mirror of https://github.com/systemd/systemd synced 2026-03-14 09:04:47 +01:00

Compare commits


9 Commits

Author SHA1 Message Date
Yu Watanabe
3d6dfabd8c
meson: Don't install systemdstatedir (/var/lib/systemd) (#31627) 2026-02-03 10:08:54 +09:00
Antonio Alvarez Feijoo
2f76b10b94 import-generator: fix sysext/confext ordering in initrd
In the initrd, order the generated `systemd-import@.service` units before the
initrd-specific sysext/confext units.
2026-02-03 08:18:41 +09:00
Mike Yuan
c27d1b3eec ssh-generator: follow symlink when searching for sshd@.service
unit_file_exists() currently does not follow symlinks, as it is
mainly used to test whether the unit (of any install state)
has been seen under search dirs. However, in ssh-generator
we should search for and honor whatever the distro ships,
which might be an alias or linked externally.
2026-02-03 08:17:34 +09:00
Luca Boccassi
ce41216e49 ask-password: install polkit policy
The policy was added, but never hooked into meson to be installed,
so it's unused. Install it.

Follow-up for 066f6bfb6278962e288cce2ba522a2e400980e7c
2026-02-03 08:16:25 +09:00
Yu Watanabe
ab8603d26b
Fixes for ask-password (#40549) 2026-02-03 07:48:13 +09:00
Luca Boccassi
15075cfe26 mkosi: update debian commit reference to ecec6127927ca59726e3d3535a2b2344f585cf74
* ecec612792 Stop installing /var/lib/systemd/
* 120f84266d d/rules: use --no-also for networkd and journald
* 41780703f2 d/rules: do not restart sockets, it fails if the service is running
* 5f219fbd65 Increase number of sections of sd-stub on amd64 too
* 5832d7f614 d/systemd.postinst: use --no-dbus for daemon-reexec
2026-02-02 16:28:55 +01:00
Max Gautier
9013347ba9 Don't install systemdstatedir (/var/lib/systemd)
systemdstatedir is created by tmpfiles conf (tmpfiles.d/systemd.conf.in)
already.
By shipping it, systemd prevents the effect of tmpfiles.d/var.conf.in:

q /var 0755 - - -

This should help implement the "Hermetic /usr" pattern.

Links: https://0pointer.net/blog/fitting-everything-together.html
2026-02-03 00:10:06 +09:00
Zbigniew Jędrzejewski-Szmek
65f72f5dbb ask-password: remove files in /run when query is aborted
Because of the missing 'goto', if the query was aborted, we
would leave behind the ask.* ini file.
2026-02-02 15:16:23 +01:00
Zbigniew Jędrzejewski-Szmek
f01c99c67e ask-password: reject control chars and quotes in query description
As reported in https://yeswehack.com/vulnerability-center/reports/705270,
YesWeHack issue #YWH-PGM9780-66, if a newline is injected into the message
field, it is passed through unmolested and lands in the .ini file. This
obviously would cause the parser to be confused.

Let's forbid any control characters or quotes in those fields. If we want
something more complicated in the future, we can add a custom validation
function and allow some escaping mechanism.
2026-02-02 15:16:23 +01:00
9 changed files with 41 additions and 21 deletions


@ -2820,8 +2820,6 @@ install_data('LICENSE.GPL2',
install_subdir('LICENSES',
install_dir : docdir)
install_emptydir(systemdstatedir)
#####################################################################
# Ensure that changes to the docs/ directory do not break the


@ -9,5 +9,5 @@ Environment=
GIT_URL=https://salsa.debian.org/systemd-team/systemd.git
GIT_SUBDIR=debian
GIT_BRANCH=debian/master
GIT_COMMIT=6f4d90be5cb4075954f0a36653105e586a9a1fa9
GIT_COMMIT=ecec6127927ca59726e3d3535a2b2344f585cf74
PKG_SUBDIR=debian


@ -282,10 +282,10 @@ typedef struct MethodAskParameters {
static int vl_method_ask(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
static const sd_json_dispatch_field dispatch_table[] = {
{ "message", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(MethodAskParameters, message), 0 },
{ "keyname", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(MethodAskParameters, keyring), 0 },
{ "icon", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(MethodAskParameters, icon), 0 },
{ "id", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(MethodAskParameters, id), 0 },
{ "message", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(MethodAskParameters, message), SD_JSON_STRICT },
{ "keyname", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(MethodAskParameters, keyring), SD_JSON_STRICT },
{ "icon", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(MethodAskParameters, icon), SD_JSON_STRICT },
{ "id", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(MethodAskParameters, id), SD_JSON_STRICT },
{ "timeoutUSec", _SD_JSON_VARIANT_TYPE_INVALID, sd_json_dispatch_uint64, offsetof(MethodAskParameters, timeout_usec), 0 },
{ "untilUSec", _SD_JSON_VARIANT_TYPE_INVALID, sd_json_dispatch_uint64, offsetof(MethodAskParameters, until_usec), 0 },
{ "acceptCached", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_tristate, offsetof(MethodAskParameters, accept_cached), 0 },
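Review bot: The four `SD_JSON_STRICT` flags in `dispatch_table` reject unsafe strings only for requests that arrive through this Varlink method, while the commit message describes the problem at the point where the value is written into the ask.* ini file. That writer is not part of this section, so it cannot be confirmed here that other entry points go through an equivalent check; validating or escaping at the write site as well would make the guarantee independent of the caller. A short comment above the table would record the intent, e.g. `/* These strings end up in the ask.* file in /run, hence refuse control characters and quotes (SD_JSON_STRICT) */`. The body of vl_method_ask() continues outside the hunk.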


@ -7,3 +7,6 @@ executables += [
'sources' : files('ask-password.c'),
},
]
install_data('io.systemd.ask-password.policy',
install_dir : polkitpolicydir)


@ -357,9 +357,11 @@ static int transfer_generate(const Transfer *t) {
arg_failure_action);
if (t->class == IMAGE_SYSEXT)
fputs("Before=systemd-sysext.service\n", f);
fprintf(f, "Before=systemd-sysext%s.service\n",
in_initrd() ? "-initrd" : "");
else if (t->class == IMAGE_CONFEXT)
fputs("Before=systemd-confext.service\n", f);
fprintf(f, "Before=systemd-confext%s.service\n",
in_initrd() ? "-initrd" : "");
/* Assume network resource unless URL is file:// */
if (!file_url_is_valid(t->remote))
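Review bot: The two new `fprintf()` calls in the `IMAGE_SYSEXT` and `IMAGE_CONFEXT` branches repeat the same `in_initrd() ? "-initrd" : ""` expression, and nothing at this spot says why the unit name differs in the initrd. Computing it once, `const char *suffix = in_initrd() ? "-initrd" : "";`, and adding a comment such as `/* In the initrd, order before the initrd-specific sysext/confext units */` keeps the two branches in step. transfer_generate() starts and ends outside the hunk.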


@ -1004,8 +1004,10 @@ int ask_password_agent(
goto finish;
}
if (req->hup_fd >= 0 && pollfd[hup_fd_idx].revents & POLLHUP)
return -ECONNRESET;
if (req->hup_fd >= 0 && pollfd[hup_fd_idx].revents & POLLHUP) {
r = -ECONNRESET;
goto finish;
}
if (inotify_fd >= 0 && pollfd[inotify_idx].revents != 0) {
(void) flush_fd(inotify_fd);
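Review bot: The `POLLHUP` branch now reaches `finish`, but the cleanup under that label and the other exits of the poll loop are outside this hunk, so it is not visible whether any remaining direct `return` taken after the ask.* file has been created skips the same cleanup. It is worth auditing the rest of ask_password_agent() for that and stating the rule at the new branch, e.g. `/* Peer hung up: leave via finish so the ask.* file in /run is removed */`. A leftover file would presumably keep advertising a query nobody is waiting on, so a regression test that aborts a query and checks that no ask.* file remains would pin this down.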


@ -3239,7 +3239,13 @@ int unit_file_get_state(
return unit_file_lookup_state(scope, &lp, name, ret);
}
int unit_file_exists_full(RuntimeScope scope, const LookupPaths *lp, const char *name, char **ret_path) {
int unit_file_exists_full(
RuntimeScope scope,
const LookupPaths *lp,
bool follow,
const char *name,
char **ret_path) {
_cleanup_(install_context_done) InstallContext c = {
.scope = scope,
};
@ -3256,7 +3262,7 @@ int unit_file_exists_full(RuntimeScope scope, const LookupPaths *lp, const char
&c,
lp,
name,
/* flags= */ 0,
follow ? SEARCH_FOLLOW_CONFIG_SYMLINKS : 0,
ret_path ? &info : NULL,
/* changes= */ NULL,
/* n_changes= */ NULL);
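Review bot: The new `bool follow` parameter of unit_file_exists_full() is undocumented, and it sits between `lp` and `name`, so a caller has to read the body to learn that it maps to `SEARCH_FOLLOW_CONFIG_SYMLINKS`. A comment above the definition would help, e.g. `/* follow: pass SEARCH_FOLLOW_CONFIG_SYMLINKS to the search, so that aliases and linked unit files are found too */`. It should also say what `*ret_path` names in that case; how it is filled from `info` is outside the hunk, so whether it can point outside the lookup paths needs to be confirmed. Callers that use the returned path for more than logging should be written with that in mind.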


@ -181,9 +181,15 @@ int unit_file_lookup_state(
int unit_file_get_state(RuntimeScope scope, const char *root_dir, const char *filename, UnitFileState *ret);
int unit_file_exists_full(RuntimeScope scope, const LookupPaths *lp, const char *name, char **ret_path);
int unit_file_exists_full(
RuntimeScope scope,
const LookupPaths *lp,
bool follow,
const char *name,
char **ret_path);
static inline int unit_file_exists(RuntimeScope scope, const LookupPaths *lp, const char *name) {
return unit_file_exists_full(scope, lp, name, NULL);
return unit_file_exists_full(scope, lp, false, name, NULL);
}
int unit_file_get_list(RuntimeScope scope, const char *root_dir, char * const *states, char * const *patterns, Hashmap **ret);
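Review bot: The inline wrapper unit_file_exists() passes a bare `false` and `NULL`, which hides at the call site that symlinks are deliberately not followed there. Annotating the arguments the way the definition annotates its own call (`/* changes= */ NULL`), i.e. `return unit_file_exists_full(scope, lp, /* follow= */ false, name, /* ret_path= */ NULL);`, keeps that default visible. The ssh-generator call site already names the argument, though its `/* follow = */` spacing differs from the form used in the definition.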


@ -475,7 +475,10 @@ static int run(const char *dest, const char *dest_early, const char *dest_late)
return r;
_cleanup_free_ char *found_sshd_template_unit = NULL;
r = unit_file_exists_full(RUNTIME_SCOPE_SYSTEM, &lp, "sshd@.service", &found_sshd_template_unit);
r = unit_file_exists_full(RUNTIME_SCOPE_SYSTEM, &lp,
/* follow = */ true,
"sshd@.service",
&found_sshd_template_unit);
if (r < 0)
return log_error_errno(r, "Unable to detect if sshd@.service exists: %m");