time-util: fix typo

Fixes #17860.

NEWS

@@ -3809,7 +3809,7 @@ CHANGES WITH 237:
           by default even when owned by root and read-only. This behaviour was
           inherited from older tools, but there have been requests to remove
           it, and it's not obvious why this restriction was made in the first
-          place. Please speak up now, if you are aware of software that reqires
+          place. Please speak up now, if you are aware of software that requires
           this behaviour, otherwise we'll remove the restriction in v238.
 
         * A new environment variable $SYSTEMD_OFFLINE is now understood by
@@ -6907,7 +6907,7 @@ CHANGES WITH 220:
         * New /etc/fstab options x-systemd.requires= and
           x-systemd.requires-mounts-for= are now supported to express
           additional dependencies for mounts. This is useful for
-          journalling file systems that support external journal
+          journaling file systems that support external journal
           devices or overlay file systems that require underlying file
           systems to be mounted.
 
@@ -7521,7 +7521,7 @@ CHANGES WITH 218:
         * nspawn's --link-journal= switch gained two new values
           "try-guest" and "try-host" that work like "guest" and
           "host", but do not fail if the host has no persistent
-          journalling enabled. -j is now equivalent to
+          journaling enabled. -j is now equivalent to
           --link-journal=try-guest.
 
         * macvlan network devices created by nspawn will now have

TODO

@@ -20,6 +20,8 @@ Janitorial Clean-ups:
 
 Features:
 
+* expose MS_NOSYMFOLLOW in various places
+
 * cryptsetup: optionally, when run during boot-up and password is never
   entered, and we are on AC power (or so), power off machine again
 
@@ -1008,7 +1010,7 @@ Features:
   - logind: when the power button is pressed short, just popup a
     logout dialog. If it is pressed for 1s, do the usual
     shutdown. Inspiration are Macs here.
-  - expose "Locked" property on logind sesison objects
+  - expose "Locked" property on logind session objects
   - maybe allow configuration of the StopTimeout for session scopes
   - rename session scope so that it includes the UID. THat way
     the session scope can be arranged freely in slices and we don't have

man/org.freedesktop.resolve1.xml

@@ -329,7 +329,7 @@ node /org/freedesktop/resolve1 {
 
         <listitem><para>Alternatively, leave both the service name and type empty and specify the full
         domain name of the SRV record (i.e. prefixed with the service type) in the domain parameter. (No IDNA
-        coversion is applied in this mode.)</para></listitem>
+        conversion is applied in this mode.)</para></listitem>
       </orderedlist>
 
       <para>The <varname>family</varname> parameter of the <function>ResolveService()</function> method encodes

src/basic/time-util.c

@@ -1606,7 +1606,7 @@ TimestampStyle timestamp_style_from_string(const char *s) {
                 return t;
         if (streq_ptr(s, "µs"))
                 return TIMESTAMP_US;
-        if (streq_ptr(s, "µs+uts"))
+        if (streq_ptr(s, "µs+utc"))
                 return TIMESTAMP_US_UTC;
         return t;
 }

src/core/namespace.c

@@ -859,25 +859,15 @@ static int mount_sysfs(const MountEntry *m) {
 }
 
 static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) {
+        _cleanup_free_ char *opts = NULL;
         const char *entry_path;
-        int r;
+        int r, n;
 
         assert(m);
         assert(ns_info);
 
-        entry_path = mount_entry_path(m);
-
-        /* Mount a new instance, so that we get the one that matches our user namespace, if we are running in
-         * one. i.e we don't reuse existing mounts here under any condition, we want a new instance owned by
-         * our user namespace and with our hidepid= settings applied. Hence, let's get rid of everything
-         * mounted on /proc/ first. */
-
-        (void) mkdir_p_label(entry_path, 0755);
-        (void) umount_recursive(entry_path, 0);
-
         if (ns_info->protect_proc != PROTECT_PROC_DEFAULT ||
             ns_info->proc_subset != PROC_SUBSET_ALL) {
-                _cleanup_free_ char *opts = NULL;
 
                 /* Starting with kernel 5.8 procfs' hidepid= logic is truly per-instance (previously it
                  * pretended to be per-instance but actually was per-namespace), hence let's make use of it
@@ -891,23 +881,40 @@ static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) {
                                ns_info->proc_subset == PROC_SUBSET_PID ? ",subset=pid" : "");
                 if (!opts)
                         return -ENOMEM;
-
-                r = mount_nofollow_verbose(LOG_DEBUG, "proc", entry_path, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, opts);
-                if (r < 0) {
-                        if (r != -EINVAL)
-                                return r;
-
-                        /* If this failed with EINVAL then this likely means the textual hidepid= stuff is
-                         * not supported by the kernel, and thus the per-instance hidepid= neither, which
-                         * means we really don't want to use it, since it would affect our host's /proc
-                         * mount. Hence let's gracefully fallback to a classic, unrestricted version. */
-                } else
-                        return 1;
         }
 
-        r = mount_nofollow_verbose(LOG_DEBUG, "proc", entry_path, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL);
-        if (r < 0)
-                return r;
+        entry_path = mount_entry_path(m);
+        (void) mkdir_p_label(entry_path, 0755);
+
+        /* Mount a new instance, so that we get the one that matches our user namespace, if we are running in
+         * one. i.e we don't reuse existing mounts here under any condition, we want a new instance owned by
+         * our user namespace and with our hidepid= settings applied. Hence, let's get rid of everything
+         * mounted on /proc/ first. */
+
+        n = umount_recursive(entry_path, 0);
+
+        r = mount_nofollow_verbose(LOG_DEBUG, "proc", entry_path, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, opts);
+        if (r == -EINVAL && opts)
+                /* If this failed with EINVAL then this likely means the textual hidepid= stuff is
+                 * not supported by the kernel, and thus the per-instance hidepid= neither, which
+                 * means we really don't want to use it, since it would affect our host's /proc
+                 * mount. Hence let's gracefully fallback to a classic, unrestricted version. */
+                r = mount_nofollow_verbose(LOG_DEBUG, "proc", entry_path, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL);
+        if (r == -EPERM) {
+                /* When we do not have enough priviledge to mount /proc, fallback to use existing /proc. */
+
+                if (n > 0)
+                        /* /proc or some of sub-mounts are umounted in the above. Refuse incomplete tree.
+                         * Propagate the original error code returned by mount() in the above. */
+                        return -EPERM;
+
+                r = path_is_mount_point(entry_path, NULL, 0);
+                if (r < 0)
+                        return log_debug_errno(r, "Unable to determine whether /proc is already mounted: %m");
+                if (r == 0)
+                        /* /proc is not mounted. Propagate the original error code. */
+                        return -EPERM;
+        }
 
         return 1;
 }
@@ -1684,10 +1691,12 @@ int setup_namespace(
                         *(m++) = (MountEntry) {
                                 .path_const = "/proc/sys/kernel/hostname",
                                 .mode = READONLY,
+                                .ignore = true,
                         };
                         *(m++) = (MountEntry) {
                                 .path_const = "/proc/sys/kernel/domainname",
                                 .mode = READONLY,
+                                .ignore = true,
                         };
                 }
 

src/home/pam_systemd_home.c

@@ -898,7 +898,7 @@ _public_ PAM_EXTERN int pam_sm_acct_mgmt(
                 return PAM_NEW_AUTHTOK_REQD;
 
         case -EOWNERDEAD:
-                (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Password expired, change requird.");
+                (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Password expired, change required.");
                 return PAM_NEW_AUTHTOK_REQD;
 
         case -EKEYREJECTED:

src/nspawn/nspawn-seccomp.c

@@ -126,7 +126,7 @@ static int add_syscall_filters(
                  * @pkey
                  * @swap
                  *
-                 * bpf                (NB: bpffs is not namespaced!)
+                 * bpf
                  * fanotify_init
                  * fanotify_mark
                  * kexec_file_load

src/shared/calendarspec.c

@@ -27,7 +27,7 @@
 /* An arbitrary limit on the length of the chains of components. We don't want to
  * build a very long linked list, which would be slow to iterate over and might cause
  * our stack to overflow. It's unlikely that legitimate uses require more than a few
- * linked compenents anyway. */
+ * linked components anyway. */
 #define CALENDARSPEC_COMPONENTS_MAX 240
 
 /* Let's make sure that the microsecond component is safe to be stored in an 'int' */

src/shared/dissect-image.c

@@ -1672,7 +1672,7 @@ static int verity_can_reuse(
 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
         /* Ensure that, if signatures are supported, we only reuse the device if the previous mount used the
          * same settings, so that a previous unsigned mount will not be reused if the user asks to use
-         * signing for the new one, and viceversa. */
+         * signing for the new one, and vice versa. */
         if (!!verity->root_hash_sig != !!(crypt_params.flags & CRYPT_VERITY_ROOT_HASH_SIGNATURE))
                 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Error opening verity device, it already exists but signature settings are not the same.");
 #endif

src/udev/udev-builtin-net_id.c

@@ -474,8 +474,7 @@ static int names_platform(sd_device *dev, struct netnames *names, bool test) {
 
         /* Platform devices are named after ACPI table match, and instance id
          * eg. "/sys/devices/platform/HISI00C2:00");
-         * The Vendor (3 or 4 char), followed by hexdecimal model number : instance id.
-         */
+         * The Vendor (3 or 4 char), followed by hexadecimal model number : instance id. */
 
         DISABLE_WARNING_FORMAT_NONLITERAL;
         if (sscanf(syspath, pattern, vendor, &model, &instance, &ethid) != 4)

src/udev/udevadm-trigger.c

@@ -51,7 +51,7 @@ static int exec_list(sd_device_enumerator *e, const char *action, Set **settle_s
                                        "Failed to write '%s' to '%s'%s: %m",
                                        action, filename, ignore ? ", ignoring" : "");
                         if (IN_SET(r, -EACCES, -EROFS))
-                                /* Inovoked by unpriviledged user, or read only filesystem. Return earlier. */
+                                /* Inovoked by unprivileged user, or read only filesystem. Return earlier. */
                                 return r;
                         if (ret == 0 && !ignore)
                                 ret = r;

test/sd-script.py

@@ -7,7 +7,7 @@
 #
 # Run after sys-script.py
 # Usage: sd-script.py <directory> <num>
-# <num> is the number of device nodes (disks + partititions)
+# <num> is the number of device nodes (disks + partitions)
 # to create in addition to what sys-script.py already did.
 # The script can be run several times in a row if <num> is increased,
 # adding yet more device entries.