hwdb: fix unstable button triggering on Mipad 2 under GNOME (#40071 )

Change unknown key mappings to reserved. A KEY_RESERVED button is marked as reserved and passed to the kernel. This will stop the kernel from passing this keystroke event to user space. If unknown, the key is set to KEY_UNKNOWN and the event is passed to user space, which we want to avoid.
meson: fix BPF build warnings due to MS extensions
2026-03-25 08:14:54 +01:00 · 2025-12-17 13:26:47 +00:00 · 2025-12-17 12:58:33 +00:00 · 2025-12-17 11:56:52 +01:00 · 2025-12-17 18:41:59 +09:00 · 2025-12-17 18:41:23 +09:00
13 changed files with 64 additions and 30 deletions
--- a/hwdb.d/60-keyboard.hwdb
+++ b/hwdb.d/60-keyboard.hwdb
@ -2132,8 +2132,8 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnINET:pnP325J:*
 # Home: LeftCtrl + Esc -> LeftMeta  (ignore LeftCtrl, map Esc to LeftMeta)
 # Back: Backspace      -> back      (map backspace to back)
 evdev:name:FTSC1000:00 2808:509C Keyboard:dmi:*:svnXiaomiInc:pnMipad2:*
- KEYBOARD_KEY_700e0=unknown                             # LeftCtrl -> ignore
+ KEYBOARD_KEY_700e0=reserved                            # LeftCtrl -> ignore
- KEYBOARD_KEY_700e3=unknown                             # LeftMeta -> ignore
+ KEYBOARD_KEY_700e3=reserved                            # LeftMeta -> ignore
 KEYBOARD_KEY_70016=menu                                # S -> menu
 KEYBOARD_KEY_70029=leftmeta                            # Esc -> LeftMeta (Windows key / Win8 tablets home)
 KEYBOARD_KEY_7002a=back                                # Backspace -> back
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@ -3195,10 +3195,11 @@ SystemCallErrorNumber=EPERM</programlisting>
        ignored; both the backslash and the following character are preserved verbatim. Leading and trailing
        whitespace outside of the double quotes is discarded.</para>
-        <para>The argument passed should be an absolute filename or wildcard expression, optionally prefixed with
+        <para>The argument passed should be an absolute filename or wildcard expression. If the file does not
-        <literal>-</literal>, which indicates that if the file does not exist, it will not be read and no error or
+        exist, cannot be read, or contains invalid content, the service will fail to start. To make the file
-        warning message is logged. This option may be specified more than once in which case all specified files are
+        optional, prefix the path with <literal>-</literal>, which causes all errors related to the file to be
-        read. If the empty string is assigned to this option, the list of file to read is reset, all prior assignments
+        silently ignored. This option may be specified more than once in which case all specified files are read.
        If the empty string is assigned to this option, the list of files to read is reset, all prior assignments
        have no effect.</para>
        <para>The files listed with this directive will be read shortly before the process is executed (more
--- a/meson.build
+++ b/meson.build
@ -1746,6 +1746,8 @@ if conf.get('BPF_FRAMEWORK') == 1
        bpf_clang_flags = [
                '-std=gnu17',
                '-Wno-compare-distinct-pointer-types',
                '-Wno-microsoft-anon-tag',
                '-fms-extensions',
                '-fno-stack-protector',
                '-O2',
                '-target',
@ -1756,6 +1758,7 @@ if conf.get('BPF_FRAMEWORK') == 1
        bpf_gcc_flags = [
                '-std=gnu17',
                '-fms-extensions',
                '-fno-stack-protector',
                '-fno-ssa-phiopt',
                '-O2',
--- a/src/basic/basic-forward.h
+++ b/src/basic/basic-forward.h
@ -86,6 +86,7 @@ typedef enum CGroupFlags CGroupFlags;
 typedef enum CGroupMask CGroupMask;
 typedef enum ChaseFlags ChaseFlags;
 typedef enum ExtractFlags ExtractFlags;
 typedef enum ForkFlags ForkFlags;
 typedef enum Glyph Glyph;
 typedef enum ImageClass ImageClass;
 typedef enum JobMode JobMode;
--- a/src/basic/namespace-util.c
+++ b/src/basic/namespace-util.c
@ -8,6 +8,7 @@
 #include <sys/mount.h>
 #include <unistd.h>
 #include "dlfcn-util.h"
 #include "errno-util.h"
 #include "fd-util.h"
 #include "fileio.h"
@ -217,6 +218,9 @@ int namespace_open(
 int namespace_enter(int pidns_fd, int mntns_fd, int netns_fd, int userns_fd, int root_fd) {
        int r;
        /* Block dlopen() now, to avoid us inadvertently loading shared library from another namespace */
        block_dlopen();
        if (userns_fd >= 0) {
                /* Can't setns to your own userns, since then you could escalate from non-root to root in
                 * your own namespace, so check if namespaces are equal before attempting to enter. */
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@ -1703,6 +1703,7 @@ int pidref_safe_fork_full(
         * foreign environment. Note that this has no effect on NSS! (i.e. it only has effect on uses of our
         * dlopen_safe(), which we use comprehensively in our codebase, but glibc NSS doesn't bother, of
         * course.) */
        if (!FLAGS_SET(flags, FORK_ALLOW_DLOPEN))
                block_dlopen();
        if (flags & (FORK_DEATHSIG_SIGTERM|FORK_DEATHSIG_SIGINT|FORK_DEATHSIG_SIGKILL))
@ -1906,6 +1907,7 @@ int namespace_fork(
        /* This is much like safe_fork(), but forks twice, and joins the specified namespaces in the middle
         * process. This ensures that we are fully a member of the destination namespace, with pidns an all, so that
         * /proc/self/fd works correctly. */
        assert(!FLAGS_SET(flags, FORK_ALLOW_DLOPEN)); /* never allow loading shared library from another ns */
        r = safe_fork_full(outer_name,
                           NULL,
--- a/src/basic/process-util.h
+++ b/src/basic/process-util.h
@ -187,8 +187,9 @@ typedef enum ForkFlags {
        FORK_NEW_NETNS          = 1 << 20, /* Run child in its own network namespace                             💣 DO NOT USE IN THREADED PROGRAMS! 💣 */
        FORK_NEW_PIDNS          = 1 << 21, /* Run child in its own PID namespace                                 💣 DO NOT USE IN THREADED PROGRAMS! 💣 */
        FORK_FREEZE             = 1 << 22, /* Don't return in child, just call freeze() instead */
        FORK_ALLOW_DLOPEN       = 1 << 23, /* Do not block dlopen() in child */
-        _FORK_PID_ONLY          = 1 << 23, /* Don't open a pidfd referencing the child process */
+        _FORK_PID_ONLY          = 1 << 24, /* Don't open a pidfd referencing the child process */
 } ForkFlags;
 int pidref_safe_fork_full(
--- a/src/boot/stub.c
+++ b/src/boot/stub.c
@ -627,16 +627,19 @@ static EFI_STATUS load_addons(
                        return log_error_status(err, "Failed to find protocol in %ls: %m", items[i]);
                err = pe_memory_locate_sections(loaded_addon->ImageBase, unified_sections, sections);
-                if (err != EFI_SUCCESS ||
+                if (err != EFI_SUCCESS) {
-                    (!PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_CMDLINE) &&
+                        log_error_status(err,
                                         "Unable to locate embedded .cmdline/.dtb/.dtbauto/.initrd/.ucode sections in %ls, ignoring: %m",
                                         items[i]);
                        continue;
                }
                if (!PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_CMDLINE) &&
                    !PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_DTB) &&
                    !PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_DTBAUTO) &&
                    !PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_INITRD) &&
-                     !PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_UCODE))) {
+                    !PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_UCODE)) {
-                        if (err == EFI_SUCCESS)
+                        log_debug("No applicable .cmdline/.dtb/.dtbauto/.initrd/.ucode sections found in %ls, ignoring.",
                                err = EFI_NOT_FOUND;
                        log_error_status(err,
                                         "Unable to locate embedded .cmdline/.dtb/.dtbauto/.initrd/.ucode sections in %ls, ignoring: %m",
                                  items[i]);
                        continue;
                }
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@ -13,6 +13,7 @@
 #include "base-filesystem.h"
 #include "bitfield.h"
 #include "chase.h"
 #include "cryptsetup-util.h"
 #include "dev-setup.h"
 #include "devnum-util.h"
 #include "dissect-image.h"
@ -3852,6 +3853,8 @@ int refresh_extensions_in_namespace(
        if (r > 0)
                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Target namespace is not separate, cannot reload extensions");
        (void) dlopen_cryptsetup();
        extension_dir = path_join(p->private_namespace_dir, "unit-extensions");
        if (!extension_dir)
                return log_oom_debug();
--- a/src/core/service.c
+++ b/src/core/service.c
@ -14,7 +14,6 @@
 #include "bus-error.h"
 #include "bus-util.h"
 #include "chase.h"
 #include "cryptsetup-util.h"
 #include "dbus-service.h"
 #include "dbus-unit.h"
 #include "devnum-util.h"
@ -2882,7 +2881,9 @@ static void service_enter_refresh_extensions(Service *s) {
        /* Given we are running from PID1, avoid doing potentially heavy I/O operations like opening images
         * directly, and instead fork a worker process. */
-        r = unit_fork_helper_process(UNIT(s), "(sd-refresh-extensions)", /* into_cgroup= */ false, &worker);
+        r = unit_fork_helper_process_full(UNIT(s), "(sd-refresh-extensions)", /* into_cgroup= */ false,
                                          FORK_ALLOW_DLOPEN, /* permit dlopen() to avoid load of libcryptsetup in pid1 */
                                          &worker);
        if (r < 0) {
                log_unit_error_errno(UNIT(s), r, "Failed to fork process to refresh extensions in unit's namespace: %m");
                goto fail;
@ -5562,8 +5563,6 @@ static int service_live_mount(
                                u->id);
        }
        (void) dlopen_cryptsetup();
        service_unwatch_control_pid(s);
        s->live_mount_result = SERVICE_SUCCESS;
        s->control_command = NULL;
@ -5584,7 +5583,9 @@ static int service_live_mount(
         * directly, and instead fork a worker process. We record the D-Bus message, so that we can reply
         * after the operation has finished. This way callers can wait on the message and know that the new
         * resource is available (or the operation failed) once they receive the response. */
-        r = unit_fork_helper_process(u, "(sd-mount-in-ns)", /* into_cgroup= */ false, &worker);
+        r = unit_fork_helper_process_full(u, "(sd-mount-in-ns)", /* into_cgroup= */ false,
                                          FORK_ALLOW_DLOPEN,
                                          &worker);
        if (r < 0) {
                log_unit_error_errno(u, r,
                                     "Failed to fork process to mount '%s' on '%s' in unit's namespace: %m",
--- a/src/core/unit.c
+++ b/src/core/unit.c
@ -5539,12 +5539,13 @@ int unit_set_exec_params(Unit *u, ExecParameters *p) {
        return 0;
 }
-int unit_fork_helper_process(Unit *u, const char *name, bool into_cgroup, PidRef *ret) {
+int unit_fork_helper_process_full(Unit *u, const char *name, bool into_cgroup, ForkFlags flags, PidRef *ret) {
        CGroupRuntime *crt = NULL;
        pid_t pid;
        int r;
        assert(u);
        assert((flags & (FORK_RESET_SIGNALS|FORK_DETACH|FORK_WAIT)) == 0); /* these don't really make sense for manager */
        assert(ret);
        /* Forks off a helper process and makes sure it is a member of the unit's cgroup, if configured to
@ -5559,7 +5560,7 @@ int unit_fork_helper_process(Unit *u, const char *name, bool into_cgroup, PidRef
                crt = unit_get_cgroup_runtime(u);
        }
-        r = safe_fork(name, FORK_REOPEN_LOG|FORK_DEATHSIG_SIGTERM, &pid);
+        r = safe_fork(name, FORK_REOPEN_LOG|FORK_DEATHSIG_SIGTERM|flags, &pid);
        if (r < 0)
                return r;
        if (r > 0) {
@ -5592,6 +5593,10 @@ int unit_fork_helper_process(Unit *u, const char *name, bool into_cgroup, PidRef
        return 0;
 }
 int unit_fork_helper_process(Unit *u, const char *name, bool into_cgroup, PidRef *ret) {
        return unit_fork_helper_process_full(u, name, into_cgroup, /* flags = */ 0, ret);
 }
 int unit_fork_and_watch_rm_rf(Unit *u, char **paths, PidRef *ret_pid) {
        _cleanup_(pidref_done) PidRef pid = PIDREF_NULL;
        int r;
--- a/src/core/unit.h
+++ b/src/core/unit.h
@ -1005,6 +1005,7 @@ int unit_acquire_invocation_id(Unit *u);
 int unit_set_exec_params(Unit *u, ExecParameters *p);
 int unit_fork_helper_process_full(Unit *u, const char *name, bool into_cgroup, ForkFlags flags, PidRef *ret);
 int unit_fork_helper_process(Unit *u, const char *name, bool into_cgroup, PidRef *ret);
 int unit_fork_and_watch_rm_rf(Unit *u, char **paths, PidRef *ret);
--- a/test/integration-tests/TEST-80-NOTIFYACCESS/TEST-80-NOTIFYACCESS.units/reload-timeout.sh
+++ b/test/integration-tests/TEST-80-NOTIFYACCESS/TEST-80-NOTIFYACCESS.units/reload-timeout.sh
@ -12,8 +12,20 @@ sync_in() {
 }
 wait_for_signal() {
    local notify="${1:?}"
    local p
    sleep infinity &
-    wait "$!" || :
+    p=$!
    # Notify readiness after 'sleep' is running to avoid race
    # condition where the SIGHUP is sent before 'sleep' is ready to
    # receive it and we get stuck
    if [ "$notify" -eq 1 ]; then
        systemd-notify --ready
    fi
    wait "$p" || :
 }
 sighup_handler() {
@ -24,17 +36,14 @@ trap sighup_handler SIGHUP
 export SYSTEMD_LOG_LEVEL=debug
-systemd-notify --ready
+wait_for_signal 1
 wait_for_signal
 systemd-notify --reloading
-wait_for_signal
+wait_for_signal 0
 systemd-notify --reloading
 sync_in ready
 systemd-notify --ready
-wait_for_signal
+wait_for_signal 1
 systemd-notify --reloading --ready
 exec sleep infinity
Author	SHA1	Message	Date
QuickSwift315490	f9425092c6	hwdb: fix unstable button triggering on Mipad 2 under GNOME (#40071 ) Change unknown key mappings to reserved. A KEY_RESERVED button is marked as reserved and passed to the kernel. This will stop the kernel from passing this keystroke event to user space. If unknown, the key is set to KEY_UNKNOWN and the event is passed to user space, which we want to avoid.	2025-12-17 13:26:47 +00:00
Haiyue Wang	568fe0294d	meson: fix BPF build warnings due to MS extensions Fix BPF program build warnings on Linux-6.19.0-rc1, more detail is [1]: A). clang-bpf [781/2458] Generating src/network/bpf/sysctl-monitor/sysctl-monitor.bpf.unstripped.o with a custom command In file included from ../src/network/bpf/sysctl-monitor/sysctl-monitor.bpf.c:3: ./vmlinux.h:60263:3: warning: declaration does not declare anything [-Wmissing-declarations] 60263 \| struct ns_tree; \| ^~~~~~~~~~~~~~ ./vmlinux.h:80251:2: warning: declaration does not declare anything [-Wmissing-declarations] 80251 \| struct __fs_path; \| ^~~~~~~~~~~~~~~~ ./vmlinux.h:96184:2: warning: declaration does not declare anything [-Wmissing-declarations] 96184 \| struct freelist_tid; \| ^~~~~~~~~~~~~~~~~~~ ./vmlinux.h:114441:2: warning: declaration does not declare anything [-Wmissing-declarations] 114441 \| struct renamedata; \| ^~~~~~~~~~~~~~~~~ ./vmlinux.h:118480:2: warning: declaration does not declare anything [-Wmissing-declarations] 118480 \| union pipe_index; \| ^~~~~~~~~~~~~~~~ ./vmlinux.h:130452:4: warning: declaration does not declare anything [-Wmissing-declarations] 130452 \| struct freelist_counters; \| ^~~~~~~~~~~~~~~~~~~~~~~~ 6 warnings generated. B). gcc-bpf meson setup -Dbpf-compiler=gcc build [1040/2458] Generating src/network/bpf/sysctl-monitor/sysctl-monitor.bpf.unstripped.o with a custom command In file included from ../src/network/bpf/sysctl-monitor/sysctl-monitor.bpf.c:3: ./vmlinux.h:60263:31: warning: declaration does not declare anything 60263 \| struct ns_tree; \| ^ ./vmlinux.h:80251:25: warning: declaration does not declare anything 80251 \| struct __fs_path; \| ^ ./vmlinux.h:96184:28: warning: declaration does not declare anything 96184 \| struct freelist_tid; \| ^ ./vmlinux.h:114441:26: warning: declaration does not declare anything 114441 \| struct renamedata; \| ^ ./vmlinux.h:118480:25: warning: declaration does not declare anything 118480 \| union pipe_index; \| ^ ./vmlinux.h:130452:49: warning: declaration does not declare anything 130452 \| struct freelist_counters; \| ^ [1] https://git.kernel.org/torvalds/c/639f58a0f480 "bpftool: Fix build warnings due to MS extensions" Signed-off-by: Haiyue Wang <haiyuewa@163.com>	2025-12-17 12:58:33 +00:00
Andrew Halaney	0927356f8e	man/systemd.exec: Make EnvironmentFile error conditions more explicit It is not entirely clear what happens when EnvironmentFile fails in the prior wording. With the new wording it should now be clear that if it fails to process the file the service will fail, and if it is prefixed with "-" all errors are silently ignored. Signed-off-by: Andrew Halaney <ahalaney@netflix.com>	2025-12-17 11:56:52 +01:00
Luca Boccassi	8fba2ed258	test: fix race condition in TEST-80-NOTIFYACCESS In some cases systemd is faster to send the SIGHUP than the script is to start the 'sleep' and background it, so it never gets interrupted later and the test is left hanging waiting for it. [ 5028.410588] systemd[1]: Starting reload-timeout.service... [ 5028.429544] reload-timeout.sh[165]: + set -o pipefail [ 5028.429544] reload-timeout.sh[165]: + COUNTER=0 [ 5028.429841] reload-timeout.sh[165]: + trap sighup_handler SIGHUP [ 5028.429841] reload-timeout.sh[165]: + export SYSTEMD_LOG_LEVEL=debug [ 5028.429841] reload-timeout.sh[165]: + SYSTEMD_LOG_LEVEL=debug [ 5028.429841] reload-timeout.sh[165]: + systemd-notify --ready [ 5028.432891] systemd[1]: reload-timeout.service: Got notification message from PID 165: READY=1 [ 5028.432908] systemd[1]: reload-timeout.service: Changed start -> running [ 5028.432983] systemd[1]: reload-timeout.service: Job 409 reload-timeout.service/start finished, result=done [ 5028.432997] systemd[1]: Started reload-timeout.service. [ 5028.433941] TEST-80-NOTIFYACCESS.sh[164]: Job for reload-timeout.service finished. [ 5028.433941] TEST-80-NOTIFYACCESS.sh[164]: Got result done/Success for job reload-timeout.service. [ 5028.433941] TEST-80-NOTIFYACCESS.sh[164]: Bus n/a: changing state RUNNING → CLOSED [ 5028.436949] TEST-80-NOTIFYACCESS.sh[99]: + systemctl reload --no-block reload-timeout.service [ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: Bus n/a: changing state UNSET → OPENING [ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: sd-bus: starting bus by connecting to /run/systemd/private... [ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: Bus n/a: changing state OPENING → AUTHENTICATING [ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: Executing dbus call org.freedesktop.systemd1.Manager ReloadUnit(reload-timeout.service, replace) [ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: Bus n/a: changing state AUTHENTICATING → RUNNING [ 5028.445202] reload-timeout.sh[165]: + wait_for_signal [ 5028.445586] reload-timeout.sh[169]: + sleep infinity [ 5028.447285] reload-timeout.sh[165]: ++ sighup_handler [ 5028.447285] reload-timeout.sh[165]: ++ echo hup1 [ 5028.444886] systemd[1]: reload-timeout.service: Trying to enqueue job reload-timeout.service/reload/replace [ 5028.445228] systemd[1]: reload-timeout.service: Installed new job reload-timeout.service/reload as 491 [ 5028.445240] systemd[1]: reload-timeout.service: Enqueued job reload-timeout.service/reload as 491 [ 5028.446601] systemd[1]: reload-timeout.service: Service has no extensions to reload. [ 5028.446799] systemd[1]: reload-timeout.service: Changed running -> reload-signal [ 5028.446881] systemd[1]: Reloading reload-timeout.service... [ 5028.451343] TEST-80-NOTIFYACCESS.sh[167]: Bus n/a: changing state RUNNING → CLOSED [ 5028.452421] TEST-80-NOTIFYACCESS.sh[99]: + timeout 10 bash -c 'until [[ $(systemctl show reload-timeout.service -P SubState) == "reload-signal" ]]; do sleep .5; done' [ 5028.460676] TEST-80-NOTIFYACCESS.sh[172]: Bus n/a: changing state UNSET → OPENING [ 5028.460676] TEST-80-NOTIFYACCESS.sh[172]: sd-bus: starting bus by connecting to /run/systemd/private... [ 5028.462029] TEST-80-NOTIFYACCESS.sh[172]: Bus n/a: changing state OPENING → AUTHENTICATING [ 5028.462029] TEST-80-NOTIFYACCESS.sh[172]: Showing one /org/freedesktop/systemd1/unit/reload_2dtimeout_2eservice [ 5028.463759] TEST-80-NOTIFYACCESS.sh[172]: Bus n/a: changing state AUTHENTICATING → RUNNING [ 5028.470322] TEST-80-NOTIFYACCESS.sh[172]: Bus n/a: changing state RUNNING → CLOSED [ 5028.472991] TEST-80-NOTIFYACCESS.sh[99]: + sync_in hup1 [ 5028.472991] TEST-80-NOTIFYACCESS.sh[99]: + read -r x [ 5028.473839] reload-timeout.sh[165]: + wait 169 [ 5028.473996] TEST-80-NOTIFYACCESS.sh[99]: + test hup1 = hup1 [ 5028.473996] TEST-80-NOTIFYACCESS.sh[99]: + timeout 10 bash -c 'until [[ $(systemctl show reload-timeout.service -P SubState) == "reload-notify" ]]; do sleep .5; done' [ 5038.477383] systemd[1]: TEST-80-NOTIFYACCESS.service: Failed with result 'exit-code'. (note how the 'wait' is long after SIGHUP has been processed already) Fixes https://github.com/systemd/systemd/issues/39581 Follow-up for ca8658120e1c9993bc05aa08dac2c74e618c2118	2025-12-17 18:41:59 +09:00
Yu Watanabe	b6abe84602	core: fix extensions refreshing (dlopen() shenanigans) (#40112 )	2025-12-17 18:41:23 +09:00
Vivian Wang	2e8985113b	stub: Use log_debug if addons has no applicable sections This can happen expectedly if an addon purely provides .dtbauto sections, and there's no match for this machine. Reduce the log message of this case to "debug" level.	2025-12-17 18:37:49 +09:00
Mike Yuan	4d136f1462	core: dlopen() libcryptsetup in extensions refreshing Follow-up for a08f2ea02dc4fcbd7f2f73a5a24e0af32b34fe55 This fixes extensions refreshing + verity-protected DDIs. TEST-50-DISSECT previously passed because confext refreshing is tested after live mount, the latter of which used to load libcryptsetup in pid1.	2025-12-16 22:11:45 +01:00
Mike Yuan	12df39fadf	core/service: defer cryptsetup dlopen to helper process This should still be safe, as we block dlopen() in namespace_fork(). Partially reverts 9252e26f4cbf92428cab595045716fee783f375e.	2025-12-16 21:57:37 +01:00
Mike Yuan	8f397d5922	core/unit: add unit_fork_helper_process_full() that takes ForkFlags	2025-12-16 21:30:36 +01:00
Mike Yuan	29a823b3b6	process-util: add a flag for retaining dlopen()-ability While blocking dlopen() in child generally makes sense, it does also lead to misery - in the very case of extension/cred refreshing it then enforces loading of libcryptsetup/libacl in pid1, which are otherwise never used. Let's add a flag to opt out hence, but still prohibit it in namespace_fork/enter().	2025-12-16 21:07:20 +01:00