home: Prompt for auxiliary groups in homectl firstboot

This mirrors the behavior of `systemd-firstboot` and allows bootup
messages to settle down before user input is actually processed.

See: https://github.com/systemd/systemd/issues/34448

src/basic/terminal-util.c

@@ -29,6 +29,7 @@
 #include "fd-util.h"
 #include "fileio.h"
 #include "fs-util.h"
+#include "glyph-util.h"
 #include "hexdecoct.h"
 #include "inotify-util.h"
 #include "io-util.h"
@@ -255,6 +256,71 @@ int ask_string(char **ret, const char *text, ...) {
         return 0;
 }
 
+bool any_key_to_proceed(void) {
+        char key = 0;
+        bool need_nl = true;
+
+        /*
+         * Insert a new line here as well as to when the user inputs, as this is also used during the
+         * boot up sequence when status messages may be interleaved with the current program output.
+         * This ensures that the status messages aren't appended on the same line as this message.
+         */
+        puts("-- Press any key to proceed --");
+
+        (void) read_one_char(stdin, &key, USEC_INFINITY, &need_nl);
+
+        if (need_nl)
+                putchar('\n');
+
+        return key != 'q';
+}
+
+int show_menu(char **x, unsigned n_columns, unsigned width, unsigned percentage) {
+        unsigned break_lines, break_modulo;
+        size_t n, per_column, i, j;
+
+        assert(n_columns > 0);
+
+        n = strv_length(x);
+        per_column = DIV_ROUND_UP(n, n_columns);
+
+        break_lines = lines();
+        if (break_lines > 2)
+                break_lines--;
+
+        /* The first page gets two extra lines, since we want to show
+         * a title */
+        break_modulo = break_lines;
+        if (break_modulo > 3)
+                break_modulo -= 3;
+
+        for (i = 0; i < per_column; i++) {
+
+                for (j = 0; j < n_columns; j++) {
+                        _cleanup_free_ char *e = NULL;
+
+                        if (j * per_column + i >= n)
+                                break;
+
+                        e = ellipsize(x[j * per_column + i], width, percentage);
+                        if (!e)
+                                return log_oom();
+
+                        printf("%4zu) %-*s", j * per_column + i + 1, (int) width, e);
+                }
+
+                putchar('\n');
+
+                /* on the first screen we reserve 2 extra lines for the title */
+                if (i % break_lines == break_modulo) {
+                        if (!any_key_to_proceed())
+                                return 0;
+                }
+        }
+
+        return 0;
+}
+
 int open_terminal(const char *name, int mode) {
         _cleanup_close_ int fd = -EBADF;
         unsigned c = 0;

src/basic/terminal-util.h

@@ -78,6 +78,8 @@ int chvt(int vt);
 int read_one_char(FILE *f, char *ret, usec_t timeout, bool *need_nl);
 int ask_char(char *ret, const char *replies, const char *text, ...) _printf_(3, 4);
 int ask_string(char **ret, const char *text, ...) _printf_(2, 3);
+bool any_key_to_proceed(void);
+int show_menu(char **x, unsigned n_columns, unsigned width, unsigned percentage);
 
 int vt_disallocate(const char *name);
 

src/firstboot/firstboot.c

@@ -93,20 +93,6 @@ STATIC_DESTRUCTOR_REGISTER(arg_root_shell, freep);
 STATIC_DESTRUCTOR_REGISTER(arg_kernel_cmdline, freep);
 STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
 
-static bool press_any_key(void) {
-        char k = 0;
-        bool need_nl = true;
-
-        puts("-- Press any key to proceed --");
-
-        (void) read_one_char(stdin, &k, USEC_INFINITY, &need_nl);
-
-        if (need_nl)
-                putchar('\n');
-
-        return k != 'q';
-}
-
 static void print_welcome(int rfd) {
         _cleanup_free_ char *pretty_name = NULL, *os_name = NULL, *ansi_color = NULL;
         static bool done = false;
@@ -141,57 +127,11 @@ static void print_welcome(int rfd) {
 
         printf("\nPlease configure your system!\n\n");
 
-        press_any_key();
+        any_key_to_proceed();
 
         done = true;
 }
 
-static int show_menu(char **x, unsigned n_columns, unsigned width, unsigned percentage) {
-        unsigned break_lines, break_modulo;
-        size_t n, per_column, i, j;
-
-        assert(n_columns > 0);
-
-        n = strv_length(x);
-        per_column = DIV_ROUND_UP(n, n_columns);
-
-        break_lines = lines();
-        if (break_lines > 2)
-                break_lines--;
-
-        /* The first page gets two extra lines, since we want to show
-         * a title */
-        break_modulo = break_lines;
-        if (break_modulo > 3)
-                break_modulo -= 3;
-
-        for (i = 0; i < per_column; i++) {
-
-                for (j = 0; j < n_columns; j++) {
-                        _cleanup_free_ char *e = NULL;
-
-                        if (j * per_column + i >= n)
-                                break;
-
-                        e = ellipsize(x[j * per_column + i], width, percentage);
-                        if (!e)
-                                return log_oom();
-
-                        printf("%4zu) %-*s", j * per_column + i + 1, (int) width, e);
-                }
-
-                putchar('\n');
-
-                /* on the first screen we reserve 2 extra lines for the title */
-                if (i % break_lines == break_modulo) {
-                        if (!press_any_key())
-                                return 0;
-                }
-        }
-
-        return 0;
-}
-
 static int prompt_loop(const char *text, char **l, unsigned percentage, bool (*is_valid)(const char *name), char **ret) {
         int r;
 

src/home/homectl.c

@@ -2434,6 +2434,8 @@ static int create_interactively(void) {
                 return 0;
         }
 
+        any_key_to_proceed();
+
         r = acquire_bus(&bus);
         if (r < 0)
                 return r;
@@ -2461,7 +2463,7 @@ static int create_interactively(void) {
                         continue;
                 }
 
-                r = userdb_by_name(username, USERDB_SUPPRESS_SHADOW, /* ret= */ NULL);
+                r = userdb_by_name(username, USERDB_SUPPRESS_SHADOW|USERDB_EXCLUDE_DYNAMIC_USER, /* ret= */ NULL);
                 if (r == -ESRCH)
                         break;
                 if (r < 0)
@@ -2474,6 +2476,109 @@ static int create_interactively(void) {
         if (r < 0)
                 return log_error_errno(r, "Failed to set userName field: %m");
 
+        _cleanup_(userdb_iterator_freep) UserDBIterator *iterator = NULL;
+        _cleanup_strv_free_ char **available = NULL, **groups = NULL;
+
+        r = groupdb_all(USERDB_SUPPRESS_SHADOW|USERDB_EXCLUDE_DYNAMIC_USER, &iterator);
+        if (r == -ENOLINK)
+                log_debug_errno(r, "No entries found. (Didn't check via Varlink.)");
+        else if (r == -ESRCH)
+                log_debug_errno(r, "No entries found.");
+        else if (r < 0)
+                return log_error_errno(r, "Failed to enumerate groups: %m");
+        else {
+                for (;;) {
+                        _cleanup_(group_record_unrefp) GroupRecord *gr = NULL;
+
+                        r = groupdb_iterator_get(iterator, &gr);
+                        if (r == -ESRCH)
+                                break;
+                        if (r < 0)
+                                return log_error_errno(r, "Failed acquire next group: %m");
+
+                        if (!IN_SET(group_record_disposition(gr), USER_REGULAR, USER_SYSTEM))
+                                continue;
+
+                        if (group_record_disposition(gr) == USER_REGULAR) {
+                                _cleanup_(user_record_unrefp) UserRecord *ur = NULL;
+
+                                r = userdb_by_name(gr->group_name, USERDB_SUPPRESS_SHADOW|USERDB_EXCLUDE_DYNAMIC_USER, &ur);
+                                if (r < 0 && r != -ESRCH)
+                                        return log_error_errno(r, "Failed to check if matching user exists for group '%s': %m", gr->group_name);
+
+                                if (r >= 0 && user_record_disposition(ur) == USER_REGULAR)
+                                        continue;
+
+                        }
+
+                        r = strv_extend(&available, gr->group_name);
+                        if (r < 0)
+                                return log_oom();
+                }
+        }
+
+        for (;;) {
+                _cleanup_free_ char *s = NULL;
+                unsigned u;
+
+                r = ask_string(&s,
+                               "%s Please enter an auxiliary group for user %s (empty to continue, \"list\" to list available groups): ",
+                               special_glyph(SPECIAL_GLYPH_TRIANGULAR_BULLET), username);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to query user for auxiliary group: %m");
+
+                if (isempty(s))
+                        break;
+
+                if (streq(s, "list")) {
+                        r = show_menu(available, /*n_columns=*/ 3, /*width=*/ 20, /*percentage=*/ 60);
+                        if (r < 0)
+                                return r;
+
+                        putchar('\n');
+                        continue;
+                };
+
+                r = safe_atou(s, &u);
+                if (r >= 0) {
+                        if (u <= 0 || u > strv_length(available)) {
+                                log_error("Specified entry number out of range.");
+                                continue;
+                        }
+
+                        log_info("Selected '%s'.", available[u-1]);
+
+                        r = strv_extend(&groups, available[u-1]);
+                        if (r < 0)
+                                return log_oom();
+
+                        continue;
+                }
+
+                if (!valid_user_group_name(s, /* flags= */ 0)) {
+                        log_notice("Specified group name is not a valid UNIX group name, try again: %s", s);
+                        continue;
+                }
+
+                r = groupdb_by_name(s, USERDB_SUPPRESS_SHADOW|USERDB_EXCLUDE_DYNAMIC_USER, /*ret=*/ NULL);
+                if (r == -ESRCH) {
+                        log_notice("Specified auxiliary group does not exist, try again: %s", s);
+                        continue;
+                }
+                if (r < 0)
+                        return log_error_errno(r, "Failed to check if specified group '%s' already exists: %m", s);
+
+                r = strv_extend(&groups, s);
+                if (r < 0)
+                        return log_oom();
+        }
+
+        if (groups) {
+                r = sd_json_variant_set_field_strv(&arg_identity_extra, "memberOf", groups);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to set memberOf field: %m");
+        }
+
         return create_home_common(/* input= */ NULL);
 }
 

src/network/bpf/sysctl_monitor/sysctl-monitor.bpf.c

@@ -36,23 +36,22 @@ struct str {
 static long cut_last(u32 i, struct str *str) {
         char *s;
 
+        /* Sanity check for the preverifier */
+        if (i >= str->l)
+                return 1; /* exit from the loop */
+
         i = str->l - i - 1;
         s = str->s + i;
 
-        /* Sanity check for the preverifier */
-        if (i >= str->l)
-                return 1;
-
         if (*s == 0)
-                return 0;
+                return 0; /* continue */
 
         if (*s == '\n' || *s == '\r' || *s == ' ' || *s == '\t') {
                 *s = 0;
-
-                return 0;
+                return 0; /* continue */
         }
 
-        return 1;
+        return 1; /* exit from the loop */
 }
 
 /* Cut off trailing whitespace and newlines */

src/network/networkd-ipv6ll.c

@@ -221,7 +221,7 @@ int link_set_ipv6ll_stable_secret(Link *link) {
         }
 
         return sysctl_write_ip_property(AF_INET6, link->ifname, "stable_secret",
-                                        IN6_ADDR_TO_STRING(&a), &link->manager->sysctl_shadow);
+                                        IN6_ADDR_TO_STRING(&a), manager_get_sysctl_shadow(link->manager));
 }
 
 int link_set_ipv6ll_addrgen_mode(Link *link, IPv6LinkLocalAddressGenMode mode) {
@@ -232,7 +232,7 @@ int link_set_ipv6ll_addrgen_mode(Link *link, IPv6LinkLocalAddressGenMode mode) {
         if (mode == link->ipv6ll_address_gen_mode)
                 return 0;
 
-        return sysctl_write_ip_property_uint32(AF_INET6, link->ifname, "addr_gen_mode", mode, &link->manager->sysctl_shadow);
+        return sysctl_write_ip_property_uint32(AF_INET6, link->ifname, "addr_gen_mode", mode, manager_get_sysctl_shadow(link->manager));
 }
 
 static const char* const ipv6_link_local_address_gen_mode_table[_IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_MAX] = {

src/network/networkd-manager.c

@@ -604,7 +604,9 @@ int manager_new(Manager **ret, bool test_mode) {
                 .duid_product_uuid.type = DUID_TYPE_UUID,
                 .dhcp_server_persist_leases = true,
                 .ip_forwarding = { -1, -1, },
+#if HAVE_VMLINUX_H
                 .cgroup_fd = -EBADF,
+#endif
         };
 
         *ret = TAKE_PTR(m);
@@ -624,8 +626,6 @@ Manager* manager_free(Manager *m) {
         HASHMAP_FOREACH(link, m->links_by_index)
                 (void) link_stop_engines(link, true);
 
-        hashmap_free(m->sysctl_shadow);
-
         m->request_queue = ordered_set_free(m->request_queue);
         m->remove_request_queue = ordered_set_free(m->remove_request_queue);
 

src/network/networkd-manager.h

@@ -122,12 +122,14 @@ struct Manager {
 
         /* sysctl */
         int ip_forwarding[2];
+#if HAVE_VMLINUX_H
         Hashmap *sysctl_shadow;
         sd_event_source *sysctl_event_source;
         struct ring_buffer *sysctl_buffer;
         struct sysctl_monitor_bpf *sysctl_skel;
         struct bpf_link *sysctl_link;
         int cgroup_fd;
+#endif
 };
 
 int manager_new(Manager **ret, bool test_mode);
@@ -150,4 +152,12 @@ int manager_set_timezone(Manager *m, const char *timezone);
 
 int manager_reload(Manager *m, sd_bus_message *message);
 
+static inline Hashmap** manager_get_sysctl_shadow(Manager *manager) {
+#if HAVE_VMLINUX_H
+        return &ASSERT_PTR(manager)->sysctl_shadow;
+#else
+        return NULL;
+#endif
+}
+
 DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_free);

src/network/networkd-ndisc.c

@@ -987,7 +987,7 @@ static int ndisc_router_process_reachable_time(Link *link, sd_ndisc_router *rt)
         }
 
         /* Set the reachable time for Neighbor Solicitations. */
-        r = sysctl_write_ip_neighbor_property_uint32(AF_INET6, link->ifname, "base_reachable_time_ms", (uint32_t) msec, &link->manager->sysctl_shadow);
+        r = sysctl_write_ip_neighbor_property_uint32(AF_INET6, link->ifname, "base_reachable_time_ms", (uint32_t) msec, manager_get_sysctl_shadow(link->manager));
         if (r < 0)
                 log_link_warning_errno(link, r, "Failed to apply neighbor reachable time (%"PRIu64"), ignoring: %m", msec);
 
@@ -1021,7 +1021,7 @@ static int ndisc_router_process_retransmission_time(Link *link, sd_ndisc_router
         }
 
         /* Set the retransmission time for Neighbor Solicitations. */
-        r = sysctl_write_ip_neighbor_property_uint32(AF_INET6, link->ifname, "retrans_time_ms", (uint32_t) msec, &link->manager->sysctl_shadow);
+        r = sysctl_write_ip_neighbor_property_uint32(AF_INET6, link->ifname, "retrans_time_ms", (uint32_t) msec, manager_get_sysctl_shadow(link->manager));
         if (r < 0)
                 log_link_warning_errno(link, r, "Failed to apply neighbor retransmission time (%"PRIu64"), ignoring: %m", msec);
 
@@ -1057,7 +1057,7 @@ static int ndisc_router_process_hop_limit(Link *link, sd_ndisc_router *rt) {
         if (hop_limit <= 0)
                 return 0;
 
-        r = sysctl_write_ip_property_uint32(AF_INET6, link->ifname, "hop_limit", (uint32_t) hop_limit, &link->manager->sysctl_shadow);
+        r = sysctl_write_ip_property_uint32(AF_INET6, link->ifname, "hop_limit", (uint32_t) hop_limit, manager_get_sysctl_shadow(link->manager));
         if (r < 0)
                 log_link_warning_errno(link, r, "Failed to apply hop_limit (%u), ignoring: %m", hop_limit);
 

src/network/networkd-sysctl.c

@@ -34,13 +34,7 @@ static struct sysctl_monitor_bpf* sysctl_monitor_bpf_free(struct sysctl_monitor_
         return NULL;
 }
 
-static struct ring_buffer* rb_free(struct ring_buffer *rb) {
-        sym_ring_buffer__free(rb);
-        return NULL;
-}
-
 DEFINE_TRIVIAL_CLEANUP_FUNC(struct sysctl_monitor_bpf *, sysctl_monitor_bpf_free);
-DEFINE_TRIVIAL_CLEANUP_FUNC(struct ring_buffer *, rb_free);
 
 static int sysctl_event_handler(void *ctx, void *data, size_t data_sz) {
         struct sysctl_write_event *we = ASSERT_PTR(data);
@@ -99,10 +93,10 @@ static int on_ringbuf_io(sd_event_source *s, int fd, uint32_t revents, void *use
 int sysctl_add_monitor(Manager *manager) {
         _cleanup_(sysctl_monitor_bpf_freep) struct sysctl_monitor_bpf *obj = NULL;
         _cleanup_(bpf_link_freep) struct bpf_link *sysctl_link = NULL;
-        _cleanup_(rb_freep) struct ring_buffer *sysctl_buffer = NULL;
-        _cleanup_close_ int cgroup_fd = -EBADF, rootcg = -EBADF;
+        _cleanup_(bpf_ring_buffer_freep) struct ring_buffer *sysctl_buffer = NULL;
+        _cleanup_close_ int cgroup_fd = -EBADF, root_cgroup_fd = -EBADF;
         _cleanup_free_ char *cgroup = NULL;
-        int idx = 0, r;
+        int idx = 0, r, fd;
 
         assert(manager);
 
@@ -116,9 +110,9 @@ int sysctl_add_monitor(Manager *manager) {
         if (r < 0)
                 return log_warning_errno(r, "Failed to get cgroup path, ignoring: %m.");
 
-        rootcg = cg_path_open(SYSTEMD_CGROUP_CONTROLLER, "/");
-        if (rootcg < 0)
-                return log_warning_errno(rootcg, "Failed to open cgroup, ignoring: %m.");
+        root_cgroup_fd = cg_path_open(SYSTEMD_CGROUP_CONTROLLER, "/");
+        if (root_cgroup_fd < 0)
+                return log_warning_errno(root_cgroup_fd, "Failed to open cgroup, ignoring: %m.");
 
         obj = sysctl_monitor_bpf__open_and_load();
         if (!obj) {
@@ -133,21 +127,27 @@ int sysctl_add_monitor(Manager *manager) {
         if (sym_bpf_map_update_elem(sym_bpf_map__fd(obj->maps.cgroup_map), &idx, &cgroup_fd, BPF_ANY))
                 return log_warning_errno(errno, "Failed to update cgroup map: %m");
 
-        sysctl_link = sym_bpf_program__attach_cgroup(obj->progs.sysctl_monitor, rootcg);
+        sysctl_link = sym_bpf_program__attach_cgroup(obj->progs.sysctl_monitor, root_cgroup_fd);
         r = bpf_get_error_translated(sysctl_link);
         if (r < 0) {
                 log_info_errno(r, "Unable to attach sysctl monitor BPF program to cgroup, ignoring: %m.");
                 return 0;
         }
 
-        sysctl_buffer = sym_ring_buffer__new(
-                        sym_bpf_map__fd(obj->maps.written_sysctls),
-                        sysctl_event_handler, &manager->sysctl_shadow, NULL);
+        fd = sym_bpf_map__fd(obj->maps.written_sysctls);
+        if (fd < 0)
+                return log_warning_errno(fd, "Failed to get fd of sysctl maps: %m");
+
+        sysctl_buffer = sym_ring_buffer__new(fd, sysctl_event_handler, &manager->sysctl_shadow, NULL);
         if (!sysctl_buffer)
                 return log_warning_errno(errno, "Failed to create ring buffer: %m");
 
+        fd = sym_ring_buffer__epoll_fd(sysctl_buffer);
+        if (fd < 0)
+                return log_warning_errno(fd, "Failed to get poll fd of ring buffer: %m");
+
         r = sd_event_add_io(manager->event, &manager->sysctl_event_source,
-                        sym_ring_buffer__epoll_fd(sysctl_buffer), EPOLLIN, on_ringbuf_io, sysctl_buffer);
+                            fd, EPOLLIN, on_ringbuf_io, sysctl_buffer);
         if (r < 0)
                 return log_warning_errno(r, "Failed to watch sysctl event ringbuffer: %m");
 
@@ -163,23 +163,11 @@ void sysctl_remove_monitor(Manager *manager) {
         assert(manager);
 
         manager->sysctl_event_source = sd_event_source_disable_unref(manager->sysctl_event_source);
-
-        if (manager->sysctl_buffer) {
-                sym_ring_buffer__free(manager->sysctl_buffer);
-                manager->sysctl_buffer = NULL;
-        }
-
-        if (manager->sysctl_link) {
-                sym_bpf_link__destroy(manager->sysctl_link);
-                manager->sysctl_link = NULL;
-        }
-
-        if (manager->sysctl_skel) {
-                sysctl_monitor_bpf__destroy(manager->sysctl_skel);
-                manager->sysctl_skel = NULL;
-        }
-
+        manager->sysctl_buffer = bpf_ring_buffer_free(manager->sysctl_buffer);
+        manager->sysctl_link = bpf_link_free(manager->sysctl_link);
+        manager->sysctl_skel = sysctl_monitor_bpf_free(manager->sysctl_skel);
         manager->cgroup_fd = safe_close(manager->cgroup_fd);
+        manager->sysctl_shadow = hashmap_free(manager->sysctl_shadow);
 }
 
 int sysctl_clear_link_shadows(Link *link) {
@@ -222,13 +210,13 @@ static void manager_set_ip_forwarding(Manager *manager, int family) {
                 return; /* keep */
 
         /* First, set the default value. */
-        r = sysctl_write_ip_property_boolean(family, "default", "forwarding", t, &manager->sysctl_shadow);
+        r = sysctl_write_ip_property_boolean(family, "default", "forwarding", t, manager_get_sysctl_shadow(manager));
         if (r < 0)
                 log_warning_errno(r, "Failed to %s the default %s forwarding: %m",
                                   enable_disable(t), af_to_ipv4_ipv6(family));
 
         /* Then, set the value to all interfaces. */
-        r = sysctl_write_ip_property_boolean(family, "all", "forwarding", t, &manager->sysctl_shadow);
+        r = sysctl_write_ip_property_boolean(family, "all", "forwarding", t, manager_get_sysctl_shadow(manager));
         if (r < 0)
                 log_warning_errno(r, "Failed to %s %s forwarding for all interfaces: %m",
                                   enable_disable(t), af_to_ipv4_ipv6(family));
@@ -273,7 +261,7 @@ static int link_update_ipv6_sysctl(Link *link) {
         if (!link_ipv6_enabled(link))
                 return 0;
 
-        return sysctl_write_ip_property_boolean(AF_INET6, link->ifname, "disable_ipv6", false, &link->manager->sysctl_shadow);
+        return sysctl_write_ip_property_boolean(AF_INET6, link->ifname, "disable_ipv6", false, manager_get_sysctl_shadow(link->manager));
 }
 
 static int link_set_proxy_arp(Link *link) {
@@ -286,7 +274,7 @@ static int link_set_proxy_arp(Link *link) {
         if (link->network->proxy_arp < 0)
                 return 0;
 
-        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "proxy_arp", link->network->proxy_arp > 0, &link->manager->sysctl_shadow);
+        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "proxy_arp", link->network->proxy_arp > 0, manager_get_sysctl_shadow(link->manager));
 }
 
 static int link_set_proxy_arp_pvlan(Link *link) {
@@ -299,7 +287,7 @@ static int link_set_proxy_arp_pvlan(Link *link) {
         if (link->network->proxy_arp_pvlan < 0)
                 return 0;
 
-        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "proxy_arp_pvlan", link->network->proxy_arp_pvlan > 0, &link->manager->sysctl_shadow);
+        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "proxy_arp_pvlan", link->network->proxy_arp_pvlan > 0, manager_get_sysctl_shadow(link->manager));
 }
 
 int link_get_ip_forwarding(Link *link, int family) {
@@ -341,7 +329,7 @@ static int link_set_ip_forwarding_impl(Link *link, int family) {
         if (t < 0)
                 return 0; /* keep */
 
-        r = sysctl_write_ip_property_boolean(family, link->ifname, "forwarding", t, &link->manager->sysctl_shadow);
+        r = sysctl_write_ip_property_boolean(family, link->ifname, "forwarding", t, manager_get_sysctl_shadow(link->manager));
         if (r < 0)
                 return log_link_warning_errno(link, r, "Failed to %s %s forwarding, ignoring: %m",
                                               enable_disable(t), af_to_ipv4_ipv6(family));
@@ -418,7 +406,7 @@ static int link_set_ipv4_rp_filter(Link *link) {
         if (link->network->ipv4_rp_filter < 0)
                 return 0;
 
-        return sysctl_write_ip_property_int(AF_INET, link->ifname, "rp_filter", link->network->ipv4_rp_filter, &link->manager->sysctl_shadow);
+        return sysctl_write_ip_property_int(AF_INET, link->ifname, "rp_filter", link->network->ipv4_rp_filter, manager_get_sysctl_shadow(link->manager));
 }
 
 static int link_set_ipv6_privacy_extensions(Link *link) {
@@ -438,7 +426,7 @@ static int link_set_ipv6_privacy_extensions(Link *link) {
         if (val == IPV6_PRIVACY_EXTENSIONS_KERNEL)
                 return 0;
 
-        return sysctl_write_ip_property_int(AF_INET6, link->ifname, "use_tempaddr", (int) val, &link->manager->sysctl_shadow);
+        return sysctl_write_ip_property_int(AF_INET6, link->ifname, "use_tempaddr", (int) val, manager_get_sysctl_shadow(link->manager));
 }
 
 static int link_set_ipv6_accept_ra(Link *link) {
@@ -448,7 +436,7 @@ static int link_set_ipv6_accept_ra(Link *link) {
         if (!link_is_configured_for_family(link, AF_INET6))
                 return 0;
 
-        return sysctl_write_ip_property(AF_INET6, link->ifname, "accept_ra", "0", &link->manager->sysctl_shadow);
+        return sysctl_write_ip_property(AF_INET6, link->ifname, "accept_ra", "0", manager_get_sysctl_shadow(link->manager));
 }
 
 static int link_set_ipv6_dad_transmits(Link *link) {
@@ -461,7 +449,7 @@ static int link_set_ipv6_dad_transmits(Link *link) {
         if (link->network->ipv6_dad_transmits < 0)
                 return 0;
 
-        return sysctl_write_ip_property_int(AF_INET6, link->ifname, "dad_transmits", link->network->ipv6_dad_transmits, &link->manager->sysctl_shadow);
+        return sysctl_write_ip_property_int(AF_INET6, link->ifname, "dad_transmits", link->network->ipv6_dad_transmits, manager_get_sysctl_shadow(link->manager));
 }
 
 static int link_set_ipv6_hop_limit(Link *link) {
@@ -474,7 +462,7 @@ static int link_set_ipv6_hop_limit(Link *link) {
         if (link->network->ipv6_hop_limit <= 0)
                 return 0;
 
-        return sysctl_write_ip_property_int(AF_INET6, link->ifname, "hop_limit", link->network->ipv6_hop_limit, &link->manager->sysctl_shadow);
+        return sysctl_write_ip_property_int(AF_INET6, link->ifname, "hop_limit", link->network->ipv6_hop_limit, manager_get_sysctl_shadow(link->manager));
 }
 
 static int link_set_ipv6_retransmission_time(Link *link) {
@@ -493,7 +481,7 @@ static int link_set_ipv6_retransmission_time(Link *link) {
          if (retrans_time_ms <= 0 || retrans_time_ms > UINT32_MAX)
                 return 0;
 
-        return sysctl_write_ip_neighbor_property_uint32(AF_INET6, link->ifname, "retrans_time_ms", retrans_time_ms, &link->manager->sysctl_shadow);
+        return sysctl_write_ip_neighbor_property_uint32(AF_INET6, link->ifname, "retrans_time_ms", retrans_time_ms, manager_get_sysctl_shadow(link->manager));
 }
 
 static int link_set_ipv6_proxy_ndp(Link *link) {
@@ -510,7 +498,7 @@ static int link_set_ipv6_proxy_ndp(Link *link) {
         else
                 v = !set_isempty(link->network->ipv6_proxy_ndp_addresses);
 
-        return sysctl_write_ip_property_boolean(AF_INET6, link->ifname, "proxy_ndp", v, &link->manager->sysctl_shadow);
+        return sysctl_write_ip_property_boolean(AF_INET6, link->ifname, "proxy_ndp", v, manager_get_sysctl_shadow(link->manager));
 }
 
 int link_set_ipv6_mtu(Link *link, int log_level) {
@@ -538,7 +526,7 @@ int link_set_ipv6_mtu(Link *link, int log_level) {
                 mtu = link->mtu;
         }
 
-        return sysctl_write_ip_property_uint32(AF_INET6, link->ifname, "mtu", mtu, &link->manager->sysctl_shadow);
+        return sysctl_write_ip_property_uint32(AF_INET6, link->ifname, "mtu", mtu, manager_get_sysctl_shadow(link->manager));
 }
 
 static int link_set_ipv4_accept_local(Link *link) {
@@ -551,7 +539,7 @@ static int link_set_ipv4_accept_local(Link *link) {
         if (link->network->ipv4_accept_local < 0)
                 return 0;
 
-        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "accept_local", link->network->ipv4_accept_local > 0, &link->manager->sysctl_shadow);
+        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "accept_local", link->network->ipv4_accept_local > 0, manager_get_sysctl_shadow(link->manager));
 }
 
 static int link_set_ipv4_route_localnet(Link *link) {
@@ -564,7 +552,7 @@ static int link_set_ipv4_route_localnet(Link *link) {
         if (link->network->ipv4_route_localnet < 0)
                 return 0;
 
-        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "route_localnet", link->network->ipv4_route_localnet > 0, &link->manager->sysctl_shadow);
+        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "route_localnet", link->network->ipv4_route_localnet > 0, manager_get_sysctl_shadow(link->manager));
 }
 
 static int link_set_ipv4_promote_secondaries(Link *link) {
@@ -579,7 +567,7 @@ static int link_set_ipv4_promote_secondaries(Link *link) {
          * otherwise. The way systemd-networkd works is that the new IP of a lease is added as a
          * secondary IP and when the primary one expires it relies on the kernel to promote the
          * secondary IP. See also https://github.com/systemd/systemd/issues/7163 */
-        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "promote_secondaries", true, &link->manager->sysctl_shadow);
+        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "promote_secondaries", true, manager_get_sysctl_shadow(link->manager));
 }
 
 int link_set_sysctl(Link *link) {

src/nsresourced/nsresourced-manager.c

@@ -6,6 +6,7 @@
 #include "sd-daemon.h"
 
 #include "bpf-dlopen.h"
+#include "bpf-link.h"
 #include "build-path.h"
 #include "common-signal.h"
 #include "env-util.h"
@@ -141,8 +142,7 @@ Manager* manager_free(Manager *m) {
 
 #if HAVE_VMLINUX_H
         sd_event_source_disable_unref(m->userns_restrict_bpf_ring_buffer_event_source);
-        if (m->userns_restrict_bpf_ring_buffer)
-                sym_ring_buffer__free(m->userns_restrict_bpf_ring_buffer);
+        bpf_ring_buffer_free(m->userns_restrict_bpf_ring_buffer);
         userns_restrict_bpf_free(m->userns_restrict_bpf);
 #endif
 

src/shared/bpf-link.c

@@ -31,7 +31,7 @@ int bpf_serialize_link(FILE *f, FDSet *fds, const char *key, struct bpf_link *li
         return serialize_fd(f, fds, key, sym_bpf_link__fd(link));
 }
 
-struct bpf_link *bpf_link_free(struct bpf_link *link) {
+struct bpf_link* bpf_link_free(struct bpf_link *link) {
         /* If libbpf wasn't dlopen()ed, sym_bpf_link__destroy might be unresolved (NULL), so let's not try to
          * call it if link is NULL. link might also be a non-null "error pointer", but such a value can only
          * originate from a call to libbpf, but that means that libbpf is available, and we can let
@@ -41,3 +41,10 @@ struct bpf_link *bpf_link_free(struct bpf_link *link) {
 
         return NULL;
 }
+
+struct ring_buffer* bpf_ring_buffer_free(struct ring_buffer *rb) {
+        if (rb) /* See the comment in bpf_link_free(). */
+                sym_ring_buffer__free(rb);
+
+        return NULL;
+}

src/shared/bpf-link.h

@@ -12,5 +12,8 @@ bool bpf_can_link_program(struct bpf_program *prog);
 
 int bpf_serialize_link(FILE *f, FDSet *fds, const char *key, struct bpf_link *link);
 
-struct bpf_link *bpf_link_free(struct bpf_link *p);
+struct bpf_link* bpf_link_free(struct bpf_link *p);
 DEFINE_TRIVIAL_CLEANUP_FUNC(struct bpf_link *, bpf_link_free);
+
+struct ring_buffer* bpf_ring_buffer_free(struct ring_buffer *rb);
+DEFINE_TRIVIAL_CLEANUP_FUNC(struct ring_buffer *, bpf_ring_buffer_free);

src/systemctl/systemctl-list-jobs.c

@@ -28,17 +28,16 @@ static int output_waiting_jobs(sd_bus *bus, Table *table, uint32_t id, const cha
 
         while ((r = sd_bus_message_read(reply, "(usssoo)", &other_id, &name, &type, NULL, NULL, NULL)) > 0) {
                 _cleanup_free_ char *row = NULL;
-                int rc;
 
                 if (asprintf(&row, "%s %u (%s/%s)", prefix, other_id, name, type) < 0)
                         return log_oom();
 
-                rc = table_add_many(table,
+                r = table_add_many(table,
                                     TABLE_STRING, special_glyph(SPECIAL_GLYPH_TREE_RIGHT),
                                     TABLE_STRING, row,
                                     TABLE_EMPTY,
                                     TABLE_EMPTY);
-                if (rc < 0)
+                if (r < 0)
                         return table_log_add_error(r);
         }