                *ret_home = (FLAGS_SET(flags, USER_CREDS_CLEAN) &&
-                             (empty_or_root(p->pw_dir) ||
-                              !path_is_valid(p->pw_dir) ||
-                              !path_is_absolute(p->pw_dir))) ? NULL : p->pw_dir;
+                *ret_home = (FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) && empty_or_root(p->pw_dir)) ||
+                            (FLAGS_SET(flags, USER_CREDS_CLEAN) && (!path_is_valid(p->pw_dir) || !path_is_absolute(p->pw_dir)))
+                            ? NULL : p->pw_dir;
 
         if (ret_shell)
-                *ret_shell = (FLAGS_SET(flags, USER_CREDS_CLEAN) &&
-                              (isempty(p->pw_shell) ||
-                               !path_is_valid(p->pw_shell) ||
-                               !path_is_absolute(p->pw_shell) ||
-                               is_nologin_shell(p->pw_shell))) ? NULL : p->pw_shell;
+                *ret_shell = (FLAGS_SET(flags, USER_CREDS_SUPPRESS_PLACEHOLDER) && shell_is_placeholder(p->pw_shell)) ||
+                             (FLAGS_SET(flags, USER_CREDS_CLEAN) && (!path_is_valid(p->pw_shell) || !path_is_absolute(p->pw_shell)))
+                             ? NULL : p->pw_shell;
 
         if (patch_username)
                 *username = p->pw_name;

src/basic/user-util.h

@@ -12,6 +12,8 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+#include "string-util.h"
+
 /* Users managed by systemd-homed. See https://systemd.io/UIDS-GIDS for details how this range fits into the rest of the world */
 #define HOME_UID_MIN ((uid_t) 60001)
 #define HOME_UID_MAX ((uid_t) 60513)
@@ -36,10 +38,20 @@ static inline int parse_gid(const char *s, gid_t *ret_gid) {
 char* getlogname_malloc(void);
 char* getusername_malloc(void);
 
+const char* default_root_shell_at(int rfd);
+const char* default_root_shell(const char *root);
+
+bool is_nologin_shell(const char *shell);
+
+static inline bool shell_is_placeholder(const char *shell) {
+        return isempty(shell) || is_nologin_shell(shell);
+}
+
 typedef enum UserCredsFlags {
-        USER_CREDS_PREFER_NSS    = 1 << 0,  /* if set, only synthesize user records if database lacks them. Normally we bypass the userdb entirely for the records we can synthesize */
-        USER_CREDS_ALLOW_MISSING = 1 << 1,  /* if a numeric UID string is resolved, be OK if there's no record for it */
-        USER_CREDS_CLEAN         = 1 << 2,  /* try to clean up shell and home fields with invalid data */
+        USER_CREDS_PREFER_NSS           = 1 << 0,  /* if set, only synthesize user records if database lacks them. Normally we bypass the userdb entirely for the records we can synthesize */
+        USER_CREDS_ALLOW_MISSING        = 1 << 1,  /* if a numeric UID string is resolved, be OK if there's no record for it */
+        USER_CREDS_CLEAN                = 1 << 2,  /* try to clean up shell and home fields with invalid data */
+        USER_CREDS_SUPPRESS_PLACEHOLDER = 1 << 3,  /* suppress home and/or shell fields if value is placeholder (root/empty/nologin) */
 } UserCredsFlags;
 
 int get_user_creds(const char **username, uid_t *ret_uid, gid_t *ret_gid, const char **ret_home, const char **ret_shell, UserCredsFlags flags);
@@ -125,10 +137,6 @@ int fgetsgent_sane(FILE *stream, struct sgrp **sg);
 int putsgent_sane(const struct sgrp *sg, FILE *stream);
 #endif
 
-bool is_nologin_shell(const char *shell);
-const char* default_root_shell_at(int rfd);
-const char* default_root_shell(const char *root);
-
 int is_this_me(const char *username);
 
 const char* get_home_root(void);

src/core/exec-invoke.c

@@ -855,9 +855,6 @@ static int get_fixed_user(
         assert(user_or_uid);
         assert(ret_username);
 
-        /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
-         * (i.e. are "/" or "/bin/nologin"). */
-
         r = get_user_creds(&user_or_uid, ret_uid, ret_gid, ret_home, ret_shell, USER_CREDS_CLEAN);
         if (r < 0)
                 return r;
@@ -1883,7 +1880,10 @@ static int build_environment(
                 }
         }
 
-        if (home && set_user_login_env) {
+        /* Note that we don't set $HOME or $SHELL if they are not particularly enlightening anyway
+         * (i.e. are "/" or "/bin/nologin"). */
+
+        if (home && set_user_login_env && !empty_or_root(home)) {
                 x = strjoin("HOME=", home);
                 if (!x)
                         return -ENOMEM;
@@ -1892,7 +1892,7 @@ static int build_environment(
                 our_env[n_env++] = x;
         }
 
-        if (shell && set_user_login_env) {
+        if (shell && set_user_login_env && !shell_is_placeholder(shell)) {
                 x = strjoin("SHELL=", shell);
                 if (!x)
                         return -ENOMEM;
@@ -3471,20 +3471,16 @@ static int apply_working_directory(
                 const ExecContext *context,
                 const ExecParameters *params,
                 ExecRuntime *runtime,
-                const char *home,
-                int *exit_status) {
+                const char *home) {
 
         const char *wd;
         int r;
 
         assert(context);
-        assert(exit_status);
 
         if (context->working_directory_home) {
-                if (!home) {
-                        *exit_status = EXIT_CHDIR;
+                if (!home)
                         return -ENXIO;
-                }
 
                 wd = home;
         } else
@@ -3503,13 +3499,7 @@ static int apply_working_directory(
                 if (r >= 0)
                         r = RET_NERRNO(fchdir(dfd));
         }
-
-        if (r < 0 && !context->working_directory_missing_ok) {
-                *exit_status = EXIT_CHDIR;
-                return r;
-        }
-
-        return 0;
+        return context->working_directory_missing_ok ? 0 : r;
 }
 
 static int apply_root_directory(
@@ -3785,7 +3775,7 @@ static int acquire_home(const ExecContext *c, const char **home, char **ret_buf)
         if (!c->working_directory_home)
                 return 0;
 
-        if (c->dynamic_user)
+        if (c->dynamic_user || (c->user && is_this_me(c->user) <= 0))
                 return -EADDRNOTAVAIL;
 
         r = get_home_dir(ret_buf);
@@ -4543,7 +4533,7 @@ int exec_invoke(
         r = acquire_home(context, &home, &home_buffer);
         if (r < 0) {
                 *exit_status = EXIT_CHDIR;
-                return log_exec_error_errno(context, params, r, "Failed to determine $HOME for user: %m");
+                return log_exec_error_errno(context, params, r, "Failed to determine $HOME for the invoking user: %m");
         }
 
         /* If a socket is connected to STDIN/STDOUT/STDERR, we must drop O_NONBLOCK */
@@ -5382,9 +5372,11 @@ int exec_invoke(
          * running this service might have the correct privilege to change to the working directory. Also, it
          * is absolutely 💣 crucial 💣 we applied all mount namespacing rearrangements before this, so that
          * the cwd cannot be used to pin directories outside of the sandbox. */
-        r = apply_working_directory(context, params, runtime, home, exit_status);
-        if (r < 0)
+        r = apply_working_directory(context, params, runtime, home);
+        if (r < 0) {
+                *exit_status = EXIT_CHDIR;
                 return log_exec_error_errno(context, params, r, "Changing to the requested working directory failed: %m");
+        }
 
         if (needs_sandboxing) {
                 /* Apply other MAC contexts late, but before seccomp syscall filtering, as those should really be last to

src/cryptenroll/cryptenroll-wipe.c

@@ -427,7 +427,10 @@ int wipe_slots(struct crypt_device *cd,
         for (size_t i = n_ordered_slots; i > 0; i--) {
                 r = crypt_keyslot_destroy(cd, ordered_slots[i - 1]);
                 if (r < 0) {
-                        log_warning_errno(r, "Failed to wipe slot %i, continuing: %m", ordered_slots[i - 1]);
+                        if (r == -ENOENT)
+                                log_warning_errno(r, "Failed to wipe non-existent slot %i, continuing.", ordered_slots[i - 1]);
+                        else
+                                log_warning_errno(r, "Failed to wipe slot %i, continuing: %m", ordered_slots[i - 1]);
                         if (ret == 0)
                                 ret = r;
                 } else

src/libsystemd/libsystemd.sym

@@ -1033,12 +1033,14 @@ global:
         sd_varlink_server_listen_fd;
         sd_varlink_server_loop_auto;
         sd_varlink_server_new;
+        sd_varlink_server_ref;
         sd_varlink_server_set_connections_max;
         sd_varlink_server_set_connections_per_uid_max;
         sd_varlink_server_set_description;
         sd_varlink_server_set_exit_on_idle;
         sd_varlink_server_set_userdata;
         sd_varlink_server_shutdown;
+        sd_varlink_server_unref;
         sd_varlink_set_allow_fd_passing_input;
         sd_varlink_set_allow_fd_passing_output;
         sd_varlink_set_description;

src/libsystemd/sd-varlink/sd-varlink.c

@@ -3265,7 +3265,7 @@ static sd_varlink_server* varlink_server_destroy(sd_varlink_server *s) {
         return mfree(s);
 }
 
-DEFINE_TRIVIAL_REF_UNREF_FUNC(sd_varlink_server, sd_varlink_server, varlink_server_destroy);
+DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(sd_varlink_server, sd_varlink_server, varlink_server_destroy);
 
 static int validate_connection(sd_varlink_server *server, const struct ucred *ucred) {
         int allowed = -1;

src/run/run.c

@@ -2297,7 +2297,8 @@ static int start_transient_scope(sd_bus *bus) {
                 uid_t uid;
                 gid_t gid;
 
-                r = get_user_creds(&arg_exec_user, &uid, &gid, &home, &shell, USER_CREDS_CLEAN|USER_CREDS_PREFER_NSS);
+                r = get_user_creds(&arg_exec_user, &uid, &gid, &home, &shell,
+                                   USER_CREDS_CLEAN|USER_CREDS_SUPPRESS_PLACEHOLDER|USER_CREDS_PREFER_NSS);
                 if (r < 0)
                         return log_error_errno(r, "Failed to resolve user %s: %m", arg_exec_user);
 

src/shared/user-record-show.c

@@ -28,21 +28,28 @@ const char* user_record_state_color(const char *state) {
         return NULL;
 }
 
-static void dump_self_modifiable(const char *heading, char **field, const char **value) {
+static void dump_self_modifiable(
+                const char *heading,
+                char **field,
+                const char **value) {
+
         assert(heading);
 
         /* Helper function for printing the various self_modifiable_* fields from the user record */
 
-        if (strv_isempty((char**) value))
-                /* Case 1: the array is explicitly set to be empty by the administrator */
-                printf("%13s %sDisabled by Administrator%s\n", heading, ansi_highlight_red(), ansi_normal());
+        if (!value)
+                /* Case 1: no value is set and no default either */
+                printf("%13s %snone%s\n", heading, ansi_highlight(), ansi_normal());
+        else if (strv_isempty((char**) value))
+                /* Case 2: the array is explicitly set to empty by the administrator */
+                printf("%13s %sdisabled by administrator%s\n", heading, ansi_highlight_red(), ansi_normal());
         else if (!field)
-                /* Case 2: we have values, but the field is NULL. This means that we're using the defaults.
+                /* Case 3: we have values, but the field is NULL. This means that we're using the defaults.
                  * We list them anyways, because they're security-sensitive to the administrator */
                 STRV_FOREACH(i, value)
                         printf("%13s %s%s%s\n", i == value ? heading : "", ansi_grey(), *i, ansi_normal());
         else
-                /* Case 3: we have a list provided by the administrator */
+                /* Case 4: we have a list provided by the administrator */
                 STRV_FOREACH(i, value)
                         printf("%13s %s\n", i == value ? heading : "", *i);
 }

src/shared/user-record.c

@@ -2165,8 +2165,15 @@ const char** user_record_self_modifiable_fields(UserRecord *h) {
 
         assert(h);
 
+        /* Note: if the self_modifiable_fields field in UserRecord is NULL we'll apply a default, if we have
+         * one. If it is a non-NULL empty strv, we'll report it as explicit empty list. When the field is
+         * NULL and we have no default list we'll return NULL. */
+
         /* Note that we intentionally distinguish between NULL and an empty array here */
-        return (const char**) h->self_modifiable_fields ?: (const char**) default_fields;
+        if (h->self_modifiable_fields)
+                return (const char**) h->self_modifiable_fields;
+
+        return user_record_disposition(h) == USER_REGULAR ? (const char**) default_fields : NULL;
 }
 
 const char** user_record_self_modifiable_blobs(UserRecord *h) {
@@ -2180,7 +2187,10 @@ const char** user_record_self_modifiable_blobs(UserRecord *h) {
         assert(h);
 
         /* Note that we intentionally distinguish between NULL and an empty array here */
-        return (const char**) h->self_modifiable_blobs ?: (const char**) default_blobs;
+        if (h->self_modifiable_blobs)
+                return (const char**) h->self_modifiable_blobs;
+
+        return user_record_disposition(h) == USER_REGULAR ? (const char**) default_blobs : NULL;
 }
 
 const char** user_record_self_modifiable_privileged(UserRecord *h) {
@@ -2201,7 +2211,10 @@ const char** user_record_self_modifiable_privileged(UserRecord *h) {
         assert(h);
 
         /* Note that we intentionally distinguish between NULL and an empty array here */
-        return (const char**) h->self_modifiable_privileged ?: (const char**) default_fields;
+        if (h->self_modifiable_privileged)
+                return (const char**) h->self_modifiable_privileged;
+
+        return user_record_disposition(h) == USER_REGULAR ? (const char**) default_fields : NULL;
 }
 
 static int remove_self_modifiable_json_fields_common(UserRecord *current, sd_json_variant **target) {

src/ssh-generator/ssh-generator.c

@@ -245,8 +245,8 @@ static int add_vsock_socket(
         if (r < 0)
                 return r;
 
-        log_info("Binding SSH to AF_VSOCK vsock::22.\n"
-                 "→ connect via 'ssh vsock/%u' from host", local_cid);
+        log_debug("Binding SSH to AF_VSOCK vsock::22.\n"
+                  "→ connect via 'ssh vsock/%u' from host", local_cid);
         return 0;
 }
 
@@ -280,8 +280,8 @@ static int add_local_unix_socket(
         if (r < 0)
                 return r;
 
-        log_info("Binding SSH to AF_UNIX socket /run/ssh-unix-local/socket.\n"
-                 "→ connect via 'ssh .host' locally");
+        log_debug("Binding SSH to AF_UNIX socket /run/ssh-unix-local/socket.\n"
+                  "→ connect via 'ssh .host' locally");
         return 0;
 }
 
@@ -336,8 +336,8 @@ static int add_export_unix_socket(
         if (r < 0)
                 return r;
 
-        log_info("Binding SSH to AF_UNIX socket /run/host/unix-export/ssh\n"
-                 "→ connect via 'ssh unix/run/systemd/nspawn/unix-export/\?\?\?/ssh' from host");
+        log_debug("Binding SSH to AF_UNIX socket /run/host/unix-export/ssh\n"
+                  "→ connect via 'ssh unix/run/systemd/nspawn/unix-export/\?\?\?/ssh' from host");
 
         return 0;
 }
@@ -387,7 +387,7 @@ static int add_extra_sockets(
                 if (r < 0)
                         return r;
 
-                log_info("Binding SSH to socket %s.", *i);
+                log_debug("Binding SSH to socket %s.", *i);
                 n++;
         }
 
@@ -462,7 +462,7 @@ static int run(const char *dest, const char *dest_early, const char *dest_late)
         _cleanup_free_ char *sshd_binary = NULL;
         r = find_executable("sshd", &sshd_binary);
         if (r == -ENOENT) {
-                log_info("Disabling SSH generator logic, since sshd is not installed.");
+                log_debug("Disabling SSH generator logic, since sshd is not installed.");
                 return 0;
         }
         if (r < 0)

src/systemctl/systemctl-show.c

@@ -724,7 +724,7 @@ static void print_status_info(
                 printf("      Tasks: %" PRIu64, i->tasks_current);
 
                 if (i->tasks_max != UINT64_MAX)
-                        printf(" (limit: %" PRIu64 ")\n", i->tasks_max);
+                        printf("%s (limit: %" PRIu64 ")%s\n", ansi_grey(), i->tasks_max, ansi_normal());
                 else
                         printf("\n");
         }

src/test/generate-sym-test.py

@@ -99,15 +99,15 @@ int main(void) {
         printf("Found %zu symbols from source files.\\n", j);
 
         for (i = 0; symbols_from_sym[i].name; i++) {
-                struct symbol*n = bsearch(symbols_from_sym+i, symbols_from_source, sizeof(symbols_from_source)/sizeof(symbols_from_source[0])-1, sizeof(symbols_from_source[0]), sort_callback);
+                struct symbol *n = bsearch(symbols_from_sym+i, symbols_from_source, sizeof(symbols_from_source)/sizeof(symbols_from_source[0])-1, sizeof(symbols_from_source[0]), sort_callback);
                 if (!n)
                         printf("Found in symbol file, but not in sources: %s\\n", symbols_from_sym[i].name);
         }
 
         for (j = 0; symbols_from_source[j].name; j++) {
-                struct symbol*n = bsearch(symbols_from_source+j, symbols_from_source, sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0])-1, sizeof(symbols_from_sym[0]), sort_callback);
+                struct symbol *n = bsearch(symbols_from_source+j, symbols_from_sym, sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0])-1, sizeof(symbols_from_sym[0]), sort_callback);
                 if (!n)
-                        printf("Found in sources, but not in symbol file: %s\\n", symbols_from_source[i].name);
+                        printf("Found in sources, but not in symbol file: %s\\n", symbols_from_source[j].name);
         }
 
         return i == j ? EXIT_SUCCESS : EXIT_FAILURE;

src/test/test-user-record.c

@@ -9,7 +9,7 @@
         ({                                      \
                 typeof(ret) _r = (ret);         \
                 user_record_unref(*_r);         \
-                assert_se(user_record_build((ret), SD_JSON_BUILD_OBJECT(__VA_ARGS__)) >= 0); \
+                assert_se(user_record_build((ret), SD_JSON_BUILD_OBJECT(SD_JSON_BUILD_PAIR_STRING("disposition", "regular"), __VA_ARGS__)) >= 0); \
                 0;                              \
         })
 

src/vmspawn/vmspawn.c

@@ -2182,6 +2182,10 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
 
         (void) sd_event_add_signal(event, NULL, (SIGRTMIN+18) | SD_EVENT_SIGNAL_PROCMASK, sigrtmin18_handler, NULL);
 
+        r = sd_event_add_memory_pressure(event, NULL, NULL, NULL);
+        if (r < 0)
+                log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
+
         /* Exit when the child exits */
         (void) event_add_child_pidref(event, NULL, &child_pidref, WEXITED, on_child_exit, NULL);
 

test/units/TEST-07-PID1.working-directory.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+(! systemd-run --wait -p DynamicUser=yes \
+                      -p EnvironmentFile=-/usr/lib/systemd/systemd-asan-env \
+                      -p WorkingDirectory='~' true)
+
+assert_eq "$(systemd-run --pipe --uid=root -p WorkingDirectory='~' pwd)" "/root"
+assert_eq "$(systemd-run --pipe --uid=nobody -p WorkingDirectory='~' pwd)" "/"
+assert_eq "$(systemd-run --pipe --uid=testuser -p WorkingDirectory='~' pwd)" "/home/testuser"
+
+(! systemd-run --wait -p DynamicUser=yes -p User=testuser \
+                      -p EnvironmentFile=-/usr/lib/systemd/systemd-asan-env \
+                      -p WorkingDirectory='~' true)

units/systemd-confext.service

@@ -16,6 +16,7 @@ ConditionDirectoryNotEmpty=|/run/confexts
 ConditionDirectoryNotEmpty=|/var/lib/confexts
 ConditionDirectoryNotEmpty=|/usr/local/lib/confexts
 ConditionDirectoryNotEmpty=|/usr/lib/confexts
+ConditionDirectoryNotEmpty=|/.extra/confext
 
 DefaultDependencies=no
 After=local-fs.target