meson.build

@@ -485,7 +485,6 @@ possible_link_flags = [
         '-Wl,--fatal-warnings',
         '-Wl,-z,now',
         '-Wl,-z,relro',
-        '-Wl,-z,gcs-report-dynamic=none',
         '-Wl,--gc-sections',
 ]
 

src/shared/generator.c

@@ -26,14 +26,6 @@
 #include "tmpfile-util.h"
 #include "unit-name.h"
 
-static int symlink_unless_exists(const char *to, const char *from) {
-        (void) mkdir_parents(from, 0755);
-
-        if (symlink(to, from) < 0 && errno != EEXIST)
-                return log_error_errno(errno, "Failed to create symlink %s: %m", from);
-        return 0;
-}
-
 int generator_open_unit_file_full(
                 const char *dir,
                 const char *source,
@@ -142,7 +134,12 @@ int generator_add_symlink_full(
         if (!to)
                 return log_oom();
 
-        return symlink_unless_exists(from, to);
+        (void) mkdir_parents_label(to, 0755);
+
+        if (symlink(from, to) < 0 && errno != EEXIST)
+                return log_error_errno(errno, "Failed to create symlink \"%s\": %m", to);
+
+        return 0;
 }
 
 static int generator_add_ordering(
@@ -334,16 +331,19 @@ int generator_write_fsck_deps(
         }
 
         if (path_equal(where, "/")) {
+                const char *lnk;
+
                 /* We support running the fsck instance for the root fs while it is already mounted, for
                  * compatibility with non-initrd boots. It's ugly, but it is how it is. Since – unlike for
                  * regular file systems – this means the ordering is reversed (i.e. mount *before* fsck) we
                  * have a separate fsck unit for this, independent of systemd-fsck@.service. */
 
-                const char *lnk = strjoina(dir, "/" SPECIAL_LOCAL_FS_TARGET ".wants/" SPECIAL_FSCK_ROOT_SERVICE);
+                lnk = strjoina(dir, "/" SPECIAL_LOCAL_FS_TARGET ".wants/" SPECIAL_FSCK_ROOT_SERVICE);
+
+                (void) mkdir_parents(lnk, 0755);
+                if (symlink(SYSTEM_DATA_UNIT_DIR "/" SPECIAL_FSCK_ROOT_SERVICE, lnk) < 0)
+                        return log_error_errno(errno, "Failed to create symlink %s: %m", lnk);
 
-                r = symlink_unless_exists(SYSTEM_DATA_UNIT_DIR "/" SPECIAL_FSCK_ROOT_SERVICE, lnk);
-                if (r < 0)
-                        return r;
         } else {
                 _cleanup_free_ char *_fsck = NULL;
                 const char *fsck, *dep;

test/run-unit-tests.py

@@ -35,6 +35,12 @@ def argument_parser():
 
 opts = argument_parser().parse_args()
 
+env = {}
+if 'SYSTEMD_LOG_LEVEL' in os.environ:
+    env['SYSTEMD_LOG_LEVEL'] = os.environ['SYSTEMD_LOG_LEVEL']
+if 'SYSTEMD_LOG_TARGET' in os.environ:
+    env['SYSTEMD_LOG_TARGET'] = os.environ['SYSTEMD_LOG_TARGET']
+
 unittestdir = pathlib.Path(__file__).parent.absolute() / 'unit-tests'
 
 tests = list(unittestdir.glob('test-*'))
@@ -53,7 +59,7 @@ for test in sorted(tests):
         total.skip += 1
         continue
 
-    ex = subprocess.run(test, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+    ex = subprocess.run(test, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=env)
     if ex.returncode == 0:
         print(f'{GREEN}PASS: {name}{RESET_ALL}')
         total.good += 1

test/units/TEST-13-NSPAWN.nspawn.sh

@@ -1208,6 +1208,28 @@ EOF
     rm -fr "$root"
 }
 
+can_do_rootless_nspawn() {
+    # Our create_dummy_ddi() uses squashfs and openssl.
+    command -v mksquashfs &&
+    command -v openssl &&
+
+    # mountfsd must be enabled...
+    [[ -S /run/systemd/io.systemd.MountFileSystem ]] &&
+    # ...and have pidfd support for unprivileged operation.
+    systemd-analyze compare-versions "$(uname -r)" ge 6.5 &&
+    systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" ge 124 &&
+
+    # nsresourced must be enabled...
+    [[ -S /run/systemd/userdb/io.systemd.NamespaceResource ]] &&
+    # ...and must support the UserNamespaceInterface.
+    ! (SYSTEMD_LOG_TARGET=console varlinkctl call \
+           /run/systemd/userdb/io.systemd.NamespaceResource \
+           io.systemd.NamespaceResource.AllocateUserRange \
+           '{"name":"test-supported","size":65536,"userNamespaceFileDescriptor":0}' \
+           2>&1 || true) |
+        grep -q "io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported"
+}
+
 create_dummy_ddi() {
     local outdir="${1:?}"
     local container_name="${2:?}"

test/units/TEST-13-NSPAWN.unpriv.sh

@@ -7,7 +7,12 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh
 
-if ! can_do_rootless_nspawn; then
+if [[ ! -f /usr/lib/systemd/system/systemd-mountfsd.socket ]] ||
+   [[ ! -f /usr/lib/systemd/system/systemd-nsresourced.socket ]] ||
+   ! grep -q bpf /sys/kernel/security/lsm ||
+   ! find /usr/lib* -name libbpf.so.1 2>/dev/null | grep . ||
+   systemd-analyze compare-versions "$(uname -r)" lt 6.5 ||
+   systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" lt 124; then
     echo "Skipping unpriv nspawn test"
     exit 0
 fi
@@ -20,6 +25,8 @@ at_exit() {
 
 trap at_exit EXIT
 
+systemctl start systemd-mountfsd.socket systemd-nsresourced.socket
+
 run0 -u testuser mkdir -p .local/state/machines
 
 create_dummy_container /home/testuser/.local/state/machines/zurps

test/units/TEST-50-DISSECT.dissect.sh

@@ -371,7 +371,7 @@ systemctl start testservice-50d.service
 
 # Mount twice to exercise mount-beneath (on kernel 6.5+, on older kernels it will just overmount)
 mkdir -p /tmp/wrong/foo
-mksquashfs /tmp/wrong/foo /tmp/wrong.raw -noappend
+mksquashfs /tmp/wrong/foo /tmp/wrong.raw
 systemctl mount-image --mkdir testservice-50d.service /tmp/wrong.raw /tmp/img
 test "$(systemctl show -P SubState testservice-50d.service)" = "running"
 systemctl mount-image --mkdir testservice-50d.service "$MINIMAL_IMAGE.raw" /tmp/img root:nosuid
@@ -638,14 +638,14 @@ ExecStart=bash -x -c ' \\
     while true; do sleep 1; done; \\
 '
 EOF
-mksquashfs "$VDIR/${VBASE}_1" "$VDIR2/${VBASE}_1.raw" -noappend
+mksquashfs "$VDIR/${VBASE}_1" "$VDIR2/${VBASE}_1.raw"
 systemctl start testservice-50h.service
 systemctl is-active testservice-50h.service
 # First reload should pick up the v1 marker
 systemctl reload testservice-50h.service
 grep -q -F "${VBASE}_1.marker" /tmp/markers/50h
 # Second reload should pick up the v2 marker
-mksquashfs "$VDIR/${VBASE}_2" "$VDIR2/${VBASE}_2.raw" -noappend
+mksquashfs "$VDIR/${VBASE}_2" "$VDIR2/${VBASE}_2.raw"
 systemctl reload testservice-50h.service
 grep -q -F "${VBASE}_2.marker" /tmp/markers/50h
 # Test that removing all the extensions don't cause any issues
@@ -750,11 +750,11 @@ if [ "$verity_sig_supported" -eq 1 ]; then
     veritysetup status "$(cat "$MINIMAL_IMAGE.roothash")-verity" | grep -q "verified (with signature)"
 fi
 # First reload should pick up the v1 marker
-mksquashfs "$VDIR/${VBASE}_1" "$VDIR2/${VBASE}_1.raw" -noappend
+mksquashfs "$VDIR/${VBASE}_1" "$VDIR2/${VBASE}_1.raw"
 systemctl reload testservice-50k.service
 grep -q -F "${VBASE}_1.marker" /tmp/markers/50k
 # Second reload should pick up the v2 marker
-mksquashfs "$VDIR/${VBASE}_2" "$VDIR2/${VBASE}_2.raw" -noappend
+mksquashfs "$VDIR/${VBASE}_2" "$VDIR2/${VBASE}_2.raw"
 systemctl reload testservice-50k.service
 grep -q -F "${VBASE}_2.marker" /tmp/markers/50k
 # Test that removing all the extensions don't cause any issues
@@ -917,7 +917,7 @@ mkdir -p /run/extensions/ testkit/usr/lib/extension-release.d/
 echo "ID=_any" >testkit/usr/lib/extension-release.d/extension-release.testkit
 echo "ARCHITECTURE=_any" >>testkit/usr/lib/extension-release.d/extension-release.testkit
 echo "MARKER_SYSEXT_123" >testkit/usr/lib/testfile
-mksquashfs testkit/ testkit.raw -noappend
+mksquashfs testkit/ testkit.raw
 cp testkit.raw /run/extensions/
 unsquashfs -l /run/extensions/testkit.raw
 systemd-dissect --no-pager /run/extensions/testkit.raw | grep -q '✓ sysext for portable service'
@@ -933,7 +933,7 @@ mkdir -p /run/confexts/ testjob/etc/extension-release.d/
 echo "ID=_any" >testjob/etc/extension-release.d/extension-release.testjob
 echo "ARCHITECTURE=_any" >>testjob/etc/extension-release.d/extension-release.testjob
 echo "MARKER_CONFEXT_123" >testjob/etc/testfile
-mksquashfs testjob/ testjob.raw -noappend
+mksquashfs testjob/ testjob.raw
 cp testjob.raw /run/confexts/
 unsquashfs -l /run/confexts/testjob.raw
 systemd-dissect --no-pager /run/confexts/testjob.raw | grep -q '✓ confext for system'

test/units/util.sh

@@ -186,36 +186,6 @@ create_dummy_container() {
     coverage_create_nspawn_dropin "$root"
 }
 
-can_do_rootless_nspawn() {
-    # Our create_dummy_ddi() uses squashfs and openssl.
-    command -v mksquashfs &&
-    command -v openssl &&
-
-    # Need to have bpf-lsm
-    grep -q bpf /sys/kernel/security/lsm &&
-    # ...and libbpf installed
-    find /usr/lib* -name "libbpf.so.*" 2>/dev/null | grep -q . &&
-
-    # Ensure mountfsd/nsresourced are listening
-    systemctl start systemd-mountfsd.socket systemd-nsresourced.socket &&
-
-    # mountfsd must be enabled...
-    [[ -S /run/systemd/io.systemd.MountFileSystem ]] &&
-    # ...and have pidfd support for unprivileged operation.
-    systemd-analyze compare-versions "$(uname -r)" ge 6.5 &&
-    systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" ge 124 &&
-
-    # nsresourced must be enabled...
-    [[ -S /run/systemd/userdb/io.systemd.NamespaceResource ]] &&
-    # ...and must support the UserNamespaceInterface.
-    ! (SYSTEMD_LOG_TARGET=console varlinkctl call \
-           /run/systemd/userdb/io.systemd.NamespaceResource \
-           io.systemd.NamespaceResource.AllocateUserRange \
-           '{"name":"test-supported","size":65536,"userNamespaceFileDescriptor":0}' \
-           2>&1 || true) |
-        grep -q "io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported"
-}
-
 # Bump the reboot counter and call systemctl with the given arguments
 systemctl_final() {
     local counter