meson: bump version to 257.10

git restore -s origin/main hwdb.d/ test/hwdb.d && git checkout hwdb.d/meson.build

This primarily reverts some changes made in the previous update.

(cherry picked from commit 377aaf6a272d5f3dd9961fbede88887be70c9dd1)

hwdb.d/70-mouse.hwdb

@@ -825,12 +825,9 @@ mouse:usb:v0e8fp00a7:name:DaKai 2.4G RX:*
 # Nulea
 ##########################################
 
-# Note: it is possible that other devices may use the same wireless dongle,
+# Note: The Nulea uses a generic USB dongle. Overriding its value would cause
-# as such this could require revisiting if it causes issues with other mice
+# other mice to be erroneously registered as trackballs, so only bluetooth
-# Nulea M501 Wireless Trackball (USB Receiver)
+# detection is added.
-mouse:usb:v25a7pfa61:name:Compx 2.4G Receiver Mouse:*
- ID_INPUT_TRACKBALL=1
-
 # Nulea M501 Wireless Trackball (Bluetooth)
 mouse:bluetooth:v000ep3412:name:Nulea BT5.0 Mouse:*
  ID_INPUT_TRACKBALL=1

man/systemd-pcrlock.xml

@@ -466,7 +466,7 @@
         <filename>*.pcrlock.d/*.pcrlock</filename> files from. May be used more than once to specify multiple
         such directories. If not specified, defaults to <filename>/etc/pcrlock.d/</filename>,
         <filename>/run/pcrlock.d/</filename>, <filename>/var/lib/pcrlock.d/</filename>,
-        <filename>/usr/local/pcrlock.d/</filename>, <filename>/usr/lib/pcrlock.d/</filename>.</para>
+        <filename>/usr/local/lib/pcrlock.d/</filename>, <filename>/usr/lib/pcrlock.d/</filename>.</para>
 
         <xi:include href="version-info.xml" xpointer="v255"/></listitem>
       </varlistentry>

man/systemd.pcrlock.xml

@@ -28,8 +28,8 @@
       <member><filename>/run/pcrlock.d/*.pcrlock.d/*.pcrlock</filename></member>
       <member><filename>/var/lib/pcrlock.d/*.pcrlock</filename></member>
       <member><filename>/var/lib/pcrlock.d/*.pcrlock.d/*.pcrlock</filename></member>
-      <member><filename>/usr/local/pcrlock.d/*.pcrlock</filename></member>
+      <member><filename>/usr/local/lib/pcrlock.d/*.pcrlock</filename></member>
-      <member><filename>/usr/local/pcrlock.d/*.pcrlock.d/*.pcrlock</filename></member>
+      <member><filename>/usr/local/lib/pcrlock.d/*.pcrlock.d/*.pcrlock</filename></member>
       <member><filename>/usr/lib/pcrlock.d/*.pcrlock</filename></member>
       <member><filename>/usr/lib/pcrlock.d/*.pcrlock.d/*.pcrlock</filename></member>
     </simplelist></para>

meson.version

@@ -1 +1 @@
-257.9
+257.10

src/core/cgroup.c

@@ -5343,6 +5343,16 @@ int cgroup_runtime_serialize(Unit *u, FILE *f, FDSet *fds) {
         if (!crt)
                 return 0;
 
+        if (crt->cgroup_path)
+                (void) serialize_item(f, "cgroup", crt->cgroup_path);
+        if (crt->cgroup_id != 0)
+                (void) serialize_item_format(f, "cgroup-id", "%" PRIu64, crt->cgroup_id);
+
+        (void) serialize_bool(f, "cgroup-realized", crt->cgroup_realized);
+        (void) serialize_cgroup_mask(f, "cgroup-realized-mask", crt->cgroup_realized_mask);
+        (void) serialize_cgroup_mask(f, "cgroup-enabled-mask", crt->cgroup_enabled_mask);
+        (void) serialize_cgroup_mask(f, "cgroup-invalidated-mask", crt->cgroup_invalidated_mask);
+
         (void) serialize_item_format(f, "cpu-usage-base", "%" PRIu64, crt->cpu_usage_base);
         if (crt->cpu_usage_last != NSEC_INFINITY)
                 (void) serialize_item_format(f, "cpu-usage-last", "%" PRIu64, crt->cpu_usage_last);
@@ -5376,16 +5386,6 @@ int cgroup_runtime_serialize(Unit *u, FILE *f, FDSet *fds) {
                         (void) serialize_item_format(f, io_accounting_metric_field_last_to_string(im), "%" PRIu64, crt->io_accounting_last[im]);
         }
 
-        if (crt->cgroup_path)
-                (void) serialize_item(f, "cgroup", crt->cgroup_path);
-        if (crt->cgroup_id != 0)
-                (void) serialize_item_format(f, "cgroup-id", "%" PRIu64, crt->cgroup_id);
-
-        (void) serialize_bool(f, "cgroup-realized", crt->cgroup_realized);
-        (void) serialize_cgroup_mask(f, "cgroup-realized-mask", crt->cgroup_realized_mask);
-        (void) serialize_cgroup_mask(f, "cgroup-enabled-mask", crt->cgroup_enabled_mask);
-        (void) serialize_cgroup_mask(f, "cgroup-invalidated-mask", crt->cgroup_invalidated_mask);
-
         (void) bpf_socket_bind_serialize(u, f, fds);
 
         (void) bpf_program_serialize_attachment(f, fds, "ip-bpf-ingress-installed", crt->ip_bpf_ingress_installed);

src/core/timer.c

@@ -654,8 +654,6 @@ static int timer_start(Unit *u) {
         if (r < 0)
                 return r;
 
-        t->last_trigger = DUAL_TIMESTAMP_NULL;
-
         /* Reenable all timers that depend on unit activation time */
         LIST_FOREACH(value, v, t->values)
                 if (v->base == TIMER_ACTIVE)

src/nspawn/nspawn.c

@@ -1295,7 +1295,7 @@ static int parse_argv(int argc, char *argv[]) {
 
                         arg_userns_ownership = user_namespace_ownership_from_string(optarg);
                         if (arg_userns_ownership < 0)
-                                return log_error_errno(arg_userns_ownership, "Cannot parse --user-namespace-ownership= value: %s", optarg);
+                                return log_error_errno(arg_userns_ownership, "Cannot parse --private-users-ownership= value: %s", optarg);
 
                         arg_settings_mask |= SETTING_USERNS;
                         break;

src/systemd/sd-id128.h

@@ -134,7 +134,7 @@ _sd_const_ static __inline__ int sd_id128_is_allf(sd_id128_t a) {
 #define SD_ID128_NULL ((const sd_id128_t) { .qwords = { 0, 0 }})
 #define SD_ID128_ALLF ((const sd_id128_t) { .qwords = { UINT64_C(0xFFFFFFFFFFFFFFFF), UINT64_C(0xFFFFFFFFFFFFFFFF) }})
 
-_sd_const_ static __inline__ int sd_id128_in_setv(sd_id128_t a, va_list ap) {
+static __inline__ int sd_id128_in_setv(sd_id128_t a, va_list ap) {
         for (;;) {
                 sd_id128_t b = va_arg(ap, sd_id128_t);
 

test/integration-tests/meson.build

@@ -65,7 +65,7 @@ foreach dirname : [
         'TEST-46-HOMED',
         'TEST-50-DISSECT',
         'TEST-52-HONORFIRSTSHUTDOWN',
-        'TEST-53-ISSUE-16347',
+        'TEST-53-TIMER',
         'TEST-54-CREDS',
         'TEST-55-OOMD',
         'TEST-58-REPART',

test/units/TEST-53-TIMER.RandomizedDelaySec-reload.sh

@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# When deserializing a serialized timer unit with RandomizedDelaySec= set, systemd should use the last
+# inactive exit timestamp instead of current realtime to calculate the new next elapse, so the timer unit
+# actually runs in the given calendar window.
+#
+# Provides coverage for:
+#   - https://github.com/systemd/systemd/issues/18678
+#   - https://github.com/systemd/systemd/pull/27752
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/test-control.sh
+. "$(dirname "$0")"/util.sh
+
+UNIT_NAME="timer-RandomizedDelaySec-$RANDOM"
+TARGET_TS="$(date --date="tomorrow 00:10")"
+TARGET_TS_S="$(date --date="$TARGET_TS" "+%s")"
+# Maximum possible next elapse timestamp: $TARGET_TS (OnCalendar=) + 22 hours (RandomizedDelaySec=)
+MAX_NEXT_ELAPSE_REALTIME_S="$((TARGET_TS_S + 22 * 60 * 60))"
+MAX_NEXT_ELAPSE_REALTIME="$(date --date="@$MAX_NEXT_ELAPSE_REALTIME_S")"
+
+# Let's make sure to return the date & time back to the original state once we're done with our time
+# shenigans. One way to do this would be to use hwclock, but the RTC in VMs can be unreliable or slow to
+# respond, causing unexpected test fails/timeouts.
+#
+# Instead, let's save the realtime timestamp before we start with the test together with a current monotonic
+# timestamp, after the test ends take the difference between the current monotonic timestamp and the "start"
+# one, add it to the originally saved realtime timestamp, and finally use that timestamp to set the system
+# time. This should advance the system time by the amount of time the test actually ran, and hence restore it
+# to some sane state after the time jumps performed by the test. It won't be perfect, but it should be close
+# enough for our needs.
+START_REALTIME="$(date "+%s")"
+START_MONOTONIC="$(cut -d . -f 1 /proc/uptime)"
+at_exit() {
+    : "Restore the system date to a sane state"
+    END_MONOTONIC="$(cut -d . -f 1 /proc/uptime)"
+    date --set="@$((START_REALTIME + END_MONOTONIC - START_MONOTONIC))"
+}
+trap at_exit EXIT
+
+# Set some predictable time so we can schedule the first timer elapse in a deterministic-ish way
+date --set="23:00"
+
+# Setup
+cat >"/run/systemd/system/$UNIT_NAME.timer" <<EOF
+[Timer]
+# Run this timer daily, ten minutes after midnight
+OnCalendar=*-*-* 00:10:00
+RandomizedDelaySec=22h
+AccuracySec=1ms
+EOF
+
+cat >"/run/systemd/system/$UNIT_NAME.service" <<EOF
+[Service]
+ExecStart=echo "Hello world"
+EOF
+
+systemctl daemon-reload
+
+check_elapse_timestamp() {
+    systemctl status "$UNIT_NAME.timer"
+    systemctl show -p InactiveExitTimestamp "$UNIT_NAME.timer"
+
+    NEXT_ELAPSE_REALTIME="$(systemctl show -P NextElapseUSecRealtime "$UNIT_NAME.timer")"
+    NEXT_ELAPSE_REALTIME_S="$(date --date="$NEXT_ELAPSE_REALTIME" "+%s")"
+    : "Next elapse timestamp should be $TARGET_TS <= $NEXT_ELAPSE_REALTIME <= $MAX_NEXT_ELAPSE_REALTIME"
+    assert_ge "$NEXT_ELAPSE_REALTIME_S" "$TARGET_TS_S"
+    assert_le "$NEXT_ELAPSE_REALTIME_S" "$MAX_NEXT_ELAPSE_REALTIME_S"
+}
+
+# Restart the timer unit and check the initial next elapse timestamp
+: "Initial next elapse timestamp"
+systemctl restart "$UNIT_NAME.timer"
+check_elapse_timestamp
+
+# Bump the system date to 1 minute after the original calendar timer would've expired (without any random
+# delay!) - systemd should recalculate the next elapse timestamp with a new randomized delay, but it should
+# use the original inactive exit timestamp as a "base", so the final timestamp should not end up beyond the
+# original calendar timestamp + randomized delay range.
+#
+# Similarly, do the same check after doing daemon-reload, as that also forces systemd to recalculate the next
+# elapse timestamp (this goes through a slightly different codepath that actually contained the original
+# issue).
+: "Next elapse timestamp after time jump"
+date -s "tomorrow 00:11"
+check_elapse_timestamp
+
+: "Next elapse timestamp after daemon-reload"
+systemctl daemon-reload
+check_elapse_timestamp
+
+# Cleanup
+systemctl stop "$UNIT_NAME".{timer,service}
+rm -f "/run/systemd/system/$UNIT_NAME".{timer,service}
+systemctl daemon-reload

test/units/TEST-53-TIMER.issue-16347.sh

@@ -3,10 +3,9 @@
 set -eux
 set -o pipefail
 
-: >/failed
-
 # Reset host date to current time, 3 days in the past.
 date -s "-3 days"
+trap 'date -s "+3 days"' EXIT
 
 # Run a timer for every 15 minutes.
 systemd-run --unit test-timer --on-calendar "*:0/15:0" true
@@ -17,15 +16,12 @@ now=$(date +%s)
 time_delta=$((next_elapsed - now))
 
 # Check that the timer will elapse in less than 20 minutes.
-((0 < time_delta && time_delta < 1200)) || {
+if [[ "$time_delta" -lt 0 || "$time_delta" -gt 1200 ]]; then
     echo 'Timer elapse outside of the expected 20 minute window.'
     echo "  next_elapsed=${next_elapsed}"
     echo "  now=${now}"
     echo "  time_delta=${time_delta}"
-    echo ''
+    echo
-} >>/failed
 
-if test ! -s /failed ; then
+    exit 1
-    rm -f /failed
-    touch /testok
 fi

test/units/TEST-53-TIMER.restart-trigger.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# Restarting an already elapsed timer shouldn't immediately trigger the corresponding service unit.
+#
+# Provides coverage for:
+#   - https://github.com/systemd/systemd/issues/31231
+#   - https://github.com/systemd/systemd/issues/35805
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/test-control.sh
+. "$(dirname "$0")"/util.sh
+
+UNIT_NAME="timer-restart-$RANDOM"
+TEST_MESSAGE="Hello from timer $RANDOM"
+
+# Setup
+cat >"/run/systemd/system/$UNIT_NAME.timer" <<EOF
+[Timer]
+OnCalendar=$(date --date="+1 hour" "+%Y-%m-%d %H:%M:%S")
+AccuracySec=1s
+EOF
+
+cat >"/run/systemd/system/$UNIT_NAME.service" <<EOF
+[Service]
+ExecStart=echo "$TEST_MESSAGE"
+EOF
+
+systemctl daemon-reload
+
+JOURNAL_TS="$(date "+%s")"
+# Paranoia check that the test message is not already in the logs
+(! journalctl -p info --since="@$JOURNAL_TS" --unit="$UNIT_NAME" --grep="$TEST_MESSAGE")
+
+# Restart time timer and move time forward by 2 hours to trigger the timer
+systemctl restart "$UNIT_NAME.timer"
+systemctl status "$UNIT_NAME.timer"
+
+date -s '+2 hours'
+trap 'date -s "-2 hours"' EXIT
+sleep 1
+systemctl status "$UNIT_NAME.timer"
+assert_eq "$(journalctl -q -p info --since="@$JOURNAL_TS" --unit="$UNIT_NAME" --grep="$TEST_MESSAGE" | wc -l)" "1"
+
+# Restarting the timer unit shouldn't trigger neither the timer nor the service, so these
+# fields should remain constant through the following tests
+SERVICE_INV_ID="$(systemctl show --property=InvocationID "$UNIT_NAME.service")"
+TIMER_LAST_TRIGGER="$(systemctl show --property=LastTriggerUSec "$UNIT_NAME.timer")"
+
+# Now restart the timer and check if the timer and the service weren't triggered again
+systemctl restart "$UNIT_NAME.timer"
+sleep 5
+assert_eq "$(journalctl -q -p info --since="@$JOURNAL_TS" --unit="$UNIT_NAME" --grep="$TEST_MESSAGE" | wc -l)" "1"
+assert_eq "$SERVICE_INV_ID" "$(systemctl show --property=InvocationID "$UNIT_NAME.service")"
+assert_eq "$TIMER_LAST_TRIGGER" "$(systemctl show --property=LastTriggerUSec "$UNIT_NAME.timer")"
+
+# Set the timer into the past, restart it, and again check if it wasn't triggered
+TIMER_TS="$(date --date="-1 day" "+%Y-%m-%d %H:%M:%S")"
+mkdir "/run/systemd/system/$UNIT_NAME.timer.d/"
+cat >"/run/systemd/system/$UNIT_NAME.timer.d/99-override.conf" <<EOF
+[Timer]
+OnCalendar=$TIMER_TS
+EOF
+systemctl daemon-reload
+systemctl status "$UNIT_NAME.timer"
+assert_in "OnCalendar=$TIMER_TS" "$(systemctl show -P TimersCalendar "$UNIT_NAME".timer)"
+systemctl restart "$UNIT_NAME.timer"
+sleep 5
+assert_eq "$(journalctl -q -p info --since="@$JOURNAL_TS" --unit="$UNIT_NAME" --grep="$TEST_MESSAGE" | wc -l)" "1"
+assert_eq "$SERVICE_INV_ID" "$(systemctl show --property=InvocationID "$UNIT_NAME.service")"
+assert_eq "$TIMER_LAST_TRIGGER" "$(systemctl show --property=LastTriggerUSec "$UNIT_NAME.timer")"
+
+# Cleanup
+systemctl stop "$UNIT_NAME".{timer,service}
+rm -f "/run/systemd/system/$UNIT_NAME".{timer,service}
+systemctl daemon-reload

test/units/TEST-53-TIMER.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/test-control.sh
+. "$(dirname "$0")"/test-control.sh
+
+run_subtests
+
+touch /testok

test/units/util.sh

@@ -57,6 +57,15 @@ assert_le() {(
     fi
 )}
 
+assert_ge() {(
+    set +ex
+
+    if [[ "${1:?}" -lt "${2:?}" ]]; then
+        echo "FAIL: '$1' < '$2'" >&2
+        exit 1
+    fi
+)}
+
 assert_in() {(
     set +ex
 

units/systemd-mountfsd.service.in

@@ -17,7 +17,7 @@ Before=sysinit.target shutdown.target
 DefaultDependencies=no
 
 [Service]
-#CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_CHOWN CAP_SYS_ADMIN
 ExecStart={{LIBEXECDIR}}/systemd-mountfsd
 IPAddressDeny=any
 LimitNOFILE={{HIGH_RLIMIT_NOFILE}}