2025-10-01 17:54:45 +02:00
19 changed files with 78 additions and 147 deletions
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@ -454,9 +454,6 @@ systemd tests:
  causes all non-matching test functions to be skipped. Only applies to tests
  using our regular test boilerplate.

-* `$SYSTEMD_ASSERT_RETURN_IS_CRITICAL` — Takes a boolean to control if
-  `assert_return()` and friends call `abort()`.
-
 fuzzers:

 * `$SYSTEMD_FUZZ_OUTPUT` — A boolean that specifies whether to write output to
--- a/src/basic/assert-util.c
+++ b/src/basic/assert-util.c
@ -4,7 +4,6 @@
 #include <stdlib.h>

 #include "assert-util.h"
-#include "env-util.h"
 #include "errno-util.h"
 #include "log.h"

@ -18,22 +17,6 @@ void log_set_assert_return_is_critical(bool b) {
        assert_return_is_critical = b;
 }

-void log_set_assert_return_is_critical_from_env(void) {
-        static int cached = INT_MIN;
-        int r;
-
-        if (cached == INT_MIN) {
-                r = secure_getenv_bool("SYSTEMD_ASSERT_RETURN_IS_CRITICAL");
-                if (r < 0 && r != -ENXIO)
-                        log_debug_errno(r, "Failed to parse $SYSTEMD_ASSERT_RETURN_IS_CRITICAL, ignoring: %m");
-
-                cached = r;
-        }
-
-        if (cached >= 0)
-                log_set_assert_return_is_critical(cached);
-}
-
 bool log_get_assert_return_is_critical(void) {
        return assert_return_is_critical;
 }
--- a/src/basic/assert-util.h
+++ b/src/basic/assert-util.h
@ -6,25 +6,23 @@
 /* Logging for various assertions */

 void log_set_assert_return_is_critical(bool b);
-void log_set_assert_return_is_critical_from_env(void);
 bool log_get_assert_return_is_critical(void) _pure_;

 void log_assert_failed_return(const char *text, const char *file, int line, const char *func);

-#define assert_log(expr)                                                \
-        (_likely_(expr) ?                                               \
-         true :                                                         \
-         (log_assert_failed_return(#expr, PROJECT_FILE, __LINE__, __func__), false))
+#define assert_log(expr, message) ((_likely_(expr))                     \
+        ? (true)                                                        \
+        : (log_assert_failed_return(message, PROJECT_FILE, __LINE__, __func__), false))

 #define assert_return(expr, r)                                          \
        do {                                                            \
-                if (!assert_log(expr))                                  \
+                if (!assert_log(expr, #expr))                           \
                        return (r);                                     \
        } while (false)

 #define assert_return_errno(expr, r, err)                               \
        do {                                                            \
-                if (!assert_log(expr)) {                                \
+                if (!assert_log(expr, #expr)) {                         \
                        errno = err;                                    \
                        return (r);                                     \
                }                                                       \
--- a/src/shared/nss-util.h
+++ b/src/shared/nss-util.h
@ -7,27 +7,7 @@
 #include <pwd.h>
 #include <resolv.h>

-#include "forward.h"
-#include "signal-util.h"
-
-extern sd_json_dispatch_flags_t nss_json_dispatch_flags;
-
-void log_setup_nss(void);
-
-#define NSS_ENTRYPOINT_BEGIN        \
-        log_setup_nss();            \
-        BLOCK_SIGNALS(SIGALRM,      \
-                      SIGVTALRM,    \
-                      SIGPIPE,      \
-                      SIGCHLD,      \
-                      SIGTSTP,      \
-                      SIGIO,        \
-                      SIGHUP,       \
-                      SIGUSR1,      \
-                      SIGUSR2,      \
-                      SIGPROF,      \
-                      SIGURG,       \
-                      SIGWINCH)
+#define NSS_SIGNALS_BLOCK SIGALRM,SIGVTALRM,SIGPIPE,SIGCHLD,SIGTSTP,SIGIO,SIGHUP,SIGUSR1,SIGUSR2,SIGPROF,SIGURG,SIGWINCH

 #ifndef DEPRECATED_RES_USE_INET6
 #  define DEPRECATED_RES_USE_INET6 0x00002000
--- a/src/basic/signal-util.h
+++ b/src/basic/signal-util.h
@ -36,21 +36,16 @@ int signal_from_string(const char *s) _pure_;

 void nop_signal_handler(int sig);

-static inline void block_signals_reset(sigset_t **ss) {
-        assert(ss);
-
-        if (!*ss)
-                return;
-
-        assert_log(sigprocmask(SIG_SETMASK, *ss, NULL) >= 0);
+static inline void block_signals_reset(sigset_t *ss) {
+        assert_se(sigprocmask(SIG_SETMASK, ss, NULL) >= 0);
 }

-#define BLOCK_SIGNALS(...)                                              \
-        sigset_t _saved_sigset;                                         \
-        _cleanup_(block_signals_reset) _unused_ sigset_t *_saved_sigsetp = \
-                assert_log(sigprocmask_many(SIG_BLOCK, &_saved_sigset, __VA_ARGS__) >= 0) ? \
-                &_saved_sigset : NULL;
-
+#define BLOCK_SIGNALS(...)                                                         \
+        _cleanup_(block_signals_reset) _unused_ sigset_t _saved_sigset = ({        \
+                sigset_t _t;                                                       \
+                assert_se(sigprocmask_many(SIG_BLOCK, &_t, __VA_ARGS__) >= 0);     \
+                _t;                                                                \
+        })
 #define SIGNO_INVALID (-EINVAL)

 static inline bool SIGNAL_VALID(int signo) {
--- a/src/core/service.c
+++ b/src/core/service.c
@ -414,12 +414,6 @@ static void service_extend_timeout(Service *s, usec_t extend_timeout_usec) {
 static void service_reset_watchdog(Service *s) {
        assert(s);

-        if (freezer_state_finish(UNIT(s)->freezer_state) != FREEZER_RUNNING) {
-                log_unit_debug(UNIT(s), "Service is currently %s, skipping resetting watchdog.",
-                               freezer_state_to_string(UNIT(s)->freezer_state));
-                return;
-        }
-
        dual_timestamp_now(&s->watchdog_timestamp);
        service_start_watchdog(s);
 }
--- a/src/fundamental/assert-fundamental.h
+++ b/src/fundamental/assert-fundamental.h
@ -50,7 +50,7 @@ static inline int __coverity_check_and_return__(int condition) {

 #define assert_message_se(expr, message) __coverity_check__(!!(expr))

-#define assert_log(expr) __coverity_check_and_return__(!!(expr))
+#define assert_log(expr, message) __coverity_check_and_return__(!!(expr))

 #else  /* ! __COVERITY__ */

--- a/src/libsystemd/sd-bus/bus-internal.h
+++ b/src/libsystemd/sd-bus/bus-internal.h
@ -399,7 +399,7 @@ int bus_maybe_reply_error(sd_bus_message *m, int r, const sd_bus_error *e);

 #define bus_assert_return(expr, r, error)                               \
        do {                                                            \
-                if (!assert_log(expr))                                  \
+                if (!assert_log(expr, #expr))                           \
                        return sd_bus_error_set_errno(error, r);        \
        } while (false)

--- a/src/nss-myhostname/nss-myhostname.c
+++ b/src/nss-myhostname/nss-myhostname.c
@ -43,7 +43,7 @@ enum nss_status _nss_myhostname_gethostbyname4_r(
        char *r_name;

        PROTECT_ERRNO;
-        NSS_ENTRYPOINT_BEGIN;
+        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);

        assert(name);
        assert(pat);
@ -326,7 +326,7 @@ enum nss_status _nss_myhostname_gethostbyname3_r(
        int n_addresses = 0;

        PROTECT_ERRNO;
-        NSS_ENTRYPOINT_BEGIN;
+        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);

        assert(name);
        assert(host);
@ -425,7 +425,7 @@ enum nss_status _nss_myhostname_gethostbyaddr2_r(
        unsigned n;

        PROTECT_ERRNO;
-        NSS_ENTRYPOINT_BEGIN;
+        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);

        assert(addr);
        assert(host);
--- a/src/nss-mymachines/nss-mymachines.c
+++ b/src/nss-mymachines/nss-mymachines.c
@ -17,6 +17,15 @@
 #include "signal-util.h"
 #include "string-util.h"

+static void setup_logging_once(void) {
+        static pthread_once_t once = PTHREAD_ONCE_INIT;
+        assert_se(pthread_once(&once, log_parse_environment_variables) == 0);
+}
+
+#define NSS_ENTRYPOINT_BEGIN                    \
+        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);       \
+        setup_logging_once()
+
 NSS_GETHOSTBYNAME_PROTOTYPES(mymachines);
 NSS_GETPW_PROTOTYPES(mymachines);
 NSS_GETGR_PROTOTYPES(mymachines);
--- a/src/nss-resolve/nss-resolve.c
+++ b/src/nss-resolve/nss-resolve.c
@ -19,6 +19,24 @@
 #include "strv.h"
 #include "time-util.h"

+static sd_json_dispatch_flags_t json_dispatch_flags = SD_JSON_ALLOW_EXTENSIONS;
+
+static void setup_logging(void) {
+        log_parse_environment_variables();
+
+        if (DEBUG_LOGGING)
+                json_dispatch_flags = SD_JSON_LOG;
+}
+
+static void setup_logging_once(void) {
+        static pthread_once_t once = PTHREAD_ONCE_INIT;
+        assert_se(pthread_once(&once, setup_logging) == 0);
+}
+
+#define NSS_ENTRYPOINT_BEGIN                    \
+        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);       \
+        setup_logging_once()
+
 NSS_GETHOSTBYNAME_PROTOTYPES(resolve);
 NSS_GETHOSTBYADDR_PROTOTYPES(resolve);

@ -240,7 +258,7 @@ enum nss_status _nss_resolve_gethostbyname4_r(
                goto not_found;
        }

-        r = sd_json_dispatch(rparams, resolve_hostname_reply_dispatch_table, nss_json_dispatch_flags, &p);
+        r = sd_json_dispatch(rparams, resolve_hostname_reply_dispatch_table, json_dispatch_flags, &p);
        if (r < 0)
                goto fail;
        if (sd_json_variant_is_blank_object(p.addresses))
@ -250,7 +268,7 @@ enum nss_status _nss_resolve_gethostbyname4_r(
        JSON_VARIANT_ARRAY_FOREACH(entry, p.addresses) {
                AddressParameters q = {};

-                r = sd_json_dispatch(entry, address_parameters_dispatch_table, nss_json_dispatch_flags, &q);
+                r = sd_json_dispatch(entry, address_parameters_dispatch_table, json_dispatch_flags, &q);
                if (r < 0)
                        goto fail;

@ -288,7 +306,7 @@ enum nss_status _nss_resolve_gethostbyname4_r(
        JSON_VARIANT_ARRAY_FOREACH(entry, p.addresses) {
                AddressParameters q = {};

-                r = sd_json_dispatch(entry, address_parameters_dispatch_table, nss_json_dispatch_flags, &q);
+                r = sd_json_dispatch(entry, address_parameters_dispatch_table, json_dispatch_flags, &q);
                if (r < 0)
                        goto fail;

@ -404,7 +422,7 @@ enum nss_status _nss_resolve_gethostbyname3_r(
                goto not_found;
        }

-        r = sd_json_dispatch(rparams, resolve_hostname_reply_dispatch_table, nss_json_dispatch_flags, &p);
+        r = sd_json_dispatch(rparams, resolve_hostname_reply_dispatch_table, json_dispatch_flags, &p);
        if (r < 0)
                goto fail;
        if (sd_json_variant_is_blank_object(p.addresses))
@ -414,7 +432,7 @@ enum nss_status _nss_resolve_gethostbyname3_r(
        JSON_VARIANT_ARRAY_FOREACH(entry, p.addresses) {
                AddressParameters q = {};

-                r = sd_json_dispatch(entry, address_parameters_dispatch_table, nss_json_dispatch_flags, &q);
+                r = sd_json_dispatch(entry, address_parameters_dispatch_table, json_dispatch_flags, &q);
                if (r < 0)
                        goto fail;

@ -460,7 +478,7 @@ enum nss_status _nss_resolve_gethostbyname3_r(
        JSON_VARIANT_ARRAY_FOREACH(entry, p.addresses) {
                AddressParameters q = {};

-                r = sd_json_dispatch(entry, address_parameters_dispatch_table, nss_json_dispatch_flags, &q);
+                r = sd_json_dispatch(entry, address_parameters_dispatch_table, json_dispatch_flags, &q);
                if (r < 0)
                        goto fail;

@ -622,7 +640,7 @@ enum nss_status _nss_resolve_gethostbyaddr2_r(
                goto not_found;
        }

-        r = sd_json_dispatch(rparams, resolve_address_reply_dispatch_table, nss_json_dispatch_flags, &p);
+        r = sd_json_dispatch(rparams, resolve_address_reply_dispatch_table, json_dispatch_flags, &p);
        if (r < 0)
                goto fail;
        if (sd_json_variant_is_blank_object(p.names))
@ -633,7 +651,7 @@ enum nss_status _nss_resolve_gethostbyaddr2_r(
        JSON_VARIANT_ARRAY_FOREACH(entry, p.names) {
                _cleanup_(name_parameters_destroy) NameParameters q = {};

-                r = sd_json_dispatch(entry, name_parameters_dispatch_table, nss_json_dispatch_flags, &q);
+                r = sd_json_dispatch(entry, name_parameters_dispatch_table, json_dispatch_flags, &q);
                if (r < 0)
                        goto fail;

@ -674,7 +692,7 @@ enum nss_status _nss_resolve_gethostbyaddr2_r(
        JSON_VARIANT_ARRAY_FOREACH(entry, p.names) {
                _cleanup_(name_parameters_destroy) NameParameters q = {};

-                r = sd_json_dispatch(entry, name_parameters_dispatch_table, nss_json_dispatch_flags, &q);
+                r = sd_json_dispatch(entry, name_parameters_dispatch_table, json_dispatch_flags, &q);
                if (r < 0)
                        goto fail;

--- a/src/nss-systemd/nss-systemd.c
+++ b/src/nss-systemd/nss-systemd.c
@ -122,6 +122,15 @@ static GetentData getsgent_data = {
 };
 REENABLE_WARNING;

+static void setup_logging_once(void) {
+        static pthread_once_t once = PTHREAD_ONCE_INIT;
+        assert_se(pthread_once(&once, log_parse_environment_variables) == 0);
+}
+
+#define NSS_ENTRYPOINT_BEGIN                    \
+        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);       \
+        setup_logging_once()
+
 NSS_GETPW_PROTOTYPES(systemd);
 NSS_GETSP_PROTOTYPES(systemd);
 NSS_GETGR_PROTOTYPES(systemd);
--- a/src/shared/hostname-setup.c
+++ b/src/shared/hostname-setup.c
@ -316,8 +316,7 @@ int gethostname_full(GetHostnameFlags flags, char **ret) {

        assert(ret);

-        if (uname(&u) < 0)
-                return -errno;
+        assert_se(uname(&u) >= 0);

        s = u.nodename;
        if (isempty(s) || streq(s, "(none)") ||
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@ -227,10 +227,6 @@ shared_sources = files(
        'xml.c',
 )

-if conf.get('ENABLE_NSS') == 1
-        shared_sources += files('nss-util.c')
-endif
-
 if get_option('tests') != 'false'
        shared_sources += files('tests.c')
 endif
--- a/src/shared/nss-util.c
+++ b/src/shared/nss-util.c
@ -1,23 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-
-#include <pthread.h>
-
-#include "sd-json.h"
-
-#include "assert-util.h"
-#include "log.h"
-#include "nss-util.h"
-
-sd_json_dispatch_flags_t nss_json_dispatch_flags = SD_JSON_ALLOW_EXTENSIONS;
-
-static void log_setup_nss_internal(void) {
-        log_set_assert_return_is_critical_from_env();
-        log_parse_environment_variables();
-        if (DEBUG_LOGGING)
-                nss_json_dispatch_flags = SD_JSON_LOG;
-}
-
-void log_setup_nss(void) {
-        static pthread_once_t once = PTHREAD_ONCE_INIT;
-        assert_se(pthread_once(&once, log_setup_nss_internal) == 0);
-}
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@ -65,8 +65,8 @@ extern const SyscallFilterSet syscall_filter_sets[];

 const SyscallFilterSet *syscall_filter_set_find(const char *name);

-int seccomp_filter_set_add_by_name(Hashmap *filter, bool add, const char *name);
-int seccomp_filter_set_add(Hashmap *filter, bool add, const SyscallFilterSet *set);
+int seccomp_filter_set_add_by_name(Hashmap *s, bool b, const char *name);
+int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);

 int seccomp_add_syscall_filter_item(
                scmp_filter_ctx *ctx,
@ -77,7 +77,7 @@ int seccomp_add_syscall_filter_item(
                char ***added);

 int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing);
-int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap *filter, uint32_t action, bool log_missing);
+int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing);

 typedef enum SeccompParseFlags {
        SECCOMP_PARSE_INVERT     = 1 << 0,
--- a/src/test/meson.build
+++ b/src/test/meson.build
@ -376,10 +376,7 @@ executables += [
                        'nss-test-util.c',
                ),
                'extract' : files('nss-test-util.c'),
-                'dependencies' : [
-                        libdl,
-                        libseccomp,
-                ],
+                'dependencies' : libdl,
                'conditions' : ['ENABLE_NSS'],
                'timeout' : 120,
        },
--- a/src/test/test-nss-hosts.c
+++ b/src/test/test-nss-hosts.c
@ -8,7 +8,6 @@
 #include "env-util.h"
 #include "errno-list.h"
 #include "format-ifname.h"
-#include "hashmap.h"
 #include "hexdecoct.h"
 #include "hostname-setup.h"
 #include "in-addr-util.h"
@ -19,8 +18,6 @@
 #include "nss-util.h"
 #include "parse-util.h"
 #include "path-util.h"
-#include "process-util.h"
-#include "seccomp-util.h"
 #include "socket-util.h"
 #include "string-util.h"
 #include "strv.h"
@ -475,7 +472,7 @@ static int run(int argc, char **argv) {
        int n_addresses = 0;
        int r;

-        test_setup_logging(LOG_DEBUG);
+        test_setup_logging(LOG_INFO);

        r = parse_argv(argc, argv, &modules, &names, &addresses, &n_addresses);
        if (r < 0)
@ -483,32 +480,6 @@ static int run(int argc, char **argv) {

        assert_se(path_extract_directory(argv[0], &dir) >= 0);

-        if (geteuid() != 0 || !is_seccomp_available())
-                log_tests_skipped("Not privileged or seccomp is not available");
-        else {
-                /* Testing with several syscalls filtered, and check if the nss modules gracefully handle failures in
-                 * masked syscalls. See issue #38582. */
-
-                ASSERT_OK(r = safe_fork("(with-seccomp)", FORK_LOG | FORK_WAIT, /* ret_pid = */ NULL));
-                if (r == 0) {
-                        _cleanup_hashmap_free_ Hashmap *filter = NULL;
-                        ASSERT_NOT_NULL(filter = hashmap_new(NULL));
-                        FOREACH_STRING(s, "uname", "olduname", "oldolduname", "sigprocmask", "rt_sigprocmask", "osf_sigprocmask")
-                                ASSERT_OK(seccomp_filter_set_add_by_name(filter, /* add = */ true, s));
-                        ASSERT_OK(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, filter, SCMP_ACT_ERRNO(ENOSYS), /* log_missing = */ true));
-
-                        /* To make assert_return() and friends not call abort(), even built as developer mode. */
-                        ASSERT_OK_ERRNO(setenv("SYSTEMD_ASSERT_RETURN_IS_CRITICAL", "0", /* overwrite = */ true));
-                        /* Let's also make nss modules output debugging logs. */
-                        ASSERT_OK_ERRNO(setenv("SYSTEMD_LOG_LEVEL", "debug", /* overwrite = */ true));
-
-                        STRV_FOREACH(module, modules)
-                                ASSERT_OK(test_one_module(dir, *module, names, addresses, n_addresses));
-
-                        _exit(EXIT_SUCCESS);
-                }
-        }
-
        STRV_FOREACH(module, modules) {
                r = test_one_module(dir, *module, names, addresses, n_addresses);
                if (r < 0)
--- a/test/units/TEST-89-RESOLVED-MDNS.service
+++ b/test/units/TEST-89-RESOLVED-MDNS.service
@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=TEST-89-RESOLVED-MDNS
+
+[Service]
+ExecStartPre=rm -f /failed /testok
+ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh
+Type=oneshot