Fix pam_systemd_home's debug parameter to match man page description

https://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#dhcpv6-parameters-5

TODO

@@ -19,6 +19,14 @@ Janitorial Clean-ups:
 
 Features:
 
+* journalctl --image= which is like --root= but operates on disk images
+
+* when systemd-nspawn and suchlike dissect an OS image, and there are multiple
+  root partitions, do an strverscmp() on the partition label and boot
+  first. That is inspired how sd-boot figures out which kernel to boot, and
+  thus allows defining OS images which can be A/B updated and we default to the
+  newest version automatically, both in nspawn and in sd-boot
+
 * drop sd_bus_message_set_priority() from sd-bus API and documentation as much
   as we can, it's a kdbus left-over and unlikely to come back on AF_UNIX, since
   it's not really implementable there.

src/core/execute.c

@@ -1646,6 +1646,41 @@ static int apply_lock_personality(const Unit* u, const ExecContext *c) {
 
 #endif
 
+static int apply_protect_hostname(const Unit *u, const ExecContext *c, int *ret_exit_status) {
+        int r;
+
+        assert(u);
+        assert(c);
+
+        if (!c->protect_hostname)
+                return 0;
+
+        if (ns_type_supported(NAMESPACE_UTS)) {
+                if (unshare(CLONE_NEWUTS) < 0) {
+                        if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) {
+                                *ret_exit_status = EXIT_NAMESPACE;
+                                return log_unit_error_errno(u, errno, "Failed to set up UTS namespacing: %m");
+                        }
+
+                        log_unit_warning(u, "ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.");
+                }
+        } else
+                log_unit_warning(u, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.");
+
+#if HAVE_SECCOMP
+        if (skip_seccomp_unavailable(u, "ProtectHostname="))
+                return 0;
+
+        r = seccomp_protect_hostname();
+        if (r < 0) {
+                *ret_exit_status = EXIT_SECCOMP;
+                return log_unit_error_errno(u, r, "Failed to apply hostname restrictions: %m");
+        }
+#endif
+
+        return 0;
+}
+
 static void do_idle_pipe_dance(int idle_pipe[static 4]) {
         assert(idle_pipe);
 
@@ -3596,25 +3631,10 @@ static int exec_child(
                 }
         }
 
-        if (context->protect_hostname) {
+        if (needs_sandboxing) {
-                if (ns_type_supported(NAMESPACE_UTS)) {
+                r = apply_protect_hostname(unit, context, exit_status);
-                        if (unshare(CLONE_NEWUTS) < 0) {
+                if (r < 0)
-                                if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) {
+                        return r;
-                                        *exit_status = EXIT_NAMESPACE;
-                                        return log_unit_error_errno(unit, errno, "Failed to set up UTS namespacing: %m");
-                                }
-
-                                log_unit_warning(unit, "ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.");
-                        }
-                } else
-                        log_unit_warning(unit, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.");
-#if HAVE_SECCOMP
-                r = seccomp_protect_hostname();
-                if (r < 0) {
-                        *exit_status = EXIT_SECCOMP;
-                        return log_unit_error_errno(unit, r, "Failed to apply hostname restrictions: %m");
-                }
-#endif
         }
 
         /* Drop groups as early as possible.

src/home/pam_systemd_home.c

@@ -52,9 +52,12 @@ static int parse_argv(
                         else if (please_suspend)
                                 *please_suspend = k;
 
+                } else if (streq(argv[i], "debug")) {
+                        if (debug)
+                                *debug = true;
+
                 } else if ((v = startswith(argv[i], "debug="))) {
                         int k;
-
                         k = parse_boolean(v);
                         if (k < 0)
                                 pam_syslog(handle, LOG_WARNING, "Failed to parse debug= argument, ignoring: %s", v);

src/libsystemd-network/dhcp6-protocol.h

@@ -82,6 +82,10 @@ enum {
         DHCP6_NTP_SUBOPTION_SRV_FQDN            = 3,
 };
 
+/*
+ * RFC 8415, RFC 5007 and RFC 7653 status codes:
+ * https://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#dhcpv6-parameters-5
+ */
 enum {
         DHCP6_STATUS_SUCCESS                      = 0,
         DHCP6_STATUS_UNSPEC_FAIL                  = 1,
@@ -90,7 +94,23 @@ enum {
         DHCP6_STATUS_NOT_ON_LINK                  = 4,
         DHCP6_STATUS_USE_MULTICAST                = 5,
         DHCP6_STATUS_NO_PREFIX_AVAIL              = 6,
-        _DHCP6_STATUS_MAX                       = 7,
+        DHCP6_STATUS_UNKNOWN_QUERY_TYPE           = 7,
+        DHCP6_STATUS_MALFORMED_QUERY              = 8,
+        DHCP6_STATUS_NOT_CONFIGURED               = 9,
+        DHCP6_STATUS_NOT_ALLOWED                  = 10,
+        DHCP6_STATUS_QUERY_TERMINATED             = 11,
+        DHCP6_STATUS_DATA_MISSING                 = 12,
+        DHCP6_STATUS_CATCHUP_COMPLETE             = 13,
+        DHCP6_STATUS_NOT_SUPPORTED                = 14,
+        DHCP6_STATUS_TLS_CONNECTION_REFUSED       = 15,
+        DHCP6_STATUS_ADDRESS_IN_USE               = 16,
+        DHCP6_STATUS_CONFIGURATION_CONFLICT       = 17,
+        DHCP6_STATUS_MISSING_BINDING_INFORMATION  = 18,
+        DHCP6_STATUS_OUTDATED_BINDING_INFORMATION = 19,
+        DHCP6_STATUS_SERVER_SHUTTING_DOWN         = 20,
+        DHCP6_STATUS_DNS_UPDATE_NOT_SUPPORTED     = 21,
+        DHCP6_STATUS_EXCESSIVE_TIME_SKEW          = 22,
+        _DHCP6_STATUS_MAX                         = 23,
 };
 
 enum {

src/libsystemd-network/sd-dhcp6-client.c

@@ -113,6 +113,22 @@ const char * dhcp6_message_status_table[_DHCP6_STATUS_MAX] = {
         [DHCP6_STATUS_NOT_ON_LINK]                  = "Not on link",
         [DHCP6_STATUS_USE_MULTICAST]                = "Use multicast",
         [DHCP6_STATUS_NO_PREFIX_AVAIL]              = "No prefix available",
+        [DHCP6_STATUS_UNKNOWN_QUERY_TYPE]           = "Unknown query type",
+        [DHCP6_STATUS_MALFORMED_QUERY]              = "Malformed query",
+        [DHCP6_STATUS_NOT_CONFIGURED]               = "Not configured",
+        [DHCP6_STATUS_NOT_ALLOWED]                  = "Not allowed",
+        [DHCP6_STATUS_QUERY_TERMINATED]             = "Query terminated",
+        [DHCP6_STATUS_DATA_MISSING]                 = "Data missing",
+        [DHCP6_STATUS_CATCHUP_COMPLETE]             = "Catch up complete",
+        [DHCP6_STATUS_NOT_SUPPORTED]                = "Not supported",
+        [DHCP6_STATUS_TLS_CONNECTION_REFUSED]       = "TLS connection refused",
+        [DHCP6_STATUS_ADDRESS_IN_USE]               = "Address in use",
+        [DHCP6_STATUS_CONFIGURATION_CONFLICT]       = "Configuration conflict",
+        [DHCP6_STATUS_MISSING_BINDING_INFORMATION]  = "Missing binding information",
+        [DHCP6_STATUS_OUTDATED_BINDING_INFORMATION] = "Outdated binding information",
+        [DHCP6_STATUS_SERVER_SHUTTING_DOWN]         = "Server shutting down",
+        [DHCP6_STATUS_DNS_UPDATE_NOT_SUPPORTED]     = "DNS update not supported",
+        [DHCP6_STATUS_EXCESSIVE_TIME_SKEW]          = "Excessive time skew",
 };
 
 DEFINE_STRING_TABLE_LOOKUP(dhcp6_message_status, int);