Merge pull request #16833 from JackFangXN/master

analyze-verify: drop pointless zero initialization

TODO

@@ -234,9 +234,6 @@ Features:
 * systemd-repart: allow sizing partitions as factor of available RAM, so that
   we can reasonably size swap partitions for hibernation.
 
-* systemd-repart: allow running mkfs before making partitions pop up +
-  encryption via LUKS to allow booting into an empty root with only /usr mounted in
-
 * systemd-repart: allow managing the gpt read-only partition flag + auto-mount flag
 
 * systemd-repart: allow boolean option that ensures that if existing partition
@@ -252,10 +249,6 @@ Features:
 * systemd-repart: add per-partition option to fail if partition already exist,
   i.e. is not added new. Similar, add option to fail if partition does not exist yet.
 
-* systemd-repart: add --size=auto for generating/resizing images of minimal
-  size, i.e. where the image file is sized exactly as large as necessary taking
-  SizeMin= into account, but not a single byte larger.
-
 * systemd-repart: allow disabling growing of specific partitions, or making
   them (think ESP: we don't ever want to grow it, since we cannot resize vfat)
 

docs/TRANSIENT-SETTINGS.md

@@ -151,6 +151,8 @@ All execution-related settings are available for transient units.
 ✓ TimerSlackNSec=
 ✓ NoNewPrivileges=
 ✓ KeyringMode=
+✓ ProtectProc=
+✓ ProcSubset=
 ✓ SystemCallFilter=
 ✓ SystemCallArchitectures=
 ✓ SystemCallErrorNumber=

man/repart.d.xml

@@ -55,11 +55,11 @@
     partition slot greater than the highest slot number currently in use. Any existing partitions that have
     no matching partition file are left as they are.</para>
 
-    <para>Note that these partition definition files do not describe the contents of the partitions, such as
+    <para>Note that these definitions may only be used to created and initialize new partitions or grow
-    the file system used. Separate mechanisms, such as
+    existing ones. In the latter case it will not grow the contained files systems however; separate
-    <citerefentry><refentrytitle>systemd-growfs</refentrytitle><manvolnum>8</manvolnum></citerefentry> and
+    mechanisms, such as
-    <command>systemd-makefs</command> maybe be used to initialize or grow the file systems inside of these
+    <citerefentry><refentrytitle>systemd-growfs</refentrytitle><manvolnum>8</manvolnum></citerefentry> may be
-    partitions.</para>
+    used to grow the file systems inside of these partitions.</para>
   </refsect1>
 
   <refsect1>
@@ -327,7 +327,72 @@
         data is never overwritten. Note that the data is copied in before the partition table is updated,
         i.e. before the partition actually is persistently created. This provides robustness: it is
         guaranteed that the partition either doesn't exist or exists fully populated; it is not possible that
-        the partition exists but is not or only partially populated.</para></listitem>
+        the partition exists but is not or only partially populated.</para>
+
+        <para>This option cannot be combined with <varname>Format=</varname> or
+        <varname>CopyFiles=</varname>.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>Format=</varname></term>
+
+        <listitem><para>Takes a file system name, such as <literal>ext4</literal>, <literal>btrfs</literal>,
+        <literal>xfs</literal> or <literal>vfat</literal>, or the special value <literal>swap</literal>. If
+        specified and the partition is newly created it is formatted with the specified file system (or as
+        swap device). The file system UUID and label are automatically derived from the partition UUID and
+        label. If this option is used, the size allocation algorithm is slightly altered: the partition is
+        created as least as big as required for the minimal file system of the specified type (or 4KiB if the
+        minimal size is not known).</para>
+
+        <para>This option has no effect if the partition already exists.</para>
+
+        <para>Similar to the behaviour of <varname>CopyBlocks=</varname> the file system is formatted before
+        the partition is created, ensuring that the partition only ever exists with a fully initialized
+        file system.</para>
+
+        <para>This option cannot be combined with <varname>CopyBlocks=</varname>.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>CopyFiles=</varname></term>
+
+        <listitem><para>Takes a pair of colon separated absolute file system paths. The first path refers to
+        a source file or directory on the host, the second path refers to a target in the file system of the
+        newly created partition and formatted file system. This setting may be used to copy files or
+        directories from the host into the file system that is created due to the <varname>Format=</varname>
+        option. If <varname>CopyFiles=</varname> is used without <varname>Format=</varname> specified
+        explicitly, <literal>Format=</literal> with a suitable default is implied (currently
+        <literal>ext4</literal>, but this may change in the future). This option may be used multiple times
+        to copy multiple files or directories from host into the newly formatted file system. The colon and
+        second path may be omitted in which case the source path is also used as the target path (relative to
+        the root of the newly created file system). If the source path refers to a directory it is copied
+        recursively.</para>
+
+        <para>This option has no effect if the partition already exists: it cannot be used to copy additional
+        files into an existing partition, it may only be used to populate a file system created anew.</para>
+
+        <para>The copy operation is executed before the file system is registered in the partition table,
+        thus ensuring that a file system populated this way only ever exists fully initialized.</para>
+
+        <para>This option cannot be combined with <varname>CopyBlocks=</varname>.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>Encrypt=</varname></term>
+
+        <listitem><para>Takes a boolean parameter, defaulting to false. If true the partition will be
+        formatted with a LUKS2 superblock, before the blocks configured with <varname>CopyBlocks=</varname>
+        are copied in or the file system configured with <varname>Format=</varname> is created.</para>
+
+        <para>The LUKS2 UUID is automatically derived from the partition UUID in a stable fashion. A single
+        key is added to the LUKS2 superblock, configurable with the <option>--key-file=</option> switch to
+        <command>systemd-repart</command>.</para>
+
+        <para>When used this slightly alters the size allocation logic as the implicit, minimal size limits
+        of <varname>Format=</varname> and <varname>CopyBlocks=</varname> are increased by the space necessary
+        for the LUKS2 superblock (see above).</para>
+
+        <para>This option has no effect if the partition already exists.</para></listitem>
       </varlistentry>
 
       <varlistentry>

man/rules/meson.build

@@ -241,6 +241,8 @@ manpages = [
    'sd_bus_error_free',
    'sd_bus_error_get_errno',
    'sd_bus_error_has_name',
+   'sd_bus_error_has_names',
+   'sd_bus_error_has_names_sentinel',
    'sd_bus_error_is_set',
    'sd_bus_error_move',
    'sd_bus_error_set',

man/sd_bus_error.xml

@@ -31,6 +31,8 @@
     <refname>sd_bus_error_move</refname>
     <refname>sd_bus_error_is_set</refname>
     <refname>sd_bus_error_has_name</refname>
+    <refname>sd_bus_error_has_names_sentinel</refname>
+    <refname>sd_bus_error_has_names</refname>
 
     <refpurpose>sd-bus error handling</refpurpose>
   </refnamediv>
@@ -128,6 +130,16 @@
         <paramdef>const sd_bus_error *<parameter>e</parameter></paramdef>
         <paramdef>const char *<parameter>name</parameter></paramdef>
       </funcprototype>
+
+      <funcprototype>
+        <funcdef>int <function>sd_bus_error_has_names_sentinel</function></funcdef>
+        <paramdef>const sd_bus_error *<parameter>e</parameter></paramdef>
+        <paramdef>...</paramdef>
+      </funcprototype>
+
+      <para>
+        &#35;define sd_bus_error_has_names(e, ...) sd_bus_error_has_names_sentinel(e, ..., NULL)
+      </para>
     </funcsynopsis>
 
   </refsynopsisdiv>
@@ -268,6 +280,12 @@
     <parameter>name</parameter> has been set,
     <constant>false</constant> otherwise.</para>
 
+    <para><function>sd_bus_error_has_names_sentinel()</function> is similar to
+    <function>sd_bus_error_has_name()</function>, but takes multiple names to check against. The list must be
+    terminated with <constant>NULL</constant>. <function>sd_bus_error_has_names()</function>
+    is a macro wrapper around <function>sd_bus_error_has_names_sentinel()</function> that adds the
+    <constant>NULL</constant> sentinel automatically.</para>
+
     <para><function>sd_bus_error_free()</function> will destroy
     resources held by <parameter>e</parameter>. The parameter itself
     will not be deallocated, and must be <citerefentry
@@ -307,11 +325,10 @@
     <structfield>name</structfield> field are
     non-<constant>NULL</constant>, zero otherwise.</para>
 
-    <para><function>sd_bus_error_has_name()</function> returns a
+    <para><function>sd_bus_error_has_name()</function>, <function>sd_bus_error_has_names()</function>, and
-    non-zero value when <parameter>e</parameter> is
+    <function>sd_bus_error_has_names_sentinel()</function> return a non-zero value when <parameter>e</parameter> is
-    non-<constant>NULL</constant> and the
+    non-<constant>NULL</constant> and the <structfield>name</structfield> field is equal to one of the given
-    <structfield>name</structfield> field is equal to
+    names, zero otherwise.</para>
-    <parameter>name</parameter>, zero otherwise.</para>
   </refsect1>
 
   <refsect1>

man/systemd-repart.xml

@@ -202,13 +202,26 @@
       <varlistentry>
         <term><option>--size=</option></term>
 
-        <listitem><para>Takes a size in bytes, using the usual K, M, G, T suffixes. If used the specified
+        <listitem><para>Takes a size in bytes, using the usual K, M, G, T suffixes, or the special value
-        device node path must refer to a regular file, which is then grown to the specified size if smaller,
+        <literal>auto</literal>. If used the specified device node path must refer to a regular file, which
-        before any change is made to the partition table. This is not supported if the specified node is a
+        is then grown to the specified size if smaller, before any change is made to the partition table. If
-        block device. This switch has no effect if the file is already as large as the specified size or
+        specified as <literal>auto</literal> the minimal size for the disk image is automatically determined
-        larger. The specified size is implicitly rounded up to multiples of 4096. When used with
+        (i.e. the minimal sizes of all partitions are summed up, taking space for additional metadata into
-        <option>--empty=create</option> this specifies the initial size of the loopback file to
+        account). This switch is not supported if the specified node is a block device. This switch has no
-        create.</para></listitem>
+        effect if the file is already as large as the specified size or larger. The specified size is
+        implicitly rounded up to multiples of 4096. When used with <option>--empty=create</option> this
+        specifies the initial size of the loopback file to create.</para>
+
+        <para>The <option>--size=auto</option> option takes the sizes of pre-existing partitions into
+        account. However, it does not accomodate for partition tables that are not tightly packed: the
+        configured partitions might still not fit into the backing device if empty space exists between
+        pre-existing partitions (or before the first partition) that cannot be fully filled by partitions to
+        grow or create.</para>
+
+        <para>Also note that the automatic size determination does not take files or directories specified
+        with <option>CopyFiles=</option> into account: operation might fail if the specified files or
+        directories require more disk space then the configured per-partition minimal size
+        limit.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -283,6 +296,18 @@
         <filename>/run/repart.d/*.conf</filename>.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--key-file=</option></term>
+
+        <listitem><para>Takes a file system path. Configures the encryption key to use when setting up LUKS2
+        volumes configured with the <varname>Encrypt=</varname> setting in partition files. Should refer to a
+        regular file containing the key, or an <constant>AF_UNIX</constant> stream socket in the file
+        system. In the latter case a connection is made to it and the key read from it. If this switch is not
+        specified the empty key (i.e. zero length key) is used. This behaviour is useful for setting up encrypted
+        partitions during early first boot that receive their user-supplied password only in a later setup
+        step.</para></listitem>
+      </varlistentry>
+
       <xi:include href="standard-options.xml" xpointer="help" />
       <xi:include href="standard-options.xml" xpointer="version" />
     </variablelist>

man/systemd.exec.xml

@@ -267,6 +267,55 @@
         <xi:include href="system-only.xml" xpointer="singular"/></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>ProtectProc=</varname></term>
+
+        <listitem><para>Takes one of <literal>noaccess</literal>, <literal>invisible</literal>,
+        <literal>ptraceable</literal> or <literal>default</literal> (which it defaults to). When set, this
+        controls the <literal>hidepid=</literal> mount option of the <literal>procfs</literal> instance for
+        the unit that controls which directories with process metainformation
+        (<filename>/proc/<replaceable>PID</replaceable></filename>) are visible and accessible: when set to
+        <literal>noaccess</literal> the ability to access most of other users' process metadata in
+        <filename>/proc/</filename> is taken away for processes of the service. When set to
+        <literal>invisible</literal> processes owned by other users are hidden from
+        <filename>/proc/</filename>. If <literal>ptraceable</literal> all processes that cannot be
+        <function>ptrace()</function>'ed by a process are hidden to it. If <literal>default</literal> no
+        restrictions on <filename>/proc/</filename> access or visibility are made. For further details see
+        <ulink url="https://www.kernel.org/doc/html/latest/filesystems/proc.html#mount-options">The /proc
+        Filesystem</ulink>. It is generally recommended to run most system services with this option set to
+        <literal>invisible</literal>. This option is implemented via file system namespacing, and thus cannot
+        be used with services that shall be able to install mount points in the host file system
+        hierarchy. It also cannot be used for services that need to access metainformation about other users'
+        processes. This option implies <varname>MountAPIVFS=</varname>.</para>
+
+        <para>If the kernel doesn't support per-mount point <option>hidepid=</option> mount options this
+        setting remains without effect, and the unit's processes will be able to access and see other process
+        as if the option was not used.</para>
+
+        <xi:include href="system-only.xml" xpointer="singular"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>ProcSubset=</varname></term>
+
+        <listitem><para>Takes one of <literal>all</literal> (the default) and <literal>pid</literal>. If
+        the latter all files and directories not directly associated with process management and introspection
+        are made invisible in the <filename>/proc/</filename> file system configured for the unit's
+        processes. This controls the <literal>subset=</literal> mount option of the <literal>procfs</literal>
+        instance for the unit. For further details see <ulink
+        url="https://www.kernel.org/doc/html/latest/filesystems/proc.html#mount-options">The /proc
+        Filesystem</ulink>. Note that Linux exposes various kernel APIs via <filename>/proc/</filename>,
+        which are made unavailable with this setting. Since these APIs are used frequently this option is
+        useful only in a few, specific cases, and is not suitable for most non-trivial programs.</para>
+
+        <para>Much like <varname>ProtectProc=</varname> above, this is implemented via file system mount
+        namespacing, and hence the same restrictions apply: it is only available to system services, it
+        disables mount propagation to the host mount table, and it implies
+        <varname>MountAPIVFS=</varname>. Also, like <varname>ProtectProc=</varname> this setting is gracefully
+        disabled if the used kernel does not support the <literal>subset=</literal> mount option of
+        <literal>procfs</literal>.</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>BindPaths=</varname></term>
         <term><varname>BindReadOnlyPaths=</varname></term>
@@ -1981,6 +2030,10 @@ RestrictNamespaces=~cgroup net</programlisting>
                 <entry>@timer</entry>
                 <entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
               </row>
+              <row>
+                <entry>@known</entry>
+                <entry>All system calls defined by the kernel. This list is defined statically in systemd based on a kernel version that was available when this systmed version was released. It will become progressively more out-of-date as the kernel is updated.</entry>
+              </row>
             </tbody>
           </tgroup>
         </table>

meson.build

@@ -1625,8 +1625,15 @@ install_libsystemd_static = static_library(
                         libgcrypt],
         c_args : libsystemd_c_args + (static_libsystemd_pic ? [] : ['-fno-PIC']))
 
-# Generate autosuspend rules
+############################################################
+
+autosuspend_update_sh = find_program('tools/autosuspend-update.sh')
+hwdb_update_sh = find_program('tools/hwdb-update.sh')
 make_autosuspend_rules_py = find_program('tools/make-autosuspend-rules.py')
+make_directive_index_py = find_program('tools/make-directive-index.py')
+make_man_index_py = find_program('tools/make-man-index.py')
+syscall_names_update_sh = find_program('tools/syscall-names-update.sh')
+xml_helper_py = find_program('tools/xml_helper.py')
 
 ############################################################
 
@@ -3329,12 +3336,6 @@ run_target(
 
 ############################################################
 
-make_directive_index_py = find_program('tools/make-directive-index.py')
-make_man_index_py = find_program('tools/make-man-index.py')
-xml_helper_py = find_program('tools/xml_helper.py')
-hwdb_update_sh = find_program('tools/hwdb-update.sh')
-autosuspend_update_sh = find_program('tools/autosuspend-update.sh')
-
 subdir('sysctl.d')
 subdir('sysusers.d')
 subdir('tmpfiles.d')

rules.d/meson.build

@@ -21,10 +21,13 @@ rules = files('''
         75-net-description.rules
         75-probe_mtd.rules
         78-sound-card.rules
-        80-drivers.rules
         80-net-setup-link.rules
 '''.split())
 
+if conf.get('HAVE_KMOD') == 1
+        rules += files('80-drivers.rules')
+endif
+
 install_data(rules,
              install_dir : udevrulesdir)
 

shell-completion/zsh/_journalctl

@@ -26,11 +26,11 @@ _journalctl_fields() {
 _journalctl_none() {
     local -a _commands _files _jrnl_none
     # Setting use-cache will slow this down considerably
-    _commands=( ${"$(_call_program commands "$service $_sys_service_mgr -F _EXE" 2>/dev/null)"} )
+    _commands=( ${(f)"$(_call_program commands "$service $_sys_service_mgr -F _EXE" 2>/dev/null)"} )
     _jrnl_none='yes'
     _alternative : \
         'files:/dev files:_files -W /dev -P /dev/' \
-        "commands:commands:($_commands[@])" \
+        'commands:commands:compadd -a _commands' \
         'fields:fields:_journalctl_fields'
 }
 

src/analyze/analyze-security.c

@@ -50,6 +50,8 @@ struct security_info {
         bool ip_filters_custom_egress;
 
         char *keyring_mode;
+        char *protect_proc;
+        char *proc_subset;
         bool lock_personality;
         bool memory_deny_write_execute;
         bool no_new_privileges;
@@ -135,6 +137,8 @@ static void security_info_free(struct security_info *i) {
         free(i->root_image);
 
         free(i->keyring_mode);
+        free(i->protect_proc);
+        free(i->proc_subset);
         free(i->notify_access);
 
         free(i->device_policy);
@@ -388,6 +392,44 @@ static int assess_keyring_mode(
         return 0;
 }
 
+static int assess_protect_proc(
+                const struct security_assessor *a,
+                const struct security_info *info,
+                const void *data,
+                uint64_t *ret_badness,
+                char **ret_description) {
+
+        assert(ret_badness);
+        assert(ret_description);
+
+        if (streq_ptr(info->protect_proc, "noaccess"))
+                *ret_badness = 1;
+        else if (STRPTR_IN_SET(info->protect_proc, "invisible", "ptraceable"))
+                *ret_badness = 0;
+        else
+                *ret_badness = 3;
+
+        *ret_description = NULL;
+
+        return 0;
+}
+
+static int assess_proc_subset(
+                const struct security_assessor *a,
+                const struct security_info *info,
+                const void *data,
+                uint64_t *ret_badness,
+                char **ret_description) {
+
+        assert(ret_badness);
+        assert(ret_description);
+
+        *ret_badness = !streq_ptr(info->proc_subset, "pid");
+        *ret_description = NULL;
+
+        return 0;
+}
+
 static int assess_notify_access(
                 const struct security_assessor *a,
                 const struct security_info *info,
@@ -1149,6 +1191,24 @@ static const struct security_assessor security_assessor_table[] = {
                 .range = 1,
                 .assess = assess_keyring_mode,
         },
+        {
+                .id = "ProtectProc=",
+                .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectProc=",
+                .description_good = "Service has restricted access to process tree (/proc hidepid=)",
+                .description_bad = "Service has full access to process tree (/proc hidepid=)",
+                .weight = 1000,
+                .range = 3,
+                .assess = assess_protect_proc,
+        },
+        {
+                .id = "ProcSubset=",
+                .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProcSubset=",
+                .description_good = "Service has no access to non-process /proc files (/proc subset=)",
+                .description_bad = "Service has full access to non-process /proc files (/proc subset=)",
+                .weight = 10,
+                .range = 1,
+                .assess = assess_proc_subset,
+        },
         {
                 .id = "NotifyAccess=",
                 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#NotifyAccess=",
@@ -1908,6 +1968,8 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
                 { "IPEgressFilterPath",      "as",      property_read_ip_filters,                0                                                         },
                 { "Id",                      "s",       NULL,                                    offsetof(struct security_info, id)                        },
                 { "KeyringMode",             "s",       NULL,                                    offsetof(struct security_info, keyring_mode)              },
+                { "ProtectProc",             "s",       NULL,                                    offsetof(struct security_info, protect_proc)              },
+                { "ProcSubset",              "s",       NULL,                                    offsetof(struct security_info, proc_subset)               },
                 { "LoadState",               "s",       NULL,                                    offsetof(struct security_info, load_state)                },
                 { "LockPersonality",         "b",       NULL,                                    offsetof(struct security_info, lock_personality)          },
                 { "MemoryDenyWriteExecute",  "b",       NULL,                                    offsetof(struct security_info, memory_deny_write_execute) },

src/analyze/analyze-verify.c

@@ -223,7 +223,7 @@ int verify_units(char **filenames, UnitFileScope scope, bool check_man, bool run
         _cleanup_(manager_freep) Manager *m = NULL;
         Unit *units[strv_length(filenames)];
         _cleanup_free_ char *var = NULL;
-        int r = 0, k, i, count = 0;
+        int r, k, i, count = 0;
         char **filename;
 
         if (strv_isempty(filenames))

src/analyze/analyze.c

@@ -899,7 +899,7 @@ static bool times_in_range(const struct unit_times *times, const struct boot_tim
 static int list_dependencies_one(sd_bus *bus, const char *name, unsigned level, char ***units, unsigned branches) {
         _cleanup_strv_free_ char **deps = NULL;
         char **c;
-        int r = 0;
+        int r;
         usec_t service_longest = 0;
         int to_print = 0;
         struct unit_times *times;

src/basic/missing_syscall.h

@@ -33,39 +33,49 @@ static inline int missing_pivot_root(const char *new_root, const char *put_old)
 
 /* ======================================================================= */
 
-#if !HAVE_MEMFD_CREATE
+#if defined __x86_64__
-/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#  define systemd_NR_memfd_create 319
-#  if ! (defined __NR_memfd_create && __NR_memfd_create >= 0)
+#elif defined __arm__
-#    if defined __NR_memfd_create
+#  define systemd_NR_memfd_create 385
-#      undef __NR_memfd_create
+#elif defined __aarch64__
-#    endif
+#  define systemd_NR_memfd_create 279
-#    if defined __x86_64__
+#elif defined(__powerpc__)
-#      define __NR_memfd_create 319
+#  define systemd_NR_memfd_create 360
-#    elif defined __arm__
+#elif defined __s390__
-#      define __NR_memfd_create 385
+#  define systemd_NR_memfd_create 350
-#    elif defined __aarch64__
+#elif defined _MIPS_SIM
-#      define __NR_memfd_create 279
+#  if _MIPS_SIM == _MIPS_SIM_ABI32
-#    elif defined __s390__
+#    define systemd_NR_memfd_create 4354
-#      define __NR_memfd_create 350
-#    elif defined _MIPS_SIM
-#      if _MIPS_SIM == _MIPS_SIM_ABI32
-#        define __NR_memfd_create 4354
-#      endif
-#      if _MIPS_SIM == _MIPS_SIM_NABI32
-#        define __NR_memfd_create 6318
-#      endif
-#      if _MIPS_SIM == _MIPS_SIM_ABI64
-#        define __NR_memfd_create 5314
-#      endif
-#    elif defined __i386__
-#      define __NR_memfd_create 356
-#    elif defined __arc__
-#      define __NR_memfd_create 279
-#    else
-#      warning "__NR_memfd_create unknown for your architecture"
-#    endif
 #  endif
+#  if _MIPS_SIM == _MIPS_SIM_NABI32
+#    define systemd_NR_memfd_create 6318
+#  endif
+#  if _MIPS_SIM == _MIPS_SIM_ABI64
+#    define systemd_NR_memfd_create 5314
+#  endif
+#elif defined __i386__
+#  define systemd_NR_memfd_create 356
+#elif defined __arc__
+#  define systemd_NR_memfd_create 279
+#else
+#  warning "memfd_create() syscall number unknown for your architecture"
+#endif
 
+/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#if defined __NR_memfd_create && __NR_memfd_create >= 0
+#  if defined systemd_NR_memfd_create
+assert_cc(__NR_memfd_create == systemd_NR_memfd_create);
+#  endif
+#else
+#  if defined __NR_memfd_create
+#    undef __NR_memfd_create
+#  endif
+#  if defined systemd_NR_memfd_create
+#    define __NR_memfd_create systemd_NR_memfd_create
+#  endif
+#endif
+
+#if !HAVE_MEMFD_CREATE
 static inline int missing_memfd_create(const char *name, unsigned int flags) {
 #  ifdef __NR_memfd_create
         return syscall(__NR_memfd_create, name, flags);
@@ -80,45 +90,53 @@ static inline int missing_memfd_create(const char *name, unsigned int flags) {
 
 /* ======================================================================= */
 
-#if !HAVE_GETRANDOM
+#if defined __x86_64__
-/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#  define systemd_NR_getrandom 318
-#  if ! (defined __NR_getrandom && __NR_getrandom >= 0)
+#elif defined(__i386__)
-#    if defined __NR_getrandom
+#  define systemd_NR_getrandom 355
-#      undef __NR_getrandom
+#elif defined(__arm__)
-#    endif
+#  define systemd_NR_getrandom 384
-#    if defined __x86_64__
+#elif defined(__aarch64__)
-#      define __NR_getrandom 318
+#  define systemd_NR_getrandom 278
-#    elif defined(__i386__)
+#elif defined(__ia64__)
-#      define __NR_getrandom 355
+#  define systemd_NR_getrandom 1339
-#    elif defined(__arm__)
+#elif defined(__m68k__)
-#      define __NR_getrandom 384
+#  define systemd_NR_getrandom 352
-#   elif defined(__aarch64__)
+#elif defined(__s390x__)
-#      define __NR_getrandom 278
+#  define systemd_NR_getrandom 349
-#    elif defined(__ia64__)
+#elif defined(__powerpc__)
-#      define __NR_getrandom 1339
+#  define systemd_NR_getrandom 359
-#    elif defined(__m68k__)
+#elif defined _MIPS_SIM
-#      define __NR_getrandom 352
+#  if _MIPS_SIM == _MIPS_SIM_ABI32
-#    elif defined(__s390x__)
+#    define systemd_NR_getrandom 4353
-#      define __NR_getrandom 349
-#    elif defined(__powerpc__)
-#      define __NR_getrandom 359
-#    elif defined _MIPS_SIM
-#      if _MIPS_SIM == _MIPS_SIM_ABI32
-#        define __NR_getrandom 4353
-#      endif
-#      if _MIPS_SIM == _MIPS_SIM_NABI32
-#        define __NR_getrandom 6317
-#      endif
-#      if _MIPS_SIM == _MIPS_SIM_ABI64
-#        define __NR_getrandom 5313
-#      endif
-#    elif defined(__arc__)
-#      define __NR_getrandom 278
-#    else
-#      warning "__NR_getrandom unknown for your architecture"
-#    endif
 #  endif
+#  if _MIPS_SIM == _MIPS_SIM_NABI32
+#    define systemd_NR_getrandom 6317
+#  endif
+#  if _MIPS_SIM == _MIPS_SIM_ABI64
+#    define systemd_NR_getrandom 5313
+#  endif
+#elif defined(__arc__)
+#  define systemd_NR_getrandom 278
+#else
+#  warning "getrandom() syscall number unknown for your architecture"
+#endif
 
+/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#if defined __NR_getrandom && __NR_getrandom >= 0
+#  if defined systemd_NR_getrandom
+assert_cc(__NR_getrandom == systemd_NR_getrandom);
+#  endif
+#else
+#  if defined __NR_getrandom
+#    undef __NR_getrandom
+#  endif
+#  if defined systemd_NR_getrandom
+#    define __NR_getrandom systemd_NR_getrandom
+#  endif
+#endif
+
+#if !HAVE_GETRANDOM
 static inline int missing_getrandom(void *buffer, size_t count, unsigned flags) {
 #  ifdef __NR_getrandom
         return syscall(__NR_getrandom, buffer, count, flags);
@@ -133,9 +151,14 @@ static inline int missing_getrandom(void *buffer, size_t count, unsigned flags)
 
 /* ======================================================================= */
 
+/* The syscall has been defined since forever, but the glibc wrapper was missing. */
 #if !HAVE_GETTID
 static inline pid_t missing_gettid(void) {
+#  if defined __NR_gettid && __NR_gettid >= 0
         return (pid_t) syscall(__NR_gettid);
+#  else
+#    error "__NR_gettid not defined"
+#  endif
 }
 
 #  define gettid missing_gettid
@@ -143,27 +166,39 @@ static inline pid_t missing_gettid(void) {
 
 /* ======================================================================= */
 
-#if !HAVE_NAME_TO_HANDLE_AT
+#if defined(__x86_64__)
-/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#  define systemd_NR_name_to_handle_at 303
-#  if ! (defined __NR_name_to_handle_at && __NR_name_to_handle_at >= 0)
+#elif defined(__i386__)
-#    if defined __NR_name_to_handle_at
+#  define systemd_NR_name_to_handle_at 341
-#      undef __NR_name_to_handle_at
+#elif defined(__arm__)
-#    endif
+#  define systemd_NR_name_to_handle_at 370
-#    if defined(__x86_64__)
+#elif defined __aarch64__
-#      define __NR_name_to_handle_at 303
+#  define systemd_NR_name_to_handle_at 264
-#    elif defined(__i386__)
+#elif defined(__powerpc__)
-#      define __NR_name_to_handle_at 341
+#  define systemd_NR_name_to_handle_at 345
-#    elif defined(__arm__)
+#elif defined __s390__ || defined __s390x__
-#      define __NR_name_to_handle_at 370
+#  define systemd_NR_name_to_handle_at 335
-#    elif defined(__powerpc__)
+#elif defined(__arc__)
-#      define __NR_name_to_handle_at 345
+#  define systemd_NR_name_to_handle_at 264
-#    elif defined(__arc__)
+#else
-#      define __NR_name_to_handle_at 264
+#  warning "name_to_handle_at number is not defined"
-#    else
+#endif
-#      error "__NR_name_to_handle_at is not defined"
-#    endif
-#  endif
 
+/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#if defined __NR_name_to_handle_at && __NR_name_to_handle_at >= 0
+#  if defined systemd_NR_name_to_handle_at
+assert_cc(__NR_name_to_handle_at == systemd_NR_name_to_handle_at);
+#  endif
+#else
+#  if defined __NR_name_to_handle_at
+#    undef __NR_name_to_handle_at
+#  endif
+#  if defined systemd_NR_name_to_handle_at
+#    define __NR_name_to_handle_at systemd_NR_name_to_handle_at
+#  endif
+#endif
+
+#if !HAVE_NAME_TO_HANDLE_AT
 struct file_handle {
         unsigned int handle_bytes;
         int handle_type;
@@ -184,23 +219,39 @@ static inline int missing_name_to_handle_at(int fd, const char *name, struct fil
 
 /* ======================================================================= */
 
-#if !HAVE_SETNS
+#if defined __aarch64__
-/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#  define systemd_NR_setns 268
-#  if ! (defined __NR_setns && __NR_setns >= 0)
+#elif defined __arm__
-#    if defined __NR_setns
+#  define systemd_NR_setns 375
-#      undef __NR_setns
+#elif defined(__x86_64__)
-#    endif
+#  define systemd_NR_setns 308
-#    if defined(__x86_64__)
+#elif defined(__i386__)
-#      define __NR_setns 308
+#  define systemd_NR_setns 346
-#    elif defined(__i386__)
+#elif defined(__powerpc__)
-#      define __NR_setns 346
+#  define systemd_NR_setns 350
-#    elif defined(__arc__)
+#elif defined __s390__ || defined __s390x__
-#      define __NR_setns 268
+#  define systemd_NR_setns 339
-#    else
+#elif defined(__arc__)
-#      error "__NR_setns is not defined"
+#  define systemd_NR_setns 268
-#    endif
+#else
-#  endif
+#  warning "setns() syscall number unknown for your architecture"
+#endif
 
+/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#if defined __NR_setns && __NR_setns >= 0
+#  if defined systemd_NR_setns
+assert_cc(__NR_setns == systemd_NR_setns);
+#  endif
+#else
+#  if defined __NR_setns
+#    undef __NR_setns
+#  endif
+#  if defined systemd_NR_setns
+#    define __NR_setns systemd_NR_setns
+#  endif
+#endif
+
+#if !HAVE_SETNS
 static inline int missing_setns(int fd, int nstype) {
 #  ifdef __NR_setns
         return syscall(__NR_setns, fd, nstype);
@@ -225,41 +276,49 @@ static inline pid_t raw_getpid(void) {
 
 /* ======================================================================= */
 
-#if !HAVE_RENAMEAT2
+#if defined __x86_64__
-/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#  define systemd_NR_renameat2 316
-#  if ! (defined __NR_renameat2 && __NR_renameat2 >= 0)
+#elif defined __arm__
-#    if defined __NR_renameat2
+#  define systemd_NR_renameat2 382
-#      undef __NR_renameat2
+#elif defined __aarch64__
-#    endif
+#  define systemd_NR_renameat2 276
-#    if defined __x86_64__
+#elif defined _MIPS_SIM
-#      define __NR_renameat2 316
+#  if _MIPS_SIM == _MIPS_SIM_ABI32
-#    elif defined __arm__
+#    define systemd_NR_renameat2 4351
-#      define __NR_renameat2 382
-#    elif defined __aarch64__
-#      define __NR_renameat2 276
-#    elif defined _MIPS_SIM
-#      if _MIPS_SIM == _MIPS_SIM_ABI32
-#        define __NR_renameat2 4351
-#      endif
-#      if _MIPS_SIM == _MIPS_SIM_NABI32
-#        define __NR_renameat2 6315
-#      endif
-#      if _MIPS_SIM == _MIPS_SIM_ABI64
-#        define __NR_renameat2 5311
-#      endif
-#    elif defined __i386__
-#      define __NR_renameat2 353
-#    elif defined __powerpc64__
-#      define __NR_renameat2 357
-#    elif defined __s390__ || defined __s390x__
-#      define __NR_renameat2 347
-#    elif defined __arc__
-#      define __NR_renameat2 276
-#    else
-#      warning "__NR_renameat2 unknown for your architecture"
-#    endif
 #  endif
+#  if _MIPS_SIM == _MIPS_SIM_NABI32
+#    define systemd_NR_renameat2 6315
+#  endif
+#  if _MIPS_SIM == _MIPS_SIM_ABI64
+#    define systemd_NR_renameat2 5311
+#  endif
+#elif defined __i386__
+#  define systemd_NR_renameat2 353
+#elif defined __powerpc64__
+#  define systemd_NR_renameat2 357
+#elif defined __s390__ || defined __s390x__
+#  define systemd_NR_renameat2 347
+#elif defined __arc__
+#  define systemd_NR_renameat2 276
+#else
+#  warning "renameat2() syscall number unknown for your architecture"
+#endif
 
+/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#if defined __NR_renameat2 && __NR_renameat2 >= 0
+#  if defined systemd_NR_renameat2
+assert_cc(__NR_renameat2 == systemd_NR_renameat2);
+#  endif
+#else
+#  if defined __NR_renameat2
+#    undef __NR_renameat2
+#  endif
+#  if defined systemd_NR_renameat2
+#    define __NR_renameat2 systemd_NR_renameat2
+#  endif
+#endif
+
+#if !HAVE_RENAMEAT2
 static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, const char *newname, unsigned flags) {
 #  ifdef __NR_renameat2
         return syscall(__NR_renameat2, oldfd, oldname, newfd, newname, flags);
@@ -326,31 +385,39 @@ static inline key_serial_t missing_request_key(const char *type, const char *des
 
 /* ======================================================================= */
 
-#if !HAVE_COPY_FILE_RANGE
+#if defined(__x86_64__)
-/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#  define systemd_NR_copy_file_range 326
-#  if ! (defined __NR_copy_file_range && __NR_copy_file_range >= 0)
+#elif defined(__i386__)
-#    if defined __NR_copy_file_range
+#  define systemd_NR_copy_file_range 377
-#      undef __NR_copy_file_range
+#elif defined __s390__
-#    endif
+#  define systemd_NR_copy_file_range 375
-#    if defined(__x86_64__)
+#elif defined __arm__
-#      define __NR_copy_file_range 326
+#  define systemd_NR_copy_file_range 391
-#    elif defined(__i386__)
+#elif defined __aarch64__
-#      define __NR_copy_file_range 377
+#  define systemd_NR_copy_file_range 285
-#    elif defined __s390__
+#elif defined __powerpc__
-#      define __NR_copy_file_range 375
+#  define systemd_NR_copy_file_range 379
-#    elif defined __arm__
+#elif defined __arc__
-#      define __NR_copy_file_range 391
+#  define systemd_NR_copy_file_range 285
-#    elif defined __aarch64__
+#else
-#      define __NR_copy_file_range 285
+#  warning "copy_file_range() syscall number unknown for your architecture"
-#    elif defined __powerpc__
+#endif
-#      define __NR_copy_file_range 379
-#    elif defined __arc__
-#      define __NR_copy_file_range 285
-#    else
-#      warning "__NR_copy_file_range not defined for your architecture"
-#    endif
-#  endif
 
+/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#if defined __NR_copy_file_range && __NR_copy_file_range >= 0
+#  if defined systemd_NR_copy_file_range
+assert_cc(__NR_copy_file_range == systemd_NR_copy_file_range);
+#  endif
+#else
+#  if defined __NR_copy_file_range
+#    undef __NR_copy_file_range
+#  endif
+#  if defined systemd_NR_copy_file_range
+#    define __NR_copy_file_range systemd_NR_copy_file_range
+#  endif
+#endif
+
+#if !HAVE_COPY_FILE_RANGE
 static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in,
                                               int fd_out, loff_t *off_out,
                                               size_t len,
@@ -368,31 +435,41 @@ static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in,
 
 /* ======================================================================= */
 
-#if !HAVE_BPF
+#if defined __i386__
-/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#  define systemd_NR_bpf 357
-#  if ! (defined __NR_bpf && __NR_bpf >= 0)
+#elif defined __x86_64__
-#    if defined __NR_bpf
+#  define systemd_NR_bpf 321
-#      undef __NR_bpf
+#elif defined __aarch64__
-#    endif
+#  define systemd_NR_bpf 280
-#    if defined __i386__
+#elif defined __arm__
-#      define __NR_bpf 357
+#  define systemd_NR_bpf 386
-#    elif defined __x86_64__
+#elif defined(__powerpc__)
-#      define __NR_bpf 321
+#  define systemd_NR_bpf 361
-#    elif defined __aarch64__
+#elif defined __sparc__
-#      define __NR_bpf 280
+#  define systemd_NR_bpf 349
-#    elif defined __arm__
+#elif defined __s390__
-#      define __NR_bpf 386
+#  define systemd_NR_bpf 351
-#    elif defined __sparc__
+#elif defined __tilegx__
-#      define __NR_bpf 349
+#  define systemd_NR_bpf 280
-#    elif defined __s390__
+#else
-#      define __NR_bpf 351
+#  warning "bpf() syscall number unknown for your architecture"
-#    elif defined __tilegx__
+#endif
-#      define __NR_bpf 280
-#    else
-#      warning "__NR_bpf not defined for your architecture"
-#    endif
-#  endif
 
+/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#if defined __NR_bpf && __NR_bpf >= 0
+#  if defined systemd_NR_bpf
+assert_cc(__NR_bpf == systemd_NR_bpf);
+#  endif
+#else
+#  if defined __NR_bpf
+#    undef __NR_bpf
+#  endif
+#  if defined systemd_NR_bpf
+#    define __NR_bpf systemd_NR_bpf
+#  endif
+#endif
+
+#if !HAVE_BPF
 union bpf_attr;
 
 static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
@@ -410,69 +487,84 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
 /* ======================================================================= */
 
 #ifndef __IGNORE_pkey_mprotect
+#  if defined __i386__
+#    define systemd_NR_pkey_mprotect 380
+#  elif defined __x86_64__
+#    define systemd_NR_pkey_mprotect 329
+#  elif defined __aarch64__
+#    define systemd_NR_pkey_mprotect 288
+#  elif defined __arm__
+#    define systemd_NR_pkey_mprotect 394
+#  elif defined __powerpc__
+#    define systemd_NR_pkey_mprotect 386
+#  elif defined __s390__
+#    define systemd_NR_pkey_mprotect 384
+#  elif defined _MIPS_SIM
+#    if _MIPS_SIM == _MIPS_SIM_ABI32
+#      define systemd_NR_pkey_mprotect 4363
+#    endif
+#    if _MIPS_SIM == _MIPS_SIM_NABI32
+#      define systemd_NR_pkey_mprotect 6327
+#    endif
+#    if _MIPS_SIM == _MIPS_SIM_ABI64
+#      define systemd_NR_pkey_mprotect 5323
+#    endif
+#  else
+#    warning "pkey_mprotect() syscall number unknown for your architecture"
+#  endif
+
 /* may be (invalid) negative number due to libseccomp, see PR 13319 */
-#  if ! (defined __NR_pkey_mprotect && __NR_pkey_mprotect >= 0)
+#  if defined __NR_pkey_mprotect && __NR_pkey_mprotect >= 0
+#    if defined systemd_NR_pkey_mprotect
+assert_cc(__NR_pkey_mprotect == systemd_NR_pkey_mprotect);
+#    endif
+#  else
 #    if defined __NR_pkey_mprotect
 #      undef __NR_pkey_mprotect
 #    endif
-#    if defined __i386__
+#    if defined systemd_NR_pkey_mprotect
-#      define __NR_pkey_mprotect 380
+#      define __NR_pkey_mprotect systemd_NR_pkey_mprotect
-#    elif defined __x86_64__
-#      define __NR_pkey_mprotect 329
-#    elif defined __arm__
-#      define __NR_pkey_mprotect 394
-#    elif defined __aarch64__
-#      define __NR_pkey_mprotect 394
-#    elif defined __powerpc__
-#      define __NR_pkey_mprotect 386
-#    elif defined __s390__
-#      define __NR_pkey_mprotect 384
-#    elif defined _MIPS_SIM
-#      if _MIPS_SIM == _MIPS_SIM_ABI32
-#        define __NR_pkey_mprotect 4363
-#      endif
-#      if _MIPS_SIM == _MIPS_SIM_NABI32
-#        define __NR_pkey_mprotect 6327
-#      endif
-#      if _MIPS_SIM == _MIPS_SIM_ABI64
-#        define __NR_pkey_mprotect 5323
-#      endif
-#    else
-#      warning "__NR_pkey_mprotect not defined for your architecture"
 #    endif
 #  endif
 #endif
 
 /* ======================================================================= */
 
-#if !HAVE_STATX
+#if defined __aarch64__
-/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#  define systemd_NR_statx 291
-#  if ! (defined __NR_statx && __NR_statx >= 0)
+#elif defined __arm__
-#    if defined __NR_statx
+#  define systemd_NR_statx 397
-#      undef __NR_statx
+#elif defined __alpha__
-#    endif
+#  define systemd_NR_statx 522
-#    if defined __aarch64__ || defined __arm__
+#elif defined __i386__ || defined __powerpc64__
-#      define __NR_statx 397
+#  define systemd_NR_statx 383
-#    elif defined __alpha__
+#elif defined __s390__ || defined __s390x__
-#      define __NR_statx 522
+#  define systemd_NR_statx 379
-#    elif defined __i386__ || defined __powerpc64__
+#elif defined __sparc__
-#      define __NR_statx 383
+#  define systemd_NR_statx 360
-#    elif defined __sparc__
+#elif defined __x86_64__
-#      define __NR_statx 360
+#  define systemd_NR_statx 332
-#    elif defined __x86_64__
+#else
-#      define __NR_statx 332
+#  warning "statx() syscall number unknown for your architecture"
-#    else
-#      warning "__NR_statx not defined for your architecture"
-#    endif
-#  endif
-
-struct statx;
 #endif
 
-/* This typedef is supposed to be always defined. */
+/* may be (invalid) negative number due to libseccomp, see PR 13319 */
-typedef struct statx struct_statx;
+#if defined __NR_statx && __NR_statx >= 0
+#  if defined systemd_NR_statx
+assert_cc(__NR_statx == systemd_NR_statx);
+#  endif
+#else
+#  if defined __NR_statx
+#    undef __NR_statx
+#  endif
+#  if defined systemd_NR_statx
+#    define __NR_statx systemd_NR_statx
+#  endif
+#endif
 
 #if !HAVE_STATX
+struct statx;
+
 static inline ssize_t missing_statx(int dfd, const char *filename, unsigned flags, unsigned int mask, struct statx *buffer) {
 #  ifdef __NR_statx
         return syscall(__NR_statx, dfd, filename, flags, mask, buffer);
@@ -481,12 +573,18 @@ static inline ssize_t missing_statx(int dfd, const char *filename, unsigned flag
         return -1;
 #  endif
 }
+#endif
 
+/* This typedef is supposed to be always defined. */
+typedef struct statx struct_statx;
+
+#if !HAVE_STATX
 #  define statx(dfd, filename, flags, mask, buffer) missing_statx(dfd, filename, flags, mask, buffer)
 #endif
 
-#if !HAVE_SET_MEMPOLICY
+/* ======================================================================= */
 
+#if !HAVE_SET_MEMPOLICY
 enum {
         MPOL_DEFAULT,
         MPOL_PREFERRED,
@@ -527,19 +625,28 @@ static inline long missing_get_mempolicy(int *mode, unsigned long *nodemask,
 #  define get_mempolicy missing_get_mempolicy
 #endif
 
-#if !HAVE_PIDFD_SEND_SIGNAL
+/* ======================================================================= */
-/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+
-#  if ! (defined __NR_pidfd_send_signal && __NR_pidfd_send_signal >= 0)
-#    if defined __NR_pidfd_send_signal
-#      undef __NR_pidfd_send_signal
-#    endif
 /* should be always defined, see kernel 39036cd2727395c3369b1051005da74059a85317 */
-#    if defined(__alpha__)
+#if defined(__alpha__)
-#      define __NR_pidfd_send_signal 534
+#  define systemd_NR_pidfd_send_signal 534
-#    else
+#else
-#      define __NR_pidfd_send_signal 424
+#  define systemd_NR_pidfd_send_signal 424
-#    endif
+#endif
+
+/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#if defined __NR_pidfd_send_signal && __NR_pidfd_send_signal >= 0
+#  if defined systemd_NR_pidfd_send_signal
+assert_cc(__NR_pidfd_send_signal == systemd_NR_pidfd_send_signal);
 #  endif
+#else
+#  if defined __NR_pidfd_send_signal
+#    undef __NR_pidfd_send_signal
+#  endif
+#  define __NR_pidfd_send_signal systemd_NR_pidfd_send_signal
+#endif
+
+#if !HAVE_PIDFD_SEND_SIGNAL
 static inline int missing_pidfd_send_signal(int fd, int sig, siginfo_t *info, unsigned flags) {
 #  ifdef __NR_pidfd_open
         return syscall(__NR_pidfd_send_signal, fd, sig, info, flags);
@@ -552,19 +659,26 @@ static inline int missing_pidfd_send_signal(int fd, int sig, siginfo_t *info, un
 #  define pidfd_send_signal missing_pidfd_send_signal
 #endif
 
-#if !HAVE_PIDFD_OPEN
-/* may be (invalid) negative number due to libseccomp, see PR 13319 */
-#  if ! (defined __NR_pidfd_open && __NR_pidfd_open >= 0)
-#    if defined __NR_pidfd_open
-#      undef __NR_pidfd_open
-#    endif
 /* should be always defined, see kernel 7615d9e1780e26e0178c93c55b73309a5dc093d7 */
-#    if defined(__alpha__)
+#if defined(__alpha__)
-#      define __NR_pidfd_open 544
+#  define systemd_NR_pidfd_open 544
-#    else
+#else
-#      define __NR_pidfd_open 434
+#  define systemd_NR_pidfd_open 434
-#    endif
+#endif
+
+/* may be (invalid) negative number due to libseccomp, see PR 13319 */
+#if defined __NR_pidfd_open && __NR_pidfd_open >= 0
+#  if defined systemd_NR_pidfd_open
+assert_cc(__NR_pidfd_open == systemd_NR_pidfd_open);
 #  endif
+#else
+#  if defined __NR_pidfd_open
+#    undef __NR_pidfd_open
+#  endif
+#  define __NR_pidfd_open systemd_NR_pidfd_open
+#endif
+
+#if !HAVE_PIDFD_OPEN
 static inline int missing_pidfd_open(pid_t pid, unsigned flags) {
 #  ifdef __NR_pidfd_open
         return syscall(__NR_pidfd_open, pid, flags);
@@ -577,9 +691,15 @@ static inline int missing_pidfd_open(pid_t pid, unsigned flags) {
 #  define pidfd_open missing_pidfd_open
 #endif
 
+/* ======================================================================= */
+
 #if !HAVE_RT_SIGQUEUEINFO
 static inline int missing_rt_sigqueueinfo(pid_t tgid, int sig, siginfo_t *info) {
+#  if defined __NR_rt_sigqueueinfo && __NR_rt_sigqueueinfo >= 0
         return syscall(__NR_rt_sigqueueinfo, tgid, sig, info);
+#  else
+#    error "__NR_rt_sigqueueinfo not defined"
+#  endif
 }
 
 #  define rt_sigqueueinfo missing_rt_sigqueueinfo

src/basic/mkdir.c

@@ -5,6 +5,7 @@
 #include <string.h>
 
 #include "alloc-util.h"
+#include "fd-util.h"
 #include "format-util.h"
 #include "fs-util.h"
 #include "macro.h"
@@ -187,3 +188,54 @@ int mkdir_p(const char *path, mode_t mode) {
 int mkdir_p_safe(const char *prefix, const char *path, mode_t mode, uid_t uid, gid_t gid, MkdirFlags flags) {
         return mkdir_p_internal(prefix, path, mode, uid, gid, flags, mkdir_errno_wrapper);
 }
+
+int mkdir_p_root(const char *root, const char *p, uid_t uid, gid_t gid, mode_t m) {
+        _cleanup_free_ char *pp = NULL;
+        _cleanup_close_ int dfd = -1;
+        const char *bn;
+        int r;
+
+        pp = dirname_malloc(p);
+        if (!pp)
+                return -ENOMEM;
+
+        /* Not top-level? */
+        if (!(path_equal(pp, "/") || isempty(pp) || path_equal(pp, "."))) {
+
+                /* Recurse up */
+                r = mkdir_p_root(root, pp, uid, gid, m);
+                if (r < 0)
+                        return r;
+        }
+
+        bn = basename(p);
+        if (path_equal(bn, "/") || isempty(bn) || path_equal(bn, "."))
+                return 0;
+
+        if (!filename_is_valid(bn))
+                return -EINVAL;
+
+        dfd = chase_symlinks_and_open(pp, root, CHASE_PREFIX_ROOT, O_RDONLY|O_CLOEXEC|O_DIRECTORY, NULL);
+        if (dfd < 0)
+                return dfd;
+
+        if (mkdirat(dfd, bn, m) < 0) {
+                if (errno == EEXIST)
+                        return 0;
+
+                return -errno;
+        }
+
+        if (uid_is_valid(uid) || gid_is_valid(gid)) {
+                _cleanup_close_ int nfd = -1;
+
+                nfd = openat(dfd, bn, O_RDONLY|O_CLOEXEC|O_DIRECTORY);
+                if (nfd < 0)
+                        return -errno;
+
+                if (fchown(nfd, uid, gid) < 0)
+                        return -errno;
+        }
+
+        return 1;
+}

src/basic/mkdir.h

@@ -26,3 +26,5 @@ typedef int (*mkdir_func_t)(const char *pathname, mode_t mode);
 int mkdir_safe_internal(const char *path, mode_t mode, uid_t uid, gid_t gid, MkdirFlags flags, mkdir_func_t _mkdir);
 int mkdir_parents_internal(const char *prefix, const char *path, mode_t mode, uid_t uid, gid_t gid, MkdirFlags flags, mkdir_func_t _mkdir);
 int mkdir_p_internal(const char *prefix, const char *path, mode_t mode, uid_t uid, gid_t gid, MkdirFlags flags, mkdir_func_t _mkdir);
+
+int mkdir_p_root(const char *root, const char *p, uid_t uid, gid_t gid, mode_t m);

src/basic/path-util.c

@@ -726,18 +726,6 @@ int fsck_exists(const char *fstype) {
         return binary_is_good(checker);
 }
 
-int mkfs_exists(const char *fstype) {
-        const char *mkfs;
-
-        assert(fstype);
-
-        if (streq(fstype, "auto"))
-                return -EINVAL;
-
-        mkfs = strjoina("mkfs.", fstype);
-        return binary_is_good(mkfs);
-}
-
 int parse_path_argument_and_warn(const char *path, bool suppress_root, char **arg) {
         char *p;
         int r;

src/basic/path-util.h

@@ -85,7 +85,6 @@ int find_binary(const char *name, char **filename);
 bool paths_check_timestamp(const char* const* paths, usec_t *paths_ts_usec, bool update);
 
 int fsck_exists(const char *fstype);
-int mkfs_exists(const char *fstype);
 
 /* Iterates through the path prefixes of the specified path, going up
  * the tree, to root. Also returns "" (and not "/"!) for the root

src/core/dbus-execute.c

@@ -47,6 +47,8 @@ static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_input, exec_input, ExecInp
 static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_utmp_mode, exec_utmp_mode, ExecUtmpMode);
 static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_preserve_mode, exec_preserve_mode, ExecPreserveMode);
 static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_keyring_mode, exec_keyring_mode, ExecKeyringMode);
+static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_protect_proc, protect_proc, ProtectProc);
+static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_proc_subset, proc_subset, ProcSubset);
 static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_protect_home, protect_home, ProtectHome);
 static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_protect_system, protect_system, ProtectSystem);
 static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_personality, personality, unsigned long);
@@ -1016,6 +1018,8 @@ const sd_bus_vtable bus_exec_vtable[] = {
         SD_BUS_PROPERTY("TemporaryFileSystem", "a(ss)", property_get_temporary_filesystems, 0, SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("MountAPIVFS", "b", bus_property_get_bool, offsetof(ExecContext, mount_apivfs), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("KeyringMode", "s", property_get_exec_keyring_mode, offsetof(ExecContext, keyring_mode), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("ProtectProc", "s", property_get_protect_proc, offsetof(ExecContext, protect_proc), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("ProcSubset", "s", property_get_proc_subset, offsetof(ExecContext, proc_subset), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("ProtectHostname", "b", bus_property_get_bool, offsetof(ExecContext, protect_hostname), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("NetworkNamespacePath", "s", NULL, offsetof(ExecContext, network_namespace_path), SD_BUS_VTABLE_PROPERTY_CONST),
 
@@ -1354,6 +1358,8 @@ static BUS_DEFINE_SET_TRANSIENT_PARSE(utmp_mode, ExecUtmpMode, exec_utmp_mode_fr
 static BUS_DEFINE_SET_TRANSIENT_PARSE(protect_system, ProtectSystem, protect_system_from_string);
 static BUS_DEFINE_SET_TRANSIENT_PARSE(protect_home, ProtectHome, protect_home_from_string);
 static BUS_DEFINE_SET_TRANSIENT_PARSE(keyring_mode, ExecKeyringMode, exec_keyring_mode_from_string);
+static BUS_DEFINE_SET_TRANSIENT_PARSE(protect_proc, ProtectProc, protect_proc_from_string);
+static BUS_DEFINE_SET_TRANSIENT_PARSE(proc_subset, ProcSubset, proc_subset_from_string);
 static BUS_DEFINE_SET_TRANSIENT_PARSE(preserve_mode, ExecPreserveMode, exec_preserve_mode_from_string);
 static BUS_DEFINE_SET_TRANSIENT_PARSE_PTR(personality, unsigned long, parse_personality);
 static BUS_DEFINE_SET_TRANSIENT_TO_STRING_ALLOC(secure_bits, "i", int32_t, int, "%" PRIi32, secure_bits_to_string_alloc_with_check);
@@ -1706,6 +1712,12 @@ int bus_exec_context_set_transient_property(
         if (streq(name, "KeyringMode"))
                 return bus_set_transient_keyring_mode(u, name, &c->keyring_mode, message, flags, error);
 
+        if (streq(name, "ProtectProc"))
+                return bus_set_transient_protect_proc(u, name, &c->protect_proc, message, flags, error);
+
+        if (streq(name, "ProcSubset"))
+                return bus_set_transient_proc_subset(u, name, &c->proc_subset, message, flags, error);
+
         if (streq(name, "RuntimeDirectoryPreserve"))
                 return bus_set_transient_preserve_mode(u, name, &c->runtime_directory_preserve_mode, message, flags, error);
 

src/core/execute.c

@@ -1948,7 +1948,9 @@ static bool exec_needs_mount_namespace(
             context->protect_kernel_tunables ||
             context->protect_kernel_modules ||
             context->protect_kernel_logs ||
-            context->protect_control_groups)
+            context->protect_control_groups ||
+            context->protect_proc != PROTECT_PROC_DEFAULT ||
+            context->proc_subset != PROC_SUBSET_ALL)
                 return true;
 
         if (context->root_directory) {
@@ -2650,6 +2652,10 @@ static int apply_mount_namespace(
                         .protect_hostname = context->protect_hostname,
                         .mount_apivfs = context->mount_apivfs,
                         .private_mounts = context->private_mounts,
+                        .protect_home = context->protect_home,
+                        .protect_system = context->protect_system,
+                        .protect_proc = context->protect_proc,
+                        .proc_subset = context->proc_subset,
                 };
         } else if (!context->dynamic_user && root_dir)
                 /*
@@ -2680,8 +2686,6 @@ static int apply_mount_namespace(
                             tmp_dir,
                             var_tmp_dir,
                             context->log_namespace,
-                            needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
-                            needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
                             context->mount_flags,
                             context->root_hash, context->root_hash_size, context->root_hash_path,
                             context->root_hash_sig, context->root_hash_sig_size, context->root_hash_sig_path,
@@ -4601,7 +4605,9 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
                 "%sRestrictRealtime: %s\n"
                 "%sRestrictSUIDSGID: %s\n"
                 "%sKeyringMode: %s\n"
-                "%sProtectHostname: %s\n",
+                "%sProtectHostname: %s\n"
+                "%sProtectProc: %s\n"
+                "%sProcSubset: %s\n",
                 prefix, c->umask,
                 prefix, c->working_directory ? c->working_directory : "/",
                 prefix, c->root_directory ? c->root_directory : "/",
@@ -4623,7 +4629,9 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
                 prefix, yes_no(c->restrict_realtime),
                 prefix, yes_no(c->restrict_suid_sgid),
                 prefix, exec_keyring_mode_to_string(c->keyring_mode),
-                prefix, yes_no(c->protect_hostname));
+                prefix, yes_no(c->protect_hostname),
+                prefix, protect_proc_to_string(c->protect_proc),
+                prefix, proc_subset_to_string(c->proc_subset));
 
         if (c->root_image)
                 fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);

src/core/execute.h

@@ -260,6 +260,9 @@ struct ExecContext {
 
         char *log_namespace;
 
+        ProtectProc protect_proc;  /* hidepid= */
+        ProcSubset proc_subset;    /* subset= */
+
         bool private_tmp;
         bool private_network;
         bool private_devices;

src/core/load-fragment-gperf.gperf.m4

@@ -73,6 +73,8 @@ $1.AmbientCapabilities,          config_parse_capability_set,        0,
 $1.TimerSlackNSec,               config_parse_nsec,                  0,                             offsetof($1, exec_context.timer_slack_nsec)
 $1.NoNewPrivileges,              config_parse_bool,                  0,                             offsetof($1, exec_context.no_new_privileges)
 $1.KeyringMode,                  config_parse_exec_keyring_mode,     0,                             offsetof($1, exec_context.keyring_mode)
+$1.ProtectProc,                  config_parse_protect_proc,          0,                             offsetof($1, exec_context.protect_proc)
+$1.ProcSubset,                   config_parse_proc_subset,           0,                             offsetof($1, exec_context.proc_subset)
 m4_ifdef(`HAVE_SECCOMP',
 `$1.SystemCallFilter,            config_parse_syscall_filter,        0,                             offsetof($1, exec_context)
 $1.SystemCallArchitectures,      config_parse_syscall_archs,         0,                             offsetof($1, exec_context.syscall_archs)
@@ -265,7 +267,6 @@ Unit.SuccessAction,              config_parse_emergency_action,      0,
 Unit.FailureActionExitStatus,    config_parse_exit_status,           0,                             offsetof(Unit, failure_action_exit_status)
 Unit.SuccessActionExitStatus,    config_parse_exit_status,           0,                             offsetof(Unit, success_action_exit_status)
 Unit.RebootArgument,             config_parse_unit_string_printf,    0,                             offsetof(Unit, reboot_arg)
-m4_dnl Also add any conditions to condition_definitions[] in src/analyze/analyze-condition.c.
 Unit.ConditionPathExists,        config_parse_unit_condition_path,   CONDITION_PATH_EXISTS,         offsetof(Unit, conditions)
 Unit.ConditionPathExistsGlob,    config_parse_unit_condition_path,   CONDITION_PATH_EXISTS_GLOB,    offsetof(Unit, conditions)
 Unit.ConditionPathIsDirectory,   config_parse_unit_condition_path,   CONDITION_PATH_IS_DIRECTORY,   offsetof(Unit, conditions)

src/core/load-fragment.c

@@ -118,6 +118,8 @@ DEFINE_CONFIG_PARSE(config_parse_exec_secure_bits, secure_bits_from_string, "Fai
 DEFINE_CONFIG_PARSE_ENUM(config_parse_collect_mode, collect_mode, CollectMode, "Failed to parse garbage collection mode");
 DEFINE_CONFIG_PARSE_ENUM(config_parse_device_policy, cgroup_device_policy, CGroupDevicePolicy, "Failed to parse device policy");
 DEFINE_CONFIG_PARSE_ENUM(config_parse_exec_keyring_mode, exec_keyring_mode, ExecKeyringMode, "Failed to parse keyring mode");
+DEFINE_CONFIG_PARSE_ENUM(config_parse_protect_proc, protect_proc, ProtectProc, "Failed to parse /proc/ protection mode");
+DEFINE_CONFIG_PARSE_ENUM(config_parse_proc_subset, proc_subset, ProcSubset, "Failed to parse /proc/ subset mode");
 DEFINE_CONFIG_PARSE_ENUM(config_parse_exec_utmp_mode, exec_utmp_mode, ExecUtmpMode, "Failed to parse utmp mode");
 DEFINE_CONFIG_PARSE_ENUM(config_parse_job_mode, job_mode, JobMode, "Failed to parse job mode");
 DEFINE_CONFIG_PARSE_ENUM(config_parse_notify_access, notify_access, NotifyAccess, "Failed to parse notify access specifier");

src/core/load-fragment.h

@@ -108,6 +108,8 @@ CONFIG_PARSER_PROTOTYPE(config_parse_user_group_strv_compat);
 CONFIG_PARSER_PROTOTYPE(config_parse_restrict_namespaces);
 CONFIG_PARSER_PROTOTYPE(config_parse_bind_paths);
 CONFIG_PARSER_PROTOTYPE(config_parse_exec_keyring_mode);
+CONFIG_PARSER_PROTOTYPE(config_parse_protect_proc);
+CONFIG_PARSER_PROTOTYPE(config_parse_proc_subset);
 CONFIG_PARSER_PROTOTYPE(config_parse_job_timeout_sec);
 CONFIG_PARSER_PROTOTYPE(config_parse_job_running_timeout_sec);
 CONFIG_PARSER_PROTOTYPE(config_parse_log_extra_fields);

src/core/namespace.c

@@ -97,7 +97,7 @@ static const MountEntry protect_kernel_tunables_table[] = {
         { "/proc/latency_stats", READONLY,           true  },
         { "/proc/mtrr",          READONLY,           true  },
         { "/proc/scsi",          READONLY,           true  },
-        { "/proc/sys",           READONLY,           false },
+        { "/proc/sys",           READONLY,           true  },
         { "/proc/sysrq-trigger", READONLY,           true  },
         { "/proc/timer_stats",   READONLY,           true  },
         { "/sys",                READONLY,           false },
@@ -863,33 +863,66 @@ static int mount_sysfs(const MountEntry *m) {
         return 1;
 }
 
-static int mount_procfs(const MountEntry *m) {
+static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) {
-        int r;
+        const char *entry_path;
 
         assert(m);
+        assert(ns_info);
 
-        (void) mkdir_p_label(mount_entry_path(m), 0755);
+        entry_path = mount_entry_path(m);
 
-        r = path_is_mount_point(mount_entry_path(m), NULL, 0);
+        /* Mount a new instance, so that we get the one that matches our user namespace, if we are running in
-        if (r < 0)
+         * one. i.e we don't reuse existing mounts here under any condition, we want a new instance owned by
-                return log_debug_errno(r, "Unable to determine whether /proc is already mounted: %m");
+         * our user namespace and with our hidepid= settings applied. Hence, let's get rid of everything
-        if (r > 0) /* make this a NOP if /proc is already a mount point */
+         * mounted on /proc/ first. */
-                return 0;
 
-        /* Mount a new instance, so that we get the one that matches our user namespace, if we are running in one */
+        (void) mkdir_p_label(entry_path, 0755);
-        if (mount("proc", mount_entry_path(m), "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL) < 0)
+        (void) umount_recursive(entry_path, 0);
-                return log_debug_errno(errno, "Failed to mount %s: %m", mount_entry_path(m));
+
+        if (ns_info->protect_proc != PROTECT_PROC_DEFAULT ||
+            ns_info->proc_subset != PROC_SUBSET_ALL) {
+                _cleanup_free_ char *opts = NULL;
+
+                /* Starting with kernel 5.8 procfs' hidepid= logic is truly per-instance (previously it
+                 * pretended to be per-instance but actually was per-namespace), hence let's make use of it
+                 * if requested. To make sure this logic succeeds only on kernels where hidepid= is
+                 * per-instance, we'll exclusively use the textual value for hidepid=, since support was
+                 * added in the same commit: if it's supported it is thus also per-instance. */
+
+                opts = strjoin("hidepid=",
+                               ns_info->protect_proc == PROTECT_PROC_DEFAULT ? "off" :
+                               protect_proc_to_string(ns_info->protect_proc),
+                               ns_info->proc_subset == PROC_SUBSET_PID ? ",subset=pid" : "");
+                if (!opts)
+                        return -ENOMEM;
+
+                if (mount("proc", entry_path, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, opts) < 0) {
+                        if (errno != EINVAL)
+                                return log_debug_errno(errno, "Failed to mount %s (options=%s): %m", mount_entry_path(m), opts);
+
+                        /* If this failed with EINVAL then this likely means the textual hidepid= stuff is
+                         * not supported by the kernel, and thus the per-instance hidepid= neither, which
+                         * means we really don't want to use it, since it would affect our host's /proc
+                         * mount. Hence let's gracefully fallback to a classic, unrestricted version. */
+                } else
+                        return 1;
+        }
+
+        if (mount("proc", entry_path, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL) < 0)
+                return log_debug_errno(errno, "Failed to mount %s (no options): %m", mount_entry_path(m));
 
         return 1;
 }
 
 static int mount_tmpfs(const MountEntry *m) {
+        const char *entry_path, *inner_path;
         int r;
-        const char *entry_path = mount_entry_path(m);
-        const char *source_path = m->path_const;
 
         assert(m);
 
+        entry_path = mount_entry_path(m);
+        inner_path = m->path_const;
+
         /* First, get rid of everything that is below if there is anything. Then, overmount with our new tmpfs */
 
         (void) mkdir_p_label(entry_path, 0755);
@@ -898,9 +931,9 @@ static int mount_tmpfs(const MountEntry *m) {
         if (mount("tmpfs", entry_path, "tmpfs", m->flags, mount_entry_options(m)) < 0)
                 return log_debug_errno(errno, "Failed to mount %s: %m", entry_path);
 
-        r = label_fix_container(entry_path, source_path, 0);
+        r = label_fix_container(entry_path, inner_path, 0);
         if (r < 0)
-                return log_debug_errno(r, "Failed to fix label of '%s' as '%s': %m", entry_path, source_path);
+                return log_debug_errno(r, "Failed to fix label of '%s' as '%s': %m", entry_path, inner_path);
 
         return 1;
 }
@@ -995,7 +1028,8 @@ static int follow_symlink(
 
 static int apply_mount(
                 const char *root_directory,
-                MountEntry *m) {
+                MountEntry *m,
+                const NamespaceInfo *ns_info) {
 
         _cleanup_free_ char *inaccessible = NULL;
         bool rbind = true, make = false;
@@ -1003,6 +1037,7 @@ static int apply_mount(
         int r;
 
         assert(m);
+        assert(ns_info);
 
         log_debug("Applying namespace mount on %s", mount_entry_path(m));
 
@@ -1107,7 +1142,7 @@ static int apply_mount(
                 return mount_sysfs(m);
 
         case PROCFS:
-                return mount_procfs(m);
+                return mount_procfs(m, ns_info);
 
         case MOUNT_IMAGES:
                 return mount_images(m);
@@ -1219,7 +1254,9 @@ static bool namespace_info_mount_apivfs(const NamespaceInfo *ns_info) {
 
         return ns_info->mount_apivfs ||
                 ns_info->protect_control_groups ||
-                ns_info->protect_kernel_tunables;
+                ns_info->protect_kernel_tunables ||
+                ns_info->protect_proc != PROTECT_PROC_DEFAULT ||
+                ns_info->proc_subset != PROC_SUBSET_ALL;
 }
 
 static size_t namespace_calculate_mounts(
@@ -1233,25 +1270,23 @@ static size_t namespace_calculate_mounts(
                 size_t n_mount_images,
                 const char* tmp_dir,
                 const char* var_tmp_dir,
-                const char* log_namespace,
+                const char* log_namespace) {
-                ProtectHome protect_home,
-                ProtectSystem protect_system) {
 
         size_t protect_home_cnt;
         size_t protect_system_cnt =
-                (protect_system == PROTECT_SYSTEM_STRICT ?
+                (ns_info->protect_system == PROTECT_SYSTEM_STRICT ?
                  ELEMENTSOF(protect_system_strict_table) :
-                 ((protect_system == PROTECT_SYSTEM_FULL) ?
+                 ((ns_info->protect_system == PROTECT_SYSTEM_FULL) ?
                   ELEMENTSOF(protect_system_full_table) :
-                  ((protect_system == PROTECT_SYSTEM_YES) ?
+                  ((ns_info->protect_system == PROTECT_SYSTEM_YES) ?
                    ELEMENTSOF(protect_system_yes_table) : 0)));
 
         protect_home_cnt =
-                (protect_home == PROTECT_HOME_YES ?
+                (ns_info->protect_home == PROTECT_HOME_YES ?
                  ELEMENTSOF(protect_home_yes_table) :
-                 ((protect_home == PROTECT_HOME_READ_ONLY) ?
+                 ((ns_info->protect_home == PROTECT_HOME_READ_ONLY) ?
                   ELEMENTSOF(protect_home_read_only_table) :
-                  ((protect_home == PROTECT_HOME_TMPFS) ?
+                  ((ns_info->protect_home == PROTECT_HOME_TMPFS) ?
                    ELEMENTSOF(protect_home_tmpfs_table) : 0)));
 
         return !!tmp_dir + !!var_tmp_dir +
@@ -1355,8 +1390,6 @@ int setup_namespace(
                 const char* tmp_dir,
                 const char* var_tmp_dir,
                 const char *log_namespace,
-                ProtectHome protect_home,
-                ProtectSystem protect_system,
                 unsigned long mount_flags,
                 const void *root_hash,
                 size_t root_hash_size,
@@ -1389,10 +1422,10 @@ int setup_namespace(
 
                 /* Make the whole image read-only if we can determine that we only access it in a read-only fashion. */
                 if (root_read_only(read_only_paths,
-                                   protect_system) &&
+                                   ns_info->protect_system) &&
                     home_read_only(read_only_paths, inaccessible_paths, empty_directories,
                                    bind_mounts, n_bind_mounts, temporary_filesystems, n_temporary_filesystems,
-                                   protect_home) &&
+                                   ns_info->protect_home) &&
                     strv_isempty(read_write_paths))
                         dissect_image_flags |= DISSECT_IMAGE_READ_ONLY;
 
@@ -1461,8 +1494,7 @@ int setup_namespace(
                         n_temporary_filesystems,
                         n_mount_images,
                         tmp_dir, var_tmp_dir,
-                        log_namespace,
+                        log_namespace);
-                        protect_home, protect_system);
 
         if (n_mounts > 0) {
                 m = mounts = new0(MountEntry, n_mounts);
@@ -1559,11 +1591,11 @@ int setup_namespace(
                         };
                 }
 
-                r = append_protect_home(&m, protect_home, ns_info->ignore_protect_paths);
+                r = append_protect_home(&m, ns_info->protect_home, ns_info->ignore_protect_paths);
                 if (r < 0)
                         goto finish;
 
-                r = append_protect_system(&m, protect_system, false);
+                r = append_protect_system(&m, ns_info->protect_system, false);
                 if (r < 0)
                         goto finish;
 
@@ -1720,7 +1752,7 @@ int setup_namespace(
                                         break;
                                 }
 
-                                r = apply_mount(root, m);
+                                r = apply_mount(root, m, ns_info);
                                 if (r < 0) {
                                         if (error_path && mount_entry_path(m))
                                                 *error_path = strdup(mount_entry_path(m));
@@ -2240,3 +2272,19 @@ static const char* const namespace_type_table[] = {
 };
 
 DEFINE_STRING_TABLE_LOOKUP(namespace_type, NamespaceType);
+
+static const char* const protect_proc_table[_PROTECT_PROC_MAX] = {
+        [PROTECT_PROC_DEFAULT]    = "default",
+        [PROTECT_PROC_NOACCESS]   = "noaccess",
+        [PROTECT_PROC_INVISIBLE]  = "invisible",
+        [PROTECT_PROC_PTRACEABLE] = "ptraceable",
+};
+
+DEFINE_STRING_TABLE_LOOKUP(protect_proc, ProtectProc);
+
+static const char* const proc_subset_table[_PROC_SUBSET_MAX] = {
+        [PROC_SUBSET_ALL] = "all",
+        [PROC_SUBSET_PID] = "pid",
+};
+
+DEFINE_STRING_TABLE_LOOKUP(proc_subset, ProcSubset);

src/core/namespace.h

@@ -47,6 +47,22 @@ typedef enum ProtectSystem {
         _PROTECT_SYSTEM_INVALID = -1
 } ProtectSystem;
 
+typedef enum ProtectProc {
+        PROTECT_PROC_DEFAULT,
+        PROTECT_PROC_NOACCESS,   /* hidepid=noaccess */
+        PROTECT_PROC_INVISIBLE,  /* hidepid=invisible */
+        PROTECT_PROC_PTRACEABLE, /* hidepid=ptraceable */
+        _PROTECT_PROC_MAX,
+        _PROTECT_PROC_INVALID = -1,
+} ProtectProc;
+
+typedef enum ProcSubset {
+        PROC_SUBSET_ALL,
+        PROC_SUBSET_PID, /* subset=pid */
+        _PROC_SUBSET_MAX,
+        _PROC_SUBSET_INVALID = -1,
+} ProcSubset;
+
 struct NamespaceInfo {
         bool ignore_protect_paths:1;
         bool private_dev:1;
@@ -57,6 +73,10 @@ struct NamespaceInfo {
         bool protect_kernel_logs:1;
         bool mount_apivfs:1;
         bool protect_hostname:1;
+        ProtectHome protect_home;
+        ProtectSystem protect_system;
+        ProtectProc protect_proc;
+        ProcSubset proc_subset;
 };
 
 struct BindMount {
@@ -98,8 +118,6 @@ int setup_namespace(
                 const char *tmp_dir,
                 const char *var_tmp_dir,
                 const char *log_namespace,
-                ProtectHome protect_home,
-                ProtectSystem protect_system,
                 unsigned long mount_flags,
                 const void *root_hash,
                 size_t root_hash_size,
@@ -135,6 +153,12 @@ ProtectHome protect_home_from_string(const char *s) _pure_;
 const char* protect_system_to_string(ProtectSystem p) _const_;
 ProtectSystem protect_system_from_string(const char *s) _pure_;
 
+const char* protect_proc_to_string(ProtectProc i) _const_;
+ProtectProc protect_proc_from_string(const char *s) _pure_;
+
+const char* proc_subset_to_string(ProcSubset i) _const_;
+ProcSubset proc_subset_from_string(const char *s) _pure_;
+
 void bind_mount_free_many(BindMount *b, size_t n);
 int bind_mount_add(BindMount **b, size_t *n, const BindMount *item);
 

src/home/homework-luks.c

@@ -24,6 +24,7 @@
 #include "memory-util.h"
 #include "missing_magic.h"
 #include "mkdir.h"
+#include "mkfs-util.h"
 #include "mount-util.h"
 #include "openssl-util.h"
 #include "parse-util.h"
@@ -1371,71 +1372,6 @@ int home_trim_luks(UserRecord *h) {
         return 0;
 }
 
-static int run_mkfs(
-                const char *node,
-                const char *fstype,
-                const char *label,
-                sd_id128_t uuid,
-                bool discard) {
-
-        int r;
-
-        assert(node);
-        assert(fstype);
-        assert(label);
-
-        r = mkfs_exists(fstype);
-        if (r < 0)
-                return log_error_errno(r, "Failed to check if mkfs for file system %s exists: %m", fstype);
-        if (r == 0)
-                return log_error_errno(SYNTHETIC_ERRNO(EPROTONOSUPPORT), "No mkfs for file system %s installed.", fstype);
-
-        r = safe_fork("(mkfs)", FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_LOG|FORK_WAIT|FORK_STDOUT_TO_STDERR, NULL);
-        if (r < 0)
-                return r;
-        if (r == 0) {
-                const char *mkfs;
-                char suuid[37];
-
-                /* Child */
-
-                mkfs = strjoina("mkfs.", fstype);
-                id128_to_uuid_string(uuid, suuid);
-
-                if (streq(fstype, "ext4"))
-                        execlp(mkfs, mkfs,
-                               "-L", label,
-                               "-U", suuid,
-                               "-I", "256",
-                               "-O", "has_journal",
-                               "-m", "0",
-                               "-E", discard ? "lazy_itable_init=1,discard" : "lazy_itable_init=1,nodiscard",
-                               node, NULL);
-                else if (streq(fstype, "btrfs")) {
-                        if (discard)
-                                execlp(mkfs, mkfs, "-L", label, "-U", suuid, node, NULL);
-                        else
-                                execlp(mkfs, mkfs, "-L", label, "-U", suuid, "--nodiscard", node, NULL);
-                } else if (streq(fstype, "xfs")) {
-                        const char *j;
-
-                        j = strjoina("uuid=", suuid);
-                        if (discard)
-                                execlp(mkfs, mkfs, "-L", label, "-m", j, "-m", "reflink=1", node, NULL);
-                        else
-                                execlp(mkfs, mkfs, "-L", label, "-m", j, "-m", "reflink=1", "-K", node, NULL);
-                } else {
-                        log_error("Cannot make file system: %s", fstype);
-                        _exit(EXIT_FAILURE);
-                }
-
-                log_error_errno(errno, "Failed to execute %s: %m", mkfs);
-                _exit(EXIT_FAILURE);
-        }
-
-        return 0;
-}
-
 static struct crypt_pbkdf_type* build_good_pbkdf(struct crypt_pbkdf_type *buffer, UserRecord *hr) {
         assert(buffer);
         assert(hr);
@@ -2083,7 +2019,7 @@ int home_create_luks(
 
         log_info("Setting up LUKS device %s completed.", dm_node);
 
-        r = run_mkfs(dm_node, fstype, user_record_user_name_and_realm(h), fs_uuid, user_record_luks_discard(h));
+        r = make_filesystem(dm_node, fstype, user_record_user_name_and_realm(h), fs_uuid, user_record_luks_discard(h));
         if (r < 0)
                 goto fail;
 

src/home/pam_systemd_home.c

@@ -7,6 +7,7 @@
 
 #include "bus-common-errors.h"
 #include "bus-locator.h"
+#include "bus-util.h"
 #include "errno-util.h"
 #include "fd-util.h"
 #include "home-util.h"
@@ -153,8 +154,7 @@ static int acquire_user_record(
 
                 r = bus_call_method(bus, bus_home_mgr, "GetUserRecordByName", &error, &reply, "s", username);
                 if (r < 0) {
-                        if (sd_bus_error_has_name(&error, SD_BUS_ERROR_SERVICE_UNKNOWN) ||
+                        if (bus_error_is_unknown_service(&error)) {
-                            sd_bus_error_has_name(&error, SD_BUS_ERROR_NAME_HAS_NO_OWNER)) {
                                 pam_syslog(handle, LOG_DEBUG, "systemd-homed is not available: %s", bus_error_message(&error, r));
                                 goto user_unknown;
                         }

src/kernel-install/kernel-install

@@ -85,10 +85,13 @@ fi
 KERNEL_VERSION="$1"
 KERNEL_IMAGE="$2"
 
-if [[ -f /etc/machine-id ]]; then
+# Reuse directory created without a machine ID present if it exists.
+if [[ -d /efi/Default ]] || [[ -d /boot/Default ]] || [[ -d /boot/efi/Default ]]; then
+    MACHINE_ID="Default"
+elif [[ -f /etc/machine-id ]]; then
     read MACHINE_ID < /etc/machine-id
 else
-    MACHINE_ID="Linux"
+    MACHINE_ID="Default"
 fi
 
 if [[ ! $COMMAND ]] || [[ ! $KERNEL_VERSION ]]; then

src/libsystemd/libsystemd.sym

@@ -727,3 +727,8 @@ global:
         sd_event_add_time_relative;
         sd_event_source_set_time_relative;
 } LIBSYSTEMD_246;
+
+LIBSYSTEMD_248 {
+global:
+        sd_bus_error_has_names_sentinel;
+} LIBSYSTEMD_247;

src/libsystemd/sd-bus/bus-error.c

@@ -13,6 +13,7 @@
 #include "errno-list.h"
 #include "errno-util.h"
 #include "string-util.h"
+#include "strv.h"
 #include "util.h"
 
 BUS_ERROR_MAP_ELF_REGISTER const sd_bus_error_map bus_standard_errors[] = {
@@ -355,11 +356,23 @@ _public_ int sd_bus_error_has_name(const sd_bus_error *e, const char *name) {
         return streq_ptr(e->name, name);
 }
 
-_public_ int sd_bus_error_get_errno(const sd_bus_error* e) {
+_public_ int sd_bus_error_has_names_sentinel(const sd_bus_error *e, ...) {
-        if (!e)
+        if (!e || !e->name)
                 return 0;
 
-        if (!e->name)
+        va_list ap;
+        const char *p;
+
+        va_start(ap, e);
+        while ((p = va_arg(ap, const char *)))
+                if (streq(p, e->name))
+                        break;
+        va_end(ap);
+        return !!p;
+}
+
+_public_ int sd_bus_error_get_errno(const sd_bus_error* e) {
+        if (!e || !e->name)
                 return 0;
 
         return bus_error_name_to_errno(e->name);

src/libsystemd/sd-bus/test-bus-error.c

@@ -22,6 +22,11 @@ static void test_error(void) {
         assert_se(streq(error.name, SD_BUS_ERROR_NOT_SUPPORTED));
         assert_se(streq(error.message, "xxx"));
         assert_se(sd_bus_error_has_name(&error, SD_BUS_ERROR_NOT_SUPPORTED));
+        assert_se(sd_bus_error_has_names_sentinel(&error, SD_BUS_ERROR_NOT_SUPPORTED, NULL));
+        assert_se(sd_bus_error_has_names(&error, SD_BUS_ERROR_NOT_SUPPORTED));
+        assert_se(sd_bus_error_has_names(&error, SD_BUS_ERROR_NOT_SUPPORTED, SD_BUS_ERROR_FILE_NOT_FOUND));
+        assert_se(sd_bus_error_has_names(&error, SD_BUS_ERROR_FILE_NOT_FOUND, SD_BUS_ERROR_NOT_SUPPORTED, NULL));
+        assert_se(!sd_bus_error_has_names(&error, SD_BUS_ERROR_FILE_NOT_FOUND));
         assert_se(sd_bus_error_get_errno(&error) == EOPNOTSUPP);
         assert_se(sd_bus_error_is_set(&error));
         sd_bus_error_free(&error);
@@ -32,6 +37,7 @@ static void test_error(void) {
         assert_se(error.name == NULL);
         assert_se(error.message == NULL);
         assert_se(!sd_bus_error_has_name(&error, SD_BUS_ERROR_FILE_NOT_FOUND));
+        assert_se(!sd_bus_error_has_names(&error, SD_BUS_ERROR_FILE_NOT_FOUND));
         assert_se(sd_bus_error_get_errno(&error) == 0);
         assert_se(!sd_bus_error_is_set(&error));
 
@@ -39,6 +45,7 @@ static void test_error(void) {
         assert_se(streq(error.name, SD_BUS_ERROR_FILE_NOT_FOUND));
         assert_se(streq(error.message, "yyy -1"));
         assert_se(sd_bus_error_has_name(&error, SD_BUS_ERROR_FILE_NOT_FOUND));
+        assert_se(sd_bus_error_has_names(&error, SD_BUS_ERROR_FILE_NOT_FOUND));
         assert_se(sd_bus_error_get_errno(&error) == ENOENT);
         assert_se(sd_bus_error_is_set(&error));
 
@@ -51,6 +58,7 @@ static void test_error(void) {
         assert_se(streq(error.message, second.message));
         assert_se(sd_bus_error_get_errno(&second) == ENOENT);
         assert_se(sd_bus_error_has_name(&second, SD_BUS_ERROR_FILE_NOT_FOUND));
+        assert_se(sd_bus_error_has_names(&second, SD_BUS_ERROR_FILE_NOT_FOUND));
         assert_se(sd_bus_error_is_set(&second));
 
         sd_bus_error_free(&error);

src/login/logind-dbus.c

@@ -4093,8 +4093,8 @@ int manager_stop_unit(Manager *manager, const char *unit, sd_bus_error *error, c
                         &reply,
                         "ss", unit, "fail");
         if (r < 0) {
-                if (sd_bus_error_has_name(error, BUS_ERROR_NO_SUCH_UNIT) ||
+                if (sd_bus_error_has_names(error, BUS_ERROR_NO_SUCH_UNIT,
-                    sd_bus_error_has_name(error, BUS_ERROR_LOAD_FAILED)) {
+                                                  BUS_ERROR_LOAD_FAILED)) {
 
                         *job = NULL;
                         sd_bus_error_free(error);
@@ -4129,9 +4129,9 @@ int manager_abandon_scope(Manager *manager, const char *scope, sd_bus_error *ret
                         NULL,
                         NULL);
         if (r < 0) {
-                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_UNIT) ||
+                if (sd_bus_error_has_names(&error, BUS_ERROR_NO_SUCH_UNIT,
-                    sd_bus_error_has_name(&error, BUS_ERROR_LOAD_FAILED) ||
+                                                   BUS_ERROR_LOAD_FAILED,
-                    sd_bus_error_has_name(&error, BUS_ERROR_SCOPE_NOT_RUNNING))
+                                                   BUS_ERROR_SCOPE_NOT_RUNNING))
                         return 0;
 
                 sd_bus_error_move(ret_error, &error);
@@ -4180,14 +4180,14 @@ int manager_unit_is_active(Manager *manager, const char *unit, sd_bus_error *ret
         if (r < 0) {
                 /* systemd might have dropped off momentarily, let's
                  * not make this an error */
-                if (sd_bus_error_has_name(&error, SD_BUS_ERROR_NO_REPLY) ||
+                if (sd_bus_error_has_names(&error, SD_BUS_ERROR_NO_REPLY,
-                    sd_bus_error_has_name(&error, SD_BUS_ERROR_DISCONNECTED))
+                                                   SD_BUS_ERROR_DISCONNECTED))
                         return true;
 
                 /* If the unit is already unloaded then it's not
                  * active */
-                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_UNIT) ||
+                if (sd_bus_error_has_names(&error, BUS_ERROR_NO_SUCH_UNIT,
-                    sd_bus_error_has_name(&error, BUS_ERROR_LOAD_FAILED))
+                                                   BUS_ERROR_LOAD_FAILED))
                         return false;
 
                 sd_bus_error_move(ret_error, &error);
@@ -4219,8 +4219,8 @@ int manager_job_is_active(Manager *manager, const char *path, sd_bus_error *ret_
                         &reply,
                         "s");
         if (r < 0) {
-                if (sd_bus_error_has_name(&error, SD_BUS_ERROR_NO_REPLY) ||
+                if (sd_bus_error_has_names(&error, SD_BUS_ERROR_NO_REPLY,
-                    sd_bus_error_has_name(&error, SD_BUS_ERROR_DISCONNECTED))
+                                                   SD_BUS_ERROR_DISCONNECTED))
                         return true;
 
                 if (sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_OBJECT))

src/machine/machined-dbus.c

@@ -1464,8 +1464,8 @@ int manager_stop_unit(Manager *manager, const char *unit, sd_bus_error *error, c
 
         r = bus_call_method(manager->bus, bus_systemd_mgr, "StopUnit", error, &reply, "ss", unit, "fail");
         if (r < 0) {
-                if (sd_bus_error_has_name(error, BUS_ERROR_NO_SUCH_UNIT) ||
+                if (sd_bus_error_has_names(error, BUS_ERROR_NO_SUCH_UNIT,
-                    sd_bus_error_has_name(error, BUS_ERROR_LOAD_FAILED)) {
+                                                  BUS_ERROR_LOAD_FAILED)) {
 
                         if (job)
                                 *job = NULL;
@@ -1526,12 +1526,12 @@ int manager_unit_is_active(Manager *manager, const char *unit) {
                         &reply,
                         "s");
         if (r < 0) {
-                if (sd_bus_error_has_name(&error, SD_BUS_ERROR_NO_REPLY) ||
+                if (sd_bus_error_has_names(&error, SD_BUS_ERROR_NO_REPLY,
-                    sd_bus_error_has_name(&error, SD_BUS_ERROR_DISCONNECTED))
+                                                   SD_BUS_ERROR_DISCONNECTED))
                         return true;
 
-                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_UNIT) ||
+                if (sd_bus_error_has_names(&error, BUS_ERROR_NO_SUCH_UNIT,
-                    sd_bus_error_has_name(&error, BUS_ERROR_LOAD_FAILED))
+                                                   BUS_ERROR_LOAD_FAILED))
                         return false;
 
                 return r;
@@ -1562,8 +1562,8 @@ int manager_job_is_active(Manager *manager, const char *path) {
                         &reply,
                         "s");
         if (r < 0) {
-                if (sd_bus_error_has_name(&error, SD_BUS_ERROR_NO_REPLY) ||
+                if (sd_bus_error_has_names(&error, SD_BUS_ERROR_NO_REPLY,
-                    sd_bus_error_has_name(&error, SD_BUS_ERROR_DISCONNECTED))
+                                                   SD_BUS_ERROR_DISCONNECTED))
                         return true;
 
                 if (sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_OBJECT))

src/network/networkctl.c

@@ -510,8 +510,8 @@ static int acquire_link_bitrates(sd_bus *bus, LinkInfo *link) {
 
         r = link_get_property(bus, link, &error, &reply, "org.freedesktop.network1.Link", "BitRates");
         if (r < 0) {
-                bool quiet = sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_PROPERTY) ||
+                bool quiet = sd_bus_error_has_names(&error, SD_BUS_ERROR_UNKNOWN_PROPERTY,
-                             sd_bus_error_has_name(&error, BUS_ERROR_SPEED_METER_INACTIVE);
+                                                            BUS_ERROR_SPEED_METER_INACTIVE);
 
                 return log_full_errno(quiet ? LOG_DEBUG : LOG_WARNING,
                                       r, "Failed to query link bit rates: %s", bus_error_message(&error, r));

src/nspawn/nspawn-seccomp.c

@@ -21,7 +21,7 @@
 
 #if HAVE_SECCOMP
 
-static int seccomp_add_default_syscall_filter(
+static int add_syscall_filters(
                 scmp_filter_ctx ctx,
                 uint32_t arch,
                 uint64_t cap_list_retain,
@@ -139,6 +139,7 @@ static int seccomp_add_default_syscall_filter(
                  */
         };
 
+        _cleanup_strv_free_ char **added = NULL;
         char **p;
         int r;
 
@@ -146,18 +147,37 @@ static int seccomp_add_default_syscall_filter(
                 if (allow_list[i].capability != 0 && (cap_list_retain & (1ULL << allow_list[i].capability)) == 0)
                         continue;
 
-                r = seccomp_add_syscall_filter_item(ctx, allow_list[i].name, SCMP_ACT_ALLOW, syscall_deny_list, false);
+                r = seccomp_add_syscall_filter_item(ctx,
+                                                    allow_list[i].name,
+                                                    SCMP_ACT_ALLOW,
+                                                    syscall_deny_list,
+                                                    false,
+                                                    &added);
                 if (r < 0)
                         return log_error_errno(r, "Failed to add syscall filter item %s: %m", allow_list[i].name);
         }
 
         STRV_FOREACH(p, syscall_allow_list) {
-                r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true);
+                r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true, &added);
                 if (r < 0)
                         log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
                                           *p, seccomp_arch_to_string(arch));
         }
 
+        /* The default action is ENOSYS. Respond with EPERM to all other "known" but not allow-listed
+         * syscalls. */
+        r = seccomp_add_syscall_filter_item(ctx, "@known", SCMP_ACT_ERRNO(EPERM), added, true, NULL);
+        if (r < 0)
+                log_warning_errno(r, "Failed to add rule for @known set on %s, ignoring: %m",
+                                  seccomp_arch_to_string(arch));
+
+#if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5) || SCMP_VER_MAJOR > 2
+        /* We have a large filter here, so let's turn on the binary tree mode if possible. */
+        r = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+        if (r < 0)
+                return r;
+#endif
+
         return 0;
 }
 
@@ -175,11 +195,13 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy
 
                 log_debug("Applying allow list on architecture: %s", seccomp_arch_to_string(arch));
 
-                r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(EPERM));
+                /* We install ENOSYS as the default action, but it will only apply to syscalls which are not
+                 * in the @known set, see above. */
+                r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(ENOSYS));
                 if (r < 0)
                         return log_error_errno(r, "Failed to allocate seccomp object: %m");
 
-                r = seccomp_add_default_syscall_filter(seccomp, arch, cap_list_retain, syscall_allow_list, syscall_deny_list);
+                r = add_syscall_filters(seccomp, arch, cap_list_retain, syscall_allow_list, syscall_deny_list);
                 if (r < 0)
                         return r;
 

src/nss-resolve/nss-resolve.c

@@ -23,12 +23,14 @@ NSS_GETHOSTBYNAME_PROTOTYPES(resolve);
 NSS_GETHOSTBYADDR_PROTOTYPES(resolve);
 
 static bool bus_error_shall_fallback(sd_bus_error *e) {
-        return sd_bus_error_has_name(e, SD_BUS_ERROR_SERVICE_UNKNOWN) ||
+        return sd_bus_error_has_names(e,
-               sd_bus_error_has_name(e, SD_BUS_ERROR_NAME_HAS_NO_OWNER) ||
+                                      SD_BUS_ERROR_SERVICE_UNKNOWN,
-               sd_bus_error_has_name(e, SD_BUS_ERROR_NO_REPLY) ||
+                                      SD_BUS_ERROR_NAME_HAS_NO_OWNER,
-               sd_bus_error_has_name(e, SD_BUS_ERROR_ACCESS_DENIED) ||
+                                      SD_BUS_ERROR_NO_REPLY,
-               sd_bus_error_has_name(e, SD_BUS_ERROR_DISCONNECTED) ||
+                                      SD_BUS_ERROR_ACCESS_DENIED,
-               sd_bus_error_has_name(e, SD_BUS_ERROR_TIMEOUT);
+                                      SD_BUS_ERROR_DISCONNECTED,
+                                      SD_BUS_ERROR_TIMEOUT,
+                                      BUS_ERROR_NO_SUCH_UNIT);
 }
 
 static int count_addresses(sd_bus_message *m, int af, const char **canonical) {

src/partition/makefs.c

@@ -11,40 +11,15 @@
 #include "dissect-image.h"
 #include "fd-util.h"
 #include "main-func.h"
+#include "mkfs-util.h"
 #include "process-util.h"
 #include "signal-util.h"
 #include "string-util.h"
 
-static int makefs(const char *type, const char *device) {
-        const char *mkfs;
-        pid_t pid;
-        int r;
-
-        if (streq(type, "swap"))
-                mkfs = "/sbin/mkswap";
-        else
-                mkfs = strjoina("/sbin/mkfs.", type);
-        if (access(mkfs, X_OK) != 0)
-                return log_error_errno(errno, "%s is not executable: %m", mkfs);
-
-        r = safe_fork("(mkfs)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_RLIMIT_NOFILE_SAFE|FORK_LOG, &pid);
-        if (r < 0)
-                return r;
-        if (r == 0) {
-                const char *cmdline[3] = { mkfs, device, NULL };
-
-                /* Child */
-
-                execv(cmdline[0], (char**) cmdline);
-                _exit(EXIT_FAILURE);
-        }
-
-        return wait_for_terminate_and_check(mkfs, pid, WAIT_LOG);
-}
-
 static int run(int argc, char *argv[]) {
-        _cleanup_free_ char *device = NULL, *type = NULL, *detected = NULL;
+        _cleanup_free_ char *device = NULL, *fstype = NULL, *detected = NULL;
         _cleanup_close_ int lock_fd = -1;
+        sd_id128_t uuid;
         struct stat st;
         int r;
 
@@ -55,8 +30,8 @@ static int run(int argc, char *argv[]) {
                                        "This program expects two arguments.");
 
         /* type and device must be copied because makefs calls safe_fork, which clears argv[] */
-        type = strdup(argv[1]);
+        fstype = strdup(argv[1]);
-        if (!type)
+        if (!fstype)
                 return log_oom();
 
         device = strdup(argv[2]);
@@ -85,7 +60,11 @@ static int run(int argc, char *argv[]) {
                 return 0;
         }
 
-        return makefs(type, device);
+        r = sd_id128_randomize(&uuid);
+        if (r < 0)
+                return log_error_errno(r, "Failed to generate UUID for file system: %m");
+
+        return make_filesystem(device, fstype, basename(device), uuid, true);
 }
 
 DEFINE_MAIN_FUNCTION(run);

src/partition/test-repart.sh

@@ -154,6 +154,57 @@ EOF
 
 cmp --bytes=41943040 --ignore-initial=0:$((512*4194264)) $D/block-copy $D/zzz
 
+if [ `id -u` == 0 ] && type -P cryptsetup diff losetup > /dev/null ; then
+    echo "### Testing Format=/Encrypt=/CopyFiles="
+
+    # These tests require privileges unfortunately
+
+    cat >$D/definitions/extra3.conf <<EOF
+[Partition]
+Type=linux-generic
+Label=luks-format-copy
+UUID=7b93d1f2-595d-4ce3-b0b9-837fbd9e63b0
+Format=ext4
+Encrypt=yes
+CopyFiles=$D/definitions:/def
+SizeMinBytes=48M
+EOF
+
+    $repart $D/zzz --size=auto --dry-run=no --seed=$SEED --definitions=$D/definitions
+
+    sfdisk -d $D/zzz | grep -v -e 'sector-size' -e '^$' >$D/populated5
+
+    cmp $D/populated5 - <<EOF
+label: gpt
+label-id: EF7F7EE2-47B3-4251-B1A1-09EA8BF12D5D
+device: $D/zzz
+unit: sectors
+first-lba: 2048
+last-lba: 6389726
+$D/zzz1 : start=        2048, size=      591856, type=933AC7E1-2EB4-4F13-B844-0E14E2AEF915, uuid=A6005774-F558-4330-A8E5-D6D2C01C01D6, name="home-first"
+$D/zzz2 : start=      593904, size=      591856, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, uuid=CE9C76EB-A8F1-40FF-813C-11DCA6C0A55B, name="root-x86-64"
+$D/zzz3 : start=     1185760, size=      591864, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, uuid=AC60A837-550C-43BD-B5C4-9CB73B884E79, name="root-x86-64-2"
+$D/zzz4 : start=     1777624, size=      131072, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F, uuid=2AA78CDB-59C7-4173-AF11-C7453737A5D1, name="swap"
+$D/zzz5 : start=     1908696, size=     2285568, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=A0A1A2A3-A4A5-A6A7-A8A9-AAABACADAEAF, name="custom_label"
+$D/zzz6 : start=     4194264, size=     2097152, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=2A1D97E1-D0A3-46CC-A26E-ADC643926617, name="block-copy"
+$D/zzz7 : start=     6291416, size=       98304, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=7B93D1F2-595D-4CE3-B0B9-837FBD9E63B0, name="luks-format-copy"
+EOF
+
+    LOOP=`losetup -P --show --find $D/zzz`
+    VOLUME=test-repart-$RANDOM
+
+    touch $D/empty-password
+    cryptsetup open --type=luks2 --key-file=$D/empty-password ${LOOP}p7 $VOLUME
+    mkdir $D/mount
+    mount -t ext4 /dev/mapper/$VOLUME $D/mount
+    diff -r $D/mount/def $D/definitions > /dev/null
+    umount $D/mount
+    cryptsetup close $VOLUME
+    losetup -d $LOOP
+else
+    echo "### Skipping Format=/Encrypt=/CopyFiles= test, lacking privileges or missing cryptsetup/diff/losetup"
+fi
+
 echo "### Testing json output ###"
 $repart $D/zzz --size=3G --dry-run=no --seed=$SEED --definitions=$D/definitions --json=help
 $repart $D/zzz --size=3G --dry-run=no --seed=$SEED --definitions=$D/definitions --json=pretty

src/shared/bus-polkit.c

@@ -3,6 +3,7 @@
 #include "bus-internal.h"
 #include "bus-message.h"
 #include "bus-polkit.h"
+#include "bus-util.h"
 #include "strv.h"
 #include "user-util.h"
 
@@ -123,7 +124,7 @@ int bus_test_polkit(
                 r = sd_bus_call(call->bus, request, 0, ret_error, &reply);
                 if (r < 0) {
                         /* Treat no PK available as access denied */
-                        if (sd_bus_error_has_name(ret_error, SD_BUS_ERROR_SERVICE_UNKNOWN)) {
+                        if (bus_error_is_unknown_service(ret_error)) {
                                 sd_bus_error_free(ret_error);
                                 return -EACCES;
                         }
@@ -296,8 +297,7 @@ int bus_verify_polkit_async(
                         e = sd_bus_message_get_error(q->reply);
 
                         /* Treat no PK available as access denied */
-                        if (sd_bus_error_has_name(e, SD_BUS_ERROR_SERVICE_UNKNOWN) ||
+                        if (bus_error_is_unknown_service(e))
-                            sd_bus_error_has_name(e, SD_BUS_ERROR_NAME_HAS_NO_OWNER))
                                 return -EACCES;
 
                         /* Copy error from polkit reply */

src/shared/bus-unit-util.c

@@ -855,6 +855,8 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
                               "RuntimeDirectoryPreserve",
                               "Personality",
                               "KeyringMode",
+                              "ProtectProc",
+                              "ProcSubset",
                               "NetworkNamespacePath",
                               "LogNamespace"))
                 return bus_append_string(m, field, eq);

src/shared/bus-util.c

@@ -14,14 +14,13 @@
 #include "sd-event.h"
 #include "sd-id128.h"
 
-/* #include "alloc-util.h" */
+#include "bus-common-errors.h"
 #include "bus-internal.h"
 #include "bus-label.h"
 #include "bus-util.h"
 #include "path-util.h"
 #include "socket-util.h"
 #include "stdio-util.h"
-/* #include "string-util.h" */
 
 static int name_owner_change_callback(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) {
         sd_event *e = userdata;
@@ -153,6 +152,13 @@ int bus_name_has_owner(sd_bus *c, const char *name, sd_bus_error *error) {
         return has_owner;
 }
 
+bool bus_error_is_unknown_service(const sd_bus_error *error) {
+        return sd_bus_error_has_names(error,
+                                      SD_BUS_ERROR_SERVICE_UNKNOWN,
+                                      SD_BUS_ERROR_NAME_HAS_NO_OWNER,
+                                      BUS_ERROR_NO_SUCH_UNIT);
+}
+
 int bus_check_peercred(sd_bus *c) {
         struct ucred ucred;
         int fd, r;

src/shared/bus-util.h

@@ -28,6 +28,7 @@ typedef bool (*check_idle_t)(void *userdata);
 int bus_event_loop_with_idle(sd_event *e, sd_bus *bus, const char *name, usec_t timeout, check_idle_t check_idle, void *userdata);
 
 int bus_name_has_owner(sd_bus *c, const char *name, sd_bus_error *error);
+bool bus_error_is_unknown_service(const sd_bus_error *error);
 
 int bus_check_peercred(sd_bus *c);
 

src/shared/dissect-image.c

@@ -1017,6 +1017,13 @@ static int mount_partition(
         }
 
         if (directory) {
+                if (!FLAGS_SET(flags, DISSECT_IMAGE_READ_ONLY)) {
+                        /* Automatically create missing mount points, if necessary. */
+                        r = mkdir_p_root(where, directory, uid_shift, (gid_t) uid_shift, 0755);
+                        if (r < 0)
+                                return r;
+                }
+
                 r = chase_symlinks(directory, where, CHASE_PREFIX_ROOT, &chased, NULL);
                 if (r < 0)
                         return r;
@@ -1062,7 +1069,7 @@ static int mount_partition(
 }
 
 int dissected_image_mount(DissectedImage *m, const char *where, uid_t uid_shift, DissectImageFlags flags) {
-        int r, boot_mounted;
+        int r, xbootldr_mounted;
 
         assert(m);
         assert(where);
@@ -1116,29 +1123,47 @@ int dissected_image_mount(DissectedImage *m, const char *where, uid_t uid_shift,
         if (r < 0)
                 return r;
 
-        boot_mounted = mount_partition(m->partitions + PARTITION_XBOOTLDR, where, "/boot", uid_shift, flags);
+        xbootldr_mounted = mount_partition(m->partitions + PARTITION_XBOOTLDR, where, "/boot", uid_shift, flags);
-        if (boot_mounted < 0)
+        if (xbootldr_mounted < 0)
-                return boot_mounted;
+                return xbootldr_mounted;
 
         if (m->partitions[PARTITION_ESP].found) {
+                int esp_done = false;
+
                 /* Mount the ESP to /efi if it exists. If it doesn't exist, use /boot instead, but only if it
                  * exists and is empty, and we didn't already mount the XBOOTLDR partition into it. */
 
                 r = chase_symlinks("/efi", where, CHASE_PREFIX_ROOT, NULL, NULL);
-                if (r >= 0) {
+                if (r < 0) {
+                        if (r != -ENOENT)
+                                return r;
+
+                        /* /efi doesn't exist. Let's see if /boot is suitable then */
+
+                        if (!xbootldr_mounted) {
+                                _cleanup_free_ char *p = NULL;
+
+                                r = chase_symlinks("/boot", where, CHASE_PREFIX_ROOT, &p, NULL);
+                                if (r < 0) {
+                                        if (r != -ENOENT)
+                                                return r;
+                                } else if (dir_is_empty(p) > 0) {
+                                        /* It exists and is an empty directory. Let's mount the ESP there. */
+                                        r = mount_partition(m->partitions + PARTITION_ESP, where, "/boot", uid_shift, flags);
+                                        if (r < 0)
+                                                return r;
+
+                                        esp_done = true;
+                                }
+                        }
+                }
+
+                if (!esp_done) {
+                        /* OK, let's mount the ESP now to /efi (possibly creating the dir if missing) */
+
                         r = mount_partition(m->partitions + PARTITION_ESP, where, "/efi", uid_shift, flags);
                         if (r < 0)
                                 return r;
-
-                } else if (boot_mounted <= 0) {
-                        _cleanup_free_ char *p = NULL;
-
-                        r = chase_symlinks("/boot", where, CHASE_PREFIX_ROOT, &p, NULL);
-                        if (r >= 0 && dir_is_empty(p) > 0) {
-                                r = mount_partition(m->partitions + PARTITION_ESP, where, "/boot", uid_shift, flags);
-                                if (r < 0)
-                                        return r;
-                        }
                 }
         }
 

src/shared/generate-syscall-list.py

@@ -0,0 +1,14 @@
+#!/usr/bin/env python3
+import sys
+import os
+
+s390 = 's390' in os.uname().machine
+arm = 'arm' in os.uname().machine
+
+for line in open(sys.argv[1]):
+    if line.startswith('s390_') and not s390:
+        continue
+    if line.startswith('arm_') and not arm:
+        continue
+
+    print('"{}\\0"'.format(line.strip()))

src/shared/install.c

@@ -76,12 +76,10 @@ static bool unit_file_install_info_has_also(const UnitFileInstallInfo *i) {
 }
 
 void unit_file_presets_freep(UnitFilePresets *p) {
-        size_t i;
-
         if (!p)
                 return;
 
-        for (i = 0; i < p->n_rules; i++) {
+        for (size_t i = 0; i < p->n_rules; i++) {
                 free(p->rules[i].pattern);
                 strv_free(p->rules[i].instances);
         }
@@ -290,11 +288,9 @@ int unit_file_changes_add(
 }
 
 void unit_file_changes_free(UnitFileChange *changes, size_t n_changes) {
-        size_t i;
-
         assert(changes || n_changes == 0);
 
-        for (i = 0; i < n_changes; i++) {
+        for (size_t i = 0; i < n_changes; i++) {
                 free(changes[i].path);
                 free(changes[i].source);
         }
@@ -303,14 +299,13 @@ void unit_file_changes_free(UnitFileChange *changes, size_t n_changes) {
 }
 
 void unit_file_dump_changes(int r, const char *verb, const UnitFileChange *changes, size_t n_changes, bool quiet) {
-        size_t i;
         bool logged = false;
 
         assert(changes || n_changes == 0);
         /* If verb is not specified, errors are not allowed! */
         assert(verb || r >= 0);
 
-        for (i = 0; i < n_changes; i++) {
+        for (size_t i = 0; i < n_changes; i++) {
                 assert(verb || changes[i].type >= 0);
 
                 switch(changes[i].type) {
@@ -3055,20 +3050,17 @@ static int pattern_match_multiple_instances(
 
         /* Compose a list of specified instances when unit name is a template  */
         if (unit_name_is_valid(unit_name, UNIT_NAME_TEMPLATE)) {
-                _cleanup_free_ char *prefix = NULL;
                 _cleanup_strv_free_ char **out_strv = NULL;
+
                 char **iter;
-
-                r = unit_name_to_prefix(unit_name, &prefix);
-                if (r < 0)
-                        return r;
-
                 STRV_FOREACH(iter, rule.instances) {
                         _cleanup_free_ char *name = NULL;
-                        r = unit_name_build(prefix, *iter, ".service", &name);
+
+                        r = unit_name_replace_instance(unit_name, *iter, &name);
                         if (r < 0)
                                 return r;
-                        r = strv_extend(&out_strv, name);
+
+                        r = strv_consume(&out_strv, TAKE_PTR(name));
                         if (r < 0)
                                 return r;
                 }
@@ -3091,12 +3083,11 @@ static int pattern_match_multiple_instances(
 
 static int query_presets(const char *name, const UnitFilePresets *presets, char ***instance_name_list) {
         PresetAction action = PRESET_UNKNOWN;
-        size_t i;
+
-        char **s;
         if (!unit_name_is_valid(name, UNIT_NAME_ANY))
                 return -EINVAL;
 
-        for (i = 0; i < presets->n_rules; i++)
+        for (size_t i = 0; i < presets->n_rules; i++)
                 if (pattern_match_multiple_instances(presets->rules[i], name, instance_name_list) > 0 ||
                     fnmatch(presets->rules[i].pattern, name, FNM_NOESCAPE) == 0) {
                         action = presets->rules[i].action;
@@ -3108,10 +3099,11 @@ static int query_presets(const char *name, const UnitFilePresets *presets, char
                 log_debug("Preset files don't specify rule for %s. Enabling.", name);
                 return 1;
         case PRESET_ENABLE:
-                if (instance_name_list && *instance_name_list)
+                if (instance_name_list && *instance_name_list) {
+                        char **s;
                         STRV_FOREACH(s, *instance_name_list)
                                 log_debug("Preset files say enable %s.", *s);
-                else
+                } else
                         log_debug("Preset files say enable %s.", name);
                 return 1;
         case PRESET_DISABLE:

src/shared/loop-util.c

@@ -47,18 +47,42 @@ static int loop_configure(int fd, const struct loop_config *c) {
                 if (!ERRNO_IS_NOT_SUPPORTED(errno) && errno != EINVAL)
                         return -errno;
         } else {
-                if (!FLAGS_SET(c->info.lo_flags, LO_FLAGS_PARTSCAN))
+                bool good = true;
+
+                if (c->info.lo_sizelimit != 0) {
+                        /* Kernel 5.8 vanilla doesn't properly propagate the size limit into the block
+                         * device. If it's used, let's immediately check if it had the desired effect
+                         * hence. And if not use classic LOOP_SET_STATUS64. */
+                        uint64_t z;
+
+                        if (ioctl(fd, BLKGETSIZE64, &z) < 0) {
+                                r = -errno;
+                                goto fail;
+                        }
+
+                        if (z != c->info.lo_sizelimit) {
+                                log_debug("LOOP_CONFIGURE is broken, doesn't honour .lo_sizelimit. Falling back to LOOP_SET_STATUS64.");
+                                good = false;
+                        }
+                }
+
+                if (FLAGS_SET(c->info.lo_flags, LO_FLAGS_PARTSCAN)) {
+                        /* Kernel 5.8 vanilla doesn't properly propagate the partition scanning flag into the
+                         * block device. Let's hence verify if things work correctly here before
+                         * returning. */
+
+                        r = blockdev_partscan_enabled(fd);
+                        if (r < 0)
+                                goto fail;
+                        if (r == 0) {
+                                log_debug("LOOP_CONFIGURE is broken, doesn't honour LO_FLAGS_PARTSCAN. Falling back to LOOP_SET_STATUS64.");
+                                good = false;
+                        }
+                }
+
+                if (good)
                         return 0;
 
-                /* Kernel 5.8 vanilla doesn't properly propagate the partition scanning flag into the
-                 * block device. Let's hence verify if things work correctly here before returning. */
-
-                r = blockdev_partscan_enabled(fd);
-                if (r < 0)
-                        goto fail;
-                if (r > 0)
-                        return 0; /* All is good. */
-
                 /* Otherwise, undo the attachment and use the old APIs */
                 (void) ioctl(fd, LOOP_CLR_FD);
         }
@@ -472,3 +496,18 @@ int loop_device_flock(LoopDevice *d, int operation) {
 
         return 0;
 }
+
+int loop_device_sync(LoopDevice *d) {
+        assert(d);
+
+        /* We also do this implicitly in loop_device_unref(). Doing this explicitly here has the benefit that
+         * we can check the return value though. */
+
+        if (d->fd < 0)
+                return -EBADF;
+
+        if (fsync(d->fd) < 0)
+                return -errno;
+
+        return 0;
+}

src/shared/loop-util.h

@@ -26,3 +26,4 @@ void loop_device_relinquish(LoopDevice *d);
 int loop_device_refresh_size(LoopDevice *d, uint64_t offset, uint64_t size);
 
 int loop_device_flock(LoopDevice *d, int operation);
+int loop_device_sync(LoopDevice *d);

src/shared/meson.build

@@ -166,6 +166,8 @@ shared_sources = files('''
         macvlan-util.c
         macvlan-util.h
         main-func.h
+        mkfs-util.c
+        mkfs-util.h
         module-util.h
         mount-util.c
         mount-util.h
@@ -264,6 +266,16 @@ endif
 test_tables_h = files('test-tables.h')
 shared_sources += test_tables_h
 
+generate_syscall_list = find_program('generate-syscall-list.py')
+fname = 'syscall-list.h'
+syscall_list_h = custom_target(
+        fname,
+        input : 'syscall-names.text',
+        output : fname,
+        command : [generate_syscall_list,
+                   '@INPUT@'],
+        capture : true)
+
 if conf.get('HAVE_ACL') == 1
         shared_sources += files('acl-util.c')
 endif
@@ -274,6 +286,7 @@ endif
 
 if conf.get('HAVE_SECCOMP') == 1
         shared_sources += files('seccomp-util.c')
+        shared_sources += syscall_list_h
 endif
 
 if conf.get('HAVE_LIBIPTC') == 1
@@ -378,3 +391,9 @@ libshared = shared_library(
         dependencies : libshared_deps,
         install : true,
         install_dir : rootlibexecdir)
+
+############################################################
+
+run_target(
+        'syscall-names-update',
+        command : [syscall_names_update_sh, meson.current_source_dir()])

src/shared/mkfs-util.c

@@ -0,0 +1,135 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include "id128-util.h"
+#include "mkfs-util.h"
+#include "path-util.h"
+#include "process-util.h"
+#include "stdio-util.h"
+#include "string-util.h"
+
+int mkfs_exists(const char *fstype) {
+        const char *mkfs;
+        int r;
+
+        assert(fstype);
+
+        if (STR_IN_SET(fstype, "auto", "swap")) /* these aren't real file system types, refuse early */
+                return -EINVAL;
+
+        mkfs = strjoina("mkfs.", fstype);
+        if (!filename_is_valid(mkfs)) /* refuse file system types with slashes and similar */
+                return -EINVAL;
+
+        r = find_binary(mkfs, NULL);
+        if (r == -ENOENT)
+                return false;
+        if (r < 0)
+                return r;
+
+        return true;
+}
+
+int make_filesystem(
+                const char *node,
+                const char *fstype,
+                const char *label,
+                sd_id128_t uuid,
+                bool discard) {
+
+        _cleanup_free_ char *mkfs = NULL;
+        int r;
+
+        assert(node);
+        assert(fstype);
+        assert(label);
+
+        if (streq(fstype, "swap")) {
+                r = find_binary("mkswap", &mkfs);
+                if (r == -ENOENT)
+                        return log_error_errno(SYNTHETIC_ERRNO(EPROTONOSUPPORT), "mkswap binary not available.");
+                if (r < 0)
+                        return log_error_errno(r, "Failed to determine whether mkswap binary exists: %m");
+        } else {
+                r = mkfs_exists(fstype);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to determine whether mkfs binary for %s exists: %m", fstype);
+                if (r == 0)
+                        return log_error_errno(SYNTHETIC_ERRNO(EPROTONOSUPPORT), "mkfs binary for %s is not available.", fstype);
+
+                mkfs = strjoin("mkfs.", fstype);
+                if (!mkfs)
+                        return log_oom();
+        }
+
+        r = safe_fork("(mkfs)", FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_LOG|FORK_WAIT|FORK_STDOUT_TO_STDERR, NULL);
+        if (r < 0)
+                return r;
+        if (r == 0) {
+                char suuid[ID128_UUID_STRING_MAX];
+
+                /* Child */
+                id128_to_uuid_string(uuid, suuid);
+
+                if (streq(fstype, "ext4"))
+                        (void) execlp(mkfs, mkfs,
+                               "-L", label,
+                               "-U", suuid,
+                               "-I", "256",
+                               "-O", "has_journal",
+                               "-m", "0",
+                               "-E", discard ? "lazy_itable_init=1,discard" : "lazy_itable_init=1,nodiscard",
+                               node, NULL);
+
+                else if (streq(fstype, "btrfs")) {
+                        if (discard)
+                                (void) execlp(mkfs, mkfs, "-L", label, "-U", suuid, node, NULL);
+                        else
+                                (void) execlp(mkfs, mkfs, "-L", label, "-U", suuid, "--nodiscard", node, NULL);
+
+                } else if (streq(fstype, "xfs")) {
+                        const char *j;
+
+                        j = strjoina("uuid=", suuid);
+                        if (discard)
+                                (void) execlp(mkfs, mkfs, "-L", label, "-m", j, "-m", "reflink=1", node, NULL);
+                        else
+                                (void) execlp(mkfs, mkfs, "-L", label, "-m", j, "-m", "reflink=1", "-K", node, NULL);
+
+                } else if (streq(fstype, "vfat")) {
+                        char mangled_label[8 + 3 + 1], vol_id[8 + 1];
+
+                        /* Classic FAT only allows 11 character uppercase labels */
+                        strncpy(mangled_label, label, sizeof(mangled_label)-1);
+                        mangled_label[sizeof(mangled_label)-1] = 0;
+                        ascii_strupper(mangled_label);
+
+                        xsprintf(vol_id, "%08" PRIx32,
+                                 ((uint32_t) uuid.bytes[0] << 24) |
+                                 ((uint32_t) uuid.bytes[1] << 16) |
+                                 ((uint32_t) uuid.bytes[2] << 8) |
+                                 ((uint32_t) uuid.bytes[3])); /* Take first 32 byte of UUID */
+
+                        (void) execlp(mkfs, mkfs,
+                                      "-i", vol_id,
+                                      "-n", mangled_label,
+                                      "-F", "32",  /* yes, we force FAT32 here */
+                                      node, NULL);
+
+                } else if (streq(fstype, "swap")) {
+
+                        (void) execlp(mkfs, mkfs,
+                               "-L", label,
+                               "-U", suuid,
+                               node, NULL);
+
+                } else
+                        /* Generic fallback for all other file systems */
+                        (void) execlp(mkfs, mkfs, node, NULL);
+
+                log_error_errno(errno, "Failed to execute %s: %m", mkfs);
+
+                _exit(EXIT_FAILURE);
+        }
+
+        return 0;
+}

src/shared/mkfs-util.h

@@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+#pragma once
+
+#include <stdbool.h>
+
+#include "sd-id128.h"
+
+int mkfs_exists(const char *fstype);
+
+int make_filesystem(const char *node, const char *fstype, const char *label, sd_id128_t uuid, bool discard);

src/shared/seccomp-util.c

@@ -902,30 +902,50 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
                 "timerfd_settime64\0"
                 "times\0"
         },
+        [SYSCALL_FILTER_SET_KNOWN] = {
+                .name = "@known",
+                .help = "All known syscalls declared in the kernel",
+                .value =
+#include "syscall-list.h"
+        },
 };
 
 const SyscallFilterSet *syscall_filter_set_find(const char *name) {
-        unsigned i;
-
         if (isempty(name) || name[0] != '@')
                 return NULL;
 
-        for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++)
+        for (unsigned i = 0; i < _SYSCALL_FILTER_SET_MAX; i++)
                 if (streq(syscall_filter_sets[i].name, name))
                         return syscall_filter_sets + i;
 
         return NULL;
 }
 
-static int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action, char **exclude, bool log_missing);
+static int add_syscall_filter_set(
+                scmp_filter_ctx seccomp,
+                const SyscallFilterSet *set,
+                uint32_t action,
+                char **exclude,
+                bool log_missing,
+                char ***added);
+
+int seccomp_add_syscall_filter_item(
+                scmp_filter_ctx *seccomp,
+                const char *name,
+                uint32_t action,
+                char **exclude,
+                bool log_missing,
+                char ***added) {
 
-int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, uint32_t action, char **exclude, bool log_missing) {
         assert(seccomp);
         assert(name);
 
         if (strv_contains(exclude, name))
                 return 0;
 
+        /* Any syscalls that are handled are added to the *added strv. The pointer
+         * must be either NULL or point to a valid pre-initialized possibly-empty strv. */
+
         if (name[0] == '@') {
                 const SyscallFilterSet *other;
 
@@ -935,7 +955,7 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
                                                "Filter set %s is not known!",
                                                name);
 
-                return seccomp_add_syscall_filter_set(seccomp, other, action, exclude, log_missing);
+                return add_syscall_filter_set(seccomp, other, action, exclude, log_missing, added);
 
         } else {
                 int id, r;
@@ -959,25 +979,34 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
                                 return r;
                 }
 
+                if (added) {
+                        r = strv_extend(added, name);
+                        if (r < 0)
+                                return r;
+                }
+
                 return 0;
         }
 }
 
-static int seccomp_add_syscall_filter_set(
+static int add_syscall_filter_set(
                 scmp_filter_ctx seccomp,
                 const SyscallFilterSet *set,
                 uint32_t action,
                 char **exclude,
-                bool log_missing) {
+                bool log_missing,
+                char ***added) {
 
         const char *sys;
         int r;
 
+        /* Any syscalls that are handled are added to the *added strv. It needs to be initialized. */
+
         assert(seccomp);
         assert(set);
 
         NULSTR_FOREACH(sys, set->value) {
-                r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing);
+                r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing, added);
                 if (r < 0)
                         return r;
         }
@@ -1003,7 +1032,7 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
                 if (r < 0)
                         return r;
 
-                r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL, log_missing);
+                r = add_syscall_filter_set(seccomp, set, action, NULL, log_missing, NULL);
                 if (r < 0)
                         return log_debug_errno(r, "Failed to add filter set: %m");
 
@@ -1160,7 +1189,6 @@ int seccomp_restrict_namespaces(unsigned long retain) {
 
         SECCOMP_FOREACH_LOCAL_ARCH(arch) {
                 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
-                unsigned i;
 
                 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
 
@@ -1190,7 +1218,7 @@ int seccomp_restrict_namespaces(unsigned long retain) {
                         continue;
                 }
 
-                for (i = 0; namespace_flag_map[i].name; i++) {
+                for (unsigned i = 0; namespace_flag_map[i].name; i++) {
                         unsigned long f;
 
                         f = namespace_flag_map[i].flag;
@@ -1384,7 +1412,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
                         return r;
 
                 if (allow_list) {
-                        int af, first = 0, last = 0;
+                        int first = 0, last = 0;
                         void *afp;
 
                         /* If this is an allow list, we first block the address families that are out of
@@ -1392,7 +1420,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
                          * highest address family in the set. */
 
                         SET_FOREACH(afp, address_families, i) {
-                                af = PTR_TO_INT(afp);
+                                int af = PTR_TO_INT(afp);
 
                                 if (af <= 0 || af >= af_max())
                                         continue;
@@ -1446,7 +1474,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
                                 }
 
                                 /* Block everything between the first and last entry */
-                                for (af = 1; af < af_max(); af++) {
+                                for (int af = 1; af < af_max(); af++) {
 
                                         if (set_contains(address_families, INT_TO_PTR(af)))
                                                 continue;
@@ -1473,7 +1501,6 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
                          * then combined in OR checks. */
 
                         SET_FOREACH(af, address_families, i) {
-
                                 r = seccomp_rule_add_exact(
                                                 seccomp,
                                                 SCMP_ACT_ERRNO(EAFNOSUPPORT),

src/shared/seccomp-util.h

@@ -21,7 +21,7 @@ typedef struct SyscallFilterSet {
 } SyscallFilterSet;
 
 enum {
-        /* Please leave DEFAULT first, but sort the rest alphabetically */
+        /* Please leave DEFAULT first and KNOWN last, but sort the rest alphabetically */
         SYSCALL_FILTER_SET_DEFAULT,
         SYSCALL_FILTER_SET_AIO,
         SYSCALL_FILTER_SET_BASIC_IO,
@@ -50,6 +50,7 @@ enum {
         SYSCALL_FILTER_SET_SYNC,
         SYSCALL_FILTER_SET_SYSTEM_SERVICE,
         SYSCALL_FILTER_SET_TIMER,
+        SYSCALL_FILTER_SET_KNOWN,
         _SYSCALL_FILTER_SET_MAX
 };
 
@@ -59,7 +60,13 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name);
 
 int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);
 
-int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint32_t action, char **exclude, bool log_missing);
+int seccomp_add_syscall_filter_item(
+                scmp_filter_ctx *ctx,
+                const char *name,
+                uint32_t action,
+                char **exclude,
+                bool log_missing,
+                char ***added);
 
 int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing);
 int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing);

src/shared/syscall-names.text

@@ -0,0 +1,597 @@
+_llseek
+_newselect
+_sysctl
+accept
+accept4
+access
+acct
+add_key
+adjtimex
+alarm
+arc_gettls
+arc_settls
+arc_usr_cmpxchg
+arch_prctl
+arm_fadvise64_64
+arm_sync_file_range
+atomic_barrier
+atomic_cmpxchg_32
+bdflush
+bfin_spinlock
+bind
+bpf
+brk
+cache_sync
+cachectl
+cacheflush
+capget
+capset
+chdir
+chmod
+chown
+chown32
+chroot
+clock_adjtime
+clock_adjtime64
+clock_getres
+clock_getres_time64
+clock_gettime
+clock_gettime64
+clock_nanosleep
+clock_nanosleep_time64
+clock_settime
+clock_settime64
+clone
+clone2
+clone3
+close
+close_range
+connect
+copy_file_range
+creat
+create_module
+delete_module
+dipc
+dup
+dup2
+dup3
+epoll_create
+epoll_create1
+epoll_ctl
+epoll_ctl_old
+epoll_pwait
+epoll_wait
+epoll_wait_old
+eventfd
+eventfd2
+exec_with_loader
+execv
+execve
+execveat
+exit
+exit_group
+faccessat
+faccessat2
+fadvise64
+fadvise64_64
+fallocate
+fanotify_init
+fanotify_mark
+fchdir
+fchmod
+fchmodat
+fchown
+fchown32
+fchownat
+fcntl
+fcntl64
+fdatasync
+fgetxattr
+finit_module
+flistxattr
+flock
+fork
+fp_udfiex_crtl
+fremovexattr
+fsconfig
+fsetxattr
+fsmount
+fsopen
+fspick
+fstat
+fstat64
+fstatat64
+fstatfs
+fstatfs64
+fsync
+ftruncate
+ftruncate64
+futex
+futex_time64
+futimesat
+get_kernel_syms
+get_mempolicy
+get_robust_list
+get_thread_area
+getcpu
+getcwd
+getdents
+getdents64
+getdomainname
+getdtablesize
+getegid
+getegid32
+geteuid
+geteuid32
+getgid
+getgid32
+getgroups
+getgroups32
+gethostname
+getitimer
+getpagesize
+getpeername
+getpgid
+getpgrp
+getpid
+getpmsg
+getppid
+getpriority
+getrandom
+getresgid
+getresgid32
+getresuid
+getresuid32
+getrlimit
+getrusage
+getsid
+getsockname
+getsockopt
+gettid
+gettimeofday
+getuid
+getuid32
+getunwind
+getxattr
+getxgid
+getxpid
+getxuid
+idle
+init_module
+inotify_add_watch
+inotify_init
+inotify_init1
+inotify_rm_watch
+io_cancel
+io_destroy
+io_getevents
+io_pgetevents
+io_pgetevents_time64
+io_setup
+io_submit
+io_uring_enter
+io_uring_register
+io_uring_setup
+ioctl
+ioperm
+iopl
+ioprio_get
+ioprio_set
+ipc
+kcmp
+kern_features
+kexec_file_load
+kexec_load
+keyctl
+kill
+lchown
+lchown32
+lgetxattr
+link
+linkat
+listen
+listxattr
+llistxattr
+lookup_dcookie
+lremovexattr
+lseek
+lsetxattr
+lstat
+lstat64
+madvise
+mbind
+membarrier
+memfd_create
+memory_ordering
+migrate_pages
+mincore
+mkdir
+mkdirat
+mknod
+mknodat
+mlock
+mlock2
+mlockall
+mmap
+mmap2
+modify_ldt
+mount
+move_mount
+move_pages
+mprotect
+mq_getsetattr
+mq_notify
+mq_open
+mq_timedreceive
+mq_timedreceive_time64
+mq_timedsend
+mq_timedsend_time64
+mq_unlink
+mremap
+msgctl
+msgget
+msgrcv
+msgsnd
+msync
+multiplexer
+munlock
+munlockall
+munmap
+name_to_handle_at
+nanosleep
+newfstatat
+nfsservctl
+ni_syscall
+nice
+old_adjtimex
+old_getpagesize
+oldfstat
+oldlstat
+oldolduname
+oldstat
+oldumount
+olduname
+open
+open_by_handle_at
+open_tree
+openat
+openat2
+or1k_atomic
+osf_adjtime
+osf_afs_syscall
+osf_alt_plock
+osf_alt_setsid
+osf_alt_sigpending
+osf_asynch_daemon
+osf_audcntl
+osf_audgen
+osf_chflags
+osf_execve
+osf_exportfs
+osf_fchflags
+osf_fdatasync
+osf_fpathconf
+osf_fstat
+osf_fstatfs
+osf_fstatfs64
+osf_fuser
+osf_getaddressconf
+osf_getdirentries
+osf_getdomainname
+osf_getfh
+osf_getfsstat
+osf_gethostid
+osf_getitimer
+osf_getlogin
+osf_getmnt
+osf_getrusage
+osf_getsysinfo
+osf_gettimeofday
+osf_kloadcall
+osf_kmodcall
+osf_lstat
+osf_memcntl
+osf_mincore
+osf_mount
+osf_mremap
+osf_msfs_syscall
+osf_msleep
+osf_mvalid
+osf_mwakeup
+osf_naccept
+osf_nfssvc
+osf_ngetpeername
+osf_ngetsockname
+osf_nrecvfrom
+osf_nrecvmsg
+osf_nsendmsg
+osf_ntp_adjtime
+osf_ntp_gettime
+osf_old_creat
+osf_old_fstat
+osf_old_getpgrp
+osf_old_killpg
+osf_old_lstat
+osf_old_open
+osf_old_sigaction
+osf_old_sigblock
+osf_old_sigreturn
+osf_old_sigsetmask
+osf_old_sigvec
+osf_old_stat
+osf_old_vadvise
+osf_old_vtrace
+osf_old_wait
+osf_oldquota
+osf_pathconf
+osf_pid_block
+osf_pid_unblock
+osf_plock
+osf_priocntlset
+osf_profil
+osf_proplist_syscall
+osf_reboot
+osf_revoke
+osf_sbrk
+osf_security
+osf_select
+osf_set_program_attributes
+osf_set_speculative
+osf_sethostid
+osf_setitimer
+osf_setlogin
+osf_setsysinfo
+osf_settimeofday
+osf_shmat
+osf_signal
+osf_sigprocmask
+osf_sigsendset
+osf_sigstack
+osf_sigwaitprim
+osf_sstk
+osf_stat
+osf_statfs
+osf_statfs64
+osf_subsys_info
+osf_swapctl
+osf_swapon
+osf_syscall
+osf_sysinfo
+osf_table
+osf_uadmin
+osf_usleep_thread
+osf_uswitch
+osf_utc_adjtime
+osf_utc_gettime
+osf_utimes
+osf_utsname
+osf_wait4
+osf_waitid
+pause
+pciconfig_iobase
+pciconfig_read
+pciconfig_write
+perf_event_open
+perfctr
+perfmonctl
+personality
+pidfd_getfd
+pidfd_open
+pidfd_send_signal
+pipe
+pipe2
+pivot_root
+pkey_alloc
+pkey_free
+pkey_mprotect
+poll
+ppoll
+ppoll_time64
+prctl
+pread64
+preadv
+preadv2
+prlimit64
+process_vm_readv
+process_vm_writev
+pselect6
+pselect6_time64
+ptrace
+pwrite64
+pwritev
+pwritev2
+query_module
+quotactl
+read
+readahead
+readdir
+readlink
+readlinkat
+readv
+reboot
+recv
+recvfrom
+recvmmsg
+recvmmsg_time64
+recvmsg
+remap_file_pages
+removexattr
+rename
+renameat
+renameat2
+request_key
+restart_syscall
+riscv_flush_icache
+rmdir
+rseq
+rt_sigaction
+rt_sigpending
+rt_sigprocmask
+rt_sigqueueinfo
+rt_sigreturn
+rt_sigsuspend
+rt_sigtimedwait
+rt_sigtimedwait_time64
+rt_tgsigqueueinfo
+rtas
+s390_guarded_storage
+s390_pci_mmio_read
+s390_pci_mmio_write
+s390_runtime_instr
+s390_sthyi
+sched_get_affinity
+sched_get_priority_max
+sched_get_priority_min
+sched_getaffinity
+sched_getattr
+sched_getparam
+sched_getscheduler
+sched_rr_get_interval
+sched_rr_get_interval_time64
+sched_set_affinity
+sched_setaffinity
+sched_setattr
+sched_setparam
+sched_setscheduler
+sched_yield
+seccomp
+select
+semctl
+semget
+semop
+semtimedop
+semtimedop_time64
+send
+sendfile
+sendfile64
+sendmmsg
+sendmsg
+sendto
+set_mempolicy
+set_robust_list
+set_thread_area
+set_tid_address
+setdomainname
+setfsgid
+setfsgid32
+setfsuid
+setfsuid32
+setgid
+setgid32
+setgroups
+setgroups32
+sethae
+sethostname
+setitimer
+setns
+setpgid
+setpgrp
+setpriority
+setregid
+setregid32
+setresgid
+setresgid32
+setresuid
+setresuid32
+setreuid
+setreuid32
+setrlimit
+setsid
+setsockopt
+settimeofday
+setuid
+setuid32
+setxattr
+sgetmask
+shmat
+shmctl
+shmdt
+shmget
+shutdown
+sigaction
+sigaltstack
+signal
+signalfd
+signalfd4
+sigpending
+sigprocmask
+sigreturn
+sigsuspend
+socket
+socketcall
+socketpair
+splice
+spu_create
+spu_run
+ssetmask
+stat
+stat64
+statfs
+statfs64
+statx
+stime
+subpage_prot
+swapcontext
+swapoff
+swapon
+switch_endian
+symlink
+symlinkat
+sync
+sync_file_range
+sync_file_range2
+syncfs
+sys_debug_setcontext
+syscall
+sysfs
+sysinfo
+syslog
+sysmips
+tee
+tgkill
+time
+timer_create
+timer_delete
+timer_getoverrun
+timer_gettime
+timer_gettime64
+timer_settime
+timer_settime64
+timerfd
+timerfd_create
+timerfd_gettime
+timerfd_gettime64
+timerfd_settime
+timerfd_settime64
+times
+tkill
+truncate
+truncate64
+udftrap
+ugetrlimit
+umask
+umount
+umount2
+uname
+unlink
+unlinkat
+unshare
+uselib
+userfaultfd
+ustat
+utime
+utimensat
+utimensat_time64
+utimes
+utimesat
+utrap_install
+vfork
+vhangup
+vm86
+vm86old
+vmsplice
+wait4
+waitid
+waitpid
+write
+writev

src/sleep/sleep.c

@@ -160,11 +160,8 @@ static int lock_all_homes(void) {
 
         r = sd_bus_call(bus, m, DEFAULT_TIMEOUT_USEC, &error, NULL);
         if (r < 0) {
-                if (sd_bus_error_has_name(&error, SD_BUS_ERROR_SERVICE_UNKNOWN) ||
+                if (bus_error_is_unknown_service(&error))
-                    sd_bus_error_has_name(&error, SD_BUS_ERROR_NAME_HAS_NO_OWNER)) {
+                        return log_debug("systemd-homed is not running, skipping locking of home directories.");
-                        log_debug("systemd-homed is not running, skipping locking of home directories.");
-                        return 0;
-                }
 
                 return log_error_errno(r, "Failed to lock home directories: %s", bus_error_message(&error, r));
         }

src/systemctl/systemctl.c

@@ -279,17 +279,17 @@ static int translate_bus_error_to_exit_status(int r, const sd_bus_error *error)
         if (!sd_bus_error_is_set(error))
                 return r;
 
-        if (sd_bus_error_has_name(error, SD_BUS_ERROR_ACCESS_DENIED) ||
+        if (sd_bus_error_has_names(error, SD_BUS_ERROR_ACCESS_DENIED,
-            sd_bus_error_has_name(error, BUS_ERROR_ONLY_BY_DEPENDENCY) ||
+                                          BUS_ERROR_ONLY_BY_DEPENDENCY,
-            sd_bus_error_has_name(error, BUS_ERROR_NO_ISOLATION) ||
+                                          BUS_ERROR_NO_ISOLATION,
-            sd_bus_error_has_name(error, BUS_ERROR_TRANSACTION_IS_DESTRUCTIVE))
+                                          BUS_ERROR_TRANSACTION_IS_DESTRUCTIVE))
                 return EXIT_NOPERMISSION;
 
         if (sd_bus_error_has_name(error, BUS_ERROR_NO_SUCH_UNIT))
                 return EXIT_NOTINSTALLED;
 
-        if (sd_bus_error_has_name(error, BUS_ERROR_JOB_TYPE_NOT_APPLICABLE) ||
+        if (sd_bus_error_has_names(error, BUS_ERROR_JOB_TYPE_NOT_APPLICABLE,
-            sd_bus_error_has_name(error, SD_BUS_ERROR_NOT_SUPPORTED))
+                                          SD_BUS_ERROR_NOT_SUPPORTED))
                 return EXIT_NOTIMPLEMENTED;
 
         if (sd_bus_error_has_name(error, BUS_ERROR_LOAD_FAILED))
@@ -552,8 +552,8 @@ static int get_unit_list(
                 return bus_log_create_error(r);
 
         r = sd_bus_call(bus, m, 0, &error, &reply);
-        if (r < 0 && (sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_METHOD) ||
+        if (r < 0 && (sd_bus_error_has_names(&error, SD_BUS_ERROR_UNKNOWN_METHOD,
-                      sd_bus_error_has_name(&error, SD_BUS_ERROR_ACCESS_DENIED))) {
+                                                     SD_BUS_ERROR_ACCESS_DENIED))) {
                 /* Fallback to legacy ListUnitsFiltered method */
                 fallback = true;
                 log_debug_errno(r, "Failed to list units: %s Falling back to ListUnitsFiltered method.", bus_error_message(&error, r));
@@ -2945,9 +2945,9 @@ fail:
 
         log_error_errno(r, "Failed to %s %s: %s", job_type, name, bus_error_message(error, r));
 
-        if (!sd_bus_error_has_name(error, BUS_ERROR_NO_SUCH_UNIT) &&
+        if (!sd_bus_error_has_names(error, BUS_ERROR_NO_SUCH_UNIT,
-            !sd_bus_error_has_name(error, BUS_ERROR_UNIT_MASKED) &&
+                                           BUS_ERROR_UNIT_MASKED,
-            !sd_bus_error_has_name(error, BUS_ERROR_JOB_TYPE_NOT_APPLICABLE))
+                                           BUS_ERROR_JOB_TYPE_NOT_APPLICABLE))
                 log_error("See %s logs and 'systemctl%s status%s %s' for details.",
                           arg_scope == UNIT_FILE_SYSTEM ? "system" : "user",
                           arg_scope == UNIT_FILE_SYSTEM ? "" : " --user",

src/systemd/sd-bus.h

@@ -458,6 +458,8 @@ int sd_bus_error_copy(sd_bus_error *dest, const sd_bus_error *e);
 int sd_bus_error_move(sd_bus_error *dest, sd_bus_error *e);
 int sd_bus_error_is_set(const sd_bus_error *e);
 int sd_bus_error_has_name(const sd_bus_error *e, const char *name);
+int sd_bus_error_has_names_sentinel(const sd_bus_error *e, ...) _sd_sentinel_;
+#define sd_bus_error_has_names(e, ...) sd_bus_error_has_names_sentinel(e, __VA_ARGS__, NULL)
 
 #define SD_BUS_ERROR_MAP(_name, _code)          \
         {                                       \

src/test/test-namespace.c

@@ -163,8 +163,6 @@ static void test_protect_kernel_logs(void) {
                                     NULL,
                                     NULL,
                                     NULL,
-                                    PROTECT_HOME_NO,
-                                    PROTECT_SYSTEM_NO,
                                     0,
                                     NULL,
                                     0,

src/test/test-ns.c

@@ -36,6 +36,8 @@ int main(int argc, char *argv[]) {
                 .protect_control_groups = true,
                 .protect_kernel_tunables = true,
                 .protect_kernel_modules = true,
+                .protect_proc = PROTECT_PROC_NOACCESS,
+                .proc_subset = PROC_SUBSET_PID,
         };
 
         char *root_directory;
@@ -76,8 +78,6 @@ int main(int argc, char *argv[]) {
                             tmp_dir,
                             var_tmp_dir,
                             NULL,
-                            PROTECT_HOME_NO,
-                            PROTECT_SYSTEM_NO,
                             0,
                             NULL,
                             0,

src/test/test-seccomp.c

@@ -124,7 +124,9 @@ static void test_filter_sets(void) {
                         int fd, r;
 
                         /* If we look at the default set (or one that includes it), allow-list instead of deny-list */
-                        if (IN_SET(i, SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_SYSTEM_SERVICE))
+                        if (IN_SET(i, SYSCALL_FILTER_SET_DEFAULT,
+                                      SYSCALL_FILTER_SET_SYSTEM_SERVICE,
+                                      SYSCALL_FILTER_SET_KNOWN))
                                 r = seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN), syscall_filter_sets + i, SCMP_ACT_ALLOW, true);
                         else
                                 r = seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EUCLEAN), true);
@@ -148,22 +150,25 @@ static void test_filter_sets(void) {
 }
 
 static void test_filter_sets_ordered(void) {
-        size_t i;
-
         log_info("/* %s */", __func__);
 
         /* Ensure "@default" always remains at the beginning of the list */
         assert_se(SYSCALL_FILTER_SET_DEFAULT == 0);
         assert_se(streq(syscall_filter_sets[0].name, "@default"));
 
-        for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
+        /* Ensure "@known" always remains at the end of the list */
+        assert_se(SYSCALL_FILTER_SET_KNOWN == _SYSCALL_FILTER_SET_MAX - 1);
+        assert_se(streq(syscall_filter_sets[SYSCALL_FILTER_SET_KNOWN].name, "@known"));
+
+        for (size_t i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
                 const char *k, *p = NULL;
 
                 /* Make sure each group has a description */
                 assert_se(!isempty(syscall_filter_sets[0].help));
 
-                /* Make sure the groups are ordered alphabetically, except for the first entry */
+                /* Make sure the groups are ordered alphabetically, except for the first and last entries */
-                assert_se(i < 2 || strcmp(syscall_filter_sets[i-1].name, syscall_filter_sets[i].name) < 0);
+                assert_se(i < 2 || i == _SYSCALL_FILTER_SET_MAX - 1 ||
+                          strcmp(syscall_filter_sets[i-1].name, syscall_filter_sets[i].name) < 0);
 
                 NULSTR_FOREACH(k, syscall_filter_sets[i].value) {
 

test/fuzz/fuzz-unit-file/directives.service

@@ -782,6 +782,8 @@ KEYMAP=
 KEYMAP_TOGGLE=
 KeepFree=
 KeyringMode=
+ProtectProc=
+ProcSubset=
 KillExcludeUsers=
 KillOnlyUsers=
 KillSignal=

tools/syscall-names-update.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eu
+
+cd "$1"
+
+curl -L -o syscall-names.text 'https://raw.githubusercontent.com/hrw/syscalls-table/master/syscall-names.text'

units/systemd-hostnamed.service.in

@@ -23,11 +23,12 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX

units/systemd-journal-gatewayd.service.in

@@ -19,12 +19,13 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 PrivateDevices=yes
 PrivateNetwork=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes

units/systemd-journal-remote.service.in

@@ -21,13 +21,14 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes

units/systemd-journal-upload.service.in

@@ -19,12 +19,13 @@ ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 PrivateDevices=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes

units/systemd-localed.service.in

@@ -23,12 +23,13 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX

units/systemd-logind.service.in

@@ -28,7 +28,6 @@ DeviceAllow=char-drm rw
 DeviceAllow=char-input rw
 DeviceAllow=char-tty rw
 DeviceAllow=char-vcs rw
-# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
 ExecStart=@rootlibexecdir@/systemd-logind
 FileDescriptorStoreMax=512
 IPAddressDeny=any
@@ -36,12 +35,13 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
-ProtectKernelModules=yes
 ProtectKernelLogs=yes
+ProtectKernelModules=yes
 ProtectSystem=strict
 ReadWritePaths=/etc /run
 Restart=always

units/systemd-networkd.service.in

@@ -26,13 +26,15 @@ ExecStart=!!@rootlibexecdir@/systemd-networkd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
-ProtectKernelModules=yes
 ProtectKernelLogs=yes
+ProtectKernelModules=yes
 ProtectSystem=strict
 Restart=on-failure
+RestartKillSignal=SIGUSR2
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET AF_ALG
 RestrictNamespaces=yes
@@ -44,7 +46,6 @@ SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service
 Type=notify
-RestartKillSignal=SIGUSR2
 User=systemd-network
 @SERVICE_WATCHDOG@
 

units/systemd-resolved.service.in

@@ -28,12 +28,13 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 Restart=always
 RestartSec=0

units/systemd-timedated.service.in

@@ -22,12 +22,13 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX

units/systemd-timesyncd.service.in

@@ -27,12 +27,13 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 Restart=always
 RestartSec=0

units/systemd-userdbd.service.in

@@ -24,6 +24,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes