Merge fb437dc7ab into 69af4849aa

Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Martin Srebotnjak <miles@filmsi.net>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/sl/
Translation: systemd/main

meson.build

@@ -1579,6 +1579,29 @@ conf.set('DEFAULT_DNS_OVER_TLS_MODE',
          'DNS_OVER_TLS_' + default_dns_over_tls.underscorify().to_upper())
 conf.set_quoted('DEFAULT_DNS_OVER_TLS_MODE_STR', default_dns_over_tls)
 
+dns_over_https = get_option('dns-over-https')
+if dns_over_https != 'false'
+         have = true
+         if conf.get('HAVE_LIBCURL') == 0
+            message('DNS-over-HTTPS support depends on libcurl, but dependencies are not available')
+            have = false
+         endif
+         if conf.get('HAVE_OPENSSL') == 0
+            message('openssl required, but not available')
+            have = false
+         endif
+endif
+conf.set10('ENABLE_DNS_OVER_HTTPS', have)
+
+default_dns_over_https = get_option('default-dns-over-https')
+if default_dns_over_https != 'no' and conf.get('ENABLE_DNS_OVER_HTTPS') == 0
+        message('default-dns-over-https cannot be enabled. Setting default-dns-over-https to no.')
+        default_dns_over_https = 'no'
+endif
+conf.set('DEFAULT_DNS_OVER_HTTPS_MODE',
+         'DNS_OVER_HTTPS_' + default_dns_over_https.underscorify().to_upper())
+conf.set_quoted('DEFAULT_DNS_OVER_HTTPS_MODE_STR', default_dns_over_https)
+
 default_mdns = get_option('default-mdns')
 conf.set('DEFAULT_MDNS_MODE',
          'RESOLVE_SUPPORT_' + default_mdns.to_upper())
@@ -3002,6 +3025,7 @@ summary({
         'default compression method' :      compression,
         'default DNSSEC mode' :             default_dnssec,
         'default DNS-over-TLS mode' :       default_dns_over_tls,
+        'default DNS-over-HTTPS mode' :     default_dns_over_https,
         'default mDNS mode' :               default_mdns,
         'default LLMNR mode' :              default_llmnr,
         'default DNS servers' :             dns_servers.split(' '),

meson_options.txt

@@ -353,6 +353,10 @@ option('default-dns-over-tls', type : 'combo',
        description : 'default DNS-over-TLS mode',
        choices : ['yes', 'opportunistic', 'no'],
        value : 'no')
+option('default-dns-over-https', type : 'combo',
+       description : 'default DNS-over-HTTPS mode',
+       choices : ['yes', 'no'],
+       value : 'no')
 option('default-mdns', type : 'combo',
        choices : ['yes', 'resolve', 'no'],
        description : 'default MulticastDNS mode',
@@ -363,6 +367,8 @@ option('default-llmnr', type : 'combo',
        value : 'yes')
 option('dns-over-tls', type : 'combo', choices : ['auto', 'gnutls', 'openssl', 'true', 'false'],
        description : 'DNS-over-TLS support')
+option('dns-over-https', type : 'combo', choices : ['true', 'false'],
+       description : 'DNS-over-HTTPS support')
 option('dns-servers', type : 'string',
        description : 'space-separated list of default DNS servers',
        value : '1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google 1.0.0.1#cloudflare-dns.com 8.8.4.4#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2001:4860:4860::8888#dns.google 2606:4700:4700::1001#cloudflare-dns.com 2001:4860:4860::8844#dns.google')

po/fi.po

@@ -3,12 +3,13 @@
 # Finnish translation of systemd.
 # Jan Kuparinen <copper_fin@hotmail.com>, 2021, 2022, 2023.
 # Ricky Tigg <ricky.tigg@gmail.com>, 2022, 2024.
+# Jiri Grönroos <jiri.gronroos@iki.fi>, 2024.
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-09-12 13:43+0000\n"
-"Last-Translator: Ricky Tigg <ricky.tigg@gmail.com>\n"
+"PO-Revision-Date: 2024-11-20 19:13+0000\n"
+"Last-Translator: Jiri Grönroos <jiri.gronroos@iki.fi>\n"
 "Language-Team: Finnish <https://translate.fedoraproject.org/projects/systemd/"
 "main/fi/>\n"
 "Language: fi\n"
@@ -16,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 5.7.2\n"
+"X-Generator: Weblate 5.8.2\n"
 
 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@@ -112,14 +113,12 @@ msgid "Authentication is required to update a user's home area."
 msgstr "Todennus vaaditaan käyttäjän kotialueen päivittämiseksi."
 
 #: src/home/org.freedesktop.home1.policy:53
-#, fuzzy
 msgid "Update your home area"
 msgstr "Päivitä kotialue"
 
 #: src/home/org.freedesktop.home1.policy:54
-#, fuzzy
 msgid "Authentication is required to update your home area."
-msgstr "Todennus vaaditaan käyttäjän kotialueen päivittämiseksi."
+msgstr "Todennus vaaditaan kotialueen päivittämiseksi."
 
 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@@ -1174,14 +1173,11 @@ msgstr "Todennus vaaditaan vanhojen järjestelmäpäivitysten puhdistamiseen."
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr ""
+msgstr "Hallitse valinnaisia ominaisuuksia"
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
-msgstr ""
-"Todennus vaaditaan aktiivisten istuntojen, käyttäjien ja paikkojen "
-"hallintaan."
+msgstr "Todennus vaaditaan valinnaisten ominaisuuksien hallintaan"
 
 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"

po/fr.po

@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-11-07 09:30+0000\n"
+"PO-Revision-Date: 2024-11-20 19:13+0000\n"
 "Last-Translator: Léane GRASSER <leane.grasser@proton.me>\n"
 "Language-Team: French <https://translate.fedoraproject.org/projects/systemd/"
 "main/fr/>\n"
@@ -360,8 +360,8 @@ msgid ""
 "Authentication is required to set the statically configured local hostname, "
 "as well as the pretty hostname."
 msgstr ""
-"Une authentification est requise pour définir le nom d'hôte local de manière "
-"statique, ainsi que le nom d'hôte familier."
+"Une authentification est requise pour définir le nom d'hôte local configuré "
+"de manière statique, ainsi que le nom d'hôte convivial."
 
 #: src/hostname/org.freedesktop.hostname1.policy:41
 msgid "Set machine information"

po/sl.po

@@ -7,7 +7,7 @@ msgstr ""
 "Project-Id-Version: systemd\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-08-26 19:38+0000\n"
+"PO-Revision-Date: 2024-11-20 19:13+0000\n"
 "Last-Translator: Martin Srebotnjak <miles@filmsi.net>\n"
 "Language-Team: Slovenian <https://translate.fedoraproject.org/projects/"
 "systemd/main/sl/>\n"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=4; plural=n%100==1 ? 0 : n%100==2 ? 1 : n%100==3 || "
 "n%100==4 ? 2 : 3;\n"
-"X-Generator: Weblate 5.7\n"
+"X-Generator: Weblate 5.8.2\n"
 
 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@@ -125,16 +125,13 @@ msgstr ""
 "območja."
 
 #: src/home/org.freedesktop.home1.policy:53
-#, fuzzy
 msgid "Update your home area"
 msgstr "Posodobite domače območje"
 
 #: src/home/org.freedesktop.home1.policy:54
-#, fuzzy
 msgid "Authentication is required to update your home area."
 msgstr ""
-"Preverjanje pristnosti je potrebno za posodobitev uporabnikovega domačega "
-"območja."
+"Preverjanje pristnosti je potrebno za posodobitev vašega domačega območja."
 
 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@@ -1234,14 +1231,12 @@ msgstr ""
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr ""
+msgstr "Upravljaj dodatne funkcionalnosti"
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
 msgstr ""
-"Preverjanje pristnosti je potrebno za upravljanje aktivnih sej, uporabnikov "
-"in delovišč."
+"Preverjanje pristnosti je potrebno za upravljanje dodatnih funkcionalnosti."
 
 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"

po/uk.po

@@ -4,12 +4,13 @@
 # Eugene Melnik <jeka7js@gmail.com>, 2014.
 # Daniel Korostil <ted.korostiled@gmail.com>, 2014, 2016, 2018.
 # Yuri Chornoivan <yurchor@ukr.net>, 2019, 2020, 2021, 2022, 2023, 2024.
+# Dmytro Markevych <hotr1pak@gmail.com>, 2024.
 msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-08-24 10:36+0000\n"
-"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
+"PO-Revision-Date: 2024-11-20 19:13+0000\n"
+"Last-Translator: Dmytro Markevych <hotr1pak@gmail.com>\n"
 "Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/"
 "systemd/main/uk/>\n"
 "Language: uk\n"
@@ -18,7 +19,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && "
 "n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
-"X-Generator: Weblate 5.7\n"
+"X-Generator: Weblate 5.8.2\n"
 
 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@@ -118,14 +119,12 @@ msgid "Authentication is required to update a user's home area."
 msgstr "Для оновлення домашньої теки користувача слід пройти розпізнавання."
 
 #: src/home/org.freedesktop.home1.policy:53
-#, fuzzy
 msgid "Update your home area"
-msgstr "Оновлення домашньої теки"
+msgstr "Оновіть свій домашній простір"
 
 #: src/home/org.freedesktop.home1.policy:54
-#, fuzzy
 msgid "Authentication is required to update your home area."
-msgstr "Для оновлення домашньої теки користувача слід пройти розпізнавання."
+msgstr "Для оновлення домашньої області потрібна автентифікація."
 
 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@@ -1212,14 +1211,11 @@ msgstr "Для вилучення застарілих оновлень сист
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:75
 msgid "Manage optional features"
-msgstr ""
+msgstr "Керування додатковими функціями"
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features"
-msgstr ""
-"Для того, щоб керувати сеансами, користувачами і робочими місцями, слід "
-"пройти розпізнавання."
+msgstr "Для керування додатковими функціями потрібна автентифікація"
 
 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"

src/basic/cgroup-util.c

@@ -803,6 +803,10 @@ int cg_pid_get_path(const char *controller, pid_t pid, char **ret_path) {
                 if (!path)
                         return -ENOMEM;
 
+                /* Refuse cgroup paths from outside our cgroup namespace */
+                if (startswith(path, "/../"))
+                        return -EUNATCH;
+
                 /* Truncate suffix indicating the process is a zombie */
                 e = endswith(path, " (deleted)");
                 if (e)

src/basic/process-util.c

@@ -102,8 +102,8 @@ int pid_get_comm(pid_t pid, char **ret) {
         _cleanup_free_ char *escaped = NULL, *comm = NULL;
         int r;
 
-        assert(ret);
         assert(pid >= 0);
+        assert(ret);
 
         if (pid == 0 || pid == getpid_cached()) {
                 comm = new0(char, TASK_COMM_LEN + 1); /* Must fit in 16 byte according to prctl(2) */
@@ -143,6 +143,9 @@ int pidref_get_comm(const PidRef *pid, char **ret) {
         if (!pidref_is_set(pid))
                 return -ESRCH;
 
+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
         r = pid_get_comm(pid->pid, &comm);
         if (r < 0)
                 return r;
@@ -289,6 +292,9 @@ int pidref_get_cmdline(const PidRef *pid, size_t max_columns, ProcessCmdlineFlag
         if (!pidref_is_set(pid))
                 return -ESRCH;
 
+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
         r = pid_get_cmdline(pid->pid, max_columns, flags, &s);
         if (r < 0)
                 return r;
@@ -331,6 +337,9 @@ int pidref_get_cmdline_strv(const PidRef *pid, ProcessCmdlineFlags flags, char *
         if (!pidref_is_set(pid))
                 return -ESRCH;
 
+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
         r = pid_get_cmdline_strv(pid->pid, flags, &args);
         if (r < 0)
                 return r;
@@ -477,6 +486,9 @@ int pidref_is_kernel_thread(const PidRef *pid) {
         if (!pidref_is_set(pid))
                 return -ESRCH;
 
+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
         result = pid_is_kernel_thread(pid->pid);
         if (result < 0)
                 return result;
@@ -594,6 +606,9 @@ int pidref_get_uid(const PidRef *pid, uid_t *ret) {
         if (!pidref_is_set(pid))
                 return -ESRCH;
 
+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
         r = pid_get_uid(pid->pid, &uid);
         if (r < 0)
                 return r;
@@ -794,6 +809,9 @@ int pidref_get_start_time(const PidRef *pid, usec_t *ret) {
         if (!pidref_is_set(pid))
                 return -ESRCH;
 
+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
         r = pid_get_start_time(pid->pid, ret ? &t : NULL);
         if (r < 0)
                 return r;
@@ -1093,6 +1111,9 @@ int pidref_is_my_child(const PidRef *pid) {
         if (!pidref_is_set(pid))
                 return -ESRCH;
 
+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
         result = pid_is_my_child(pid->pid);
         if (result < 0)
                 return result;
@@ -1128,6 +1149,9 @@ int pidref_is_unwaited(const PidRef *pid) {
         if (!pidref_is_set(pid))
                 return -ESRCH;
 
+        if (pidref_is_remote(pid))
+                return -EREMOTE;
+
         if (pid->pid == 1 || pidref_is_self(pid))
                 return true;
 
@@ -1169,6 +1193,9 @@ int pidref_is_alive(const PidRef *pidref) {
         if (!pidref_is_set(pidref))
                 return -ESRCH;
 
+        if (pidref_is_remote(pidref))
+                return -EREMOTE;
+
         result = pid_is_alive(pidref->pid);
         if (result < 0) {
                 assert(result != -ESRCH);

src/cryptenroll/cryptenroll-fido2.c

@@ -193,7 +193,7 @@ int enroll_fido2(
                 fflush(stdout);
 
                 fprintf(stderr,
-                        "\nPlease save this FIDO2 credential ID. It is required when unloocking the volume\n"
+                        "\nPlease save this FIDO2 credential ID. It is required when unlocking the volume\n"
                         "using the associated FIDO2 keyslot which we just created. To configure automatic\n"
                         "unlocking using this FIDO2 token, add an appropriate entry to your /etc/crypttab\n"
                         "file, see %s for details.\n", link);

src/import/meson.build

@@ -14,7 +14,6 @@ systemd_pull_sources = files(
         'pull-tar.c',
         'pull-job.c',
         'pull-common.c',
-        'curl-util.c',
 )
 
 systemd_import_sources = files(

src/resolve/meson.build

@@ -117,6 +117,10 @@ if conf.get('ENABLE_DNS_OVER_TLS') == 1
         endif
 endif
 
+if conf.get('ENABLE_DNS_OVER_HTTPS') == 1
+        systemd_resolved_dependencies += libcurl
+endif
+
 link_with = [
         libshared,
         libsystemd_resolve_core,

src/resolve/resolved-dns-server.c

@@ -422,10 +422,17 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) {
 
         /* Determine the best feature level we care about. If DNSSEC mode is off there's no point in using anything
          * better than EDNS0, hence don't even try. */
-        if (dns_server_get_dnssec_mode(s) != DNSSEC_NO)
+        if (dns_server_get_dnssec_mode(s) != DNSSEC_NO) {
                 best = dns_server_get_dns_over_tls_mode(s) == DNS_OVER_TLS_NO ?
                         DNS_SERVER_FEATURE_LEVEL_DO :
                         DNS_SERVER_FEATURE_LEVEL_TLS_DO;
+                /* TODO: Add HTTPS_PLAIN_DO too? */
+#if ENABLE_DNS_OVER_HTTPS
+                best = dns_server_get_dns_over_https_mode(s) == DNS_OVER_HTTPS_NO ?
+                        DNS_SERVER_FEATURE_LEVEL_DO :
+                        DNS_SERVER_FEATURE_LEVEL_HTTPS_PLAIN;
+#endif
+        }
         else
                 best = dns_server_get_dns_over_tls_mode(s) == DNS_OVER_TLS_NO ?
                         DNS_SERVER_FEATURE_LEVEL_EDNS0 :
@@ -493,7 +500,8 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) {
                 } else if (s->packet_bad_opt &&
                            DNS_SERVER_FEATURE_LEVEL_IS_EDNS0(s->possible_feature_level) &&
                            dns_server_get_dnssec_mode(s) != DNSSEC_YES &&
-                           dns_server_get_dns_over_tls_mode(s) != DNS_OVER_TLS_YES) {
+                           dns_server_get_dns_over_tls_mode(s) != DNS_OVER_TLS_YES &&
+                           dns_server_get_dns_over_https_mode(s) != DNS_OVER_HTTPS_YES) {
 
                         /* A reply to one of our EDNS0 queries didn't carry a valid OPT RR, then downgrade to
                          * below EDNS0 levels. After all, some servers generate different responses with and
@@ -962,6 +970,12 @@ DnsOverTlsMode dns_server_get_dns_over_tls_mode(DnsServer *s) {
         return manager_get_dns_over_tls_mode(s->manager);
 }
 
+DnsOverHttpsMode dns_server_get_dns_over_https_mode(DnsServer *s) {
+        assert(s);
+
+        return manager_get_dns_over_https_mode(s->manager);
+}
+
 void dns_server_flush_cache(DnsServer *s) {
         DnsServer *current;
         DnsScope *scope;
@@ -1099,6 +1113,7 @@ static const char* const dns_server_feature_level_table[_DNS_SERVER_FEATURE_LEVE
         [DNS_SERVER_FEATURE_LEVEL_UDP]         = "UDP",
         [DNS_SERVER_FEATURE_LEVEL_EDNS0]       = "UDP+EDNS0",
         [DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN]   = "TLS+EDNS0",
+        [DNS_SERVER_FEATURE_LEVEL_HTTPS_PLAIN] = "HTTPS+EDNS0",
         [DNS_SERVER_FEATURE_LEVEL_DO]          = "UDP+EDNS0+DO",
         [DNS_SERVER_FEATURE_LEVEL_TLS_DO]      = "TLS+EDNS0+DO",
 };

src/resolve/resolved-dns-server.h

@@ -35,6 +35,7 @@ typedef enum DnsServerFeatureLevel {
         DNS_SERVER_FEATURE_LEVEL_UDP,
         DNS_SERVER_FEATURE_LEVEL_EDNS0,
         DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN,
+        DNS_SERVER_FEATURE_LEVEL_HTTPS_PLAIN,
         DNS_SERVER_FEATURE_LEVEL_DO,
         DNS_SERVER_FEATURE_LEVEL_TLS_DO,
         _DNS_SERVER_FEATURE_LEVEL_MAX,
@@ -46,6 +47,7 @@ typedef enum DnsServerFeatureLevel {
 #define DNS_SERVER_FEATURE_LEVEL_IS_EDNS0(x) ((x) >= DNS_SERVER_FEATURE_LEVEL_EDNS0)
 #define DNS_SERVER_FEATURE_LEVEL_IS_TLS(x) IN_SET(x, DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN, DNS_SERVER_FEATURE_LEVEL_TLS_DO)
 #define DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(x) ((x) >= DNS_SERVER_FEATURE_LEVEL_DO)
+#define DNS_SERVER_FEATURE_LEVEL_IS_HTTPS(x) ((x) == DNS_SERVER_FEATURE_LEVEL_HTTPS_PLAIN)
 #define DNS_SERVER_FEATURE_LEVEL_IS_UDP(x) IN_SET(x, DNS_SERVER_FEATURE_LEVEL_UDP, DNS_SERVER_FEATURE_LEVEL_EDNS0, DNS_SERVER_FEATURE_LEVEL_DO)
 
 const char* dns_server_feature_level_to_string(DnsServerFeatureLevel i) _const_;
@@ -164,6 +166,7 @@ void manager_next_dns_server(Manager *m, DnsServer *if_current);
 
 DnssecMode dns_server_get_dnssec_mode(DnsServer *s);
 DnsOverTlsMode dns_server_get_dns_over_tls_mode(DnsServer *s);
+DnsOverHttpsMode dns_server_get_dns_over_https_mode(DnsServer *s);
 
 size_t dns_server_get_mtu(DnsServer *s);
 

src/resolve/resolved-dns-transaction.c

@@ -4,11 +4,13 @@
 
 #include "af-list.h"
 #include "alloc-util.h"
+
 #include "dns-domain.h"
 #include "errno-list.h"
 #include "errno-util.h"
 #include "fd-util.h"
 #include "glyph-util.h"
+#include "hexdecoct.h"
 #include "random-util.h"
 #include "resolved-dns-cache.h"
 #include "resolved-dns-transaction.h"
@@ -16,6 +18,10 @@
 #include "resolved-llmnr.h"
 #include "string-table.h"
 
+#if ENABLE_DNS_OVER_HTTPS
+#include "curl-util.h"
+#endif
+
 #define TRANSACTIONS_MAX 4096
 #define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC)
 
@@ -682,7 +688,13 @@ static uint16_t dns_transaction_port(DnsTransaction *t) {
         if (t->server->port > 0)
                 return t->server->port;
 
-        return DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) ? 853 : 53;
+        if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level))
+                return 853;
+
+        if (DNS_SERVER_FEATURE_LEVEL_IS_HTTPS(t->current_feature_level))
+                return 443;
+
+        return 53;
 }
 
 static int dns_transaction_emit_tcp(DnsTransaction *t) {
@@ -1518,6 +1530,9 @@ static int dns_transaction_emit_udp(DnsTransaction *t) {
                 if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP || DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level))
                         return -EAGAIN; /* Sorry, can't do UDP, try TCP! */
 
+                if (DNS_SERVER_FEATURE_LEVEL_IS_HTTPS(t->current_feature_level))
+                        return -EAGAIN; /* Direct request logic to HTTPS */
+
                 if (!t->bypass && !dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
                         return -EOPNOTSUPP;
 
@@ -1984,6 +1999,223 @@ static int mdns_make_dummy_packet(DnsTransaction *t, DnsPacket **ret_packet, Set
         return add_known_answers;
 }
 
+#if ENABLE_DNS_OVER_HTTPS
+static size_t dns_transaction_curl_header_callback(void *contents, size_t size, size_t nmemb, void *userdata) {
+        _cleanup_free_ char *content_header = NULL;
+        DnsTransaction *t = ASSERT_PTR(userdata);
+        size_t sz = size * nmemb;
+        CURLcode code;
+        long status;
+        int r;
+
+        assert(contents);
+
+        code = curl_easy_getinfo(t->curl, CURLINFO_RESPONSE_CODE, &status);
+        if (code != CURLE_OK)
+                return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve response code: %s", curl_easy_strerror(code));
+
+        if (status >= 200 && status <= 299) {
+                r = curl_header_strdup(contents, sz, "Content-Type:", &content_header);
+                if (r < 0) {
+                        log_oom();
+                        return 0;
+                }
+                if (r > 0) {
+                        r = strcmp("application/dns-message", content_header);
+                        if (r == 0)
+                                t->valid_dns_message = true;
+                        return sz;
+                }
+        }
+
+        return sz;
+}
+
+static size_t dns_transaction_curl_write_callback(void *contents, size_t size, size_t nmemb, void *userdata) {
+        DnsTransaction *t = ASSERT_PTR(userdata);
+        size_t sz = size * nmemb;
+        int r;
+
+        t->payload = memdup(contents, sz);
+        if (!t->payload) {
+                log_debug("Failed to extract HTTP payload to further processing");
+                r = log_oom();
+                goto fail;
+        }
+
+        t->payload_size += sz;
+
+        return sz;
+
+ fail:
+        dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
+        return r;
+}
+
+static int dns_transaction_curl_recv(DnsTransaction *t, DnsPacket **p) {
+        size_t ms;
+        int r;
+
+        ms = t->payload_size;
+
+        if (t->payload_size < 1) {
+                log_debug("Received HTTP payload unexpected size %zu", t->payload_size);
+                return -1;
+        }
+
+        r = dns_packet_new(p, DNS_PROTOCOL_DNS, ms, DNS_PACKET_SIZE_MAX);
+        if (r < 0)
+                return r;
+
+        log_debug("Received HTTP payload of size %zu", t->payload_size);
+        return 0;
+}
+
+static int dns_transaction_curl_make_url(DnsTransaction *t, char **url) {
+        _cleanup_free_ char *base64_string = NULL;
+        uint8_t *packet_to_send = DNS_PACKET_DATA(t->sent);
+        int r;
+
+        /* Let's zero the query ID according to the RFC */
+        packet_to_send[0] = 0;
+        packet_to_send[1] = 0;
+
+        r = base64mem_full(packet_to_send, t->sent->size, MAX_URL_LENGTH, &base64_string);
+        if (r < 0) {
+                log_debug_errno(r, "Failed to encode DNS packet to base64");
+                return r;
+        }
+
+        /* Remove base64 trailing characters */
+        delete_trailing_chars(base64_string, "=");
+
+        /* Build the DoH's wire format request URL */
+        r = asprintf(url, "https://%s/dns-query?dns=%s", t->server->server_string, base64_string);
+        if (r < 0) {
+                log_debug("Failed to allocate and set the url for transaction %" PRIu16 ".", t->id);
+                return r;
+        }
+
+        return 0;
+}
+
+static void dns_transaction_curl_on_response(CurlGlue *g, CURL *curl, CURLcode result) {
+        _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
+        DnsTransaction *t = NULL;
+        int status;
+        int r;
+
+        assert(g);
+        assert(curl);
+
+        curl_easy_getinfo(curl, CURLINFO_PRIVATE, &t);
+
+        if (result != CURLE_OK) {
+                log_error_errno(SYNTHETIC_ERRNO(EIO), "HTTP request failed: %s", curl_easy_strerror(result));
+                status = DNS_TRANSACTION_INVALID_REPLY;
+                goto finish;
+        }
+
+        if (!t->valid_dns_message) {
+                log_debug("Received invalid HTTP payload, expected content type of application/dns-message");
+                status = DNS_TRANSACTION_INVALID_REPLY;
+                goto finish;
+        }
+
+        r = dns_transaction_curl_recv(t, &p);
+        if (r < 0) {
+                log_debug_errno(r, "HTTP payload receive failure");
+                dns_transaction_complete_errno(t, r);
+                return;
+        }
+
+        /* Transfer the received payload to transaction/packet struct */
+        uint8_t *p_data = DNS_PACKET_DATA(p);
+        memcpy(p_data, t->payload, t->payload_size);
+
+        p->size = t->payload_size;
+
+        r = dns_packet_validate_reply(p);
+        if (r < 0)
+                log_debug_errno(r, "Received invalid DNS packet as response, ignoring: %m");
+
+        if (r == 0)
+                log_debug("Received inappropriate DNS packet as response, ignoring");
+
+        dns_transaction_process_reply(t, p, false);
+
+        return;
+ finish:
+        dns_transaction_complete(t, status);
+}
+
+static int dns_transaction_emit_curl(DnsTransaction *t) {
+        _cleanup_(sd_event_unrefp) sd_event *e = NULL;
+        _cleanup_free_ char *rule = NULL;
+        int r;
+
+        assert(t);
+        assert(t->sent);
+
+        dns_transaction_close_connection(t, true);
+
+        if (t->scope->protocol == DNS_PROTOCOL_DNS) {
+                r = dns_transaction_pick_server(t);
+                if (r < 0)
+                        return r;
+
+                if (manager_server_is_stub(t->scope->manager, t->server))
+                        return -ELOOP;
+
+                r = curl_glue_new(&t->glue, e);
+                if (r < 0)
+                        return r;
+
+                t->glue->on_finished = dns_transaction_curl_on_response;
+
+                r = dns_transaction_curl_make_url(t, &t->url);
+                if (r < 0)
+                        return r;
+
+                r = curl_glue_make(&t->curl, t->url, t);
+                if (r < 0)
+                        return r;
+
+                if (curl_easy_setopt(t->curl, CURLOPT_HEADERFUNCTION, dns_transaction_curl_header_callback) != CURLE_OK)
+                        return -EIO;
+
+                if (curl_easy_setopt(t->curl, CURLOPT_HEADERDATA, t) != CURLE_OK)
+                        return -EIO;
+
+                if (curl_easy_setopt(t->curl, CURLOPT_WRITEFUNCTION, dns_transaction_curl_write_callback) != CURLE_OK)
+                        return -EIO;
+
+                if (curl_easy_setopt(t->curl, CURLOPT_WRITEDATA, t) != CURLE_OK)
+                        return -EIO;
+
+                // Prevents libcurl's native name lookups
+                r = asprintf(&rule, "%s:443:%s", t->server->server_string, t->server->server_string);
+                if (r < 0) {
+                        log_debug("Failed to compound IP resolution to CURLOPT_RESOLVE parameter");
+                        return r;
+                }
+
+                t->glue->resolve_rules = curl_slist_append(NULL, rule);
+                if (curl_easy_setopt(t->curl, CURLOPT_RESOLVE, t->glue->resolve_rules) != CURLE_OK)
+                        return -EIO;
+
+
+                log_debug("Emitting HTTPS request via curl for transaction %" PRIu16, t->id);
+                r = curl_glue_add(t->glue, t->curl);
+                if (r < 0)
+                        return r;
+        } else
+                /* TODO: Is this the right error code here? */
+                return -ELOOP;
+
+        return 0;
+}
+#endif
 static int dns_transaction_make_packet_mdns(DnsTransaction *t) {
         _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL, *dummy = NULL;
         _cleanup_set_free_ Set *keys = NULL;
@@ -2172,10 +2404,20 @@ int dns_transaction_go(DnsTransaction *t) {
                 r = dns_transaction_emit_udp(t);
                 if (r == -EMSGSIZE)
                         log_debug("Sending query via TCP since it is too large.");
+#if ENABLE_DNS_OVER_HTTPS
+                else if ((r == -EAGAIN &&
+                          (DNS_SERVER_FEATURE_LEVEL_IS_HTTPS(t->current_feature_level))))
+                        log_debug("Sending query via HTTPS.");
+#endif
                 else if (r == -EAGAIN)
                         log_debug("Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.");
                 else if (r == -EPERM)
                         log_debug("Sending query via TCP since UDP is blocked.");
+#if ENABLE_DNS_OVER_HTTPS
+                if ((r == -EAGAIN &&
+                          (DNS_SERVER_FEATURE_LEVEL_IS_HTTPS(t->current_feature_level))))
+                        r = dns_transaction_emit_curl(t);
+#endif
                 if (IN_SET(r, -EMSGSIZE, -EAGAIN, -EPERM))
                         r = dns_transaction_emit_tcp(t);
         }

src/resolve/resolved-dns-transaction.h

@@ -1,9 +1,19 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
+#if ENABLE_DNS_OVER_HTTPS
+#include <curl/curl.h>
+#endif
+
 #include "sd-event.h"
+
+#if ENABLE_DNS_OVER_HTTPS
+#include "curl-util.h"
+#endif
+
 #include "in-addr-util.h"
 
+
 typedef struct DnsTransaction DnsTransaction;
 typedef struct DnsTransactionFinder DnsTransactionFinder;
 typedef enum DnsTransactionState DnsTransactionState;
@@ -92,7 +102,15 @@ struct DnsTransaction {
 
         /* TCP connection logic, if we need it */
         DnsStream *stream;
-
+#if ENABLE_DNS_OVER_HTTPS
+        /* HTTPS connection logic, if we need it */
+        CurlGlue *glue;
+        CURL *curl;
+        char *url;
+        uint8_t *payload;
+        size_t payload_size;
+        bool valid_dns_message;
+#endif
         /* The active server */
         DnsServer *server;
 
@@ -219,6 +237,9 @@ DnsTransactionSource dns_transaction_source_from_string(const char *s) _pure_;
 /* Maximum attempts to send MDNS requests, see RFC 6762 Section 8.1 */
 #define MDNS_TRANSACTION_ATTEMPTS_MAX 3
 
+/* Maximum URL length for HTTP GET request, see RFC ... */
+#define MAX_URL_LENGTH 2048
+
 #define TRANSACTION_ATTEMPTS_MAX(p) ((p) == DNS_PROTOCOL_LLMNR ?        \
                                      LLMNR_TRANSACTION_ATTEMPTS_MAX :   \
                                      (p) == DNS_PROTOCOL_MDNS ?         \

src/resolve/resolved-gperf.gperf

@@ -26,6 +26,7 @@ Resolve.LLMNR,                     config_parse_resolve_support,         0,
 Resolve.MulticastDNS,              config_parse_resolve_support,         0,                   offsetof(Manager, mdns_support)
 Resolve.DNSSEC,                    config_parse_dnssec_mode,             0,                   offsetof(Manager, dnssec_mode)
 Resolve.DNSOverTLS,                config_parse_dns_over_tls_mode,       0,                   offsetof(Manager, dns_over_tls_mode)
+Resolve.DNSOverHTTPS,              config_parse_dns_over_https_mode,     0,                   offsetof(Manager, dns_over_https_mode)
 Resolve.Cache,                     config_parse_dns_cache_mode,          DNS_CACHE_MODE_YES,  offsetof(Manager, enable_cache)
 Resolve.DNSStubListener,           config_parse_dns_stub_listener_mode,  0,                   offsetof(Manager, dns_stub_listener_mode)
 Resolve.ReadEtcHosts,              config_parse_bool,                    0,                   offsetof(Manager, read_etc_hosts)

src/resolve/resolved-manager.c

@@ -1670,6 +1670,15 @@ DnsOverTlsMode manager_get_dns_over_tls_mode(Manager *m) {
         return DNS_OVER_TLS_NO;
 }
 
+DnsOverHttpsMode manager_get_dns_over_https_mode(Manager *m) {
+        assert(m);
+
+        if (m->dns_over_https_mode != _DNS_OVER_HTTPS_MODE_INVALID)
+                return m->dns_over_https_mode;
+
+        return DNS_OVER_HTTPS_NO;
+}
+
 void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResourceKey *key) {
 
         assert(verdict >= 0);

src/resolve/resolved-manager.h

@@ -40,6 +40,7 @@ struct Manager {
         ResolveSupport mdns_support;
         DnssecMode dnssec_mode;
         DnsOverTlsMode dns_over_tls_mode;
+        DnsOverHttpsMode dns_over_https_mode;
         DnsCacheMode enable_cache;
         bool cache_from_localhost;
         DnsStubListenerMode dns_stub_listener_mode;
@@ -207,6 +208,8 @@ bool manager_dnssec_supported(Manager *m);
 
 DnsOverTlsMode manager_get_dns_over_tls_mode(Manager *m);
 
+DnsOverHttpsMode manager_get_dns_over_https_mode(Manager *m);
+
 void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResourceKey *key);
 
 bool manager_routable(Manager *m);

src/resolve/resolved.conf.in

@@ -26,6 +26,7 @@
 #Domains=
 #DNSSEC={{DEFAULT_DNSSEC_MODE_STR}}
 #DNSOverTLS={{DEFAULT_DNS_OVER_TLS_MODE_STR}}
+#DNSOverHTTPS={{DEFAULT_DNS_OVER_HTTPS_MODE_STR}}
 #MulticastDNS={{DEFAULT_MDNS_MODE_STR}}
 #LLMNR={{DEFAULT_LLMNR_MODE_STR}}
 #Cache=yes

src/shared/curl-util.c

@@ -311,6 +311,9 @@ void curl_glue_remove_and_free(CurlGlue *g, CURL *c) {
         if (g->curl)
                 curl_multi_remove_handle(g->curl, c);
 
+        if (g->resolve_rules)
+                curl_slist_free_all(g->resolve_rules);
+
         curl_easy_cleanup(c);
 }
 

src/shared/curl-util.h

@@ -20,6 +20,7 @@ struct CurlGlue {
 
         void (*on_finished)(CurlGlue *g, CURL *curl, CURLcode code);
         void *userdata;
+        struct curl_slist *resolve_rules;;
 };
 
 int curl_glue_new(CurlGlue **glue, sd_event *event);

src/shared/killall.c

@@ -46,13 +46,17 @@ static bool argv_has_at(pid_t pid) {
         return c == '@';
 }
 
-static bool is_survivor_cgroup(const PidRef *pid) {
+static bool is_in_survivor_cgroup(const PidRef *pid) {
         _cleanup_free_ char *cgroup_path = NULL;
         int r;
 
         assert(pidref_is_set(pid));
 
         r = cg_pidref_get_path(/* root= */ NULL, pid, &cgroup_path);
+        if (r == -EUNATCH) {
+                log_warning_errno(r, "Process " PID_FMT " appears to originate in foreign namespace, ignoring.", pid->pid);
+                return true;
+        }
         if (r < 0) {
                 log_warning_errno(r, "Failed to get cgroup path of process " PID_FMT ", ignoring: %m", pid->pid);
                 return false;
@@ -86,7 +90,7 @@ static bool ignore_proc(const PidRef *pid, bool warn_rootfs) {
                 return true; /* also ignore processes where we can't determine this */
 
         /* Ignore processes that are part of a cgroup marked with the user.survive_final_kill_signal xattr */
-        if (is_survivor_cgroup(pid))
+        if (is_in_survivor_cgroup(pid))
                 return true;
 
         r = pidref_get_uid(pid, &uid);

src/shared/meson.build

@@ -256,6 +256,10 @@ if conf.get('HAVE_TPM2') == 1 and conf.get('HAVE_LIBCRYPTSETUP') == 1
         shared_sources += files('cryptsetup-tpm2.c')
 endif
 
+if conf.get('HAVE_LIBCURL') == 1
+        shared_sources += files('curl-util.c')
+endif
+
 generate_ip_protocol_list = find_program('generate-ip-protocol-list.sh')
 ip_protocol_list_txt = custom_target(
         'ip-protocol-list.txt',
@@ -337,6 +341,11 @@ libshared_deps = [threads,
                   libxz_cflags,
                   libzstd_cflags]
 
+# Is this correct?
+if conf.get('HAVE_LIBCURL') == 1
+        libshared_deps += [libcurl]
+endif
+
 libshared_sym_path = meson.current_source_dir() / 'libshared.sym'
 libshared_build_dir = meson.current_build_dir()
 

src/shared/resolve-util.c

@@ -7,6 +7,7 @@
 DEFINE_CONFIG_PARSE_ENUM(config_parse_resolve_support, resolve_support, ResolveSupport);
 DEFINE_CONFIG_PARSE_ENUM(config_parse_dnssec_mode, dnssec_mode, DnssecMode);
 DEFINE_CONFIG_PARSE_ENUM(config_parse_dns_over_tls_mode, dns_over_tls_mode, DnsOverTlsMode);
+DEFINE_CONFIG_PARSE_ENUM(config_parse_dns_over_https_mode, dns_over_https_mode, DnsOverHttpsMode);
 
 static const char* const resolve_support_table[_RESOLVE_SUPPORT_MAX] = {
         [RESOLVE_SUPPORT_NO] = "no",
@@ -29,6 +30,12 @@ static const char* const dns_over_tls_mode_table[_DNS_OVER_TLS_MODE_MAX] = {
 };
 DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(dns_over_tls_mode, DnsOverTlsMode, DNS_OVER_TLS_YES);
 
+static const char* const dns_over_https_mode_table[_DNS_OVER_HTTPS_MODE_MAX] = {
+        [DNS_OVER_HTTPS_NO] = "no",
+        [DNS_OVER_HTTPS_YES] = "yes",
+};
+DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(dns_over_https_mode, DnsOverHttpsMode, DNS_OVER_HTTPS_YES);
+
 bool dns_server_address_valid(int family, const union in_addr_union *sa) {
 
         /* Refuses the 0 IP addresses as well as 127.0.0.53/127.0.0.54 (which is our own DNS stub) */

src/shared/resolve-util.h

@@ -27,6 +27,7 @@ enum DnsCacheMode {
 typedef enum ResolveSupport ResolveSupport;
 typedef enum DnssecMode DnssecMode;
 typedef enum DnsOverTlsMode DnsOverTlsMode;
+typedef enum DnsOverHttpsMode DnsOverHttpsMode;
 
 /* Do not change the order, see link_get_llmnr_support() or link_get_mdns_support(). */
 enum ResolveSupport {
@@ -70,9 +71,21 @@ enum DnsOverTlsMode {
         _DNS_OVER_TLS_MODE_INVALID = -EINVAL,
 };
 
+enum DnsOverHttpsMode {
+        /* No connection is made for DNS-over-HTTPS */
+        DNS_OVER_HTTPS_NO,
+
+        /* Enforce DNS-over-HTTPS */
+        DNS_OVER_HTTPS_YES,
+
+        _DNS_OVER_HTTPS_MODE_MAX,
+        _DNS_OVER_HTTPS_MODE_INVALID = -EINVAL,
+};
+
 CONFIG_PARSER_PROTOTYPE(config_parse_resolve_support);
 CONFIG_PARSER_PROTOTYPE(config_parse_dnssec_mode);
 CONFIG_PARSER_PROTOTYPE(config_parse_dns_over_tls_mode);
+CONFIG_PARSER_PROTOTYPE(config_parse_dns_over_https_mode);
 CONFIG_PARSER_PROTOTYPE(config_parse_dns_cache_mode);
 
 const char* resolve_support_to_string(ResolveSupport p) _const_;
@@ -84,6 +97,9 @@ DnssecMode dnssec_mode_from_string(const char *s) _pure_;
 const char* dns_over_tls_mode_to_string(DnsOverTlsMode p) _const_;
 DnsOverTlsMode dns_over_tls_mode_from_string(const char *s) _pure_;
 
+const char* dns_over_https_mode_to_string(DnsOverHttpsMode p) _const_;
+DnsOverHttpsMode dns_over_https_mode_from_string(const char *s) _pure_;
+
 bool dns_server_address_valid(int family, const union in_addr_union *sa);
 
 const char* dns_cache_mode_to_string(DnsCacheMode p) _const_;

src/test/test-audit-util.c

@@ -7,24 +7,26 @@ TEST(audit_loginuid_from_pid) {
         _cleanup_(pidref_done) PidRef self = PIDREF_NULL, pid1 = PIDREF_NULL;
         int r;
 
-        assert_se(pidref_set_self(&self) >= 0);
-        assert_se(pidref_set_pid(&pid1, 1) >= 0);
+        ASSERT_OK(pidref_set_self(&self));
+        ASSERT_OK(pidref_set_pid(&pid1, 1));
 
         uid_t uid;
         r = audit_loginuid_from_pid(&self, &uid);
-        assert_se(r >= 0 || r == -ENODATA);
+        if (r != -ENODATA)
+                ASSERT_OK(r);
         if (r >= 0)
                 log_info("self audit login uid: " UID_FMT, uid);
 
-        assert_se(audit_loginuid_from_pid(&pid1, &uid) == -ENODATA);
+        ASSERT_ERROR(audit_loginuid_from_pid(&pid1, &uid), ENODATA);
 
         uint32_t sessionid;
         r = audit_session_from_pid(&self, &sessionid);
-        assert_se(r >= 0 || r == -ENODATA);
+        if (r != -ENODATA)
+                ASSERT_OK(r);
         if (r >= 0)
                 log_info("self audit session id: %" PRIu32, sessionid);
 
-        assert_se(audit_session_from_pid(&pid1, &sessionid) == -ENODATA);
+        ASSERT_ERROR(audit_session_from_pid(&pid1, &sessionid), ENODATA);
 }
 
 static int intro(void) {