man/systemd.unit.xml

@@ -1495,7 +1495,6 @@
           <term><varname>AssertHost=</varname></term>
           <term><varname>AssertKernelCommandLine=</varname></term>
           <term><varname>AssertKernelVersion=</varname></term>
-          <term><varname>AssertEnvironment=</varname></term>
           <term><varname>AssertSecurity=</varname></term>
           <term><varname>AssertCapability=</varname></term>
           <term><varname>AssertACPower=</varname></term>
@@ -1507,15 +1506,12 @@
           <term><varname>AssertPathIsSymbolicLink=</varname></term>
           <term><varname>AssertPathIsMountPoint=</varname></term>
           <term><varname>AssertPathIsReadWrite=</varname></term>
-          <term><varname>AssertPathIsEncrypted=</varname></term>
           <term><varname>AssertDirectoryNotEmpty=</varname></term>
           <term><varname>AssertFileNotEmpty=</varname></term>
           <term><varname>AssertFileIsExecutable=</varname></term>
           <term><varname>AssertUser=</varname></term>
           <term><varname>AssertGroup=</varname></term>
           <term><varname>AssertControlGroupController=</varname></term>
-          <term><varname>AssertMemory=</varname></term>
-          <term><varname>AssertCPUs=</varname></term>
 
           <listitem><para>Similar to the <varname>ConditionArchitecture=</varname>,
           <varname>ConditionVirtualization=</varname>, …, condition settings described above, these settings

meson.build

@@ -221,11 +221,11 @@ conf.set_quoted('USER_CONFIG_UNIT_DIR',                       join_paths(pkgsysc
 conf.set_quoted('USER_DATA_UNIT_DIR',                         userunitdir)
 conf.set_quoted('CERTIFICATE_ROOT',                           get_option('certificate-root'))
 conf.set_quoted('CATALOG_DATABASE',                           join_paths(catalogstatedir, 'database'))
+conf.set_quoted('SYSTEMD_CGROUP_AGENT_PATH',                  join_paths(rootlibexecdir, 'systemd-cgroups-agent'))
 conf.set_quoted('SYSTEMD_BINARY_PATH',                        join_paths(rootlibexecdir, 'systemd'))
-conf.set_quoted('SYSTEMD_CGROUPS_AGENT_PATH',                 join_paths(rootlibexecdir, 'systemd-cgroups-agent'))
 conf.set_quoted('SYSTEMD_FSCK_PATH',                          join_paths(rootlibexecdir, 'systemd-fsck'))
-conf.set_quoted('SYSTEMD_GROWFS_PATH',                        join_paths(rootlibexecdir, 'systemd-growfs'))
 conf.set_quoted('SYSTEMD_MAKEFS_PATH',                        join_paths(rootlibexecdir, 'systemd-makefs'))
+conf.set_quoted('SYSTEMD_GROWFS_PATH',                        join_paths(rootlibexecdir, 'systemd-growfs'))
 conf.set_quoted('SYSTEMD_SHUTDOWN_BINARY_PATH',               join_paths(rootlibexecdir, 'systemd-shutdown'))
 conf.set_quoted('SYSTEMCTL_BINARY_PATH',                      join_paths(rootbindir, 'systemctl'))
 conf.set_quoted('SYSTEMD_TTY_ASK_PASSWORD_AGENT_BINARY_PATH', join_paths(rootbindir, 'systemd-tty-ask-password-agent'))
@@ -3438,39 +3438,40 @@ endif
 
 fuzzer_exes = []
 
-foreach tuple : fuzzers
+if fuzz_tests or fuzzer_build
-        sources = tuple[0]
+        foreach tuple : fuzzers
-        link_with = tuple[1].length() > 0 ? tuple[1] : [libshared]
+                sources = tuple[0]
-        dependencies = tuple[2]
+                link_with = tuple[1].length() > 0 ? tuple[1] : [libshared]
-        defs = tuple.length() >= 4 ? tuple[3] : []
+                dependencies = tuple[2]
-        incs = tuple.length() >= 5 ? tuple[4] : includes
+                defs = tuple.length() >= 4 ? tuple[3] : []
-        link_args = []
+                incs = tuple.length() >= 5 ? tuple[4] : includes
+                link_args = []
 
-        if want_ossfuzz
+                if want_ossfuzz
-                dependencies += fuzzing_engine
-        elif want_libfuzzer
-                if fuzzing_engine.found()
                         dependencies += fuzzing_engine
+                elif want_libfuzzer
+                        if fuzzing_engine.found()
+                                dependencies += fuzzing_engine
+                        else
+                                link_args += ['-fsanitize=fuzzer']
+                        endif
                 else
-                        link_args += ['-fsanitize=fuzzer']
+                        sources += 'src/fuzz/fuzz-main.c'
                 endif
-        else
-                sources += 'src/fuzz/fuzz-main.c'
-        endif
 
-        name = sources[0].split('/')[-1].split('.')[0]
+                name = sources[0].split('/')[-1].split('.')[0]
 
-        fuzzer_exes += executable(
+                fuzzer_exes += executable(
-                name,
+                        name,
-                sources,
+                        sources,
-                include_directories : [incs, include_directories('src/fuzz')],
+                        include_directories : [incs, include_directories('src/fuzz')],
-                link_with : link_with,
+                        link_with : link_with,
-                dependencies : dependencies,
+                        dependencies : dependencies,
-                c_args : defs,
+                        c_args : defs,
-                link_args: link_args,
+                        link_args: link_args,
-                install : false,
+                        install : false)
-                build_by_default : fuzz_tests or fuzzer_build)
+        endforeach
-endforeach
+endif
 
 run_target(
         'fuzzers',

src/basic/socket-util.c

@@ -320,7 +320,7 @@ bool socket_address_matches_fd(const SocketAddress *a, int fd) {
 }
 
 int sockaddr_port(const struct sockaddr *_sa, unsigned *ret_port) {
-        const union sockaddr_union *sa = (const union sockaddr_union*) _sa;
+        union sockaddr_union *sa = (union sockaddr_union*) _sa;
 
         /* Note, this returns the port as 'unsigned' rather than 'uint16_t', as AF_VSOCK knows larger ports */
 
@@ -345,25 +345,6 @@ int sockaddr_port(const struct sockaddr *_sa, unsigned *ret_port) {
         }
 }
 
-const union in_addr_union *sockaddr_in_addr(const struct sockaddr *_sa) {
-        const union sockaddr_union *sa = (const union sockaddr_union*) _sa;
-
-        if (!sa)
-                return NULL;
-
-        switch (sa->sa.sa_family) {
-
-        case AF_INET:
-                return (const union in_addr_union*) &sa->in.sin_addr;
-
-        case AF_INET6:
-                return (const union in_addr_union*) &sa->in6.sin6_addr;
-
-        default:
-                return NULL;
-        }
-}
-
 int sockaddr_pretty(
                 const struct sockaddr *_sa,
                 socklen_t salen,

src/basic/socket-util.h

@@ -102,7 +102,6 @@ const char* socket_address_get_path(const SocketAddress *a);
 bool socket_ipv6_is_supported(void);
 
 int sockaddr_port(const struct sockaddr *_sa, unsigned *port);
-const union in_addr_union *sockaddr_in_addr(const struct sockaddr *sa);
 
 int sockaddr_pretty(const struct sockaddr *_sa, socklen_t salen, bool translate_ipv6, bool include_port, char **ret);
 int getpeername_pretty(int fd, bool include_port, char **ret);

src/basic/virt.c

@@ -345,7 +345,7 @@ int detect_vm(void) {
         /* We have to use the correct order here:
          *
          * → First, try to detect Oracle Virtualbox, even if it uses KVM, as well as Xen even if it cloaks as Microsoft
-         *   Hyper-V. Attempt to detect uml at this stage also since it runs as a user-process nested inside other VMs.
+         *   Hyper-V.
          *
          * → Second, try to detect from CPUID, this will report KVM for whatever software is used even if info in DMI is
          *   overwritten.
@@ -358,16 +358,6 @@ int detect_vm(void) {
                 goto finish;
         }
 
-        /* Detect UML */
-        r = detect_vm_uml();
-        if (r < 0)
-                return r;
-        if (r == VIRTUALIZATION_VM_OTHER)
-                other = true;
-        else if (r != VIRTUALIZATION_NONE)
-                goto finish;
-
-        /* Detect from CPUID */
         r = detect_vm_cpuid();
         if (r < 0)
                 return r;
@@ -416,6 +406,14 @@ int detect_vm(void) {
         else if (r != VIRTUALIZATION_NONE)
                 goto finish;
 
+        r = detect_vm_uml();
+        if (r < 0)
+                return r;
+        if (r == VIRTUALIZATION_VM_OTHER)
+                other = true;
+        else if (r != VIRTUALIZATION_NONE)
+                goto finish;
+
         r = detect_vm_zvm();
         if (r < 0)
                 return r;

src/core/cgroup.c

@@ -3052,7 +3052,7 @@ int manager_setup_cgroup(Manager *m) {
                 /* On the legacy hierarchy we only get notifications via cgroup agents. (Which isn't really reliable,
                  * since it does not generate events when control groups with children run empty. */
 
-                r = cg_install_release_agent(SYSTEMD_CGROUP_CONTROLLER, SYSTEMD_CGROUPS_AGENT_PATH);
+                r = cg_install_release_agent(SYSTEMD_CGROUP_CONTROLLER, SYSTEMD_CGROUP_AGENT_PATH);
                 if (r < 0)
                         log_warning_errno(r, "Failed to install release agent, ignoring: %m");
                 else if (r > 0)

src/resolve/resolved-bus.c

@@ -1762,7 +1762,7 @@ static int bus_method_flush_caches(sd_bus_message *message, void *userdata, sd_b
         assert(message);
         assert(m);
 
-        manager_flush_caches(m, LOG_INFO);
+        manager_flush_caches(m);
 
         return sd_bus_reply_method_return(message, NULL);
 }

src/resolve/resolved-dns-cache.c

@@ -20,7 +20,7 @@
 
 /* How long to cache strange rcodes, i.e. rcodes != SUCCESS and != NXDOMAIN (specifically: that's only SERVFAIL for
  * now) */
-#define CACHE_TTL_STRANGE_RCODE_USEC (10 * USEC_PER_SEC)
+#define CACHE_TTL_STRANGE_RCODE_USEC (30 * USEC_PER_SEC)
 
 typedef enum DnsCacheItemType DnsCacheItemType;
 typedef struct DnsCacheItem DnsCacheItem;

src/resolve/resolved-dns-scope.c

@@ -412,36 +412,9 @@ static int dns_scope_socket(
         if (ret_socket_address)
                 *ret_socket_address = sa;
         else {
-                bool bound = false;
-
-                /* Let's temporarily bind the socket to the specified ifindex. The kernel currently takes
-                 * only the SO_BINDTODEVICE/SO_BINDTOINDEX ifindex into account when making routing decisions
-                 * in connect() — and not IP_UNICAST_IF. We don't really want any of the other semantics of
-                 * SO_BINDTODEVICE/SO_BINDTOINDEX, hence we immediately unbind the socket after the fact
-                 * again.
-                 *
-                 * As a special exception we don't do this if we notice that the specified IP address is on
-                 * the local host. SO_BINDTODEVICE in combination with destination addresses on the local
-                 * host result in EHOSTUNREACH, since Linux won't send the packets out of the specified
-                 * interface, but delivers them directly to the local socket. */
-                if (s->link &&
-                    !manager_find_link_address(s->manager, sa.sa.sa_family, sockaddr_in_addr(&sa.sa))) {
-                        r = socket_bind_to_ifindex(fd, ifindex);
-                        if (r < 0)
-                                return r;
-
-                        bound = true;
-                }
-
                 r = connect(fd, &sa.sa, salen);
                 if (r < 0 && errno != EINPROGRESS)
                         return -errno;
-
-                if (bound) {
-                        r = socket_bind_to_ifindex(fd, 0);
-                        if (r < 0)
-                                return r;
-                }
         }
 
         return TAKE_FD(fd);
@@ -505,8 +478,9 @@ DnsScopeMatch dns_scope_good_domain(
         if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family, 0) & flags) == 0)
                 return DNS_SCOPE_NO;
 
-        /* Never resolve any loopback hostname or IP address via DNS, LLMNR or mDNS. Instead, always rely on
+        /* Never resolve any loopback hostname or IP address via DNS,
-         * synthesized RRs for these. */
+         * LLMNR or mDNS. Instead, always rely on synthesized RRs for
+         * these. */
         if (is_localhost(domain) ||
             dns_name_endswith(domain, "127.in-addr.arpa") > 0 ||
             dns_name_equal(domain, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
@@ -522,15 +496,6 @@ DnsScopeMatch dns_scope_good_domain(
         if (dns_name_endswith(domain, "invalid") > 0)
                 return DNS_SCOPE_NO;
 
-        /* Never go to network for the _gateway domain, it's something special, synthesized locally. Note
-         * that we don't use is_gateway_hostname() here, since that has support for the legacy "gateway"
-         * hostname (without the prefix underscore), which we don't want to filter on all protocols. i.e. we
-         * don't want to filter "gateway" on classic DNS, since there might very well be such a host inside
-         * some search domain, and we shouldn't block that. We do filter it in LLMNR however (and on mDNS by
-         * side-effect, since it's a single-label name which mDNS doesn't accept anyway). */
-        if (dns_name_equal(domain, "_gateway") > 0)
-                return DNS_SCOPE_NO;
-
         switch (s->protocol) {
 
         case DNS_PROTOCOL_DNS: {
@@ -623,7 +588,7 @@ DnsScopeMatch dns_scope_good_domain(
                         return DNS_SCOPE_MAYBE;
 
                 if ((dns_name_is_single_label(domain) && /* only resolve single label names via LLMNR */
-                     !is_gateway_hostname(domain) && /* don't resolve "_gateway" with LLMNR, let local synthesizing logic handle that */
+                     !is_gateway_hostname(domain) && /* don't resolve "gateway" with LLMNR, let nss-myhostname handle this */
                      dns_name_equal(domain, "local") == 0 && /* don't resolve "local" with LLMNR, it's the top-level domain of mDNS after all, see above */
                      manager_is_own_hostname(s->manager, domain) <= 0))  /* never resolve the local hostname via LLMNR */
                         return DNS_SCOPE_YES_BASE + 1; /* Return +1, as we consider ourselves authoritative

src/resolve/resolved-dns-server.c

@@ -530,7 +530,7 @@ int dns_server_adjust_opt(DnsServer *server, DnsPacket *packet, DnsServerFeature
 
         edns_do = level >= DNS_SERVER_FEATURE_LEVEL_DO;
 
-        if (level == DNS_SERVER_FEATURE_LEVEL_LARGE)
+        if (level >= DNS_SERVER_FEATURE_LEVEL_LARGE)
                 packet_size = DNS_PACKET_UNICAST_SIZE_LARGE_MAX;
         else
                 packet_size = server->received_udp_packet_max;

src/resolve/resolved-dns-stub.c

@@ -379,7 +379,8 @@ static void dns_stub_process_query(Manager *m, DnsStubListenerExtra *l, DnsStrea
         if (!l && /* l == NULL if this is the main stub */
             (in_addr_is_localhost(p->family, &p->sender) <= 0 ||
              in_addr_is_localhost(p->family, &p->destination) <= 0)) {
-                log_warning("Got packet on unexpected (i.e. non-localhost) IP range, ignoring.");
+                log_error("Got packet on unexpected IP range, refusing.");
+                dns_stub_send_failure(m, l, s, p, DNS_RCODE_SERVFAIL, false);
                 return;
         }
 

src/resolve/resolved-etc-hosts.c

@@ -10,7 +10,6 @@
 #include "resolved-dns-synthesize.h"
 #include "resolved-etc-hosts.h"
 #include "socket-netlink.h"
-#include "stat-util.h"
 #include "string-util.h"
 #include "strv.h"
 #include "time-util.h"
@@ -37,7 +36,9 @@ void etc_hosts_free(EtcHosts *hosts) {
 
 void manager_etc_hosts_flush(Manager *m) {
         etc_hosts_free(&m->etc_hosts);
-        m->etc_hosts_stat = (struct stat) {};
+        m->etc_hosts_mtime = USEC_INFINITY;
+        m->etc_hosts_ino = 0;
+        m->etc_hosts_dev = 0;
 }
 
 static int parse_line(EtcHosts *hosts, unsigned nr, const char *line) {
@@ -113,6 +114,10 @@ static int parse_line(EtcHosts *hosts, unsigned nr, const char *line) {
                         continue;
                 }
 
+                if (is_localhost(name))
+                        /* Suppress the "localhost" line that is often seen */
+                        continue;
+
                 if (!item) {
                         /* Optimize the case where we don't need to store any addresses, by storing
                          * only the name in a dedicated Set instead of the hashmap */
@@ -159,95 +164,6 @@ static int parse_line(EtcHosts *hosts, unsigned nr, const char *line) {
         return 0;
 }
 
-static void strip_localhost(EtcHosts *hosts) {
-        static const struct in_addr_data local_in_addrs[] = {
-                {
-                        .family = AF_INET,
-#if __BYTE_ORDER == __LITTLE_ENDIAN
-                        /* We want constant expressions here, that's why we don't use htole32() here */
-                        .address.in.s_addr = UINT32_C(0x0100007F),
-#else
-                        .address.in.s_addr = UINT32_C(0x7F000001),
-#endif
-                },
-                {
-                        .family = AF_INET6,
-                        .address.in6 = IN6ADDR_LOOPBACK_INIT,
-                },
-        };
-
-        EtcHostsItem *item;
-
-        assert(hosts);
-
-        /* Removes the 'localhost' entry from what we loaded. But only if the mapping is exclusively between
-         * 127.0.0.1 and localhost (or aliases to that we recognize). If there's any other name assigned to
-         * it, we leave the entry in.
-         *
-         * This way our regular synthesizing can take over, but only if it would result in the exact same
-         * mappings.  */
-
-        for (size_t j = 0; j < ELEMENTSOF(local_in_addrs); j++) {
-                bool all_localhost, in_order;
-                char **i;
-
-                item = hashmap_get(hosts->by_address, local_in_addrs + j);
-                if (!item)
-                        continue;
-
-                /* Check whether all hostnames the loopback address points to are localhost ones */
-                all_localhost = true;
-                STRV_FOREACH(i, item->names)
-                        if (!is_localhost(*i)) {
-                                all_localhost = false;
-                                break;
-                        }
-
-                if (!all_localhost) /* Not all names are localhost, hence keep the entries for this address. */
-                        continue;
-
-                /* Now check if the names listed for this address actually all point back just to this
-                 * address (or the other loopback address). If not, let's stay away from this too. */
-                in_order = true;
-                STRV_FOREACH(i, item->names) {
-                        EtcHostsItemByName *n;
-                        bool all_local_address;
-
-                        n = hashmap_get(hosts->by_name, *i);
-                        if (!n) /* No reverse entry? Then almost certainly the entry already got deleted from
-                                 * the previous iteration of this loop, i.e. via the other protocol */
-                                break;
-
-                        /* Now check if the addresses of this item are all localhost addresses */
-                        all_local_address = true;
-                        for (size_t m = 0; m < n->n_addresses; m++)
-                                if (!in_addr_is_localhost(n->addresses[m]->family, &n->addresses[m]->address)) {
-                                        all_local_address = false;
-                                        break;
-                                }
-
-                        if (!all_local_address) {
-                                in_order = false;
-                                break;
-                        }
-                }
-
-                if (!in_order)
-                        continue;
-
-                STRV_FOREACH(i, item->names) {
-                        EtcHostsItemByName *n;
-
-                        n = hashmap_remove(hosts->by_name, *i);
-                        if (n)
-                                etc_hosts_item_by_name_free(n);
-                }
-
-                assert_se(hashmap_remove(hosts->by_address, local_in_addrs + j) == item);
-                etc_hosts_item_free(item);
-        }
-}
-
 int etc_hosts_parse(EtcHosts *hosts, FILE *f) {
         _cleanup_(etc_hosts_free) EtcHosts t = {};
         unsigned nr = 0;
@@ -278,8 +194,6 @@ int etc_hosts_parse(EtcHosts *hosts, FILE *f) {
                         return r;
         }
 
-        strip_localhost(&t);
-
         etc_hosts_free(hosts);
         *hosts = t;
         t = (EtcHosts) {}; /* prevent cleanup */
@@ -300,7 +214,7 @@ static int manager_etc_hosts_read(Manager *m) {
 
         m->etc_hosts_last = ts;
 
-        if (m->etc_hosts_stat.st_mode != 0) {
+        if (m->etc_hosts_mtime != USEC_INFINITY) {
                 if (stat("/etc/hosts", &st) < 0) {
                         if (errno != ENOENT)
                                 return log_error_errno(errno, "Failed to stat /etc/hosts: %m");
@@ -310,7 +224,8 @@ static int manager_etc_hosts_read(Manager *m) {
                 }
 
                 /* Did the mtime or ino/dev change? If not, there's no point in re-reading the file. */
-                if (stat_inode_unmodified(&m->etc_hosts_stat, &st))
+                if (timespec_load(&st.st_mtim) == m->etc_hosts_mtime &&
+                    st.st_ino == m->etc_hosts_ino && st.st_dev == m->etc_hosts_dev)
                         return 0;
         }
 
@@ -333,7 +248,9 @@ static int manager_etc_hosts_read(Manager *m) {
         if (r < 0)
                 return r;
 
-        m->etc_hosts_stat = st;
+        m->etc_hosts_mtime = timespec_load(&st.st_mtim);
+        m->etc_hosts_ino = st.st_ino;
+        m->etc_hosts_dev = st.st_dev;
         m->etc_hosts_last = ts;
 
         return 1;

src/resolve/resolved-link-bus.c

@@ -9,7 +9,6 @@
 #include "bus-get-properties.h"
 #include "bus-message-util.h"
 #include "bus-polkit.h"
-#include "log-link.h"
 #include "parse-util.h"
 #include "resolve-util.h"
 #include "resolved-bus.h"
@@ -253,7 +252,6 @@ static int verify_unmanaged_link(Link *l, sd_bus_error *error) {
 }
 
 static int bus_link_method_set_dns_servers_internal(sd_bus_message *message, void *userdata, sd_bus_error *error, bool extended) {
-        _cleanup_free_ char *j = NULL;
         struct in_addr_full **dns;
         Link *l = userdata;
         size_t n;
@@ -281,21 +279,6 @@ static int bus_link_method_set_dns_servers_internal(sd_bus_message *message, voi
                 goto finalize;
         }
 
-        for (size_t i = 0; i < n; i++) {
-                const char *s;
-
-                s = in_addr_full_to_string(dns[i]);
-                if (!s) {
-                        r = -ENOMEM;
-                        goto finalize;
-                }
-
-                if (!strextend_with_separator(&j, ", ", s, NULL)) {
-                        r = -ENOMEM;
-                        goto finalize;
-                }
-        }
-
         dns_server_mark_all(l->dns_servers);
 
         for (size_t i = 0; i < n; i++) {
@@ -321,11 +304,6 @@ static int bus_link_method_set_dns_servers_internal(sd_bus_message *message, voi
         (void) manager_write_resolv_conf(l->manager);
         (void) manager_send_changed(l->manager, "DNS");
 
-        if (j)
-                log_link_info(l, "Bus client set DNS server list to: %s", j);
-        else
-                log_link_info(l, "Bus client reset DNS server list.");
-
         r = sd_bus_reply_method_return(message, NULL);
 
 finalize:
@@ -345,7 +323,6 @@ int bus_link_method_set_dns_servers_ex(sd_bus_message *message, void *userdata,
 }
 
 int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_error *error) {
-        _cleanup_free_ char *j = NULL;
         Link *l = userdata;
         int r;
 
@@ -361,7 +338,6 @@ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_
                 return r;
 
         for (;;) {
-                _cleanup_free_ char *prefixed = NULL;
                 const char *name;
                 int route_only;
 
@@ -378,17 +354,6 @@ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_
                         return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid search domain %s", name);
                 if (!route_only && dns_name_is_root(name))
                         return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Root domain is not suitable as search domain");
-
-                if (route_only) {
-                        prefixed = strjoin("~", name);
-                        if (!prefixed)
-                                return -ENOMEM;
-
-                        name = prefixed;
-                }
-
-                if (!strextend_with_separator(&j, ", ", name, NULL))
-                        return -ENOMEM;
         }
 
         r = sd_bus_message_rewind(message, false);
@@ -441,11 +406,6 @@ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_
         (void) link_save_user(l);
         (void) manager_write_resolv_conf(l->manager);
 
-        if (j)
-                log_link_info(l, "Bus client set search domain list to: %s", j);
-        else
-                log_link_info(l, "Bus client reset search domain list.");
-
         return sd_bus_reply_method_return(message, NULL);
 
 clear:
@@ -484,8 +444,6 @@ int bus_link_method_set_default_route(sd_bus_message *message, void *userdata, s
                 (void) manager_write_resolv_conf(l->manager);
         }
 
-        log_link_info(l, "Bus client set default route setting: %s", yes_no(b));
-
         return sd_bus_reply_method_return(message, NULL);
 }
 
@@ -529,8 +487,6 @@ int bus_link_method_set_llmnr(sd_bus_message *message, void *userdata, sd_bus_er
 
         (void) link_save_user(l);
 
-        log_link_info(l, "Bus client set LLMNR setting: %s", resolve_support_to_string(mode));
-
         return sd_bus_reply_method_return(message, NULL);
 }
 
@@ -574,8 +530,6 @@ int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_err
 
         (void) link_save_user(l);
 
-        log_link_info(l, "Bus client set MulticastDNS setting: %s", resolve_support_to_string(mode));
-
         return sd_bus_reply_method_return(message, NULL);
 }
 
@@ -617,9 +571,6 @@ int bus_link_method_set_dns_over_tls(sd_bus_message *message, void *userdata, sd
 
         (void) link_save_user(l);
 
-        log_link_info(l, "Bus client set DNSOverTLS setting: %s",
-                      mode < 0 ? "default" : dns_over_tls_mode_to_string(mode));
-
         return sd_bus_reply_method_return(message, NULL);
 }
 
@@ -661,16 +612,12 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e
 
         (void) link_save_user(l);
 
-        log_link_info(l, "Bus client set DNSSEC setting: %s",
-                      mode < 0 ? "default" : dnssec_mode_to_string(mode));
-
         return sd_bus_reply_method_return(message, NULL);
 }
 
 int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, void *userdata, sd_bus_error *error) {
         _cleanup_set_free_free_ Set *ns = NULL;
         _cleanup_strv_free_ char **ntas = NULL;
-        _cleanup_free_ char *j = NULL;
         Link *l = userdata;
         int r;
         char **i;
@@ -701,9 +648,6 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v
                 r = set_put_strdup(&ns, *i);
                 if (r < 0)
                         return r;
-
-                if (!strextend_with_separator(&j, ", ", *i, NULL))
-                        return -ENOMEM;
         }
 
         r = bus_verify_polkit_async(message, CAP_NET_ADMIN,
@@ -720,11 +664,6 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v
 
         (void) link_save_user(l);
 
-        if (j)
-                log_link_info(l, "Bus client set NTA list to: %s", j);
-        else
-                log_link_info(l, "Bus client reset NTA list.");
-
         return sd_bus_reply_method_return(message, NULL);
 }
 

src/resolve/resolved-manager.c

@@ -313,54 +313,6 @@ static int manager_network_monitor_listen(Manager *m) {
         return 0;
 }
 
-static int manager_clock_change_listen(Manager *m);
-
-static int on_clock_change(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
-        Manager *m = userdata;
-
-        assert(m);
-
-        /* The clock has changed, let's flush all caches. Why that? That's because DNSSEC validation takes
-         * the system clock into consideration, and if the clock changes the old validations might have been
-         * wrong. Let's redo all validation with the new, correct time.
-         *
-         * (Also, this is triggered after system suspend, which is also a good reason to drop caches, since
-         * we might be connected to a different network now without this being visible in a dropped link
-         * carrier or so.) */
-
-        log_info("Clock change detected. Flushing caches.");
-        manager_flush_caches(m, LOG_DEBUG /* downgrade the functions own log message, since we already logged here at LOG_INFO level */);
-
-        /* The clock change timerfd is unusable after it triggered once, create a new one. */
-        return manager_clock_change_listen(m);
-}
-
-static int manager_clock_change_listen(Manager *m) {
-        _cleanup_close_ int fd = -1;
-        int r;
-
-        assert(m);
-
-        m->clock_change_event_source = sd_event_source_unref(m->clock_change_event_source);
-
-        fd = time_change_fd();
-        if (fd < 0)
-                return log_error_errno(fd, "Failed to allocate clock change timer fd: %m");
-
-        r = sd_event_add_io(m->event, &m->clock_change_event_source, fd, EPOLLIN, on_clock_change, m);
-        if (r < 0)
-                return log_error_errno(r, "Failed to create clock change event source: %m");
-
-        r = sd_event_source_set_io_fd_own(m->clock_change_event_source, true);
-        if (r < 0)
-                return log_error_errno(r, "Failed to pass ownership of clock fd to event source: %m");
-        TAKE_FD(fd);
-
-        (void) sd_event_source_set_description(m->clock_change_event_source, "clock-change");
-
-        return 0;
-}
-
 static int determine_hostname(char **full_hostname, char **llmnr_hostname, char **mdns_hostname) {
         _cleanup_free_ char *h = NULL, *n = NULL;
 #if HAVE_LIBIDN2
@@ -597,7 +549,7 @@ static int manager_sigusr2(sd_event_source *s, const struct signalfd_siginfo *si
         assert(si);
         assert(m);
 
-        manager_flush_caches(m, LOG_INFO);
+        manager_flush_caches(m);
 
         return 0;
 }
@@ -641,6 +593,9 @@ int manager_new(Manager **ret) {
                 .read_resolv_conf = true,
                 .need_builtin_fallbacks = true,
                 .etc_hosts_last = USEC_INFINITY,
+                .etc_hosts_mtime = USEC_INFINITY,
+                .etc_hosts_ino = 0,
+                .etc_hosts_dev = 0,
                 .read_etc_hosts = true,
         };
 
@@ -687,10 +642,6 @@ int manager_new(Manager **ret) {
         if (r < 0)
                 return r;
 
-        r = manager_clock_change_listen(m);
-        if (r < 0)
-                return r;
-
         r = manager_connect_bus(m);
         if (r < 0)
                 return r;
@@ -758,7 +709,6 @@ Manager *manager_free(Manager *m) {
 
         sd_netlink_unref(m->rtnl);
         sd_event_source_unref(m->rtnl_event_source);
-        sd_event_source_unref(m->clock_change_event_source);
 
         manager_llmnr_stop(m);
         manager_mdns_stop(m);
@@ -1490,7 +1440,7 @@ bool manager_routable(Manager *m) {
         return false;
 }
 
-void manager_flush_caches(Manager *m, int log_level) {
+void manager_flush_caches(Manager *m) {
         DnsScope *scope;
 
         assert(m);
@@ -1498,7 +1448,7 @@ void manager_flush_caches(Manager *m, int log_level) {
         LIST_FOREACH(scopes, scope, m->dns_scopes)
                 dns_cache_flush(&scope->cache);
 
-        log_full(log_level, "Flushed all caches.");
+        log_info("Flushed all caches.");
 }
 
 void manager_reset_server_features(Manager *m) {

src/resolve/resolved-manager.h

@@ -129,8 +129,9 @@ struct Manager {
 
         /* Data from /etc/hosts */
         EtcHosts etc_hosts;
-        usec_t etc_hosts_last;
+        usec_t etc_hosts_last, etc_hosts_mtime;
-        struct stat etc_hosts_stat;
+        ino_t etc_hosts_ino;
+        dev_t etc_hosts_dev;
         bool read_etc_hosts;
 
         OrderedSet *dns_extra_stub_listeners;
@@ -142,8 +143,6 @@ struct Manager {
         Hashmap *polkit_registry;
 
         VarlinkServer *varlink_server;
-
-        sd_event_source *clock_change_event_source;
 };
 
 /* Manager */
@@ -189,7 +188,7 @@ void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResource
 
 bool manager_routable(Manager *m);
 
-void manager_flush_caches(Manager *m, int log_level);
+void manager_flush_caches(Manager *m);
 void manager_reset_server_features(Manager *m);
 
 void manager_cleanup_saved_user(Manager *m);

src/resolve/resolved.c

@@ -58,7 +58,7 @@ static int run(int argc, char *argv[]) {
                 if (r < 0)
                         return log_error_errno(r, "Could not create runtime directory: %m");
 
-                /* Drop privileges, but keep three caps. Note that we drop two of those too, later on (see below) */
+                /* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */
                 r = drop_privileges(uid, gid,
                                     (UINT64_C(1) << CAP_NET_RAW)|          /* needed for SO_BINDTODEVICE */
                                     (UINT64_C(1) << CAP_NET_BIND_SERVICE)| /* needed to bind on port 53 */
@@ -83,7 +83,7 @@ static int run(int argc, char *argv[]) {
         (void) manager_check_resolv_conf(m);
 
         /* Let's drop the remaining caps now */
-        r = capability_bounding_set_drop((UINT64_C(1) << CAP_NET_RAW), true);
+        r = capability_bounding_set_drop(0, true);
         if (r < 0)
                 return log_error_errno(r, "Failed to drop remaining caps: %m");
 

src/shared/dns-domain.c

@@ -1291,14 +1291,8 @@ int dns_name_apply_idna(const char *name, char **ret) {
         assert(name);
         assert(ret);
 
-        /* First, try non-transitional mode (i.e. IDN2008 rules) */
         r = sym_idn2_lookup_u8((uint8_t*) name, (uint8_t**) &t,
                                IDN2_NFC_INPUT | IDN2_NONTRANSITIONAL);
-        if (r == IDN2_DISALLOWED) /* If that failed, because of disallowed characters, try transitional mode.
-                                   * (i.e. IDN2003 rules which supports some unicode chars IDN2008 doesn't allow). */
-                r = sym_idn2_lookup_u8((uint8_t*) name, (uint8_t**) &t,
-                                       IDN2_NFC_INPUT | IDN2_TRANSITIONAL);
-
         log_debug("idn2_lookup_u8: %s → %s", name, t);
         if (r == IDN2_OK) {
                 if (!startswith(name, "xn--")) {