Merge 5aca393303 into c4d7a13c06

man/importctl.xml

@@ -128,8 +128,7 @@
 
         <para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
         a read-only subvolume/directory in the image directory that is named after the specified URL and its
-        HTTP etag (see <ulink url="https://en.wikipedia.org/wiki/HTTP_ETag">HTTP ETag</ulink> for more
-        information). A writable snapshot is then taken from this subvolume, and named after the specified local
+        HTTP etag. A writable snapshot is then taken from this subvolume, and named after the specified local
         name. This behavior ensures that creating multiple instances of the same URL is efficient, as
         multiple downloads are not necessary. In order to create only the read-only image, and avoid creating
         its writable snapshot, specify <literal>-</literal> as local name.</para>

man/pam_systemd_loadkey.xml

@@ -28,9 +28,7 @@
     <title>Description</title>
 
     <para><command>pam_systemd_loadkey</command> reads a NUL-separated password list from the kernel keyring,
-    and sets the last password in the list as the PAM authtok, which can be used by e.g.
-    <citerefentry project='man-pages'><refentrytitle>pam_get_authtok</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
-    </para>
+    and sets the last password in the list as the PAM authtok.</para>
 
     <para>The password list is supposed to be stored in the "user" keyring of the root user,
     by an earlier call to

man/run0.xml

@@ -61,10 +61,7 @@
     <literal>systemd-run0</literal> PAM stack.</para>
 
     <para>Note that <command>run0</command> is implemented as an alternative multi-call invocation of
-    <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>. That is,
-    <command>run0</command> is a symbolic link to <command>systemd-run</command> executable file, and it
-    behaves as <command>run0</command> if it is invoked through the symbolic link, otherwise behaves as
-    <command>systemd-run</command>.</para>
+    <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
   </refsect1>
 
   <refsect1>

man/systemd-rfkill.service.xml

@@ -41,10 +41,8 @@
   <refsect1>
     <title>Kernel Command Line</title>
 
-    <para>
-      <command>systemd-rfkill</command> understands the following kernel command line parameter. See also
-      <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
-    </para>
+    <para><filename>systemd-rfkill</filename> understands the
+    following kernel command line parameter:</para>
 
     <variablelist class='kernel-commandline-options'>
       <varlistentry>

man/systemd-system.conf.xml

@@ -302,7 +302,7 @@
         and running in an initrd equivalent to true, otherwise false. This implements a restricted subset of
         the per-unit setting of the same name, see
         <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
-        details: currently, the <literal>full</literal> or <literal>strict</literal> values are not
+        details: currently, the <literal>full</literal> or <literal>struct</literal> values are not
         supported.</para>
 
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>

man/ukify.xml

@@ -394,9 +394,9 @@
           <listitem><para>SBAT metadata associated with the UKI or addon. SBAT policies are useful to revoke
           whole groups of UKIs or addons with a single, static policy update that does not take space in
           DBX/MOKX. If not specified manually, a default metadata entry consisting of
-          <programlisting>uki,1,UKI,uki,1,https://uapi-group.org/specifications/specs/unified_kernel_image/</programlisting>
+          <literal>uki,1,UKI,uki,1,https://uapi-group.org/specifications/specs/unified_kernel_image/</literal>
           for UKIs and
-          <programlisting>uki-addon,1,UKI Addon,addon,1,https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html</programlisting>
+          <literal>uki-addon,1,UKI Addon,addon,1,https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html</literal>
           for addons will be used, to ensure it is always possible to revoke them. For more information on
           SBAT see <ulink url="https://github.com/rhboot/shim/blob/main/SBAT.md">Shim documentation</ulink>.
           </para>

src/basic/fileio.c

@@ -289,8 +289,7 @@ int write_string_file_full(
                 const char *fn,
                 const char *line,
                 WriteStringFileFlags flags,
-                const struct timespec *ts,
-                const char *label_fn) {
+                const struct timespec *ts) {
 
         bool call_label_ops_post = false, made_file = false;
         _cleanup_fclose_ FILE *f = NULL;
@@ -322,8 +321,7 @@ int write_string_file_full(
         mode_t mode = write_string_file_flags_to_mode(flags);
 
         if (FLAGS_SET(flags, WRITE_STRING_FILE_LABEL|WRITE_STRING_FILE_CREATE)) {
-                const char *lookup = label_fn ? label_fn : fn;
-                r = label_ops_pre(dir_fd, lookup, mode);
+                r = label_ops_pre(dir_fd, fn, mode);
                 if (r < 0)
                         goto fail;
 

src/basic/fileio.h

@@ -51,13 +51,12 @@ int write_string_stream_full(FILE *f, const char *line, WriteStringFileFlags fla
 static inline int write_string_stream(FILE *f, const char *line, WriteStringFileFlags flags) {
         return write_string_stream_full(f, line, flags, /* ts= */ NULL);
 }
-
-int write_string_file_full(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags, const struct timespec *ts, const char *label_fn);
+int write_string_file_full(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags, const struct timespec *ts);
 static inline int write_string_file(const char *fn, const char *line, WriteStringFileFlags flags) {
-        return write_string_file_full(AT_FDCWD, fn, line, flags, /* ts= */ NULL, /*label_fn=*/ NULL);
+        return write_string_file_full(AT_FDCWD, fn, line, flags, /* ts= */ NULL);
 }
 static inline int write_string_file_at(int dir_fd, const char *fn, const char *line, WriteStringFileFlags flags) {
-        return write_string_file_full(dir_fd, fn, line, flags, /* ts= */ NULL, /*label_fn=*/ NULL);
+        return write_string_file_full(dir_fd, fn, line, flags, /* ts= */ NULL);
 }
 int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4);
 

src/libsystemd/sd-varlink/sd-varlink.c

@@ -1698,8 +1698,7 @@ _public_ int sd_varlink_get_events(sd_varlink *v) {
                 ret |= EPOLLIN;
 
         if (!v->write_disconnected &&
-            (v->output_queue ||
-             v->output_buffer_size > 0))
+            v->output_buffer_size > 0)
                 ret |= EPOLLOUT;
 
         return ret;

src/sysext/sysext.c

@@ -1,6 +1,5 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
-#include <errno.h>
 #include <fcntl.h>
 #include <getopt.h>
 #include <linux/loop.h>
@@ -46,7 +45,6 @@
 #include "process-util.h"
 #include "rm-rf.h"
 #include "sort-util.h"
-#include "selinux-util.h"
 #include "string-table.h"
 #include "string-util.h"
 #include "terminal-util.h"
@@ -901,7 +899,6 @@ static int resolve_mutable_directory(
         _cleanup_free_ char *path = NULL, *resolved_path = NULL, *dir_name = NULL;
         const char *root = arg_root, *base = MUTABLE_EXTENSIONS_BASE_DIR;
         int r;
-        _cleanup_close_ int atfd = -EBADF;
 
         assert(hierarchy);
         assert(ret_resolved_mutable_directory);
@@ -946,14 +943,6 @@ static int resolve_mutable_directory(
                 r = mkdir_p(path_in_root, 0700);
                 if (r < 0)
                         return log_error_errno(r, "Failed to create a directory '%s': %m", path_in_root);
-
-                atfd = open(path_in_root, O_DIRECTORY|O_CLOEXEC);
-                if (atfd < 0)
-                        return log_error_errno(errno, "Failed to open directory '%s': %m", path_in_root);
-
-                r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", path_in_root);
         }
 
         r = chase(path, root, CHASE_PREFIX_ROOT, &resolved_path, NULL);
@@ -1300,7 +1289,6 @@ static int mount_overlayfs_with_op(
 
         int r;
         const char *top_layer = NULL;
-        _cleanup_close_ int atfd = -EBADF;
 
         assert(op);
         assert(overlay_path);
@@ -1313,28 +1301,10 @@ static int mount_overlayfs_with_op(
         if (r < 0)
                 return log_error_errno(r, "Failed to make directory '%s': %m", meta_path);
 
-        atfd = open(meta_path, O_DIRECTORY|O_CLOEXEC);
-        if (atfd < 0)
-                return log_error_errno(errno, "Failed to open directory '%s': %m", meta_path);
-
-        r = mac_selinux_fix_full(atfd, NULL, op->hierarchy, 0);
-        if (r < 0)
-                return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", meta_path);
-
         if (op->upper_dir && op->work_dir) {
                 r = mkdir_p(op->work_dir, 0700);
                 if (r < 0)
                         return log_error_errno(r, "Failed to make directory '%s': %m", op->work_dir);
-                _cleanup_close_ int dfd = -EBADF;
-
-                dfd = open(op->work_dir, O_DIRECTORY|O_CLOEXEC);
-                if (dfd < 0)
-                        return log_error_errno(errno, "Failed to open directory '%s': %m", op->work_dir);
-
-                r = mac_selinux_fix_full(dfd, NULL, op->hierarchy, 0);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", op->work_dir);
-
                 top_layer = op->upper_dir;
         } else {
                 assert(!strv_isempty(op->lower_dirs));
@@ -1355,7 +1325,7 @@ static int mount_overlayfs_with_op(
         return 0;
 }
 
-static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path, const char *hierarchy) {
+static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path) {
         _cleanup_free_ char *f = NULL, *buf = NULL;
         int r;
 
@@ -1373,15 +1343,14 @@ static int write_extensions_file(ImageClass image_class, char **extensions, cons
         if (!buf)
                 return log_oom();
 
-        const char *hierarchy_path = path_join(hierarchy, image_class_info[image_class].dot_directory_name, image_class_info[image_class].short_identifier_plural);
-        r = write_string_file_full(AT_FDCWD,f, buf, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755|WRITE_STRING_FILE_LABEL, NULL, hierarchy_path);
+        r = write_string_file(f, buf, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755);
         if (r < 0)
                 return log_error_errno(r, "Failed to write extension meta file '%s': %m", f);
 
         return 0;
 }
 
-static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path, const char *hierarchy) {
+static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path) {
         _cleanup_free_ char *f = NULL;
         struct stat st;
         int r;
@@ -1403,15 +1372,14 @@ static int write_dev_file(ImageClass image_class, const char *meta_path, const c
         /* Modifying the underlying layers while the overlayfs is mounted is technically undefined, but at
          * least it won't crash or deadlock, as per the kernel docs about overlayfs:
          * https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html#changes-to-underlying-filesystems */
-        const char *hierarchy_path = path_join(hierarchy, image_class_info[image_class].dot_directory_name, image_class_info[image_class].short_identifier_plural);
-        r = write_string_file_full(AT_FDCWD, f, FORMAT_DEVNUM(st.st_dev), WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_LABEL, NULL, hierarchy_path);
+        r = write_string_file(f, FORMAT_DEVNUM(st.st_dev), WRITE_STRING_FILE_CREATE);
         if (r < 0)
                 return log_error_errno(r, "Failed to write '%s': %m", f);
 
         return 0;
 }
 
-static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir, const char* hierarchy) {
+static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir) {
         _cleanup_free_ char *escaped_work_dir_in_root = NULL, *f = NULL;
         char *work_dir_in_root = NULL;
         int r;
@@ -1438,8 +1406,7 @@ static int write_work_dir_file(ImageClass image_class, const char *meta_path, co
         escaped_work_dir_in_root = cescape(work_dir_in_root);
         if (!escaped_work_dir_in_root)
                 return log_oom();
-        const char *hierarchy_path = path_join(hierarchy, image_class_info[image_class].dot_directory_name, "work_dir");
-        r = write_string_file_full(AT_FDCWD, f, escaped_work_dir_in_root, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_LABEL, NULL, hierarchy_path);
+        r = write_string_file(f, escaped_work_dir_in_root, WRITE_STRING_FILE_CREATE);
         if (r < 0)
                 return log_error_errno(r, "Failed to write '%s': %m", f);
 
@@ -1451,10 +1418,8 @@ static int store_info_in_meta(
                 char **extensions,
                 const char *meta_path,
                 const char *overlay_path,
-                const char *work_dir,
-                const char *hierarchy) {
-        _cleanup_free_ char *f = NULL;
-        _cleanup_close_ int atfd = -EBADF;
+                const char *work_dir) {
+
         int r;
 
         assert(extensions);
@@ -1462,32 +1427,15 @@ static int store_info_in_meta(
         assert(overlay_path);
         /* work_dir may be NULL */
 
-        f = path_join(meta_path, image_class_info[image_class].dot_directory_name);
-        if (!f)
-                return log_oom();
-
-        r = mkdir_p(f, 0755);
+        r = write_extensions_file(image_class, extensions, meta_path);
         if (r < 0)
                 return r;
 
-        atfd = open(f, O_DIRECTORY|O_CLOEXEC);
-        if (atfd < 0)
-                return log_error_errno(errno, "Failed to open directory '%s': %m", f);
-
-        r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
-
-        if (r < 0)
-                return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", hierarchy);
-
-        r = write_extensions_file(image_class, extensions, meta_path, hierarchy);
+        r = write_dev_file(image_class, meta_path, overlay_path);
         if (r < 0)
                 return r;
 
-        r = write_dev_file(image_class, meta_path, overlay_path, hierarchy);
-        if (r < 0)
-                return r;
-
-        r = write_work_dir_file(image_class, meta_path, work_dir, hierarchy);
+        r = write_work_dir_file(image_class, meta_path, work_dir);
         if (r < 0)
                 return r;
 
@@ -1553,8 +1501,6 @@ static int merge_hierarchy(
         assert(overlay_path);
         assert(workspace_path);
 
-        mac_selinux_init();
-
         r = determine_used_extensions(hierarchy, paths, &used_paths, &extensions_used);
         if (r < 0)
                 return r;
@@ -1582,7 +1528,7 @@ static int merge_hierarchy(
         if (r < 0)
                 return r;
 
-        r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir, op->hierarchy);
+        r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir);
         if (r < 0)
                 return r;
 

src/update-done/update-done.c

@@ -29,7 +29,7 @@ static int apply_timestamp(const char *path, struct timespec *ts) {
                      timespec_load_nsec(ts)) < 0)
                 return log_oom();
 
-        r = write_string_file_full(AT_FDCWD, path, message, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC|WRITE_STRING_FILE_LABEL, ts, NULL);
+        r = write_string_file_full(AT_FDCWD, path, message, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC|WRITE_STRING_FILE_LABEL, ts);
         if (r == -EROFS)
                 log_debug_errno(r, "Cannot create \"%s\", file system is read-only.", path);
         else if (r < 0)

test/units/TEST-13-NSPAWN.machined.sh

@@ -22,11 +22,6 @@ trap at_exit EXIT
 
 systemctl service-log-level systemd-machined debug
 systemctl service-log-level systemd-importd debug
-# per request in https://github.com/systemd/systemd/pull/35117
-systemctl edit --runtime --stdin 'systemd-nspawn@.service' --drop-in=debug.conf <<EOF
-[Service]
-Environment=SYSTEMD_LOG_LEVEL=debug
-EOF
 
 # Mount temporary directory over /var/lib/machines to not pollute the image
 mkdir -p /var/lib/machines
@@ -283,13 +278,13 @@ varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List
 # sending TRAP signal
 rm -f /var/lib/machines/long-running/trap
 varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Kill '{"name":"long-running", "whom": "leader", "signal": 5}'
-timeout 120 bash -c "until test -e /var/lib/machines/long-running/trap; do sleep .5; done"
+timeout 30 bash -c "until test -e /var/lib/machines/long-running/trap; do sleep .5; done"
 
 # test io.systemd.Machine.Terminate
 long_running_machine_start
 rm -f /var/lib/machines/long-running/terminate
 varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Terminate '{"name":"long-running"}'
-timeout 30 bash -c "until test -e /var/lib/machines/long-running/terminate; do sleep .5; done"
+timeout 10 bash -c "until test -e /var/lib/machines/long-running/terminate; do sleep .5; done"
 timeout 30 bash -c "while varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List '{\"name\":\"long-running\"}'; do sleep 0.5; done"
 
 # test io.systemd.Machine.Register
@@ -361,7 +356,7 @@ journalctl --sync
 machinectl terminate container-without-os-release
 machinectl terminate long-running
 # wait for the container being stopped, otherwise acquiring image metadata by io.systemd.MachineImage.List may fail in the below.
-timeout 30 bash -c "while machinectl status long-running &>/dev/null; do sleep .5; done"
+timeout 10 bash -c "while machinectl status long-running &>/dev/null; do sleep .5; done"
 systemctl kill --signal=KILL systemd-nspawn@long-running.service || :
 
 (ip addr show lo | grep -q 192.168.1.100) || ip address add 192.168.1.100/24 dev lo