2025-10-07 20:54:45 +02:00
59 changed files with 208 additions and 281 deletions
--- a/126
+++ b/126
@ -86,10 +86,9 @@ CHANGES WITH 258 in spe:
          keyboard mapping hardware database (hwdb.d/60-keyboard.hwdb) so far
          mapped the microphone mute and touchpad on/off/toggle keys to the
          function keys F20, F21, F22, F23 instead of their correct key codes.
-          This key code mangling has been removed from udev.
+          This key code mangling has been removed.
          To maintain compatibility with X11 applications that rely on the old
-          function key code mappings, this mangling has now been added to the
+          function key code mappings, this mangling has now been moved to the
          relevant X11 keyboard driver modules. In order to ensure these keys
          continue to work, update to xf86-input-evdev >= 2.11.0 and
          xf86-input-libinput >= 1.5.0 before updating to systemd >= 258.
@ -551,8 +550,8 @@ CHANGES WITH 258 in spe:
        * The generic "io.systemd.service" Varlink service that various of our
          long-running services implement, gained a new GetEnvironment() call
          that returns the current environment block of the service's main
-          process. In addition, this service interface has been implemented in
+          process. In addition, this service interface has been implemented in many
-          many more long-running services.
+          more long-running services.
        * A new sd-varlink call sd_varlink_get_description() has been added
          that returns the string previously set via
@ -636,15 +635,15 @@ CHANGES WITH 258 in spe:
        * resolved.conf gained a new setting RefuseRecordTypes= which takes a
          list of RR types for which to refuse lookup attempts. This may be
-          used to for example block A or AAAA lookups on IPv4- or IPv6-only
+          used to for example block A or AAAA lookups on IPv4 or IPv6 only
          hosts.
        * A new DNS "delegate zone" concept has been introduced, which are
          additional lookup scopes (on top of the existing per-interface and
          the one global scope so far supported in resolved), which carry one
          or more DNS server addresses and a DNS search/routing domain. It
-          allows routing requests to specific domains to specific servers.
+          allows routing requests to specific domains to specific
-          Delegate zones can be configured via drop-ins below
+          servers. Delegate zones can be configured via drop-ins below
          /etc/systemd/dns-delegate.d/*.dns-delegate.
        * "resolvectl query -t sshfp" will now decode the returned RR
@ -707,13 +706,13 @@ CHANGES WITH 258 in spe:
          variables can be forced now in environments where we'd previously
          automatically turn this off (e.g. in choot() contexts).
-        * systemd-stub gained support for a couple of "extension" CHIDs, that
+        * systemd-stub learnt support for a couple of "extension" CHIDs, that
          are not part of the Microsoft's original spec, and which include EDID
          display identification information in the hash. This may be used to
          match Devicetree blobs in UKIs. "systemd-analyze chid" has been
          updated to support these extension CHIDs, too. (They are clearly
          marked as extensions CHIDs, to emphasize they are systemd's own
-          invention, and not based on the Windows CHID spec.)
+          invention, and not based on the Windows CHID spec)
        * systemd-boot's loader.conf configuration file gained a new
          secure-boot-enroll-action setting which controls the action to take
@ -783,11 +782,11 @@ CHANGES WITH 258 in spe:
          systemd-nsresourced, even if run privileged.
        * If systemd-nspawn is used interactively, two new special key
-          sequences can be used to trigger an immediate clean shutdown or
+          sequences can be entered to trigger an immediate clean shutdown or
-          reboot of the container with systemd running as PID 1: '^]^]p' for
+          reboot of the container (under the assumption it runs systemd as PID
-          shutdown and '^]^]r' for reboot. This is in addition to the
+          1): ^]^]p will shutdown and ^]^]r will reboot. This is in addition to
-          previously supported '^]^]^]' which triggers immediate shutdown
+          the previously supported ^]^]^] which will immediately shut it down,
-          without going through the usual shutdown logic.
+          without going through the clean shutdown logic.
        * systemd-nspawn will now invoke the TTY password agent if invoked
          interactively and without privileges. This makes sure unprivileged
@ -890,27 +889,26 @@ CHANGES WITH 258 in spe:
          filtering by UID/GID min/max, fuzzy name matching and user
          disposition. Previously this was supported by the userdbctl
          client-side only. With this, userdb providers may now optionally
-          implement this server-side too in order to optimize the lookups.
+          implement this server side too in order to optimize the lookups.
        * User records now support a concept of home "areas",
          i.e. subdirectories of the primary $HOME directory that a user can
          log into. This is useful to maintain separate development
          environments or configuration contexts, but within the ownership of
          the same user. Support for this is implemented in systemd-homed, but
-          is conceptually open to other backends, too.
+          is conceptually open to other backends, too. New home areas can be
-
+          created via "mkdir -p ~/Areas/ && cp /etc/skel ~/Areas/foo", or
-          New home areas can be created via "mkdir -p ~/Areas/ && cp /etc/skel
+          removed by "rm -rf ~/Areas/foo". Whenever prompted for login and a
-          ~/Areas/foo", or removed by "rm -rf ~/Areas/foo". Whenever prompted
+          user name is requested, it is possible to enter a username suffixed
-          for login and a user name is requested, it is possible to enter a
+          by "%" and the area name in order to log into the specified area of
-          username suffixed by "%" and the area name in order to log into the
+          the user. (e.g. "bar%foo"). Effectively this ensures that $HOME and
-          specified area of the user. (e.g. "bar%foo"). Effectively this
+          $XDG_RUNTIME_DIR include the area choice after login. Note that at
-          ensures that $HOME and $XDG_RUNTIME_DIR include the area choice after
+          this moment it's not possible to log into a fully graphical session
-          login. Note that at this moment it's not possible to log into a full
+          with this, since we'd have to start a per-area user service manager
-          graphical session with this, since we'd have to start a per-area user
+          for that, and we currently do not do this. But we hope to provide
-          service manager for that, and we currently do not do this. But we
+          this in one of the next releases. In order to implement all this user
-          hope to provide this in one of the next releases. In order to
+          records gained a new "defaultArea" field, which is configurable with
-          implement all this user records gained a new "defaultArea" field,
+          homectl's --default-area= switch.
          which is configurable with homectl's --default-area= switch.
        * An explicit MIME type application/x.systemd-home is now used for all
          LUKS *.home files managed by systemd.
@ -1041,24 +1039,25 @@ CHANGES WITH 258 in spe:
        * There's now a per-user counterpart of /var/lib/machines/ defined as
          ~/.local/state/machines/. Various tools such as systemd-nspawn +
          systemd-vmspawn now will search this directory when looking for a
-          disk image, when invoked in unprivileged user context.
+          disk image, when invoked in unprivileged user
-          systemd-dissect's --discover command may now be combined with --user
+          context. systemd-dissect's --discover command may now be combined
-          or --system to choose in which of the directory scopes to look for
+          with --user or --system to choose in which of the directory scopes to
-          images.
+          look for images.
        * systemd-dissect gained a new --all switch. If specified the tool will
          not just discover DDIs (i.e. disk images) but also images stored in
          regular directories.
        * systemd-dissect gained a new "--shift" switch for recursively
-          re-chown()ing a directory tree from one set of UID/GIDs to another.
+          re-chown()ing a directory tree from one set of UID/GIDs to
-          This may be used to shift a tree from the base-0-UID range to the
+          another. This may be used to shift a tree from the base-0-UID range
-          foreign UID range or back.
+          to the foreign UID range or back.
-        * systemd-dissect gained new --usr-hash= and --usr-hash-sig= options,
+        * systemd-dissect gained a new --usr-hash= option (and
-          that are similar to the existing --root-hash=/--root-hash-sig=
+          --usr-hash-sig=), that is what the existing --root-hash= switch does
-          options, but for the /usr/ partition. This allows the root hash of
+          (and --root-hash-sig=), but for the /usr/ partition. Or in other words,
-          the /usr/ Verity volume and its signature to be specified.
+          it allows specifying the root hash of the /usr/ Verity volume, and
          possible its signature.
        * When dissecting/mounting a DDI disk image, and no Verity root hash or
          signature is provided, suitable values are now automatically
@ -1163,8 +1162,8 @@ CHANGES WITH 258 in spe:
        * systemd-repart gained a new switch --append-fstab= for controlling
          how to write or append automatically generated /etc/fstab entries.
-        * CopyFiles= lines can now contain an "fsverity=copy" flag to preserve
+        * `CopyFiles=` lines can now contain an `fsverity=copy` flag to
-          the fs-verity status of the source files when populating the
+          preserve the fs-verity status of the source files when populating the
          filesystem.
        * systemd-repart has been updated to automatically generate the
@ -2963,9 +2962,9 @@ CHANGES WITH 256:
          controlled via the --register= switch.
        * machinectl's start command (and related) can now invoke images either
-          as containers via systemd-nspawn (specified as '--runner=nspawn', the
+          as containers via `systemd-nspawn` (switch is --runner=nspawn, the
-          default) or as VMs via systemd-vmspawn (specified as
+          default) or as VMs via `systemd-vmspawn` (switch is --runner=vmspawn,
-          '--runner=vmspawn' or '-V').
+          or short -V).
        * systemd-vmspawn now supports two switches --pass-ssh-key= and
          --ssh-key-type= to optionally set up transient SSH keys to pass to the
@ -3871,7 +3870,7 @@ CHANGES WITH 255:
          sd_id128_get_machine_app_specific() and
          sd_id128_get_boot_app_specific() but takes the ID to base calculation
          on as input. This new functionality is also exposed in the
-          systemd-id128 tool where you can now combine --app= with 'show'.
+          "systemd-id128" tool where you can now combine --app= with `show`.
        * All tools that parse timestamps now can also parse RFC3339 style
          timestamps that include the "T" and Z" characters.
@ -6178,7 +6177,7 @@ CHANGES WITH 251:
          compatibility reasons, but nonetheless apparently commonplace). Note
          that this mapping is mapped 1:1 in a pass-through fashion, i.e. the
          UID assignments from the range are not managed or mapped by
-          systemd-homed, and must be managed with other mechanisms, in the
+          `systemd-homed`, and must be managed with other mechanisms, in the
          context of the local system.
          Typically, a better approach to user namespacing in relevant
@ -6323,15 +6322,15 @@ CHANGES WITH 251:
        * PID 1 will now automatically pick up system credentials from qemu's
          fw_cfg interface, thus allowing passing arbitrary data into VM
          systems similar to how this is already supported for passing them
-          into systemd-nspawn containers. Credentials may now also be passed in
+          into `systemd-nspawn` containers. Credentials may now also be passed
-          via the new kernel command line option "systemd.set_credential="
+          in via the new kernel command line option `systemd.set_credential=`
          (note that kernel command line options are world-readable during
          runtime, and only useful for credentials that require no
          confidentiality). The credentials that can be passed to unified
-          kernels that use the systemd-stub UEFI stub are now similarly
+          kernels that use the `systemd-stub` UEFI stub are now similarly
          picked up automatically. Automatic importing of system credentials
          this way can be turned off via the new
-          "systemd.import_credentials=no" kernel command line option.
+          `systemd.import_credentials=no` kernel command line option.
        * LoadCredential= will now automatically look for credentials in the
          /etc/credstore/, /run/credstore/, /usr/lib/credstore/ directories if
@ -10840,7 +10839,7 @@ CHANGES WITH 242:
          Hint: the log output from udev (at debug level) was enhanced to
          clarify what policy is followed and which attributes are used.
-          'SYSTEMD_LOG_LEVEL=debug udevadm test-builtin net_setup_link /sys/class/net/<name>'
+          `SYSTEMD_LOG_LEVEL=debug udevadm test-builtin net_setup_link /sys/class/net/<name>`
          may be used to view this.
          Hint: if a bridge interface is created without any slaves, and gains
@ -10870,7 +10869,7 @@ CHANGES WITH 242:
          configured with PIDFile= for processes of that service.
        * The fallback DNS server list was augmented with Cloudflare public DNS
-          servers. Use '-Ddns-servers=' to set a different fallback.
+          servers. Use `-Ddns-servers=` to set a different fallback.
        * A new special target usb-gadget.target will be started automatically
          when a USB Device Controller is detected (which means that the system
@ -11006,7 +11005,7 @@ CHANGES WITH 242:
          system tree, --console=/--pipe may be used to configure how standard
          input, output, and error are set up.
-        * busctl learned the 'emit' verb to generate D-Bus signals.
+        * busctl learned the `emit` verb to generate D-Bus signals.
        * systemd-analyze cat-config may be used to gather and display
          configuration spread over multiple files, for example system and user
@ -11057,14 +11056,14 @@ CHANGES WITH 242:
          This makes it easier to use kernel-install with plugins which support
          a different layout of the bootloader partitions (for example grub2).
-        * During package installation (with 'ninja install'), we would create
+        * During package installation (with `ninja install`), we would create
          symlinks for getty@tty1.service, systemd-networkd.service,
          systemd-networkd.socket, systemd-resolved.service,
          remote-cryptsetup.target, remote-fs.target,
          systemd-networkd-wait-online.service, and systemd-timesyncd.service
-          in /etc, as if 'systemctl enable' was called for those units, to make
+          in /etc, as if `systemctl enable` was called for those units, to make
          the system usable immediately after installation. Now this is not
-          done anymore, and instead calling 'systemctl preset-all' is
+          done anymore, and instead calling `systemctl preset-all` is
          recommended after the first installation of systemd.
        * A new boolean sandboxing option RestrictSUIDSGID= has been added that
@ -11828,12 +11827,11 @@ CHANGES WITH 239:
          "systemd-resolve" user on such systems, so that nss-ldap won't be
          triggered; or use a different NSS package that doesn't do networking
          in-process but provides a local asynchronous name cache; or configure
-          the NSS package to avoid lookups for UIDs in the range between the
+          the NSS package to avoid lookups for UIDs in the range `pkg-config
-          values returned by the commands
+          systemd --variable=dynamicuidmin` … `pkg-config systemd
-          'pkg-config systemd --variable=dynamicuidmin' and
+          --variable=dynamicuidmax`, so that it does not consider itself
-          'pkg-config systemd --variable=dynamicuidmax', so that it does not
+          authoritative for the same UID range systemd allocates dynamic users
-          consider itself authoritative for the same UID range systemd
+          from.
          allocates dynamic users from.
        * The systemd-resolve tool has been renamed to resolvectl (it also
          remains available under the old name, for compatibility), and its
--- a/man/kernel-install.xml
+++ b/man/kernel-install.xml
@ -321,23 +321,6 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><option>--entry-type=type1|type2|all</option></term>
        <listitem>
          <para>
            Controls the type of entries handled by the command. This is typically useful when multiple types
            of boot entries with the same kernel version are installed, and only one should be removed. When
            <literal>type1</literal> or <literal>type2</literal> is specified, each plugin is invoked with
            <varname>$KERNEL_INSTALL_BOOT_ENTRY_TYPE</varname> environment variable with the specified
            value. When <literal>all</literal> is specified, the environment variable will not be set.
            Defaults to <literal>all</literal>.
          </para>
          <xi:include href="version-info.xml" xpointer="v258"/>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><option>--entry-token=</option></term>
--- a/man/systemd-run.xml
+++ b/man/systemd-run.xml
@ -565,16 +565,6 @@
      <xi:include href="standard-options.xml" xpointer="help" />
      <xi:include href="standard-options.xml" xpointer="version" />
      <xi:include href="standard-options.xml" xpointer="json" />
      <varlistentry id='no-pager'>
        <term><option>--no-pager</option></term>
        <listitem><para>Do not pipe output into a pager. This currently only applies to
        <option>--help</option>. (The pager is not started during normal operation.)</para>
        <xi:include href="version-info.xml" xpointer="v258"/>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>All command line arguments after the first non-option argument become part of the command line of
--- a/mkosi/mkosi.conf.d/centos/mkosi.conf
+++ b/mkosi/mkosi.conf.d/centos/mkosi.conf
@ -5,7 +5,7 @@ Distribution=centos
 [Distribution]
 Release=10
-Repositories=epel
+Repositories=epel,epel-next
 [Build]
 Environment=
--- a/mkosi/mkosi.images/build/mkosi.conf.d/centos/mkosi.conf.d/rpmautospec-rpm-macros.conf
+++ b/mkosi/mkosi.images/build/mkosi.conf.d/centos/mkosi.conf.d/rpmautospec-rpm-macros.conf
@ -2,7 +2,8 @@
 [Match]
 Repositories=epel
 Release=9
 [Content]
-Packages=rpmautospec-rpm-macros
+Packages=
        erofs-utils
        rpmautospec-rpm-macros
--- a/mkosi/mkosi.images/build/mkosi.conf.d/centos/mkosi.conf.d/erofs-utils.conf
+++ b/mkosi/mkosi.images/build/mkosi.conf.d/centos/mkosi.conf.d/erofs-utils.conf
@ -1,11 +0,0 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 [TriggerMatch]
 Repositories=epel
 Release=9
 [TriggerMatch]
 Release=10
 [Content]
 Packages=erofs-utils
--- a/shell-completion/bash/systemd-run
+++ b/shell-completion/bash/systemd-run
@ -40,8 +40,7 @@ _systemd_run() {
        --path-property --socket-property --timer-property -H --host -M --machine --expand-environment
        --background --json --job-mode
    )
-    local OPTS="${opts_with_values[*]} --no-ask-password --no-pager
+    local OPTS="${opts_with_values[*]} --no-ask-password --scope -u --slice-inherit -r --remain-after-exit
                --scope -u --slice-inherit -r --remain-after-exit
                --send-sighup -d --same-dir -t --pty -P --pipe -S --shell -q --quiet --ignore-failure
                --on-clock-change --on-timezone-change --no-block --wait -G --collect --user --system -h --help --version -v --verbose"
    local mode=--system
--- a/shell-completion/zsh/_systemd-run
+++ b/shell-completion/zsh/_systemd-run
@ -47,7 +47,6 @@ _arguments \
    '(-C --capsule)'{-C,--capsule=}'[Operate on capsule]:capsule' \
    '--nice=[Nice level]:nice level' \
    '--no-ask-password[Do not query the user for authentication]' \
    '--no-pager[Do not spawn a pager]' \
    '(--wait)--no-block[Do not synchronously wait for the unit start operation to finish]' \
    '--on-active=[Run after SEC seconds]:SEC' \
    '--on-boot=[Run SEC seconds after machine was booted up]:SEC' \
--- a/src/analyze/analyze-capability.c
+++ b/src/analyze/analyze-capability.c
@ -2,7 +2,7 @@
 #include "analyze.h"
 #include "analyze-capability.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "capability-util.h"
 #include "format-table.h"
 #include "log.h"
--- a/src/basic/capability-list.c
+++ b/src/basic/capability-list.c
@ -4,7 +4,7 @@
 #include "alloc-util.h"
 #include "bitfield.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "capability-util.h"
 #include "extract-word.h"
 #include "log.h"
@ -14,8 +14,8 @@
 static const struct capability_name* lookup_capability(register const char *str, register GPERF_LEN_TYPE len);
-#include "capability-from-name.inc"
+#include "cap-from-name.inc"
-#include "capability-to-name.inc"
+#include "cap-to-name.inc"
 const char* capability_to_name(int id) {
        if (id < 0)
--- a/src/basic/capability-list.h
+++ b/src/basic/capability-list.h
--- a/src/basic/capability-to-name.awk
+++ b/src/basic/capability-to-name.awk
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@ -8,7 +8,7 @@
 #include "alloc-util.h"
 #include "bitfield.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "capability-util.h"
 #include "fd-util.h"
 #include "fileio.h"
--- a/src/basic/generate-capability-list.sh
+++ b/src/basic/generate-capability-list.sh
--- a/src/basic/meson.build
+++ b/src/basic/meson.build
@ -14,7 +14,7 @@ basic_sources = files(
        'build.c',
        'build-path.c',
        'bus-label.c',
-        'capability-list.c',
+        'cap-list.c',
        'capability-util.c',
        'capsule-util.c',
        'cgroup-util.c',
@ -122,11 +122,11 @@ sources += basic_sources
 generated_gperf_headers = []
 foreach item : [
-        # name,        source,             prefix,    headers
+        # name,    source,         struct name,  prefix,    headers
-        ['af',         af_sources,         '',        ['<sys/socket.h>'],       ],
+        ['af',     af_sources,     'af',         '',        ['<sys/socket.h>'],       ],
-        ['arphrd',     arphrd_sources,     'ARPHRD_', ['<linux/if_arp.h>'],     ],
+        ['arphrd', arphrd_sources, 'arphrd',     'ARPHRD_', ['<linux/if_arp.h>'],     ],
-        ['capability', capability_sources, '',        ['<linux/capability.h>'], ],
+        ['cap',    cap_sources,    'capability', '',        ['<linux/capability.h>'], ],
-        ['errno',      [],                 '',        ['<errno.h>'],            ],
+        ['errno',  [],             'errno',      '',        ['<errno.h>'],            ],
 ]
        fname = '@0@-list.txt'.format(item[0])
@ -141,7 +141,7 @@ foreach item : [
        gperf_file = custom_target(
                input : list_txt,
                output : fname,
-                command : [generate_gperfs, item[0], item[2], '@INPUT@'] + item[3],
+                command : [generate_gperfs, item[2], item[3], '@INPUT@'] + item[4],
                capture : true)
        fname = '@0@-from-name.inc'.format(item[0])
@ -150,8 +150,8 @@ foreach item : [
                output : fname,
                command : [gperf,
                           '-L', 'ANSI-C', '-t', '--ignore-case',
-                           '-N', 'lookup_@0@'.format(item[0]),
+                           '-N', 'lookup_@0@'.format(item[2]),
-                           '-H', 'hash_@0@_name'.format(item[0]),
+                           '-H', 'hash_@0@_name'.format(item[2]),
                           '-p', '-C',
                           '@INPUT@'],
                capture : true)
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@ -475,7 +475,8 @@ Virtualization detect_vm(void) {
                   VIRTUALIZATION_ORACLE,
                   VIRTUALIZATION_XEN,
                   VIRTUALIZATION_AMAZON,
-                   VIRTUALIZATION_PARALLELS)) {
+                   VIRTUALIZATION_PARALLELS,
                   VIRTUALIZATION_GOOGLE)) {
                v = dmi;
                goto finish;
        }
@ -514,10 +515,6 @@ Virtualization detect_vm(void) {
                hyperv = true;
        else if (v == VIRTUALIZATION_VM_OTHER)
                other = true;
        else if (v == VIRTUALIZATION_KVM && dmi == VIRTUALIZATION_GOOGLE)
                /* The DMI vendor tables in /sys/class/dmi/id don't help us distinguish between GCE
                 * virtual machines and bare-metal instances, so we need to look at hypervisor. */
                return VIRTUALIZATION_GOOGLE;
        else if (v != VIRTUALIZATION_NONE)
                goto finish;
@ -530,9 +527,7 @@ Virtualization detect_vm(void) {
                return dmi;
        if (dmi == VIRTUALIZATION_VM_OTHER)
                other = true;
-        else if (!IN_SET(dmi, VIRTUALIZATION_NONE, VIRTUALIZATION_GOOGLE)) {
+        else if (dmi != VIRTUALIZATION_NONE) {
                /* At this point if GCE has been detected in dmi, do not report as a VM. It should
                 * be a bare-metal machine */
                v = dmi;
                goto finish;
        }
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@ -9,7 +9,7 @@
 #include "bpf-restrict-fs.h"
 #include "bus-get-properties.h"
 #include "bus-unit-util.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "cpu-set-util.h"
 #include "creds-util.h"
 #include "dbus-execute.h"
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -14,7 +14,7 @@
 #include "alloc-util.h"
 #include "async.h"
 #include "bitfield.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "capability-util.h"
 #include "cgroup-setup.h"
 #include "coredump-util.h"
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@ -17,7 +17,7 @@
 #include "bpf-restrict-fs.h"
 #include "bus-error.h"
 #include "calendarspec.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "capability-util.h"
 #include "cgroup-setup.h"
 #include "condition.h"
--- a/src/home/homectl.c
+++ b/src/home/homectl.c
@ -12,7 +12,7 @@
 #include "bus-error.h"
 #include "bus-locator.h"
 #include "bus-util.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "capability-util.h"
 #include "cgroup-util.h"
 #include "creds-util.h"
--- a/src/include/meson.build
+++ b/src/include/meson.build
@ -13,7 +13,7 @@ arphrd_sources = files(
 )
 # Source files that provides CAP_XYZ
-capability_sources = files(
+cap_sources = files(
        'uapi/linux/capability.h',
 )
--- a/src/include/override/sys/generate-syscall.py
+++ b/src/include/override/sys/generate-syscall.py
@ -44,10 +44,6 @@ HEADER = '''\
 #include_next <sys/syscall.h>
 #ifdef ARCH_MIPS
 #include <asm/sgidefs.h>
 #endif
 #include <assert.h>
 '''
--- a/src/include/override/sys/syscall.h
+++ b/src/include/override/sys/syscall.h
@ -8,10 +8,6 @@
 #include_next <sys/syscall.h>
 #ifdef ARCH_MIPS
 #include <asm/sgidefs.h>
 #endif
 #include <assert.h>
 /* Note: if this code looks strange, this is because it is derived from the same
--- a/src/kernel-install/50-depmod.install
+++ b/src/kernel-install/50-depmod.install
@ -33,12 +33,11 @@ case "$COMMAND" in
        exec depmod -a "$KERNEL_VERSION"
        ;;
    remove)
-        if [ -n "$KERNEL_INSTALL_BOOT_ENTRY_TYPE" ] && [ -d "/lib/modules/$KERNEL_VERSION/kernel" ]; then
+        [ "$KERNEL_INSTALL_BOOT_ENTRY_TYPE" = "type2" ] || \
-            [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && \
+        [ "$KERNEL_INSTALL_BOOT_ENTRY_TYPE" = "type1" ] && \
-                echo "Multiple entry types may exist, not removing modules.dep or associated files."
+        [ -d "/lib/modules/$KERNEL_VERSION/kernel" ] && \
            echo "Multiple entry types exist, not removing modules.dep or associated files." && \
            exit 0
        fi
        [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && \
            echo "Removing /lib/modules/${KERNEL_VERSION}/modules.dep and associated files"
        exec rm -f \
--- a/src/kernel-install/kernel-install.c
+++ b/src/kernel-install/kernel-install.c
@ -1496,17 +1496,17 @@ static int help(void) {
               "     --boot-path=PATH          Path to the $BOOT partition\n"
               "     --make-entry-directory=yes|no|auto\n"
               "                               Create $BOOT/ENTRY-TOKEN/ directory\n"
               "     --entry-type=type1|type2|all\n"
               "                               Operate only on the specified bootloader\n"
               "                               entry type\n"
               "     --entry-token=machine-id|os-id|os-image-id|auto|literal:…\n"
-               "                               Entry token to be used for this installation\n"
+               "                               Entry token to use for this installation\n"
               "     --no-pager                Do not pipe inspect output into a pager\n"
               "     --json=pretty|short|off   Generate JSON output\n"
               "     --no-legend               Do not show the headers and footers\n"
               "     --root=PATH               Operate on an alternate filesystem root\n"
               "     --image=PATH              Operate on disk image as filesystem root\n"
               "     --image-policy=POLICY     Specify disk image dissection policy\n"
               "     --entry-type=type1|type2|all\n"
               "                               Operate only on the specified bootloader\n"
               "                               entry type\n"
               "\n"
               "This program may also be invoked as 'installkernel':\n"
               "  installkernel  [OPTIONS...] VERSION VMLINUZ [MAP] [INSTALLATION-DIR]\n"
--- a/src/kernel-install/meson.build
+++ b/src/kernel-install/meson.build
@ -41,10 +41,8 @@ if want_kernel_install
        install_data('install.conf',
                     install_dir : kerneldir)
-        if want_ukify
+        install_data('uki.conf',
-                install_data('uki.conf',
+                     install_dir : kerneldir)
                             install_dir : kerneldir)
        endif
        if install_sysconfdir
                install_emptydir(sysconfdir / 'kernel/install.d')
--- a/src/libsystemd/sd-bus/bus-dump.c
+++ b/src/libsystemd/sd-bus/bus-dump.c
@ -8,7 +8,7 @@
 #include "bus-internal.h"
 #include "bus-message.h"
 #include "bus-type.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "capability-util.h"
 #include "fileio.h"
 #include "format-util.h"
--- a/src/libsystemd/sd-device/device-enumerator-private.h
+++ b/src/libsystemd/sd-device/device-enumerator-private.h
@ -20,9 +20,9 @@ int device_enumerator_add_parent_devices(sd_device_enumerator *enumerator, sd_de
 int device_enumerator_add_match_is_initialized(sd_device_enumerator *enumerator, MatchInitializedType type);
 int device_enumerator_add_match_parent_incremental(sd_device_enumerator *enumerator, sd_device *parent);
 int device_enumerator_add_prioritized_subsystem(sd_device_enumerator *enumerator, const char *subsystem);
-sd_device* device_enumerator_get_first(sd_device_enumerator *enumerator);
+sd_device *device_enumerator_get_first(sd_device_enumerator *enumerator);
-sd_device* device_enumerator_get_next(sd_device_enumerator *enumerator);
+sd_device *device_enumerator_get_next(sd_device_enumerator *enumerator);
-sd_device** device_enumerator_get_devices(sd_device_enumerator *enumerator, size_t *ret_n_devices);
+sd_device **device_enumerator_get_devices(sd_device_enumerator *enumerator, size_t *ret_n_devices);
 #define FOREACH_DEVICE_AND_SUBSYSTEM(enumerator, device)       \
        for (device = device_enumerator_get_first(enumerator); \
--- a/src/libsystemd/sd-device/device-enumerator.c
+++ b/src/libsystemd/sd-device/device-enumerator.c
@ -98,7 +98,7 @@ static void device_enumerator_unref_devices(sd_device_enumerator *enumerator) {
        enumerator->n_devices = 0;
 }
-static sd_device_enumerator* device_enumerator_free(sd_device_enumerator *enumerator) {
+static sd_device_enumerator *device_enumerator_free(sd_device_enumerator *enumerator) {
        assert(enumerator);
        device_enumerator_unref_devices(enumerator);
@ -1021,7 +1021,7 @@ int device_enumerator_scan_devices(sd_device_enumerator *enumerator) {
        return r;
 }
-_public_ sd_device* sd_device_enumerator_get_device_first(sd_device_enumerator *enumerator) {
+_public_ sd_device *sd_device_enumerator_get_device_first(sd_device_enumerator *enumerator) {
        assert_return(enumerator, NULL);
        if (device_enumerator_scan_devices(enumerator) < 0)
@ -1038,7 +1038,7 @@ _public_ sd_device* sd_device_enumerator_get_device_first(sd_device_enumerator *
        return enumerator->devices[0];
 }
-_public_ sd_device* sd_device_enumerator_get_device_next(sd_device_enumerator *enumerator) {
+_public_ sd_device *sd_device_enumerator_get_device_next(sd_device_enumerator *enumerator) {
        assert_return(enumerator, NULL);
        if (!enumerator->scan_uptodate ||
@ -1088,7 +1088,7 @@ int device_enumerator_scan_subsystems(sd_device_enumerator *enumerator) {
        return r;
 }
-_public_ sd_device* sd_device_enumerator_get_subsystem_first(sd_device_enumerator *enumerator) {
+_public_ sd_device *sd_device_enumerator_get_subsystem_first(sd_device_enumerator *enumerator) {
        assert_return(enumerator, NULL);
        if (device_enumerator_scan_subsystems(enumerator) < 0)
@ -1105,7 +1105,7 @@ _public_ sd_device* sd_device_enumerator_get_subsystem_first(sd_device_enumerato
        return enumerator->devices[0];
 }
-_public_ sd_device* sd_device_enumerator_get_subsystem_next(sd_device_enumerator *enumerator) {
+_public_ sd_device *sd_device_enumerator_get_subsystem_next(sd_device_enumerator *enumerator) {
        assert_return(enumerator, NULL);
        if (!enumerator->scan_uptodate ||
@ -1161,7 +1161,7 @@ int device_enumerator_scan_devices_and_subsystems(sd_device_enumerator *enumerat
        return r;
 }
-sd_device* device_enumerator_get_first(sd_device_enumerator *enumerator) {
+sd_device *device_enumerator_get_first(sd_device_enumerator *enumerator) {
        assert_return(enumerator, NULL);
        if (!enumerator->scan_uptodate)
@ -1178,7 +1178,7 @@ sd_device* device_enumerator_get_first(sd_device_enumerator *enumerator) {
        return enumerator->devices[0];
 }
-sd_device* device_enumerator_get_next(sd_device_enumerator *enumerator) {
+sd_device *device_enumerator_get_next(sd_device_enumerator *enumerator) {
        assert_return(enumerator, NULL);
        if (!enumerator->scan_uptodate ||
@ -1189,7 +1189,7 @@ sd_device* device_enumerator_get_next(sd_device_enumerator *enumerator) {
        return enumerator->devices[++enumerator->current_device_index];
 }
-sd_device** device_enumerator_get_devices(sd_device_enumerator *enumerator, size_t *ret_n_devices) {
+sd_device **device_enumerator_get_devices(sd_device_enumerator *enumerator, size_t *ret_n_devices) {
        assert(enumerator);
        assert(ret_n_devices);
--- a/src/libsystemd/sd-device/device-monitor.c
+++ b/src/libsystemd/sd-device/device-monitor.c
@ -412,13 +412,13 @@ _public_ int sd_device_monitor_attach_event(sd_device_monitor *m, sd_event *even
        return 0;
 }
-_public_ sd_event* sd_device_monitor_get_event(sd_device_monitor *m) {
+_public_ sd_event *sd_device_monitor_get_event(sd_device_monitor *m) {
        assert_return(m, NULL);
        return m->event;
 }
-_public_ sd_event_source* sd_device_monitor_get_event_source(sd_device_monitor *m) {
+_public_ sd_event_source *sd_device_monitor_get_event_source(sd_device_monitor *m) {
        assert_return(m, NULL);
        return m->event_source;
@ -447,7 +447,7 @@ _public_ int sd_device_monitor_get_description(sd_device_monitor *m, const char
        return 0;
 }
-static sd_device_monitor* device_monitor_free(sd_device_monitor *m) {
+static sd_device_monitor *device_monitor_free(sd_device_monitor *m) {
        assert(m);
        (void) sd_device_monitor_detach_event(m);
--- a/src/libsystemd/sd-device/sd-device.c
+++ b/src/libsystemd/sd-device/sd-device.c
@ -52,7 +52,7 @@ int device_new_aux(sd_device **ret) {
        return 0;
 }
-static sd_device* device_free(sd_device *device) {
+static sd_device *device_free(sd_device *device) {
        assert(device);
        sd_device_unref(device->parent);
@ -1051,7 +1051,7 @@ static int device_enumerate_children(sd_device *device) {
        return 1; /* Enumerated. */
 }
-_public_ sd_device* sd_device_get_child_first(sd_device *device, const char **ret_suffix) {
+_public_ sd_device *sd_device_get_child_first(sd_device *device, const char **ret_suffix) {
        int r;
        assert(device);
@ -1069,7 +1069,7 @@ _public_ sd_device* sd_device_get_child_first(sd_device *device, const char **re
        return sd_device_get_child_next(device, ret_suffix);
 }
-_public_ sd_device* sd_device_get_child_next(sd_device *device, const char **ret_suffix) {
+_public_ sd_device *sd_device_get_child_next(sd_device *device, const char **ret_suffix) {
        sd_device *child;
        assert(device);
@ -1922,7 +1922,7 @@ _public_ int sd_device_get_usec_since_initialized(sd_device *device, uint64_t *r
        return 0;
 }
-_public_ const char* sd_device_get_tag_first(sd_device *device) {
+_public_ const char *sd_device_get_tag_first(sd_device *device) {
        void *v;
        assert_return(device, NULL);
@ -1936,7 +1936,7 @@ _public_ const char* sd_device_get_tag_first(sd_device *device) {
        return v;
 }
-_public_ const char* sd_device_get_tag_next(sd_device *device) {
+_public_ const char *sd_device_get_tag_next(sd_device *device) {
        void *v;
        assert_return(device, NULL);
@ -1962,7 +1962,7 @@ static bool device_database_supports_current_tags(sd_device *device) {
        return device->database_version >= 1;
 }
-_public_ const char* sd_device_get_current_tag_first(sd_device *device) {
+_public_ const char *sd_device_get_current_tag_first(sd_device *device) {
        void *v;
        assert_return(device, NULL);
@ -1979,7 +1979,7 @@ _public_ const char* sd_device_get_current_tag_first(sd_device *device) {
        return v;
 }
-_public_ const char* sd_device_get_current_tag_next(sd_device *device) {
+_public_ const char *sd_device_get_current_tag_next(sd_device *device) {
        void *v;
        assert_return(device, NULL);
@ -1996,7 +1996,7 @@ _public_ const char* sd_device_get_current_tag_next(sd_device *device) {
        return v;
 }
-_public_ const char* sd_device_get_devlink_first(sd_device *device) {
+_public_ const char *sd_device_get_devlink_first(sd_device *device) {
        void *v;
        assert_return(device, NULL);
@ -2010,7 +2010,7 @@ _public_ const char* sd_device_get_devlink_first(sd_device *device) {
        return v;
 }
-_public_ const char* sd_device_get_devlink_next(sd_device *device) {
+_public_ const char *sd_device_get_devlink_next(sd_device *device) {
        void *v;
        assert_return(device, NULL);
@ -2083,7 +2083,7 @@ int device_properties_prepare(sd_device *device) {
        return 0;
 }
-_public_ const char* sd_device_get_property_first(sd_device *device, const char **_value) {
+_public_ const char *sd_device_get_property_first(sd_device *device, const char **_value) {
        const char *key;
        int r;
@ -2100,7 +2100,7 @@ _public_ const char* sd_device_get_property_first(sd_device *device, const char
        return key;
 }
-_public_ const char* sd_device_get_property_next(sd_device *device, const char **_value) {
+_public_ const char *sd_device_get_property_next(sd_device *device, const char **_value) {
        const char *key;
        int r;
@ -2217,14 +2217,19 @@ static int device_sysattrs_read_all(sd_device *device) {
        return 0;
 }
-_public_ const char* sd_device_get_sysattr_first(sd_device *device) {
+_public_ const char *sd_device_get_sysattr_first(sd_device *device) {
        void *v;
        int r;
        assert_return(device, NULL);
-        if (!device->sysattrs_read &&
+        if (!device->sysattrs_read) {
-            device_sysattrs_read_all(device) < 0)
+                r = device_sysattrs_read_all(device);
-                return NULL;
+                if (r < 0) {
                        errno = -r;
                        return NULL;
                }
        }
        device->sysattrs_iterator = ITERATOR_FIRST;
@ -2232,7 +2237,7 @@ _public_ const char* sd_device_get_sysattr_first(sd_device *device) {
        return v;
 }
-_public_ const char* sd_device_get_sysattr_next(sd_device *device) {
+_public_ const char *sd_device_get_sysattr_next(sd_device *device) {
        void *v;
        assert_return(device, NULL);
--- a/src/login/pam_systemd.c
+++ b/src/login/pam_systemd.c
@ -22,7 +22,7 @@
 #include "bus-error.h"
 #include "bus-internal.h"
 #include "bus-locator.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "capability-util.h"
 #include "cgroup-setup.h"
 #include "chase.h"
--- a/src/network/networkd-address.c
+++ b/src/network/networkd-address.c
@ -1345,7 +1345,7 @@ int link_drop_ipv6ll_addresses(Link *link) {
        /* IPv6LL address may be in the tentative state, and in that case networkd has not received it.
         * So, we need to dump all IPv6 addresses. */
-        if (link_ipv6ll_enabled_harder(link))
+        if (link_may_have_ipv6ll(link, /* check_multicast = */ false))
                return 0;
        r = sd_rtnl_message_new_addr(link->manager->rtnl, &req, RTM_GETADDR, link->ifindex, AF_INET6);
--- a/src/network/networkd-ipv6ll.c
+++ b/src/network/networkd-ipv6ll.c
@ -43,26 +43,41 @@ bool link_ipv6ll_enabled(Link *link) {
        return link->network->link_local & ADDRESS_FAMILY_IPV6;
 }
-bool link_ipv6ll_enabled_harder(Link *link) {
+bool link_may_have_ipv6ll(Link *link, bool check_multicast) {
        assert(link);
-        /* This is mostly equivalent to link_ipv6ll_enabled(), but also checks if an IPv6LL address is
+        /*
-         * manually configured. */
+         * This is equivalent to link_ipv6ll_enabled() for non-WireGuard interfaces.
         *
         * For WireGuard interface, the kernel does not assign any IPv6LL addresses, but we can assign
         * it manually. It is necessary to set an IPv6LL address manually to run NDisc or RADV on
         * WireGuard interface. Note, also Multicast=yes must be set. See #17380.
         *
         * TODO: May be better to introduce GenerateIPv6LinkLocalAddress= setting, and use algorithms
         *       used in networkd-address-generation.c
         */
        if (link_ipv6ll_enabled(link))
                return true;
-        if (!link->network)
+        /* IPv6LL address can be manually assigned on WireGuard interface. */
-                return false;
+        if (streq_ptr(link->kind, "wireguard")) {
                Address *a;
-        Address *a;
+                if (!link->network)
-        ORDERED_HASHMAP_FOREACH(a, link->network->addresses_by_section) {
+                        return false;
-                if (a->family != AF_INET6)
+
-                        continue;
+                if (check_multicast && !FLAGS_SET(link->flags, IFF_MULTICAST) && link->network->multicast <= 0)
-                if (in6_addr_is_set(&a->in_addr_peer.in6))
+                        return false;
-                        continue;
+
-                if (in6_addr_is_link_local(&a->in_addr.in6))
+                ORDERED_HASHMAP_FOREACH(a, link->network->addresses_by_section) {
-                        return true;
+                        if (a->family != AF_INET6)
                                continue;
                        if (in6_addr_is_set(&a->in_addr_peer.in6))
                                continue;
                        if (in6_addr_is_link_local(&a->in_addr.in6))
                                return true;
                }
        }
        return false;
--- a/src/network/networkd-ipv6ll.h
+++ b/src/network/networkd-ipv6ll.h
@ -15,7 +15,7 @@ typedef enum IPv6LinkLocalAddressGenMode {
 } IPv6LinkLocalAddressGenMode;
 bool link_ipv6ll_enabled(Link *link);
-bool link_ipv6ll_enabled_harder(Link *link);
+bool link_may_have_ipv6ll(Link *link, bool check_multicast);
 IPv6LinkLocalAddressGenMode link_get_ipv6ll_addrgen_mode(Link *link);
 int ipv6ll_addrgen_mode_fill_message(sd_netlink_message *message, IPv6LinkLocalAddressGenMode mode);
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@ -133,7 +133,7 @@ bool link_ipv6_enabled(Link *link) {
        if (link->network->bond)
                return false;
-        if (link_ipv6ll_enabled(link))
+        if (link_may_have_ipv6ll(link, /* check_multicast = */ false))
                return true;
        if (network_has_static_ipv6_configurations(link->network))
@ -2126,17 +2126,6 @@ bool link_has_carrier(Link *link) {
        return netif_has_carrier(link->kernel_operstate, link->flags);
 }
 bool link_multicast_enabled(Link *link) {
        assert(link);
        /* If Multicast= is specified, use the value. */
        if (link->network && link->network->multicast >= 0)
                return link->network->multicast;
        /* Otherwise, return the current state. */
        return FLAGS_SET(link->flags, IFF_MULTICAST);
 }
 #define FLAG_STRING(string, flag, old, new)                      \
        (((old ^ new) & flag)                                    \
         ? ((old & flag) ? (" -" string) : (" +" string))        \
--- a/src/network/networkd-link.h
+++ b/src/network/networkd-link.h
@ -229,7 +229,6 @@ void link_check_ready(Link *link);
 void link_update_operstate(Link *link, bool also_update_bond_master);
 bool link_has_carrier(Link *link);
 bool link_multicast_enabled(Link *link);
 bool link_ipv6_enabled(Link *link);
 int link_ipv6ll_gained(Link *link);
--- a/src/network/networkd-ndisc.c
+++ b/src/network/networkd-ndisc.c
@ -65,10 +65,7 @@ bool link_ndisc_enabled(Link *link) {
        if (!link->network)
                return false;
-        if (!link_multicast_enabled(link))
+        if (!link_may_have_ipv6ll(link, /* check_multicast = */ true))
                return false;
        if (!link_ipv6ll_enabled_harder(link))
                return false;
        /* Honor explicitly specified value. */
--- a/src/network/networkd-radv.c
+++ b/src/network/networkd-radv.c
@ -31,10 +31,10 @@
 bool link_radv_enabled(Link *link) {
        assert(link);
-        if (!link_multicast_enabled(link))
+        if (!link_may_have_ipv6ll(link, /* check_multicast = */ true))
                return false;
-        if (!link_ipv6ll_enabled_harder(link))
+        if (link->hw_addr.length != ETH_ALEN)
                return false;
        return link->network->router_prefix_delegation;
--- a/src/nspawn/nspawn-oci.c
+++ b/src/nspawn/nspawn-oci.c
@ -8,7 +8,7 @@
 #include "alloc-util.h"
 #include "bus-util.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "cgroup-util.h"
 #include "cpu-set-util.h"
 #include "device-util.h"
--- a/src/nspawn/nspawn-settings.c
+++ b/src/nspawn/nspawn-settings.c
@ -3,7 +3,7 @@
 #include "sd-bus.h"
 #include "alloc-util.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "conf-parser.h"
 #include "cpu-set-util.h"
 #include "extract-word.h"
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -32,7 +32,7 @@
 #include "bus-error.h"
 #include "bus-locator.h"
 #include "bus-util.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "capability-util.h"
 #include "cgroup-setup.h"
 #include "cgroup-util.h"
--- a/src/run/run.c
+++ b/src/run/run.c
@ -42,7 +42,6 @@
 #include "log.h"
 #include "main-func.h"
 #include "osc-context.h"
 #include "pager.h"
 #include "parse-argument.h"
 #include "parse-util.h"
 #include "path-util.h"
@ -111,7 +110,6 @@ static char **arg_cmdline = NULL;
 static char *arg_exec_path = NULL;
 static bool arg_ignore_failure = false;
 static char *arg_background = NULL;
 static PagerFlags arg_pager_flags = 0;
 static sd_json_format_flags_t arg_json_format_flags = SD_JSON_FORMAT_OFF;
 static char *arg_shell_prompt_prefix = NULL;
 static int arg_lightweight = -1;
@ -135,8 +133,6 @@ static int help(void) {
        _cleanup_free_ char *link = NULL;
        int r;
        pager_open(arg_pager_flags);
        r = terminal_urlify_man("systemd-run", "1", &link);
        if (r < 0)
                return log_oom();
@ -181,7 +177,6 @@ static int help(void) {
               "                                  when queueing a new job\n"
               "     --ignore-failure             Ignore the exit status of the invoked process\n"
               "     --background=COLOR           Set ANSI color for background\n"
               "     --no-pager                   Do not pipe output into a pager\n"
               "\n%3$sPath options:%4$s\n"
               "     --path-property=NAME=VALUE   Set path unit property\n"
               "\n%3$sSocket options:%4$s\n"
@ -323,7 +318,6 @@ static int parse_argv(int argc, char *argv[]) {
                ARG_JOB_MODE,
                ARG_IGNORE_FAILURE,
                ARG_BACKGROUND,
                ARG_NO_PAGER,
                ARG_JSON,
        };
@ -376,7 +370,6 @@ static int parse_argv(int argc, char *argv[]) {
                { "job-mode",           required_argument, NULL, ARG_JOB_MODE           },
                { "ignore-failure",     no_argument,       NULL, ARG_IGNORE_FAILURE     },
                { "background",         required_argument, NULL, ARG_BACKGROUND         },
                { "no-pager",           no_argument,       NULL, ARG_NO_PAGER           },
                { "json",               required_argument, NULL, ARG_JSON               },
                {},
        };
@ -691,10 +684,6 @@ static int parse_argv(int argc, char *argv[]) {
                                return r;
                        break;
                case ARG_NO_PAGER:
                        arg_pager_flags |= PAGER_DISABLE;
                        break;
                case ARG_JSON:
                        r = parse_json_argument(optarg, &arg_json_format_flags);
                        if (r <= 0)
--- a/src/shared/base-filesystem.c
+++ b/src/shared/base-filesystem.c
@ -5,10 +5,6 @@
 #include <syslog.h>
 #include <unistd.h>
 #ifdef ARCH_MIPS
 #include <asm/sgidefs.h>
 #endif
 #include "alloc-util.h"
 #include "base-filesystem.h"
 #include "errno-util.h"
--- a/src/shared/bus-print-properties.c
+++ b/src/shared/bus-print-properties.c
@ -4,7 +4,7 @@
 #include "alloc-util.h"
 #include "bus-print-properties.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "cgroup-util.h"
 #include "escape.h"
 #include "log.h"
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@ -11,7 +11,7 @@
 #include "bus-locator.h"
 #include "bus-unit-util.h"
 #include "bus-util.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "cgroup-setup.h"
 #include "cgroup-util.h"
 #include "condition.h"
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@ -16,7 +16,7 @@
 #include "battery-util.h"
 #include "bitfield.h"
 #include "blockdev-util.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "capability-util.h"
 #include "cgroup-util.h"
 #include "compare-operator.h"
--- a/src/shared/quota-util.h
+++ b/src/shared/quota-util.h
@ -1,8 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
-#include <linux/quota.h>        /* IWYU pragma: export */
+#include <sys/quota.h> /* IWYU pragma: export */
 #include <sys/quota.h>          /* IWYU pragma: export */
 #include "forward.h"
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -8,10 +8,6 @@
 #include <sys/shm.h>
 #include <sys/stat.h>
 #ifdef ARCH_MIPS
 #include <asm/sgidefs.h>
 #endif
 #include "af-list.h"
 #include "alloc-util.h"
 #include "env-util.h"
--- a/src/shared/user-record-show.c
+++ b/src/shared/user-record-show.c
@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #include "alloc-util.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "format-util.h"
 #include "glyph-util.h"
 #include "hashmap.h"
--- a/src/shared/user-record.c
+++ b/src/shared/user-record.c
@ -4,7 +4,7 @@
 #include "alloc-util.h"
 #include "bitfield.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "cgroup-util.h"
 #include "dns-domain.h"
 #include "glyph-util.h"
--- a/src/systemd/sd-device.h
+++ b/src/systemd/sd-device.h
@ -50,8 +50,8 @@ typedef int (*sd_device_monitor_handler_t)(sd_device_monitor *m, sd_device *devi
 /* device */
-sd_device* sd_device_ref(sd_device *device);
+sd_device *sd_device_ref(sd_device *device);
-sd_device* sd_device_unref(sd_device *device);
+sd_device *sd_device_unref(sd_device *device);
 int sd_device_new_from_syspath(sd_device **ret, const char *syspath);
 int sd_device_new_from_devnum(sd_device **ret, char type, dev_t devnum);
@ -98,8 +98,8 @@ const char* sd_device_get_property_first(sd_device *device, const char **value);
 const char* sd_device_get_property_next(sd_device *device, const char **value);
 const char* sd_device_get_sysattr_first(sd_device *device);
 const char* sd_device_get_sysattr_next(sd_device *device);
-sd_device* sd_device_get_child_first(sd_device *device, const char **ret_suffix);
+sd_device *sd_device_get_child_first(sd_device *device, const char **ret_suffix);
-sd_device* sd_device_get_child_next(sd_device *device, const char **ret_suffix);
+sd_device *sd_device_get_child_next(sd_device *device, const char **ret_suffix);
 int sd_device_has_tag(sd_device *device, const char *tag);
 int sd_device_has_current_tag(sd_device *device, const char *tag);
@ -117,13 +117,13 @@ int sd_device_open(sd_device *device, int flags);
 /* device enumerator */
 int sd_device_enumerator_new(sd_device_enumerator **ret);
-sd_device_enumerator* sd_device_enumerator_ref(sd_device_enumerator *enumerator);
+sd_device_enumerator *sd_device_enumerator_ref(sd_device_enumerator *enumerator);
-sd_device_enumerator* sd_device_enumerator_unref(sd_device_enumerator *enumerator);
+sd_device_enumerator *sd_device_enumerator_unref(sd_device_enumerator *enumerator);
-sd_device* sd_device_enumerator_get_device_first(sd_device_enumerator *enumerator);
+sd_device *sd_device_enumerator_get_device_first(sd_device_enumerator *enumerator);
-sd_device* sd_device_enumerator_get_device_next(sd_device_enumerator *enumerator);
+sd_device *sd_device_enumerator_get_device_next(sd_device_enumerator *enumerator);
-sd_device* sd_device_enumerator_get_subsystem_first(sd_device_enumerator *enumerator);
+sd_device *sd_device_enumerator_get_subsystem_first(sd_device_enumerator *enumerator);
-sd_device* sd_device_enumerator_get_subsystem_next(sd_device_enumerator *enumerator);
+sd_device *sd_device_enumerator_get_subsystem_next(sd_device_enumerator *enumerator);
 int sd_device_enumerator_add_match_subsystem(sd_device_enumerator *enumerator, const char *subsystem, int match);
 int sd_device_enumerator_add_match_sysattr(sd_device_enumerator *enumerator, const char *sysattr, const char *value, int match);
@ -139,8 +139,8 @@ int sd_device_enumerator_add_all_parents(sd_device_enumerator *enumerator);
 /* device monitor */
 int sd_device_monitor_new(sd_device_monitor **ret);
-sd_device_monitor* sd_device_monitor_ref(sd_device_monitor *m);
+sd_device_monitor *sd_device_monitor_ref(sd_device_monitor *m);
-sd_device_monitor* sd_device_monitor_unref(sd_device_monitor *m);
+sd_device_monitor *sd_device_monitor_unref(sd_device_monitor *m);
 int sd_device_monitor_get_fd(sd_device_monitor *m);
 int sd_device_monitor_get_events(sd_device_monitor *m);
@ -148,8 +148,8 @@ int sd_device_monitor_get_timeout(sd_device_monitor *m, uint64_t *ret);
 int sd_device_monitor_set_receive_buffer_size(sd_device_monitor *m, size_t size);
 int sd_device_monitor_attach_event(sd_device_monitor *m, sd_event *event);
 int sd_device_monitor_detach_event(sd_device_monitor *m);
-sd_event* sd_device_monitor_get_event(sd_device_monitor *m);
+sd_event *sd_device_monitor_get_event(sd_device_monitor *m);
-sd_event_source* sd_device_monitor_get_event_source(sd_device_monitor *m);
+sd_event_source *sd_device_monitor_get_event_source(sd_device_monitor *m);
 int sd_device_monitor_set_description(sd_device_monitor *m, const char *description);
 int sd_device_monitor_get_description(sd_device_monitor *m, const char **ret);
 int sd_device_monitor_is_running(sd_device_monitor *m);
--- a/src/test/meson.build
+++ b/src/test/meson.build
@ -249,11 +249,11 @@ executables += [
                'type' : 'manual',
        },
        test_template + {
-                'sources' : files('test-capability-list.c'),
+                'sources' : files('test-cap-list.c'),
                'dependencies' : libcap,
        },
        test_template + {
-                'sources' : files('test-capability-util.c'),
+                'sources' : files('test-capability.c'),
                'dependencies' : libcap,
        },
        test_template + {
--- a/src/test/test-capability-list.c
+++ b/src/test/test-capability-list.c
@ -3,7 +3,7 @@
 #include <stdio.h>
 #include "alloc-util.h"
-#include "capability-list.h"
+#include "cap-list.h"
 #include "capability-util.h"
 #include "parse-util.h"
 #include "random-util.h"
--- a/src/test/test-capability-util.c
+++ b/src/test/test-capability-util.c
--- a/src/udev/udevadm-util.c
+++ b/src/udev/udevadm-util.c
@ -305,7 +305,7 @@ static int search_rules_file(const char *s, const char *root, ConfFile ***files,
        if (!GREEDY_REALLOC_APPEND(*files, *n_files, f, n))
                return log_oom();
-        f = mfree(f); /* The array elements are owned by 'files'. So, conf_file_free_many() must not be called. */
+        TAKE_PTR(f);
        n = 0;
        return 0;
 }
--- a/test/integration-tests/integration-test-wrapper.py
+++ b/test/integration-tests/integration-test-wrapper.py
@ -572,8 +572,6 @@ def main() -> None:
    else:
        firmware = args.firmware
    vm = args.vm or os.getuid() != 0 or os.getenv('TEST_PREFER_QEMU', '0') == '1'
    cmd = [
        args.mkosi,
        '--directory', os.fspath(args.mkosi_dir),
@ -618,8 +616,9 @@ def main() -> None:
        ),
        '--credential', f"journal.storage={'persistent' if sys.stdin.isatty() else args.storage}",
        *(['--runtime-build-sources=no', '--register=no'] if not sys.stdin.isatty() else []),
-        'vm' if vm else 'boot',
+        'vm' if args.vm or os.getuid() != 0 or os.getenv('TEST_PREFER_QEMU', '0') == '1' else 'boot',
-        *(['--', '--capability=CAP_BPF'] if not vm else []),
+        *(['--', '--capability=CAP_BPF'] \
            if not args.vm and os.getenv('TEST_PREFER_QEMU', '0') == '0' else []),
    ]  # fmt: skip
    try:
--- a/test/units/TEST-50-DISSECT.mountfsd.sh
+++ b/test/units/TEST-50-DISSECT.mountfsd.sh
@ -6,12 +6,12 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh
-if [[ ! -f /usr/lib/systemd/system/systemd-mountfsd.socket ]] ||
+if [[ ! -f /usr/lib/systemd/system/systemd-mountfsd.socket ]] || \
-   [[ ! -f /usr/lib/systemd/system/systemd-nsresourced.socket ]] ||
+   [[ ! -f /usr/lib/systemd/system/systemd-nsresourced.socket ]] || \
-   ! command -v mksquashfs ||
+   ! command -v mksquashfs || \
   ! grep -q bpf /sys/kernel/security/lsm ||
-   ! find /usr/lib* -name libbpf.so.1 2>/dev/null | grep . ||
+   ! find /usr/lib* -name libbpf.so.1 2>/dev/null | grep . || \
-   systemd-analyze compare-versions "$(uname -r)" lt 6.5 ||
+   systemd-analyze compare-versions "$(uname -r)" lt 6.5 || \
   systemd-analyze compare-versions "$(pkcheck --version | awk '{print $3}')" lt 124; then
    echo "Skipping mountfsd/nsresourced tests"
    exit 0
--- a/test/units/TEST-60-MOUNT-RATELIMIT.sh
+++ b/test/units/TEST-60-MOUNT-RATELIMIT.sh
@ -243,9 +243,9 @@ EOF
        sleep 1
-        if [[ "$(systemctl is-failed tmp-hoge.mount)" == "failed" ]] ||
+        if [[ "$(systemctl is-failed tmp-hoge.mount)" == "failed" ]] || \
           journalctl --since="$since" -u tmp-hoge.mount -q --grep "but there is no mount"; then
-            exit 1
+                exit 1
        fi
        systemctl stop tmp-hoge.mount