machined: Skip root user namespace check for user managers

You can register whatever process you want in the user machined instance that is running in the same namespace as pid 1 as machined won't be allowed to do anything privileged anyway that could be dangerous when running as a user instance. We have to skip the check as we user machined instances don't have privileges to inspect pid1's user namespaces.
pcrextend: fix memory leak
2026-03-03 03:34:46 +01:00 · 2026-02-18 19:22:14 +01:00 · 2026-02-18 18:25:08 +01:00 · 2026-02-18 18:22:00 +01:00 · 2026-02-18 15:05:44 +00:00 · 2026-02-18 15:18:58 +01:00
15 changed files with 36 additions and 40 deletions
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@ -47,7 +47,7 @@ jobs:
          # older glibc
          - env: { COMPILER: "gcc",   COMPILER_VERSION: "12", LINKER: "bfd", CUSTOM_PYTHON: "1"  }
            runner: [ ubuntu-22.04 ]
-            python-version: '3.7'
+            python-version: '3.9'
    env: ${{ matrix.env }}
    steps:
      - name: Repository checkout
--- a/2
+++ b/2
@ -247,7 +247,7 @@ REQUIREMENTS:
        gperf
        docbook-xsl (optional, required for documentation)
        xsltproc    (optional, required for documentation)
-        python >= 3.7 (required by meson too, >= 3.9 is required for ukify)
+        python >= 3.9
        python-jinja2
        python-pefile (optional, required for ukify)
        python-lxml (optional, required to build the indices)
--- a/man/check-os-release.py
+++ b/man/check-os-release.py
@ -17,8 +17,7 @@ def read_os_release():
        line = line.rstrip()
        if not line or line.startswith('#'):
            continue
-        m = re.match(r'([A-Z][A-Z_0-9]+)=(.*)', line)
-        if m:
+        if m := re.match(r'([A-Z][A-Z_0-9]+)=(.*)', line):
            name, val = m.groups()
            if val and val[0] in '"\'':
                val = ast.literal_eval(val)
--- a/man/systemd-vmspawn.xml
+++ b/man/systemd-vmspawn.xml
@ -221,6 +221,9 @@
          when the VM shuts down. This mode is not suitable for VMs which lock disk encryption keys to the
          TPM, as these keys will be lost on every reboot. Defaults to <literal>auto</literal>.</para>

+          <para>If <option>--ephemeral</option> is specified, <literal>auto</literal> behaves like
+          <literal>off</literal>.</para>
+
          <xi:include href="version-info.xml" xpointer="v258"/></listitem>
        </varlistentry>

--- a/meson.build
+++ b/meson.build
@ -1695,7 +1695,9 @@ conf.set10('SYSTEMD_SLOW_TESTS_DEFAULT', want_slow_tests)

 pymod = import('python')
 python = pymod.find_installation('python3', required : true, modules : ['jinja2'])
-python_39 = python.language_version().version_compare('>=3.9')
+if not python.language_version().version_compare('>=3.9')
+        error('Python >= 3.9 is required')
+endif

 #####################################################################

@ -1896,9 +1898,7 @@ if have and efi_arch == 'x64' and cc.links('''
        efi_cpu_family_alt = 'x86'
 endif

-pefile = pymod.find_installation('python3', required: false, modules : ['pefile'])
-
-want_ukify = get_option('ukify').require(python_39 and (want_tests != 'true' or pefile.found()), error_message : 'Python >= 3.9 and pefile required').allowed()
+want_ukify = pymod.find_installation('python3', required: get_option('ukify'), modules : ['pefile']).found()
 conf.set10('ENABLE_UKIFY', want_ukify)

 #####################################################################
--- a/ruff.toml
+++ b/ruff.toml
@ -1,11 +1,6 @@
-target-version = "py37"
+target-version = "py39"
 line-length = 109
 lint.select = ["E", "F", "I", "UP"]

 [format]
 quote-style = "single"
-
-[per-file-target-version]
-"src/ukify/*.py" = "py39"
-"test/**/integration-test-wrapper.py" = "py39"
-"test/test-udev.py" = "py39"
--- a/rules.d/70-uaccess.rules.in
+++ b/rules.d/70-uaccess.rules.in
@ -47,6 +47,8 @@ SUBSYSTEM=="drm", KERNEL=="card*", TAG+="uaccess"
 {% if GROUP_RENDER_UACCESS %}
 # DRI render nodes
 SUBSYSTEM=="drm", KERNEL=="renderD*", TAG+="uaccess", TAG+="xaccess-render"
+# DRI accel nodes
+SUBSYSTEM=="accel", KERNEL=="accel*", TAG+="uaccess", TAG+="xaccess-accel"
 {% endif %}
 {% if DEV_KVM_UACCESS %}
 # KVM
--- a/src/basic/filesystem-sets.py
+++ b/src/basic/filesystem-sets.py
@ -308,7 +308,7 @@ def generate_fs_in_group():
    print('        switch (fs_group) {')

    for name, _, *filesystems in FILESYSTEM_SETS:
-        magics = sorted(set(sum((NAME_TO_MAGIC[fs] for fs in filesystems), [])))
+        magics = sorted(set(sum((NAME_TO_MAGIC[fs] for fs in filesystems), start=[])))
        enum = 'FILESYSTEM_SET_' + name[1:].upper().replace('-', '_')
        print(f'        case {enum}:')
        opts = '\n                    || '.join(f'F_TYPE_EQUAL(st->f_type, {magic})'
@ -355,7 +355,7 @@ def magic_defines():

 def check():
    kernel_magics = set(magic_defines())
-    our_magics = set(sum(NAME_TO_MAGIC.values(), []))
+    our_magics = set(sum(NAME_TO_MAGIC.values(), start=[]))
    extra = kernel_magics - our_magics
    if extra:
        sys.exit(f"kernel knows additional filesystem magics: {', '.join(sorted(extra))}")
--- a/src/boot/linux.c
+++ b/src/boot/linux.c
@ -275,8 +275,16 @@ EFI_STATUS linux_exec(
                if (h->SizeOfRawData == 0)
                        continue;

+                if (UINT32_MAX - h->VirtualAddress < h->SizeOfRawData)
+                        return log_error_status(EFI_LOAD_ERROR, "Invalid PE section, SizeOfRawData + VirtualAddress, overflows");
                if (h->VirtualAddress + h->SizeOfRawData > kernel_size_in_memory)
                        return log_error_status(EFI_LOAD_ERROR, "Section would write outside of memory");
+                if (h->SizeOfRawData > h->VirtualSize)
+                        return log_error_status(EFI_LOAD_ERROR, "Invalid PE section, raw data size is greater than virtual size");
+                if (UINT32_MAX - h->PointerToRawData < h->SizeOfRawData)
+                        return log_error_status(EFI_LOAD_ERROR, "Invalid PE section, PointerToRawData + SizeOfRawData overflows");
+                if (h->PointerToRawData + h->SizeOfRawData > kernel->iov_len)
+                        return log_error_status(EFI_LOAD_ERROR, "Invalid PE section, raw data extends outside of file");
                memcpy(loaded_kernel + h->VirtualAddress,
                       (const uint8_t*)kernel->iov_base + h->PointerToRawData,
                       h->SizeOfRawData);
--- a/src/core/generate-bpf-delegate-configs.py
+++ b/src/core/generate-bpf-delegate-configs.py
@ -7,7 +7,6 @@

 import re
 import sys
-import typing


 def print_usage_and_exit() -> None:
@ -27,7 +26,7 @@ if output not in ['code', 'doc']:

 with open(header) as file:
    inEnum = False
-    enumValues: typing.List[str] = []
+    enumValues: list[str] = []
    enumName = ''

    if output == 'doc':
@ -68,9 +67,7 @@ with open(header) as file:
                match = re.fullmatch(r'(\w+)\b,', line)
                if match and len(match.groups()) > 0 and not match[1].startswith('__'):
                    enumValues.append(match[1])
-        else:
-            match = re.match(r'^\s*enum\s+bpf_(cmd|map_type|prog_type|attach_type)+\s*{', line)
-            if match:
+        elif match := re.match(r'^\s*enum\s+bpf_(cmd|map_type|prog_type|attach_type)+\s*{', line):
            # Start of a new enum
            inEnum = True
            enumName = 'bpf_delegate_' + match[1]
--- a/src/machine/machine-dbus.c
+++ b/src/machine/machine-dbus.c
@ -373,7 +373,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu
         * do not need to check the caller's uid, as that will be checked by polkit, and if they machine's
         * and the caller's do not match, authorization will be required. It's only the case where the
         * caller owns the machine that will be shortcut and needs to be checked here. */
-        if (m->uid != 0 && m->class != MACHINE_HOST) {
+        if (m->manager->runtime_scope != RUNTIME_SCOPE_USER && m->uid != 0 && m->class != MACHINE_HOST) {
                r = pidref_in_same_namespace(&PIDREF_MAKE_FROM_PID(1), &m->leader, NAMESPACE_USER);
                if (r < 0)
                        return log_debug_errno(
--- a/src/shared/pcrextend-util.c
+++ b/src/shared/pcrextend-util.c
@ -260,7 +260,7 @@ int pcrextend_verity_now(
        if (r < 0)
                return r;

-        _cleanup_free_ sd_varlink *vl = NULL;
+        _cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL;
        r = sd_varlink_connect_address(&vl, "/run/systemd/io.systemd.PCRExtend");
        if (r < 0)
                return r;
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@ -85,7 +85,7 @@

 typedef enum TpmStateMode {
        TPM_STATE_OFF,      /* keep no state around */
-        TPM_STATE_AUTO,     /* keep state around, derive path from image/directory */
+        TPM_STATE_AUTO,     /* keep state around if not ephemeral, derive path from image/directory */
        TPM_STATE_PATH,     /* explicitly specified location */
        _TPM_STATE_MODE_MAX,
        _TPM_STATE_MODE_INVALID = -EINVAL,
@ -2569,7 +2569,7 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {

        _cleanup_free_ char *swtpm = NULL;
        if (arg_tpm != 0) {
-                if (arg_tpm_state_mode == TPM_STATE_AUTO) {
+                if (arg_tpm_state_mode == TPM_STATE_AUTO && !arg_ephemeral) {
                        assert(!arg_tpm_state_path);

                        const char *p = ASSERT_PTR(arg_image ?: arg_directory);
--- a/test/test-udev.py
+++ b/test/test-udev.py
@ -17,6 +17,7 @@
 # removes the device node. After creation and removal the result is checked
 # against the expected value and the result is printed.

+import dataclasses
 import functools
 import os
 import pwd, grp
@ -30,7 +31,6 @@ from pathlib import Path
 from typing import Callable, Optional

 try:
-    import dataclasses  # requires Python >= 3.7
    import pytest
 except ImportError as e:
    print(str(e), file=sys.stderr)
--- a/tools/update-dbus-docs.py
+++ b/tools/update-dbus-docs.py
@ -19,11 +19,6 @@ try:
 except ImportError as e:
    shlex_join = e

-try:
-    from shlex import quote as shlex_quote
-except ImportError as e:
-    shlex_quote = e
-
 class NoCommand(Exception):
    pass

@ -214,9 +209,6 @@ def subst_output(document, programlisting, stats, missing_version):
    interface = programlisting.get('interface')

    argv = [f'{arguments.build_dir}/{executable}', f'--bus-introspect={interface}']
-    if isinstance(shlex_join, Exception):
-        print(f'COMMAND: {" ".join(shlex_quote(arg) for arg in argv)}')
-    else:
    print(f'COMMAND: {shlex_join(argv)}')

    try:
@ -326,7 +318,7 @@ def main():
    global arguments
    arguments = parse_args()

-    for item in (etree, shlex_quote):
+    for item in (etree, shlex_join):
        if isinstance(item, Exception):
            print(item, file=sys.stderr)
            sys.exit(77 if arguments.test else 1)
@ -348,7 +340,7 @@ def main():

    # Let's print all statistics at the end
    mlen = max(len(page) for page in stats)
-    total = sum((item['stats'] for item in stats.values()), collections.Counter())
+    total = sum((item['stats'] for item in stats.values()), start=collections.Counter())
    total = 'total', { "stats" : total, "modified" : False }
    modified = []
    classification = 'OUTDATED' if arguments.test else 'MODIFIED'
Author	SHA1	Message	Date
Daan De Meyer	db1689e69c	machined: Skip root user namespace check for user managers You can register whatever process you want in the user machined instance that is running in the same namespace as pid 1 as machined won't be allowed to do anything privileged anyway that could be dangerous when running as a user instance. We have to skip the check as we user machined instances don't have privileges to inspect pid1's user namespaces.	2026-02-18 19:22:14 +01:00
Lennart Poettering	0b7d5a2844	pcrextend: fix memory leak Follow-up for: #40648 Addresses: https://github.com/systemd/systemd/pull/40648#issuecomment-3917469644	2026-02-18 18:25:08 +01:00
Mario Limonciello (AMD)	e30c044c23	Tag accel devices for uaccess-render accel devices are used for things like NPUs and should be tagged for the logged in user just like GPUs are.	2026-02-18 18:22:00 +01:00
Luca Boccassi	1cd2ff3cca	stub: more hardening against malformed images Avoid issues with malformed images. Reported on various yeswehack.com reports YWH-PGM9780-73 YWH-PGM9780-68 YWH-PGM9780-67 YWH-PGM9780-87	2026-02-18 15:05:44 +00:00
Daan De Meyer	cec9eb5e7e	vmspawn: Don't keep tpmstate around in auto mode if ephemeral	2026-02-18 15:18:58 +01:00
Zbigniew Jędrzejewski-Szmek	ba67af7efb	Bump minimum version of python to 3.9 (#40711 )	2026-02-18 13:33:29 +01:00
Yu Watanabe	ef6c8c79dc	Revert "check-os-release.py compatible with Python < 3.8" This reverts commit ce0a056abc41168e1b45537505ca9f65bf6f5c30.	2026-02-18 18:47:15 +09:00
Yu Watanabe	08719d0e78	Revert "tools: make update-dbus-docs compatible with Python 3.7" This reverts commit 668b3a42fe9e250912bd3efa4460ed691452d9bf. Now we require Python 3.9 or newer.	2026-02-18 18:47:15 +09:00
Yu Watanabe	7ff27c8012	Revert "generate-bpf-delegate-configs: fix compatibility with Python 3.7" This reverts commit dee77ac201741709b2323cae73aeeaff60fd8521. Now we require Python 3.9 or newer.	2026-02-18 18:47:15 +09:00
Yu Watanabe	3aaa9d9882	Revert "meson: fix compatibility with Python 3.7" This reverts commit 2793d6acf063ae8fe506a1684e5a24ce83267e6d. Now we require Python 3.9 or newer.	2026-02-18 18:47:15 +09:00
Jörg Behrmann	761f1ef2f3	Bump minimum version of python to 3.9 This was announced in fd8c62075197e4f4702bb6e4537116a64cb539b7 and every still-supported distributo release provides at least 3.9, as tracked by #38608.	2026-02-18 18:47:15 +09:00
Yu Watanabe	582d499e32	meson: ukify unconditionally requires pefile module Follow-up for 3fc5eed47091363247012454df458e1a3303bf12.	2026-02-18 18:47:15 +09:00