Merge 18c36b1e24 into c946b13575

The file README.logs is installed only if SysVInit support is enabled.
Thus the link should depend on it as well.

hwdb.d/60-sensor.hwdb

@@ -953,6 +953,15 @@ sensor:modalias:acpi:MXC6655*:dmi:*:svnDefaultstring*:pnP612F:*
 sensor:modalias:acpi:SMO8500*:dmi:*:svnPEAQ:pnPEAQPMMC1010MD99187:*
  ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1
 
+#########################################
+# Pine64
+#########################################
+
+# PineTab2
+
+sensor:modalias:of:NaccelerometerT_null_Csilan,sc7a20:*
+ ACCEL_MOUNT_MATRIX=0, 0, -1; 1, 0, 0; 0, -1, 0
+
 #########################################
 # Pipo
 #########################################

src/basic/cgroup-util.c

@@ -28,6 +28,7 @@
 #include "mkdir.h"
 #include "parse-util.h"
 #include "path-util.h"
+#include "pidfd-util.h"
 #include "process-util.h"
 #include "set.h"
 #include "special.h"
@@ -72,6 +73,28 @@ int cg_cgroupid_open(int cgroupfs_fd, uint64_t id) {
         return fd;
 }
 
+int cg_path_from_cgroupid(int cgroupfs_fd, uint64_t id, char **ret) {
+        _cleanup_close_ int cgfd = -EBADF;
+        int r;
+
+        cgfd = cg_cgroupid_open(cgroupfs_fd, id);
+        if (cgfd < 0)
+                return cgfd;
+
+        _cleanup_free_ char *path = NULL;
+
+        r = fd_get_path(cgfd, &path);
+        if (r < 0)
+                return r;
+
+        if (isempty(path_startswith(path, "/sys/fs/cgroup/")))
+                return -EINVAL;
+
+        if (ret)
+                *ret = TAKE_PTR(path);
+        return 0;
+}
+
 static int cg_enumerate_items(const char *controller, const char *path, FILE **ret, const char *item) {
         _cleanup_free_ char *fs = NULL;
         FILE *f;
@@ -826,6 +849,16 @@ int cg_pidref_get_path(const char *controller, const PidRef *pidref, char **ret_
         if (!pidref_is_set(pidref))
                 return -ESRCH;
 
+        if (pidref->fd >= 0) {
+                uint64_t cgroup_id;
+
+                r = pidfd_get_cgroupid(pidref->fd, &cgroup_id);
+                if (r >= 0)
+                        return cg_path_from_cgroupid(/* cgroupfs_fd = */ -EBADF, cgroup_id, ret_path);
+                if (!ERRNO_IS_NEG_NOT_SUPPORTED(r))
+                        return r;
+        }
+
         r = cg_pid_get_path(controller, pidref->pid, &path);
         if (r < 0)
                 return r;

src/basic/cgroup-util.h

@@ -183,6 +183,8 @@ typedef enum CGroupUnified {
 int cg_path_open(const char *controller, const char *path);
 int cg_cgroupid_open(int fsfd, uint64_t id);
 
+int cg_path_from_cgroupid(int cgroupfs_fd, uint64_t id, char **ret);
+
 typedef enum CGroupFlags {
         CGROUP_SIGCONT            = 1 << 0,
         CGROUP_IGNORE_SELF        = 1 << 1,

src/basic/meson.build

@@ -72,6 +72,7 @@ basic_sources = files(
         'parse-util.c',
         'path-util.c',
         'percent-util.c',
+        'pidfd-util.c',
         'pidref.c',
         'prioq.c',
         'proc-cmdline.c',

src/basic/missing_pidfd.h

@@ -0,0 +1,43 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include <linux/types.h>
+
+#define PIDFS_IOCTL_MAGIC 0xFF
+
+#ifndef PIDFD_GET_CGROUP_NAMESPACE
+#  define PIDFD_GET_CGROUP_NAMESPACE              _IO(PIDFS_IOCTL_MAGIC, 1)
+#  define PIDFD_GET_IPC_NAMESPACE                 _IO(PIDFS_IOCTL_MAGIC, 2)
+#  define PIDFD_GET_MNT_NAMESPACE                 _IO(PIDFS_IOCTL_MAGIC, 3)
+#  define PIDFD_GET_NET_NAMESPACE                 _IO(PIDFS_IOCTL_MAGIC, 4)
+#  define PIDFD_GET_PID_NAMESPACE                 _IO(PIDFS_IOCTL_MAGIC, 5)
+#  define PIDFD_GET_PID_FOR_CHILDREN_NAMESPACE    _IO(PIDFS_IOCTL_MAGIC, 6)
+#  define PIDFD_GET_TIME_NAMESPACE                _IO(PIDFS_IOCTL_MAGIC, 7)
+#  define PIDFD_GET_TIME_FOR_CHILDREN_NAMESPACE   _IO(PIDFS_IOCTL_MAGIC, 8)
+#  define PIDFD_GET_USER_NAMESPACE                _IO(PIDFS_IOCTL_MAGIC, 9)
+#  define PIDFD_GET_UTS_NAMESPACE                 _IO(PIDFS_IOCTL_MAGIC, 10)
+#endif
+
+#ifndef PIDFD_GET_INFO
+struct pidfd_info {
+        __u64 mask;
+        __u64 cgroupid;
+        __u32 pid;
+        __u32 tgid;
+        __u32 ppid;
+        __u32 ruid;
+        __u32 rgid;
+        __u32 euid;
+        __u32 egid;
+        __u32 suid;
+        __u32 sgid;
+        __u32 fsuid;
+        __u32 fsgid;
+        __u32 spare0[1];
+};
+
+#define PIDFD_GET_INFO          _IOWR(PIDFS_IOCTL_MAGIC, 11, struct pidfd_info)
+#define PIDFD_INFO_PID          (1UL << 0)
+#define PIDFD_INFO_CREDS        (1UL << 1)
+#define PIDFD_INFO_CGROUPID     (1UL << 2)
+#endif

src/basic/pidfd-util.c

@@ -0,0 +1,161 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <sys/ioctl.h>
+#include <unistd.h>
+
+#include "errno-util.h"
+#include "fd-util.h"
+#include "fileio.h"
+#include "macro.h"
+#include "memory-util.h"
+#include "missing_magic.h"
+#include "missing_pidfd.h"
+#include "parse-util.h"
+#include "path-util.h"
+#include "pidfd-util.h"
+#include "stat-util.h"
+#include "string-util.h"
+
+static bool pidfd_get_info_supported = true;
+
+static bool ERRNO_IS_NEG_PIDFD_IOCTL_NOT_SUPPORTED(intmax_t r) {
+        return IN_SET(r, -ENOTTY, -EINVAL);
+}
+_DEFINE_ABS_WRAPPER(PIDFD_IOCTL_NOT_SUPPORTED);
+
+static int pidfd_get_pid_fdinfo(int fd, pid_t *ret) {
+        char path[STRLEN("/proc/self/fdinfo/") + DECIMAL_STR_MAX(int)];
+        _cleanup_free_ char *fdinfo = NULL;
+        int r;
+
+        assert(fd >= 0);
+
+        xsprintf(path, "/proc/self/fdinfo/%i", fd);
+
+        r = read_full_virtual_file(path, &fdinfo, NULL);
+        if (r == -ENOENT)
+                return proc_fd_enoent_errno();
+        if (r < 0)
+                return r;
+
+        char *p = find_line_startswith(fdinfo, "Pid:");
+        if (!p)
+                return -ENOTTY; /* not a pidfd? */
+
+        p = skip_leading_chars(p, /* bad = */ NULL);
+        p[strcspn(p, WHITESPACE)] = 0;
+
+        if (streq(p, "0"))
+                return -EREMOTE; /* PID is in foreign PID namespace? */
+        if (streq(p, "-1"))
+                return -ESRCH;   /* refers to reaped process? */
+
+        return parse_pid(p, ret);
+}
+
+static int pidfd_get_pid_ioctl(int fd, pid_t *ret) {
+        struct pidfd_info info = { .mask = PIDFD_INFO_PID };
+
+        assert(fd >= 0);
+
+        if (ioctl(fd, PIDFD_GET_INFO, &info) < 0)
+                return -errno;
+
+        assert(FLAGS_SET(info.mask, PIDFD_INFO_PID));
+
+        if (ret)
+                *ret = info.pid;
+        return 0;
+}
+
+int pidfd_get_pid(int fd, pid_t *ret) {
+        int r;
+
+        /* Converts a pidfd into a pid. We try ioctl(PIDFD_GET_INFO) (kernel 6.13+) first,
+         * /proc/self/fdinfo/ as fallback. Well known errors:
+         *
+         *    -EBADF   → fd invalid
+         *    -ESRCH   → fd valid, but process is already reaped
+         *
+         * pidfd_get_pid_fdinfo() might additionally fail for other reasons:
+         *
+         *    -ENOSYS  → /proc/ not mounted
+         *    -ENOTTY  → fd valid, but not a pidfd
+         *    -EREMOTE → fd valid, but pid is in another namespace we cannot translate to the local one
+         */
+
+        assert(fd >= 0);
+
+        if (pidfd_get_info_supported) {
+                r = pidfd_get_pid_ioctl(fd, ret);
+                if (!ERRNO_IS_NEG_PIDFD_IOCTL_NOT_SUPPORTED(r))
+                        return r;
+
+                pidfd_get_info_supported = false;
+        }
+
+        return pidfd_get_pid_fdinfo(fd, ret);
+}
+
+int pidfd_verify_pid(int pidfd, pid_t pid) {
+        pid_t current_pid;
+        int r;
+
+        assert(pidfd >= 0);
+        assert(pid > 0);
+
+        r = pidfd_get_pid(pidfd, &current_pid);
+        if (r < 0)
+                return r;
+
+        return current_pid != pid ? -ESRCH : 0;
+}
+
+int pidfd_get_cgroupid(int fd, uint64_t *ret) {
+        struct pidfd_info info = { .mask = PIDFD_INFO_CGROUP };
+
+        assert(fd >= 0);
+
+        if (!pidfd_get_info_supported)
+                return -EOPNOTSUPP;
+
+        if (ioctl(fd, PIDFD_GET_INFO, &info) < 0) {
+                if (ERRNO_IS_PIDFD_IOCTL_NOT_SUPPORTED(errno)) {
+                        pidfd_get_info_supported = false;
+                        return -EOPNOTSUPP;
+                }
+
+                return -errno;
+        }
+
+        if (!FLAGS_SET(info.mask, PIDFD_INFO_CGROUP))
+                return -ENODATA;
+
+        if (ret)
+                *ret = info.cgroupid;
+        return 0;
+}
+
+int pidfd_get_inode_id(int fd, uint64_t *ret) {
+        static int cached_supported = -1;
+        int r;
+
+        assert(fd >= 0);
+
+        if (cached_supported < 0) {
+                cached_supported = fd_is_fs_type(fd, PID_FS_MAGIC);
+                if (cached_supported < 0)
+                        return cached_supported;
+        }
+        if (cached_supported == 0)
+                return -EOPNOTSUPP;
+
+        struct stat st;
+
+        if (fstat(fd, &st) < 0)
+                return -errno;
+
+        if (ret)
+                *ret = (uint64_t) st.st_ino;
+        return 0;
+}

src/basic/pidfd-util.h

@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include <stdint.h>
+#if HAVE_PIDFD_OPEN
+#include <sys/pidfd.h>
+#endif
+#include <sys/types.h>
+
+int pidfd_get_pid(int fd, pid_t *ret);
+int pidfd_verify_pid(int pidfd, pid_t pid);
+
+int pidfd_get_cgroupid(int fd, uint64_t *ret);
+
+int pidfd_get_inode_id(int fd, uint64_t *ret);

src/basic/pidref.c

@@ -1,36 +1,14 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
-#if HAVE_PIDFD_OPEN
-#include <sys/pidfd.h>
-#endif
-
 #include "errno-util.h"
 #include "fd-util.h"
-#include "missing_magic.h"
 #include "missing_syscall.h"
 #include "missing_wait.h"
 #include "parse-util.h"
+#include "pidfd-util.h"
 #include "pidref.h"
 #include "process-util.h"
 #include "signal-util.h"
-#include "stat-util.h"
-
-static int pidfd_inode_ids_supported(void) {
-        static int cached = -1;
-
-        if (cached >= 0)
-                return cached;
-
-        _cleanup_close_ int fd = pidfd_open(getpid_cached(), 0);
-        if (fd < 0) {
-                if (ERRNO_IS_NOT_SUPPORTED(errno))
-                        return (cached = false);
-
-                return -errno;
-        }
-
-        return (cached = fd_is_fs_type(fd, PID_FS_MAGIC));
-}
 
 int pidref_acquire_pidfd_id(PidRef *pidref) {
         int r;
@@ -49,19 +27,14 @@ int pidref_acquire_pidfd_id(PidRef *pidref) {
         if (pidref->fd_id > 0)
                 return 0;
 
-        r = pidfd_inode_ids_supported();
+        r = pidfd_get_inode_id(pidref->fd, &pidref->fd_id);
-        if (r < 0)
+        if (r < 0) {
-                return r;
+                if (!ERRNO_IS_NEG_NOT_SUPPORTED(r))
-        if (r == 0)
+                        log_debug_errno(r, "Failed to get inode number of pidfd for pid " PID_FMT ": %m",
-                return -EOPNOTSUPP;
-
-        struct stat st;
-
-        if (fstat(pidref->fd, &st) < 0)
-                return log_debug_errno(errno, "Failed to get inode number of pidfd for pid " PID_FMT ": %m",
                                         pidref->pid);
+                return r;
+        }
 
-        pidref->fd_id = (uint64_t) st.st_ino;
         return 0;
 }
 

src/basic/process-util.c

@@ -1874,59 +1874,6 @@ int get_oom_score_adjust(int *ret) {
         return 0;
 }
 
-int pidfd_get_pid(int fd, pid_t *ret) {
-        char path[STRLEN("/proc/self/fdinfo/") + DECIMAL_STR_MAX(int)];
-        _cleanup_free_ char *fdinfo = NULL;
-        int r;
-
-        /* Converts a pidfd into a pid. Well known errors:
-         *
-         *    -EBADF   → fd invalid
-         *    -ENOSYS  → /proc/ not mounted
-         *    -ENOTTY  → fd valid, but not a pidfd
-         *    -EREMOTE → fd valid, but pid is in another namespace we cannot translate to the local one
-         *    -ESRCH   → fd valid, but process is already reaped
-         */
-
-        assert(fd >= 0);
-
-        xsprintf(path, "/proc/self/fdinfo/%i", fd);
-
-        r = read_full_virtual_file(path, &fdinfo, NULL);
-        if (r == -ENOENT)
-                return proc_fd_enoent_errno();
-        if (r < 0)
-                return r;
-
-        char *p = find_line_startswith(fdinfo, "Pid:");
-        if (!p)
-                return -ENOTTY; /* not a pidfd? */
-
-        p = skip_leading_chars(p, /* bad = */ NULL);
-        p[strcspn(p, WHITESPACE)] = 0;
-
-        if (streq(p, "0"))
-                return -EREMOTE; /* PID is in foreign PID namespace? */
-        if (streq(p, "-1"))
-                return -ESRCH;   /* refers to reaped process? */
-
-        return parse_pid(p, ret);
-}
-
-int pidfd_verify_pid(int pidfd, pid_t pid) {
-        pid_t current_pid;
-        int r;
-
-        assert(pidfd >= 0);
-        assert(pid > 0);
-
-        r = pidfd_get_pid(pidfd, &current_pid);
-        if (r < 0)
-                return r;
-
-        return current_pid != pid ? -ESRCH : 0;
-}
-
 static int rlimit_to_nice(rlim_t limit) {
         if (limit <= 1)
                 return PRIO_MAX-1; /* i.e. 19 */

src/basic/process-util.h

@@ -251,9 +251,6 @@ assert_cc(TASKS_MAX <= (unsigned long) PID_T_MAX);
 /* Like TAKE_PTR() but for pid_t, resetting them to 0 */
 #define TAKE_PID(pid) TAKE_GENERIC(pid, pid_t, 0)
 
-int pidfd_get_pid(int fd, pid_t *ret);
-int pidfd_verify_pid(int pidfd, pid_t pid);
-
 int setpriority_closest(int priority);
 
 _noreturn_ void freeze(void);

src/libsystemd/sd-event/sd-event.c

@@ -1,9 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include <sys/epoll.h>
-#if HAVE_PIDFD_OPEN
-#include <sys/pidfd.h>
-#endif
 #include <sys/timerfd.h>
 #include <sys/wait.h>
 
@@ -31,6 +28,7 @@
 #include "origin-id.h"
 #include "path-util.h"
 #include "prioq.h"
+#include "pidfd-util.h"
 #include "process-util.h"
 #include "psi-util.h"
 #include "set.h"

src/libsystemd/sd-login/sd-login.c

@@ -22,6 +22,7 @@
 #include "macro.h"
 #include "parse-util.h"
 #include "path-util.h"
+#include "pidfd-util.h"
 #include "process-util.h"
 #include "socket-util.h"
 #include "stdio-util.h"

src/libsystemd/sd-varlink/varlink-util.c

@@ -16,7 +16,7 @@ int varlink_get_peer_pidref(sd_varlink *v, PidRef *ret) {
 
         int pidfd = sd_varlink_get_peer_pidfd(v);
         if (pidfd < 0) {
-                if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd))
+                if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd) && pidfd != -EINVAL)
                         return pidfd;
 
                 pid_t pid;

src/nsresourced/userns-registry.c

@@ -525,49 +525,20 @@ int userns_info_add_cgroup(UserNamespaceInfo *userns, uint64_t cgroup_id) {
 }
 
 static int userns_destroy_cgroup(uint64_t cgroup_id) {
-        _cleanup_close_ int cgroup_fd = -EBADF, parent_fd = -EBADF;
+        _cleanup_free_ char *path = NULL;
         int r;
 
-        cgroup_fd = cg_cgroupid_open(/* cgroupfsfd= */ -EBADF, cgroup_id);
+        r = cg_path_from_cgroupid(/* cgroupfs_fd = */ -EBADF, cgroup_id, &path);
-        if (cgroup_fd == -ESTALE) {
+        if (r == -ESTALE) {
-                log_debug_errno(cgroup_fd, "Control group %" PRIu64 " already gone, ignoring: %m", cgroup_id);
+                log_debug_errno(r, "Control group %" PRIu64 " already gone, ignoring.", cgroup_id);
                 return 0;
         }
-        if (cgroup_fd < 0)
-                return log_debug_errno(errno, "Failed to open cgroup %" PRIu64 ", ignoring: %m", cgroup_id);
-
-        _cleanup_free_ char *path = NULL;
-        r = fd_get_path(cgroup_fd, &path);
         if (r < 0)
                 return log_debug_errno(r, "Failed to get path of cgroup %" PRIu64 ", ignoring: %m", cgroup_id);
 
-        const char *e = path_startswith(path, "/sys/fs/cgroup/");
+        log_debug("Destroying cgroup %" PRIu64 " (%s)", cgroup_id, path);
-        if (!e)
-                return log_debug_errno(SYNTHETIC_ERRNO(EPERM), "Got cgroup path that doesn't start with /sys/fs/cgroup/, refusing: %s", path);
-        if (isempty(e))
-                return log_debug_errno(SYNTHETIC_ERRNO(EPERM), "Got root cgroup path, which can't be right, refusing.");
 
-        log_debug("Path of cgroup %" PRIu64 " is: %s", cgroup_id, path);
+        r = rm_rf(path, REMOVE_ROOT|REMOVE_ONLY_DIRECTORIES|REMOVE_CHMOD);
-
-        _cleanup_free_ char *fname = NULL;
-        r = path_extract_filename(path, &fname);
-        if (r < 0)
-                return log_debug_errno(r, "Failed to extract name of cgroup %" PRIu64 ", ignoring: %m", cgroup_id);
-
-        parent_fd = openat(cgroup_fd, "..", O_CLOEXEC|O_DIRECTORY);
-        if (parent_fd < 0)
-                return log_debug_errno(errno, "Failed to open parent cgroup of %" PRIu64 ", ignoring: %m", cgroup_id);
-
-        /* Safety check, never leave cgroupfs */
-        r = fd_is_fs_type(parent_fd, CGROUP2_SUPER_MAGIC);
-        if (r < 0)
-                return log_debug_errno(r, "Failed to determine if parent directory of cgroup %" PRIu64 " is still a cgroup, ignoring: %m", cgroup_id);
-        if (!r)
-                return log_debug_errno(SYNTHETIC_ERRNO(EPERM), "Parent directory of cgroup %" PRIu64 " is not a cgroup, refusing.", cgroup_id);
-
-        cgroup_fd = safe_close(cgroup_fd);
-
-        r = rm_rf_child(parent_fd, fname, REMOVE_ONLY_DIRECTORIES|REMOVE_PHYSICAL|REMOVE_CHMOD);
         if (r < 0)
                 log_debug_errno(r, "Failed to remove delegated cgroup %" PRIu64 ", ignoring: %m", cgroup_id);
 

src/shared/tpm2-util.h

@@ -392,7 +392,7 @@ int tpm2_make_pcr_json_array(uint32_t pcr_mask, sd_json_variant **ret);
 int tpm2_parse_pcr_json_array(sd_json_variant *v, uint32_t *ret);
 
 int tpm2_make_luks2_json(int keyslot, uint32_t hash_pcr_mask, uint16_t pcr_bank, const struct iovec *pubkey, uint32_t pubkey_pcr_mask, uint16_t primary_alg, const struct iovec blobs[], size_t n_blobs, const struct iovec policy_hash[], size_t n_policy_hash, const struct iovec *salt, const struct iovec *srk, const struct iovec *pcrlock_nv, TPM2Flags flags, sd_json_variant **ret);
-int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *pcrlock_nv, TPM2Flags *ret_flags);
+int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *ret_pcrlock_nv, TPM2Flags *ret_flags);
 
 /* Default to PCR 7 only */
 #define TPM2_PCR_INDEX_DEFAULT UINT32_C(7)

src/userdb/userdbctl.c

@@ -23,6 +23,7 @@
 #include "user-util.h"
 #include "userdb.h"
 #include "verbs.h"
+#include "virt.h"
 
 static enum {
         OUTPUT_CLASSIC,
@@ -139,10 +140,16 @@ static int show_user(UserRecord *ur, Table *table) {
         return 0;
 }
 
+static bool test_show_mapped(void) {
+        /* Show mapped user range only in environments where user mapping is a thing. */
+        return running_in_userns() > 0;
+}
+
 static const struct {
         uid_t first, last;
         const char *name;
         UserDisposition disposition;
+        bool (*test)(void);
 } uid_range_table[] = {
         {
                 .first = 1,
@@ -175,11 +182,12 @@ static const struct {
                 .last = MAP_UID_MAX,
                 .name = "mapped",
                 .disposition = USER_REGULAR,
+                .test = test_show_mapped,
         },
 };
 
 static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
-        int r;
+        int r, n_added = 0;
 
         assert(table);
 
@@ -192,6 +200,9 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
                 if (!uid_range_covers(p, i->first, i->last - i->first + 1))
                         continue;
 
+                if (i->test && !i->test())
+                        continue;
+
                 name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
                                " begin ", i->name, " users ",
                                special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@@ -249,9 +260,11 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
                                 TABLE_INT, 1); /* sort after any other entry with the same UID */
                 if (r < 0)
                         return table_log_add_error(r);
+
+                n_added += 2;
         }
 
-        return ELEMENTSOF(uid_range_table) * 2;
+        return n_added;
 }
 
 static int add_unavailable_uid(Table *table, uid_t start, uid_t end) {
@@ -565,16 +578,22 @@ static int show_group(GroupRecord *gr, Table *table) {
 }
 
 static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
-        int r;
+        int r, n_added = 0;
 
         assert(table);
 
         FOREACH_ELEMENT(i, uid_range_table) {
                 _cleanup_free_ char *name = NULL, *comment = NULL;
 
+                if (!FLAGS_SET(arg_disposition_mask, UINT64_C(1) << i->disposition))
+                        continue;
+
                 if (!uid_range_covers(p, i->first, i->last - i->first + 1))
                         continue;
 
+                if (i->test && !i->test())
+                        continue;
+
                 name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
                                " begin ", i->name, " groups ",
                                special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@@ -626,9 +645,11 @@ static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
                                 TABLE_INT, 1); /* sort after any other entry with the same GID */
                 if (r < 0)
                         return table_log_add_error(r);
+
+                n_added += 2;
         }
 
-        return ELEMENTSOF(uid_range_table) * 2;
+        return n_added;
 }
 
 static int add_unavailable_gid(Table *table, uid_t start, uid_t end) {

tmpfiles.d/legacy.conf.in

@@ -13,11 +13,12 @@
 
 d /run/lock 0755 root root -
 L /var/lock - - - - ../run/lock
+
+{% if HAVE_SYSV_COMPAT %}
 {% if CREATE_LOG_DIRS %}
 L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs
 {% endif %}
 
-{% if HAVE_SYSV_COMPAT %}
 # /run/lock/subsys is used for serializing SysV service execution, and
 # hence without use on SysV-less systems.
 d /run/lock/subsys 0755 root root -