vmspawn: Use virtio-blk-pci for extra drives

Fixes #39262
Revert "meson: fail build when encountering unused variables"
2025-11-21 01:34:44 +01:00 · 2025-10-14 16:09:51 +02:00 · 2025-10-14 14:40:09 +02:00 · 2025-10-14 14:39:45 +02:00 · 2025-10-14 13:14:23 +02:00 · 2025-10-14 13:08:57 +02:00
19 changed files with 366 additions and 389 deletions
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@ -123,8 +123,12 @@ All tools:
 * `$SYSTEMD_NETLINK_DEFAULT_TIMEOUT` — specifies the default timeout of waiting
  replies for netlink messages from the kernel. Defaults to 25 seconds.
-* `$SYSTEMD_VERITY_SHARING=0` — if set, sharing dm-verity devices by
+* `$SYSTEMD_VERITY_SHARING=` — takes a boolean. If set, overrides whether
-  using a stable `<ROOTHASH>-verity` device mapper name will be disabled.
+  dm-verity devices shall be shared between multiple components by using a
  stable `<ROOTHASH>-verity` device mapper name. The default for this depends
  on the subsystem in question. Usually,
  RootImage=/ExtensionImages=/MountImages= in unit files default to enabled,
  while other uses default to disabled for this.
 `systemctl`:
--- a/meson.build
+++ b/meson.build
@ -405,7 +405,6 @@ possible_common_cc_flags = [
        '-Werror=shift-overflow=2',
        '-Werror=strict-flex-arrays',
        '-Werror=undef',
        '-Werror=unused-variable',
        '-Wfloat-equal',
        # gperf prevents us from enabling this because it does not emit fallthrough
        # attribute with clang.
@ -629,33 +628,34 @@ stat   = find_program('stat')
 ln_s = ln.full_path() + ' -frsT -- "${DESTDIR:-}@0@" "${DESTDIR:-}@1@"'
-# If -Dxxx-path option is found, use that. Otherwise, check in $PATH,
+# If -Dxxx-path option is found, use that. Otherwise, use the default from the
-# /usr/sbin, /sbin, and fall back to the default from middle column.
+# middle column; a full path is used directly, a relative path is converted to
-progs = [['quotaon',    '/usr/sbin/quotaon'    ],
+# /usr/bin/foo or /usr/sbin/foo, depending on whether split-bin is enabled.
-         ['quotacheck', '/usr/sbin/quotacheck' ],
+progs = [['quotaon',    'quotaon'              ],
         ['quotacheck', 'quotacheck'           ],
         ['kmod',       '/usr/bin/kmod'        ],
-         ['kexec',      '/usr/sbin/kexec'      ],
+         ['kexec',      'kexec'                ],
-         ['sulogin',    '/usr/sbin/sulogin'    ],
+         ['sulogin',    'sulogin'              ],
-         ['swapon',     '/usr/sbin/swapon'     ],
+         ['swapon',     'swapon'               ],
-         ['swapoff',    '/usr/sbin/swapoff'    ],
+         ['swapoff',    'swapoff'              ],
-         ['agetty',     '/usr/sbin/agetty'     ],
+         ['agetty',     'agetty'               ],
         ['mount',      '/usr/bin/mount',      'MOUNT_PATH'],
         ['umount',     '/usr/bin/umount',     'UMOUNT_PATH'],
         ['loadkeys',   '/usr/bin/loadkeys',   'KBD_LOADKEYS'],
         ['setfont',    '/usr/bin/setfont',    'KBD_SETFONT'],
-         ['nologin',    '/usr/sbin/nologin',   ],
+         ['nologin',    'nologin',             ],
        ]
 foreach prog : progs
        path = get_option(prog[0] + '-path')
-        if path != ''
+        if path == ''
-                message('Using @1@ for @0@'.format(prog[0], path))
+                if prog[1].startswith('/')
-        else
+                        path = prog[1]
-                exe = find_program(prog[0],
+                else
-                                   '/usr/sbin/' + prog[0],
+                        path = '/usr' / (split_bin ? 'sbin' : 'bin') / prog[1]
-                                   '/sbin/' + prog[0],
+                endif
                                   required: false)
                path = exe.found() ? exe.full_path() : prog[1]
        endif
        message('Using @1@ for @0@'.format(prog[0], path))
        name = prog.length() > 2 ? prog[2] : prog[0].to_upper()
        conf.set_quoted(name, path)
 endforeach
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@ -2523,7 +2523,8 @@ int setup_namespace(const NamespaceParameters *p, char **reterr_path) {
                DISSECT_IMAGE_GROWFS |
                DISSECT_IMAGE_ADD_PARTITION_DEVICES |
                DISSECT_IMAGE_PIN_PARTITION_DEVICES |
-                DISSECT_IMAGE_ALLOW_USERSPACE_VERITY;
+                DISSECT_IMAGE_ALLOW_USERSPACE_VERITY |
                DISSECT_IMAGE_VERITY_SHARE;
        int r;
        assert(p);
@ -2588,6 +2589,7 @@ int setup_namespace(const NamespaceParameters *p, char **reterr_path) {
                                        dissected_image,
                                        NULL,
                                        p->verity,
                                        p->root_image_policy,
                                        dissect_image_flags);
                        if (r < 0)
                                return log_debug_errno(r, "Failed to decrypt dissected image: %m");
--- a/src/dissect/dissect.c
+++ b/src/dissect/dissect.c
@ -2281,6 +2281,7 @@ static int run(int argc, char *argv[]) {
                                        r = dissected_image_decrypt_interactively(
                                                        m, NULL,
                                                        &arg_verity_settings,
                                                        arg_image_policy,
                                                        arg_flags);
                                        if (r < 0)
                                                return r;
--- a/src/mountfsd/mountwork.c
+++ b/src/mountfsd/mountwork.c
@ -497,6 +497,7 @@ static int vl_method_mount_image(
                        di,
                        p.password,
                        &verity,
                        use_policy,
                        dissect_flags);
        if (r == -ENOKEY) /* new dm-verity userspace returns ENOKEY if the dm-verity signature key is not in
                           * key chain. That's great. */
--- a/src/nspawn/nspawn-register.c
+++ b/src/nspawn/nspawn-register.c
@ -131,30 +131,25 @@ static int can_set_coredump_receive(sd_bus *bus) {
        return r >= 0;
 }
-static int create_or_register_machine_ex(
+static int register_machine_ex(
                sd_bus *bus,
                const char *machine_name,
                const PidRef *pid,
                const char *directory,
                sd_id128_t uuid,
                int local_ifindex,
                const char *slice,
                CustomMount *mounts,
                unsigned n_mounts,
                int kill_signal,
                char **properties,
                sd_bus_message *properties_message,
                const char *service,
-                StartMode start_mode,
+                sd_bus_error *error) {
                sd_bus_error *error,
                bool keep_unit) {
        _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
        int r;
        assert(bus);
        assert(machine_name);
        assert(service);
        assert(error);
-        r = bus_message_new_method_call(bus, &m,  bus_machine_mgr, keep_unit ? "RegisterMachineEx" : "CreateMachineEx");
+        r = bus_message_new_method_call(bus, &m,  bus_machine_mgr, "RegisterMachineEx");
        if (r < 0)
                return bus_log_create_error(r);
@ -209,45 +204,6 @@ static int create_or_register_machine_ex(
        if (r < 0)
                return bus_log_create_error(r);
        if (!keep_unit) {
                r = sd_bus_message_open_container(m, 'a', "(sv)");
                if (r < 0)
                        return bus_log_create_error(r);
                if (!isempty(slice)) {
                        r = sd_bus_message_append(m, "(sv)", "Slice", "s", slice);
                        if (r < 0)
                                return bus_log_create_error(r);
                }
                r = append_controller_property(bus, m);
                if (r < 0)
                        return r;
                r = append_machine_properties(
                                m,
                                mounts,
                                n_mounts,
                                kill_signal,
                                start_mode == START_BOOT && can_set_coredump_receive(bus) > 0);
                if (r < 0)
                        return r;
                if (properties_message) {
                        r = sd_bus_message_copy(m, properties_message, true);
                        if (r < 0)
                                return bus_log_create_error(r);
                }
                r = bus_append_unit_property_assignment_many(m, UNIT_SERVICE, properties);
                if (r < 0)
                        return r;
                r = sd_bus_message_close_container(m);
                if (r < 0)
                        return bus_log_create_error(r);
        }
        return sd_bus_call(bus, m, 0, error, NULL);
 }
@ -258,117 +214,45 @@ int register_machine(
                const char *directory,
                sd_id128_t uuid,
                int local_ifindex,
-                const char *slice,
+                const char *service) {
                CustomMount *mounts,
                unsigned n_mounts,
                int kill_signal,
                char **properties,
                sd_bus_message *properties_message,
                const char *service,
                StartMode start_mode,
                RegisterMachineFlags flags) {
        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
        int r;
        assert(bus);
        assert(machine_name);
        assert(service);
-        r = create_or_register_machine_ex(
+        r = register_machine_ex(
                        bus,
                        machine_name,
                        pid,
                        directory,
                        uuid,
                        local_ifindex,
                        slice,
                        mounts,
                        n_mounts,
                        kill_signal,
                        properties,
                        properties_message,
                        service,
-                        start_mode,
+                        &error);
                        &error,
                        FLAGS_SET(flags, REGISTER_MACHINE_KEEP_UNIT));
        if (r >= 0)
                return 0;
        if (!sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_METHOD))
                return log_error_errno(r, "Failed to register machine: %s", bus_error_message(&error, r));
        sd_bus_error_free(&error);
        if (FLAGS_SET(flags, REGISTER_MACHINE_KEEP_UNIT)) {
                r = bus_call_method(
                                bus,
                                bus_machine_mgr,
                                "RegisterMachineWithNetwork",
                                &error,
                                NULL,
                                "sayssusai",
                                machine_name,
                                SD_BUS_MESSAGE_APPEND_ID128(uuid),
                                service,
                                "container",
                                pidref_is_set(pid) ? (uint32_t) pid->pid : 0,
                                strempty(directory),
                                local_ifindex > 0 ? 1 : 0, local_ifindex);
        } else {
                _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
-                r = bus_message_new_method_call(bus, &m,  bus_machine_mgr, "CreateMachineWithNetwork");
+        r = bus_call_method(
-                if (r < 0)
+                        bus,
-                        return bus_log_create_error(r);
+                        bus_machine_mgr,
-
+                        "RegisterMachineWithNetwork",
-                r = sd_bus_message_append(
+                        &error,
-                                m,
+                        NULL,
-                                "sayssusai",
+                        "sayssusai",
-                                machine_name,
+                        machine_name,
-                                SD_BUS_MESSAGE_APPEND_ID128(uuid),
+                        SD_BUS_MESSAGE_APPEND_ID128(uuid),
-                                service,
+                        service,
-                                "container",
+                        "container",
-                                pidref_is_set(pid) ? (uint32_t) pid->pid : 0,
+                        pidref_is_set(pid) ? (uint32_t) pid->pid : 0,
-                                strempty(directory),
+                        strempty(directory),
-                                local_ifindex > 0 ? 1 : 0, local_ifindex);
+                        local_ifindex > 0 ? 1 : 0, local_ifindex);
                if (r < 0)
                        return bus_log_create_error(r);
                r = sd_bus_message_open_container(m, 'a', "(sv)");
                if (r < 0)
                        return bus_log_create_error(r);
                if (!isempty(slice)) {
                        r = sd_bus_message_append(m, "(sv)", "Slice", "s", slice);
                        if (r < 0)
                                return bus_log_create_error(r);
                }
                r = append_controller_property(bus, m);
                if (r < 0)
                        return r;
                r = append_machine_properties(
                                m,
                                mounts,
                                n_mounts,
                                kill_signal,
                                start_mode == START_BOOT && can_set_coredump_receive(bus) > 0);
                if (r < 0)
                        return r;
                if (properties_message) {
                        r = sd_bus_message_copy(m, properties_message, true);
                        if (r < 0)
                                return bus_log_create_error(r);
                }
                r = bus_append_unit_property_assignment_many(m, UNIT_SERVICE, properties);
                if (r < 0)
                        return r;
                r = sd_bus_message_close_container(m);
                if (r < 0)
                        return bus_log_create_error(r);
                r = sd_bus_call(bus, m, 0, &error, NULL);
        }
        if (r < 0)
                return log_error_errno(r, "Failed to register machine: %s", bus_error_message(&error, r));
--- a/src/nspawn/nspawn-register.h
+++ b/src/nspawn/nspawn-register.h
@ -4,10 +4,6 @@
 #include "forward.h"
 #include "nspawn-settings.h"
 typedef enum RegisterMachineFlags {
        REGISTER_MACHINE_KEEP_UNIT   = 1 << 0,
 } RegisterMachineFlags;
 int register_machine(
                sd_bus *bus,
                const char *machine_name,
@ -15,14 +11,7 @@ int register_machine(
                const char *directory,
                sd_id128_t uuid,
                int local_ifindex,
-                const char *slice,
+                const char *service);
                CustomMount *mounts, unsigned n_mounts,
                int kill_signal,
                char **properties,
                sd_bus_message *properties_message,
                const char *service,
                StartMode start_mode,
                RegisterMachineFlags flags);
 int unregister_machine(sd_bus *bus, const char *machine_name);
 typedef enum AllocateScopeFlags {
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -18,6 +18,7 @@
 #include "sd-event.h"
 #include "sd-id128.h"
 #include "sd-netlink.h"
 #include "sd-path.h"
 #include "alloc-util.h"
 #include "barrier.h"
@ -4936,30 +4937,49 @@ static int load_settings(void) {
        if (FLAGS_SET(arg_settings_mask, _SETTINGS_MASK_ALL))
                return 0;
-        /* We first look in the admin's directories in /etc and /run */
+        /* We first look in the admin's directories in /etc/ and /run/ */
-        if (arg_privileged)
+        static const uint64_t lookup_dir_system[] = {
-                FOREACH_STRING(i, "/etc/systemd/nspawn", "/run/systemd/nspawn") {
+                SD_PATH_SYSTEM_CONFIGURATION,
-                        _cleanup_free_ char *j = NULL;
+                SD_PATH_SYSTEM_RUNTIME,
                _SD_PATH_INVALID,
        };
        static const uint64_t lookup_dir_user[] = {
                SD_PATH_USER_CONFIGURATION,
                SD_PATH_USER_RUNTIME,
                _SD_PATH_INVALID,
        };
-                        j = path_join(i, arg_settings_filename);
+        const uint64_t *q = arg_privileged ? lookup_dir_system : lookup_dir_user;
-                        if (!j)
+        for (; *q != _SD_PATH_INVALID; q++) {
-                                return log_oom();
+                _cleanup_free_ char *cd = NULL;
-
+                r = sd_path_lookup(*q, "systemd/nspawn", &cd);
-                        f = fopen(j, "re");
+                if (r < 0) {
-                        if (f) {
+                        log_warning_errno(r, "Failed to determine settings directory, ignoring: %m");
-                                p = TAKE_PTR(j);
+                        continue;
                                /* By default, we trust configuration from /etc and /run */
                                if (arg_settings_trusted < 0)
                                        arg_settings_trusted = true;
                                break;
                        }
                        if (errno != ENOENT)
                                return log_error_errno(errno, "Failed to open %s: %m", j);
                }
                _cleanup_free_ char *j = NULL;
                j = path_join(cd, arg_settings_filename);
                if (!j)
                        return log_oom();
                f = fopen(j, "re");
                if (f) {
                        p = TAKE_PTR(j);
                        log_debug("Found settings file: %s", p);
                        /* By default, we trust configuration from /etc and /run */
                        if (arg_settings_trusted < 0)
                                arg_settings_trusted = true;
                        break;
                }
                if (errno != ENOENT)
                        return log_error_errno(errno, "Failed to open %s: %m", j);
        }
        if (!f) {
                /* After that, let's look for a file next to the
                 * actual image we shall boot. */
@ -4979,6 +4999,9 @@ static int load_settings(void) {
                        if (!f && errno != ENOENT)
                                return log_error_errno(errno, "Failed to open %s: %m", p);
                        if (f)
                                log_debug("Found settings file: %s", p);
                        /* By default, we do not trust configuration from /var/lib/machines */
                        if (arg_settings_trusted < 0)
                                arg_settings_trusted = false;
@ -5357,10 +5380,10 @@ static int run_container(
                (void) sd_bus_set_allow_interactive_authorization(system_bus, arg_ask_password);
        }
        /* Scope allocation happens on the user bus if we are unpriv, otherwise system bus. */
        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *user_bus = NULL;
        _cleanup_(sd_bus_unrefp) sd_bus *runtime_bus = NULL;
-        if (!arg_keep_unit) {
+
        if (arg_register || !arg_keep_unit) {
                if (arg_privileged)
                        runtime_bus = sd_bus_ref(system_bus);
                else {
@ -5374,7 +5397,22 @@ static int run_container(
                        runtime_bus = sd_bus_ref(user_bus);
                }
        }
        /* Scope allocation happens on the user bus if we are unpriv, otherwise system bus. */
        if (arg_keep_unit) {
                /* If we are not supposed to allocate a unit, then let's move the process now, so that we can
                 * register things while being in the right cgroup location already. Otherwise, let's move
                 * the process later, once we have unit and hence cgroup. */
                r = create_subcgroup(
                                pid,
                                arg_keep_unit,
                                arg_uid_shift,
                                userns_fd,
                                arg_userns_mode);
                if (r < 0)
                        return r;
        } else {
                /* When a new scope is created for this container, then we'll be registered as its controller, in which
                 * case PID 1 will send us a friendly RequestStop signal, when it is asked to terminate the
                 * scope. Let's hook into that, and cleanly shut down the container, and print a friendly message. */
@ -5393,22 +5431,8 @@ static int run_container(
                        return log_error_errno(r, "Failed to request RequestStop match: %m");
        }
        if (arg_keep_unit) {
                /* If we are not supposed to allocate a unit, then let's move the process now, so that we can
                 * register things while being in the right cgroup location already. Otherwise, let's move
                 * the process later, once we have unit and hence cgroup. */
                r = create_subcgroup(
                                pid,
                                arg_keep_unit,
                                arg_uid_shift,
                                userns_fd,
                                arg_userns_mode);
                if (r < 0)
                        return r;
        }
        bool scope_allocated = false;
-        if (!arg_keep_unit && (!arg_register || !arg_privileged)) {
+        if (!arg_keep_unit) {
                AllocateScopeFlags flags = ALLOCATE_SCOPE_ALLOW_PIDFD;
                r = allocate_scope(
                                runtime_bus,
@ -5427,10 +5451,8 @@ static int run_container(
                scope_allocated = true;
        }
-        bool registered = false;
+        bool registered_system = false, registered_runtime = false;
        if (arg_register) {
                RegisterMachineFlags flags = 0;
                SET_FLAG(flags, REGISTER_MACHINE_KEEP_UNIT, arg_keep_unit || !arg_privileged);
                r = register_machine(
                                system_bus,
                                arg_machine,
@ -5438,18 +5460,32 @@ static int run_container(
                                arg_directory,
                                arg_uuid,
                                ifi,
-                                arg_slice,
+                                arg_container_service_name);
-                                arg_custom_mounts, arg_n_custom_mounts,
+                if (r < 0) {
-                                arg_kill_signal,
+                        if (arg_privileged) /* if privileged the request to register definitely failed */
-                                arg_property,
+                                return r;
                                arg_property_message,
                                arg_container_service_name,
                                arg_start_mode,
                                flags);
                if (r < 0)
                        return r;
-                registered = true;
+                        log_notice_errno(r, "Failed to register machine in system context, will try in user context.");
                } else
                        registered_system = true;
                if (!arg_privileged) {
                        r = register_machine(
                                        runtime_bus,
                                        arg_machine,
                                        pid,
                                        arg_directory,
                                        arg_uuid,
                                        ifi,
                                        arg_container_service_name);
                        if (r < 0) {
                                if (!registered_system) /* neither registration worked: fail */
                                        return r;
                                log_notice_errno(r, "Failed to register machine in user context, but succeeded in system context, will proceed.");
                        } else
                                registered_runtime = true;
                }
        }
        if (arg_keep_unit && (arg_slice || arg_property))
@ -5661,8 +5697,10 @@ static int run_container(
        r = wait_for_container(pid, &container_status);
        /* Tell machined that we are gone. */
-        if (registered)
+        if (registered_system)
                (void) unregister_machine(system_bus, arg_machine);
        if (registered_runtime)
                (void) unregister_machine(runtime_bus, arg_machine);
        if (r < 0)
                /* We failed to wait for the container, or the container exited abnormally. */
@ -6301,6 +6339,7 @@ static int run(int argc, char *argv[]) {
                                        dissected_image,
                                        NULL,
                                        &arg_verity_settings,
                                        arg_image_policy ?: &image_policy_container,
                                        dissect_image_flags);
                        if (r < 0)
                                goto finish;
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@ -2547,6 +2547,7 @@ static int decrypt_partition(
                DissectedPartition *m,
                const char *passphrase,
                DissectImageFlags flags,
                PartitionPolicyFlags policy_flags,
                DecryptedImage *d) {
        _cleanup_free_ char *node = NULL, *name = NULL;
@ -2566,6 +2567,9 @@ static int decrypt_partition(
        if (!passphrase)
                return -ENOKEY;
        if (!FLAGS_SET(policy_flags, PARTITION_POLICY_ENCRYPTED))
                return log_debug_errno(SYNTHETIC_ERRNO(ERFKILL), "Attempted to unlock partition via LUKS, but it's prohibited.");
        r = dlopen_cryptsetup();
        if (r < 0)
                return r;
@ -2672,6 +2676,8 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean);
 static int validate_signature_userspace(const VeritySettings *verity, DissectImageFlags flags) {
        int r;
        /* Returns > 0 if signature checks out, == 0 if not, < 0 on unexpected errors */
        if (!FLAGS_SET(flags, DISSECT_IMAGE_ALLOW_USERSPACE_VERITY)) {
                log_debug("Userspace dm-verity signature authentication disabled via flag.");
                return 0;
@ -2778,7 +2784,8 @@ static int do_crypt_activate_verity(
                struct crypt_device *cd,
                const char *name,
                const VeritySettings *verity,
-                DissectImageFlags flags) {
+                DissectImageFlags flags,
                PartitionPolicyFlags policy_flags) {
        bool check_signature;
        int r, k;
@ -2787,7 +2794,7 @@ static int do_crypt_activate_verity(
        assert(name);
        assert(verity);
-        if (verity->root_hash_sig) {
+        if (verity->root_hash_sig && FLAGS_SET(policy_flags, PARTITION_POLICY_SIGNED)) {
                r = secure_getenv_bool("SYSTEMD_DISSECT_VERITY_SIGNATURE");
                if (r < 0 && r != -ENXIO)
                        log_debug_errno(r, "Failed to parse $SYSTEMD_DISSECT_VERITY_SIGNATURE");
@ -2797,7 +2804,6 @@ static int do_crypt_activate_verity(
                check_signature = false;
        if (check_signature) {
 #if HAVE_CRYPT_ACTIVATE_BY_SIGNED_KEY
                /* First, if we have support for signed keys in the kernel, then try that first. */
                r = sym_crypt_activate_by_signed_key(
@ -2808,10 +2814,18 @@ static int do_crypt_activate_verity(
                                verity->root_hash_sig,
                                verity->root_hash_sig_size,
                                CRYPT_ACTIVATE_READONLY);
-                if (r >= 0)
+                if (r >= 0) {
-                        return r;
+                        log_debug("Verity activation via kernel signature logic worked.");
                        return 0;
                }
                log_debug_errno(r, "Validation of dm-verity signature failed via the kernel, trying userspace validation instead: %m");
                /* Let's mangle ENOKEY → EDESTADDRREQ, so that we return a clear, recognizable error if
                 * there's a signature we don't recognize, that is distinct from the LUKS/encryption
                 * -ENOKEY, which means "password required, but I have none". */
                if (r == -ENOKEY)
                        r = -EDESTADDRREQ;
 #else
                log_debug("Activation of verity device with signature requested, but not supported via the kernel by %s due to missing crypt_activate_by_signed_key(), trying userspace validation instead.",
                          program_invocation_short_name);
@ -2825,18 +2839,36 @@ static int do_crypt_activate_verity(
                 * as the device-mapper is finicky around concurrent activations of the same volume */
                k = validate_signature_userspace(verity, flags);
                if (k < 0)
-                        return r < 0 ? r : k;
+                        return k;
-                if (k == 0)
+                if (k == 0) {
-                        return log_debug_errno(r < 0 ? r : SYNTHETIC_ERRNO(ENOKEY),
+                        log_debug("Activation of signed Verity volume worked neither via the kernel nor in userspace, can't activate.");
                                               "Activation of signed Verity volume worked neither via the kernel nor in userspace, can't activate.");
        }
-        return sym_crypt_activate_by_volume_key(
+                        /* So if we had a signature and we're supposed to exclusively allow
                         * signature-based activation, then return the error now */
                        if (!FLAGS_SET(policy_flags, PARTITION_POLICY_VERITY))
                                return r < 0 ? r : -EDESTADDRREQ;
                        log_debug("Activation of signed Verity volume without validating signature is permitted by policy. Continuing.");
                } else
                        log_debug("Verity activation via userspace signature logic worked, activating by root hash.");
                /* Otherwise let's see what signature-less activation results in. */
        } else if (!FLAGS_SET(policy_flags, PARTITION_POLICY_VERITY))
                return log_debug_errno(SYNTHETIC_ERRNO(ERFKILL),
                                       "No-signature activation of Verity volume not allowed by policy, refusing.");
        r = sym_crypt_activate_by_volume_key(
                        cd,
                        name,
                        verity->root_hash,
                        verity->root_hash_size,
                        CRYPT_ACTIVATE_READONLY);
        if (r < 0)
                return log_debug_errno(r, "Activation of Verity via root hash failed: %m");
        log_debug("Activation of Verity via root hash succeeded.");
        return 0;
 }
 static usec_t verity_timeout(void) {
@ -2863,10 +2895,11 @@ static usec_t verity_timeout(void) {
 static int verity_partition(
                PartitionDesignator designator,
-                DissectedPartition *m,
+                DissectedPartition *m, /* data partition */
-                DissectedPartition *v,
+                DissectedPartition *v, /* verity partition */
                const VeritySettings *verity,
                DissectImageFlags flags,
                PartitionPolicyFlags policy_flags,
                DecryptedImage *d) {
        _cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
@ -2893,6 +2926,11 @@ static int verity_partition(
                        return 0;
        }
        if (!(policy_flags & (PARTITION_POLICY_VERITY|PARTITION_POLICY_SIGNED))) {
                log_debug("Attempted to unlock partition via Verity, but it's prohibited, skipping.");
                return 0;
        }
        r = dlopen_cryptsetup();
        if (r < 0)
                return r;
@ -2944,7 +2982,7 @@ static int verity_partition(
                        goto check; /* The device already exists. Let's check it. */
                /* The symlink to the device node does not exist yet. Assume not activated, and let's activate it. */
-                r = do_crypt_activate_verity(cd, name, verity, flags);
+                r = do_crypt_activate_verity(cd, name, verity, flags, policy_flags);
                if (r >= 0)
                        goto try_open; /* The device is activated. Let's open it. */
                /* libdevmapper can return EINVAL when the device is already in the activation stage.
@ -3038,7 +3076,7 @@ static int verity_partition(
                 */
                sym_crypt_free(cd);
                cd = NULL;
-                return verity_partition(designator, m, v, verity, flags & ~DISSECT_IMAGE_VERITY_SHARE, d);
+                return verity_partition(designator, m, v, verity, flags & ~DISSECT_IMAGE_VERITY_SHARE, policy_flags, d);
        }
        return log_debug_errno(SYNTHETIC_ERRNO(EBUSY), "All attempts to activate verity device %s failed.", name);
@ -3060,23 +3098,26 @@ int dissected_image_decrypt(
                DissectedImage *m,
                const char *passphrase,
                const VeritySettings *verity,
                const ImagePolicy *policy,
                DissectImageFlags flags) {
 #if HAVE_LIBCRYPTSETUP
        _cleanup_(decrypted_image_unrefp) DecryptedImage *d = NULL;
        int r;
 #endif
        int r;
        assert(m);
        assert(!verity || verity->root_hash || verity->root_hash_size == 0);
        /* Returns:
         *
-         *      = 0           → There was nothing to decrypt
+         *      = 0           → There was nothing to decrypt/setup
-         *      > 0           → Decrypted successfully
+         *      > 0           → Decrypted/setup successfully
-         *      -ENOKEY       → There's something to decrypt but no key was supplied
+         *      -ENOKEY       → dm-crypt: there's something to decrypt but no decryption key was supplied
-         *      -EKEYREJECTED → Passed key was not correct
+         *      -EKEYREJECTED → dm-crypt: Passed key was not correct
-         *      -EBUSY        → Generic Verity error (kernel is not very explanatory)
+         *      -EDESTADDRREQ → dm-verity: there's something to setup but no signature was supplied
         *      -EBUSY        → dm-verity: Generic Verity error (kernel is not very explanatory)
         *      -ERFKILL      → image policy not compatible with request
         */
        if (verity && verity->root_hash && verity->root_hash_size < sizeof(sd_id128_t))
@ -3085,6 +3126,10 @@ int dissected_image_decrypt(
        if (!m->encrypted && !m->verity_ready)
                return 0;
        r = secure_getenv_bool("SYSTEMD_VERITY_SHARING");
        if (r >= 0)
                SET_FLAG(flags, DISSECT_IMAGE_VERITY_SHARE, r);
 #if HAVE_LIBCRYPTSETUP
        r = decrypted_image_new(&d);
        if (r < 0)
@ -3097,15 +3142,15 @@ int dissected_image_decrypt(
                if (!p->found)
                        continue;
-                r = decrypt_partition(p, passphrase, flags, d);
+                PartitionPolicyFlags fl = image_policy_get_exhaustively(policy, i);
                r = decrypt_partition(p, passphrase, flags, fl, d);
                if (r < 0)
                        return r;
                k = partition_verity_hash_of(i);
                if (k >= 0) {
-                        flags |= getenv_bool("SYSTEMD_VERITY_SHARING") != 0 ? DISSECT_IMAGE_VERITY_SHARE : 0;
+                        r = verity_partition(i, p, m->partitions + k, verity, flags, fl, d);
                        r = verity_partition(i, p, m->partitions + k, verity, flags, d);
                        if (r < 0)
                                return r;
                }
@ -3118,7 +3163,6 @@ int dissected_image_decrypt(
        }
        m->decrypted_image = TAKE_PTR(d);
        return 1;
 #else
        return -EOPNOTSUPP;
@ -3129,6 +3173,7 @@ int dissected_image_decrypt_interactively(
                DissectedImage *m,
                const char *passphrase,
                const VeritySettings *verity,
                const ImagePolicy *image_policy,
                DissectImageFlags flags) {
        _cleanup_strv_free_erase_ char **z = NULL;
@ -3138,13 +3183,17 @@ int dissected_image_decrypt_interactively(
                n--;
        for (;;) {
-                r = dissected_image_decrypt(m, passphrase, verity, flags);
+                r = dissected_image_decrypt(m, passphrase, verity, image_policy, flags);
                if (r >= 0)
                        return r;
                if (r == -EKEYREJECTED)
                        log_error_errno(r, "Incorrect passphrase, try again!");
                else if (r == -EDESTADDRREQ)
                        return log_error_errno(r, "Image lacks recognized signature.");
                else if (r == -ERFKILL)
                        return log_error_errno(r, "Unlocking of Verity/LUKS volumes not permitted by policy.");
                else if (r != -ENOKEY)
-                        return log_error_errno(r, "Failed to decrypt image: %m");
+                        return log_error_errno(r, "Failed to decrypt/set up image: %m");
                if (--n < 0)
                        return log_error_errno(SYNTHETIC_ERRNO(EKEYREJECTED),
@ -4275,7 +4324,7 @@ int mount_image_privately_interactively(
        if (r < 0)
                return r;
-        r = dissected_image_decrypt_interactively(dissected_image, NULL, &verity, flags);
+        r = dissected_image_decrypt_interactively(dissected_image, NULL, &verity, image_policy, flags);
        if (r < 0)
                return r;
@ -4379,7 +4428,8 @@ int verity_dissect_and_mount(
                (relax_extension_release_check ? DISSECT_IMAGE_RELAX_EXTENSION_CHECK : 0) |
                DISSECT_IMAGE_ADD_PARTITION_DEVICES |
                DISSECT_IMAGE_PIN_PARTITION_DEVICES |
-                DISSECT_IMAGE_ALLOW_USERSPACE_VERITY;
+                DISSECT_IMAGE_ALLOW_USERSPACE_VERITY |
                DISSECT_IMAGE_VERITY_SHARE;
        /* Note that we don't use loop_device_make here, as the FD is most likely O_PATH which would not be
         * accepted by LOOP_CONFIGURE, so just let loop_device_make_by_path reopen it as a regular FD. */
@ -4426,6 +4476,7 @@ int verity_dissect_and_mount(
                        dissected_image,
                        NULL,
                        verity,
                        image_policy,
                        dissect_image_flags);
        if (r < 0)
                return log_debug_errno(r, "Failed to decrypt dissected image: %m");
--- a/src/shared/dissect-image.h
+++ b/src/shared/dissect-image.h
@ -171,8 +171,8 @@ void dissected_image_close(DissectedImage *m);
 DissectedImage* dissected_image_unref(DissectedImage *m);
 DEFINE_TRIVIAL_CLEANUP_FUNC(DissectedImage*, dissected_image_unref);
-int dissected_image_decrypt(DissectedImage *m, const char *passphrase, const VeritySettings *verity, DissectImageFlags flags);
+int dissected_image_decrypt(DissectedImage *m, const char *passphrase, const VeritySettings *verity, const ImagePolicy *image_policy, DissectImageFlags flags);
-int dissected_image_decrypt_interactively(DissectedImage *m, const char *passphrase, const VeritySettings *verity, DissectImageFlags flags);
+int dissected_image_decrypt_interactively(DissectedImage *m, const char *passphrase, const VeritySettings *verity, const ImagePolicy *image_policy, DissectImageFlags flags);
 int dissected_image_mount(DissectedImage *m, const char *where, uid_t uid_shift, uid_t uid_range, int userns_fd, DissectImageFlags flags);
 int dissected_image_mount_and_warn(DissectedImage *m, const char *where, uid_t uid_shift, uid_t uid_range, int userns_fd, DissectImageFlags flags);
--- a/src/shared/varlink-io.systemd.Unit.c
+++ b/src/shared/varlink-io.systemd.Unit.c
@ -92,145 +92,145 @@ static SD_VARLINK_DEFINE_STRUCT_TYPE(
                /* CPU Control
                 * https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#CPU%20Control */
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#CPUWeight=weight"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#CPUWeight=weight"),
                SD_VARLINK_DEFINE_FIELD(CPUWeight, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#CPUWeight=weight"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#CPUWeight=weight"),
                SD_VARLINK_DEFINE_FIELD(StartupCPUWeight, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#CPUQuota="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#CPUQuota="),
                SD_VARLINK_DEFINE_FIELD(CPUQuotaPerSecUSec, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#CPUQuotaPeriodSec="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#CPUQuotaPeriodSec="),
                SD_VARLINK_DEFINE_FIELD(CPUQuotaPeriodUSec, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#AllowedCPUs="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#AllowedCPUs="),
                SD_VARLINK_DEFINE_FIELD(AllowedCPUs, SD_VARLINK_INT, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#AllowedCPUs="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#AllowedCPUs="),
                SD_VARLINK_DEFINE_FIELD(StartupAllowedCPUs, SD_VARLINK_INT, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
                /* Memory Accounting and Control
                 * https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#Memory%20Accounting%20and%20Control */
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryAccounting="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryAccounting="),
                SD_VARLINK_DEFINE_FIELD(MemoryAccounting, SD_VARLINK_BOOL, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryMin=bytes,%20MemoryLow=bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryMin=bytes,%20MemoryLow=bytes"),
                SD_VARLINK_DEFINE_FIELD(MemoryMin, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryMin=bytes,%20MemoryLow=bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryMin=bytes,%20MemoryLow=bytes"),
                SD_VARLINK_DEFINE_FIELD(DefaultMemoryMin, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryMin=bytes,%20MemoryLow=bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryMin=bytes,%20MemoryLow=bytes"),
                SD_VARLINK_DEFINE_FIELD(MemoryLow, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryMin=bytes,%20MemoryLow=bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryMin=bytes,%20MemoryLow=bytes"),
                SD_VARLINK_DEFINE_FIELD(DefaultMemoryLow, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemorySwapMax=bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemorySwapMax=bytes"),
                SD_VARLINK_DEFINE_FIELD(StartupMemoryLow, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryMin=bytes,%20MemoryLow=bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryMin=bytes,%20MemoryLow=bytes"),
                SD_VARLINK_DEFINE_FIELD(DefaultStartupMemoryLow, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryHigh=bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryHigh=bytes"),
                SD_VARLINK_DEFINE_FIELD(MemoryHigh, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryHigh=bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryHigh=bytes"),
                SD_VARLINK_DEFINE_FIELD(StartupMemoryHigh, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryMax=bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryMax=bytes"),
                SD_VARLINK_DEFINE_FIELD(MemoryMax, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryMax=bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryMax=bytes"),
                SD_VARLINK_DEFINE_FIELD(StartupMemoryMax, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemorySwapMax=bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemorySwapMax=bytes"),
                SD_VARLINK_DEFINE_FIELD(MemorySwapMax, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemorySwapMax=bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemorySwapMax=bytes"),
                SD_VARLINK_DEFINE_FIELD(StartupMemorySwapMax, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryZSwapMax=bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryZSwapMax=bytes"),
                SD_VARLINK_DEFINE_FIELD(MemoryZSwapMax, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryZSwapMax=bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryZSwapMax=bytes"),
                SD_VARLINK_DEFINE_FIELD(StartupMemoryZSwapMax, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryZSwapWriteback="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryZSwapWriteback="),
                SD_VARLINK_DEFINE_FIELD(MemoryZSwapWriteback, SD_VARLINK_BOOL, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#AllowedMemoryNodes="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#AllowedMemoryNodes="),
                SD_VARLINK_DEFINE_FIELD(AllowedMemoryNodes, SD_VARLINK_INT, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#AllowedMemoryNodes="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#AllowedMemoryNodes="),
                SD_VARLINK_DEFINE_FIELD(StartupAllowedMemoryNodes, SD_VARLINK_INT, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
                /* Process Accounting and Control
                 * https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#Process%20Accounting%20and%20Control */
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#TasksAccounting="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#TasksAccounting="),
                SD_VARLINK_DEFINE_FIELD(TasksAccounting, SD_VARLINK_BOOL, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#TasksMax=N"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#TasksMax=N"),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(TasksMax, CGroupTasksMax, SD_VARLINK_NULLABLE),
                /* IO Accounting and Control
                 * https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IO%20Accounting%20and%20Control */
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IOAccounting="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#IOAccounting="),
                SD_VARLINK_DEFINE_FIELD(IOAccounting, SD_VARLINK_BOOL, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IOWeight=weight"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#IOWeight=weight"),
                SD_VARLINK_DEFINE_FIELD(IOWeight, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IOWeight=weight"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#IOWeight=weight"),
                SD_VARLINK_DEFINE_FIELD(StartupIOWeight, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IODeviceWeight=device%20weight"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#IODeviceWeight=device%20weight"),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(IODeviceWeight, CGroupIODeviceWeight, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IOReadBandwidthMax=device%20bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#IOReadBandwidthMax=device%20bytes"),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(IOReadBandwidthMax, CGroupIODeviceLimit, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IOReadBandwidthMax=device%20bytes"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#IOReadBandwidthMax=device%20bytes"),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(IOWriteBandwidthMax, CGroupIODeviceLimit, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IOReadIOPSMax=device%20IOPS"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#IOReadIOPSMax=device%20IOPS"),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(IOReadIOPSMax, CGroupIODeviceLimit, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IOReadIOPSMax=device%20IOPS"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#IOReadIOPSMax=device%20IOPS"),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(IOWriteIOPSMax, CGroupIODeviceLimit, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IODeviceLatencyTargetSec=device%20target"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#IODeviceLatencyTargetSec=device%20target"),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(IODeviceLatencyTargetUSec, CGroupIODeviceLatency, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
                /* Network Accounting and Control
                 * https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#Network%20Accounting%20and%20Control */
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IPAccounting="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#IPAccounting="),
                SD_VARLINK_DEFINE_FIELD(IPAccounting, SD_VARLINK_BOOL, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IPAddressAllow=ADDRESS%5B/PREFIXLENGTH%5D%E2%80%A6"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#IPAddressAllow=ADDRESS%5B/PREFIXLENGTH%5D%E2%80%A6"),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(IPAddressAllow, CGroupAddressPrefix, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IPAddressAllow=ADDRESS%5B/PREFIXLENGTH%5D%E2%80%A6"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#IPAddressAllow=ADDRESS%5B/PREFIXLENGTH%5D%E2%80%A6"),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(IPAddressDeny, CGroupAddressPrefix, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#SocketBindAllow=bind-rule"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#SocketBindAllow=bind-rule"),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(SocketBindAllow, CGroupSocketBind, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#SocketBindAllow=bind-rule"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#SocketBindAllow=bind-rule"),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(SocketBindDeny, CGroupSocketBind, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#RestrictNetworkInterfaces="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#RestrictNetworkInterfaces="),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(RestrictNetworkInterfaces, CGroupRestrictNetworkInterfaces, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#NFTSet=family:table:set"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#NFTSet=family:table:set"),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(NFTSet, CGroupNFTSet, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
                /* BPF programs
                 * https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#BPF%20Programs */
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IPIngressFilterPath=BPF_FS_PROGRAM_PATH"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#IPIngressFilterPath=BPF_FS_PROGRAM_PATH"),
                SD_VARLINK_DEFINE_FIELD(IPIngressFilterPath, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#IPIngressFilterPath=BPF_FS_PROGRAM_PATH"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#IPIngressFilterPath=BPF_FS_PROGRAM_PATH"),
                SD_VARLINK_DEFINE_FIELD(IPEgressFilterPath, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#BPFProgram=type:program-path"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#BPFProgram=type:program-path"),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(BPFProgram, CGroupBPFProgram, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
                /* Device Access
                 * https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#Device%20Access */
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#DeviceAllow="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#DeviceAllow="),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(DeviceAllow, CGroupDeviceAllow, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#DevicePolicy=auto%7Cclosed%7Cstrict"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#DevicePolicy=auto%7Cclosed%7Cstrict"),
                SD_VARLINK_DEFINE_FIELD(DevicePolicy, SD_VARLINK_STRING, 0),
                /* Control Group Management
                 * https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#Control%20Group%20Management */
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#Delegate="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#Delegate="),
                SD_VARLINK_DEFINE_FIELD(Delegate, SD_VARLINK_BOOL, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#DelegateSubgroup="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#DelegateSubgroup="),
                SD_VARLINK_DEFINE_FIELD(DelegateSubgroup, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#DisableControllers="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#DisableControllers="),
                SD_VARLINK_DEFINE_FIELD(DelegateControllers, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#DisableControllers="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#DisableControllers="),
                SD_VARLINK_DEFINE_FIELD(DisableControllers, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
                /* Memory Pressure Control
                 * https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#Memory%20Pressure%20Control */
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#ManagedOOMSwap=auto%7Ckill"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#ManagedOOMSwap=auto%7Ckill"),
                SD_VARLINK_DEFINE_FIELD(ManagedOOMSwap, SD_VARLINK_STRING, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#ManagedOOMSwap=auto%7Ckill"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#ManagedOOMSwap=auto%7Ckill"),
                SD_VARLINK_DEFINE_FIELD(ManagedOOMMemoryPressure, SD_VARLINK_STRING, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#ManagedOOMMemoryPressureLimit="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#ManagedOOMMemoryPressureLimit="),
                SD_VARLINK_DEFINE_FIELD(ManagedOOMMemoryPressureLimit, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#ManagedOOMMemoryPressureDurationSec="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#ManagedOOMMemoryPressureDurationSec="),
                SD_VARLINK_DEFINE_FIELD(ManagedOOMMemoryPressureDurationUSec, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#ManagedOOMPreference=none%7Cavoid%7Comit"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#ManagedOOMPreference=none%7Cavoid%7Comit"),
                SD_VARLINK_DEFINE_FIELD(ManagedOOMPreference, SD_VARLINK_STRING, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryPressureWatch="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryPressureWatch="),
                SD_VARLINK_DEFINE_FIELD(MemoryPressureWatch, SD_VARLINK_STRING, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#MemoryPressureThresholdSec="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.resource-control.html#MemoryPressureThresholdSec="),
                SD_VARLINK_DEFINE_FIELD(MemoryPressureThresholdUSec, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
                /* Others */
@ -259,107 +259,107 @@ static SD_VARLINK_DEFINE_STRUCT_TYPE(
                /* [Unit] Section Options
                 * https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#%5BUnit%5D%20Section%20Options */
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Description="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#Description="),
                SD_VARLINK_DEFINE_FIELD(Description, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Documentation="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#Documentation="),
                SD_VARLINK_DEFINE_FIELD(Documentation, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Wants="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#Wants="),
                SD_VARLINK_DEFINE_FIELD(Wants, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#WantedBy="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#WantedBy="),
                SD_VARLINK_DEFINE_FIELD(WantedBy, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Requires="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#Requires="),
                SD_VARLINK_DEFINE_FIELD(Requires, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#WantedBy="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#WantedBy="),
                SD_VARLINK_DEFINE_FIELD(RequiredBy, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Requisite="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#Requisite="),
                SD_VARLINK_DEFINE_FIELD(Requisite, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Requisite="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#Requisite="),
                SD_VARLINK_DEFINE_FIELD(RequisiteOf, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#BindsTo="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#BindsTo="),
                SD_VARLINK_DEFINE_FIELD(BindsTo, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#BindsTo="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#BindsTo="),
                SD_VARLINK_DEFINE_FIELD(BoundBy, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#PartOf="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#PartOf="),
                SD_VARLINK_DEFINE_FIELD(PartOf, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#PartOf="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#PartOf="),
                SD_VARLINK_DEFINE_FIELD(ConsistsOf, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Upholds="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#Upholds="),
                SD_VARLINK_DEFINE_FIELD(Upholds, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#WantedBy="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#WantedBy="),
                SD_VARLINK_DEFINE_FIELD(UpheldBy, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Conflicts="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#Conflicts="),
                SD_VARLINK_DEFINE_FIELD(Conflicts, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
                SD_VARLINK_FIELD_COMMENT("The ConflictedBy= dependencies of this unit"),
                SD_VARLINK_DEFINE_FIELD(ConflictedBy, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Before="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#Before="),
                SD_VARLINK_DEFINE_FIELD(Before, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Before="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#Before="),
                SD_VARLINK_DEFINE_FIELD(After, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#OnFailure="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#OnFailure="),
                SD_VARLINK_DEFINE_FIELD(OnFailure, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
                SD_VARLINK_FIELD_COMMENT("The OnFailureOf= dependencies of this unit"),
                SD_VARLINK_DEFINE_FIELD(OnFailureOf, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#OnSuccess="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#OnSuccess="),
                SD_VARLINK_DEFINE_FIELD(OnSuccess, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
                SD_VARLINK_FIELD_COMMENT("The OnSuccessOf= dependencies of this unit"),
                SD_VARLINK_DEFINE_FIELD(OnSuccessOf, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#PropagatesReloadTo="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#PropagatesReloadTo="),
                SD_VARLINK_DEFINE_FIELD(PropagatesReloadTo, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#PropagatesReloadTo="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#PropagatesReloadTo="),
                SD_VARLINK_DEFINE_FIELD(ReloadPropagatedFrom, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#PropagatesStopTo="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#PropagatesStopTo="),
                SD_VARLINK_DEFINE_FIELD(PropagatesStopTo, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#PropagatesStopTo="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#PropagatesStopTo="),
                SD_VARLINK_DEFINE_FIELD(StopPropagatedFrom, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#JoinsNamespaceOf="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#JoinsNamespaceOf="),
                SD_VARLINK_DEFINE_FIELD(JoinsNamespaceOf, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#RequiresMountsFor="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#RequiresMountsFor="),
                SD_VARLINK_DEFINE_FIELD(RequiresMountsFor, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#WantsMountsFor="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#WantsMountsFor="),
                SD_VARLINK_DEFINE_FIELD(WantsMountsFor, SD_VARLINK_STRING, SD_VARLINK_ARRAY|SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#OnSuccessJobMode="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#OnSuccessJobMode="),
                SD_VARLINK_DEFINE_FIELD(OnSuccessJobMode, SD_VARLINK_STRING, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#OnSuccessJobMode="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#OnSuccessJobMode="),
                SD_VARLINK_DEFINE_FIELD(OnFailureJobMode, SD_VARLINK_STRING, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#IgnoreOnIsolate="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#IgnoreOnIsolate="),
                SD_VARLINK_DEFINE_FIELD(IgnoreOnIsolate, SD_VARLINK_BOOL, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#StopWhenUnneeded="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#StopWhenUnneeded="),
                SD_VARLINK_DEFINE_FIELD(StopWhenUnneeded, SD_VARLINK_BOOL, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#RefuseManualStart="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#RefuseManualStart="),
                SD_VARLINK_DEFINE_FIELD(RefuseManualStart, SD_VARLINK_BOOL, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#RefuseManualStart="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#RefuseManualStart="),
                SD_VARLINK_DEFINE_FIELD(RefuseManualStop, SD_VARLINK_BOOL, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#AllowIsolate="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#AllowIsolate="),
                SD_VARLINK_DEFINE_FIELD(AllowIsolate, SD_VARLINK_BOOL, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#DefaultDependencies="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#DefaultDependencies="),
                SD_VARLINK_DEFINE_FIELD(DefaultDependencies, SD_VARLINK_BOOL, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#SurviveFinalKillSignal="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#SurviveFinalKillSignal="),
                SD_VARLINK_DEFINE_FIELD(SurviveFinalKillSignal, SD_VARLINK_BOOL, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#CollectMode="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#CollectMode="),
                SD_VARLINK_DEFINE_FIELD(CollectMode, SD_VARLINK_STRING, 0),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#FailureAction="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#FailureAction="),
                SD_VARLINK_DEFINE_FIELD(FailureAction, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#FailureAction="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#FailureAction="),
                SD_VARLINK_DEFINE_FIELD(SuccessAction, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#FailureActionExitStatus="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#FailureActionExitStatus="),
                SD_VARLINK_DEFINE_FIELD(FailureActionExitStatus, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#FailureActionExitStatus="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#FailureActionExitStatus="),
                SD_VARLINK_DEFINE_FIELD(SuccessActionExitStatus, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#JobTimeoutSec="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#JobTimeoutSec="),
                SD_VARLINK_DEFINE_FIELD(JobTimeoutUSec, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#JobTimeoutSec="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#JobTimeoutSec="),
                SD_VARLINK_DEFINE_FIELD(JobRunningTimeoutUSec, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#JobTimeoutAction="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#JobTimeoutAction="),
                SD_VARLINK_DEFINE_FIELD(JobTimeoutAction, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#JobTimeoutAction="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#JobTimeoutAction="),
                SD_VARLINK_DEFINE_FIELD(JobTimeoutRebootArgument, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#StartLimitIntervalSec=interval"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#StartLimitIntervalSec=interval"),
                SD_VARLINK_DEFINE_FIELD_BY_TYPE(StartLimit, RateLimit, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#StartLimitIntervalSec=interval"),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#StartLimitIntervalSec=interval"),
                SD_VARLINK_DEFINE_FIELD(StartLimitAction, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#RebootArgument="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#RebootArgument="),
                SD_VARLINK_DEFINE_FIELD(RebootArgument, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
-                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#SourcePath="),
+                SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man/"PROJECT_VERSION_STR"/systemd.unit.html#SourcePath="),
                SD_VARLINK_DEFINE_FIELD(SourcePath, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
                /* Conditions and Asserts
--- a/src/sysext/sysext.c
+++ b/src/sysext/sysext.c
@ -1862,7 +1862,7 @@ static int merge_subprocess(
                        if (r < 0)
                                return r;
-                        r = dissected_image_decrypt(m, /* passphrase= */ NULL, &verity_settings, flags);
+                        r = dissected_image_decrypt(m, /* passphrase= */ NULL, &verity_settings, pick_image_policy(img), flags);
                        if (r < 0)
                                return r;
--- a/src/systemd/_sd-common.h
+++ b/src/systemd/_sd-common.h
@ -52,10 +52,6 @@ typedef void (*_sd_destroy_t)(void *userdata);
 #  define _sd_pure_ __attribute__((__pure__))
 #endif
 #ifndef _sd_const_
 #  define _sd_const_ __attribute__((__const__))
 #endif
 /* Note that strictly speaking __deprecated__ has been available before GCC 6. However, starting with GCC 6
 * it also works on enum values, which we are interested in. Since this is a developer-facing feature anyway
 * (as opposed to build engineer-facing), let's hence conditionalize this to gcc 6, given that the developers
--- a/src/systemd/sd-id128.h
+++ b/src/systemd/sd-id128.h
@ -115,17 +115,17 @@ int sd_id128_get_invocation_app_specific(sd_id128_t app_id, sd_id128_t *ret);
 #define SD_ID128_MAKE_UUID_STR(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) \
        #a #b #c #d "-" #e #f "-" #g #h "-" #i #j "-" #k #l #m #n #o #p
-_sd_const_ static __inline__ int sd_id128_equal(sd_id128_t a, sd_id128_t b) {
+static __inline__ int sd_id128_equal(sd_id128_t a, sd_id128_t b) {
        return a.qwords[0] == b.qwords[0] && a.qwords[1] == b.qwords[1];
 }
 int sd_id128_string_equal(const char *s, sd_id128_t id);
-_sd_const_ static __inline__ int sd_id128_is_null(sd_id128_t a) {
+static __inline__ int sd_id128_is_null(sd_id128_t a) {
        return a.qwords[0] == 0 && a.qwords[1] == 0;
 }
-_sd_const_ static __inline__ int sd_id128_is_allf(sd_id128_t a) {
+static __inline__ int sd_id128_is_allf(sd_id128_t a) {
        return a.qwords[0] == UINT64_C(0xFFFFFFFFFFFFFFFF) && a.qwords[1] == UINT64_C(0xFFFFFFFFFFFFFFFF);
 }
@ -144,7 +144,7 @@ static __inline__ int sd_id128_in_setv(sd_id128_t a, va_list ap) {
        }
 }
-_sd_const_ static __inline__ int sd_id128_in_set_sentinel(sd_id128_t a, ...) {
+static __inline__ int sd_id128_in_set_sentinel(sd_id128_t a, ...) {
        va_list ap;
        int r;
--- a/src/systemd/sd-json.h
+++ b/src/systemd/sd-json.h
@ -338,7 +338,7 @@ int sd_json_variant_unhex(sd_json_variant *v, void **ret, size_t *ret_size);
 const char* sd_json_variant_type_to_string(sd_json_variant_type_t t);
 sd_json_variant_type_t sd_json_variant_type_from_string(const char *s);
-_sd_const_ static __inline__ int sd_json_format_enabled(sd_json_format_flags_t flags) {
+static __inline__ int sd_json_format_enabled(sd_json_format_flags_t flags) {
        return !(flags & SD_JSON_FORMAT_OFF);
 }
--- a/src/systemd/sd-path.h
+++ b/src/systemd/sd-path.h
@ -21,7 +21,7 @@
 _SD_BEGIN_DECLARATIONS;
-enum {
+__extension__ enum {
        /* Temporary files */
        SD_PATH_TEMPORARY,
        SD_PATH_TEMPORARY_LARGE,
@ -129,7 +129,8 @@ enum {
        SD_PATH_USER_CREDENTIAL_STORE_ENCRYPTED,
        SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED,
-        _SD_PATH_MAX
+        _SD_PATH_MAX,
        _SD_PATH_INVALID = UINT64_MAX
 };
 int sd_path_lookup(uint64_t type, const char *suffix, char **ret);
--- a/src/vmspawn/vmspawn.c
+++ b/src/vmspawn/vmspawn.c
@ -2101,12 +2101,6 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
                        return log_oom();
        }
        if (strv_length(arg_extra_drives) > 0) {
                r = strv_extend_many(&cmdline, "-device", "virtio-scsi-pci,id=scsi");
                if (r < 0)
                        return log_oom();
        }
        if (kernel) {
                r = strv_extend_many(&cmdline, "-kernel", kernel);
                if (r < 0)
@ -2255,7 +2249,7 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
                if (strv_extend(&cmdline, "-device") < 0)
                        return log_oom();
-                if (strv_extendf(&cmdline, "scsi-hd,drive=vmspawn_extra_%zu,serial=%s", i++, escaped_drive_fn) < 0)
+                if (strv_extendf(&cmdline, "virtio-blk-pci,drive=vmspawn_extra_%zu,serial=%s", i++, escaped_drive_fn) < 0)
                        return log_oom();
        }
--- a/test/units/TEST-50-DISSECT.dissect.sh
+++ b/test/units/TEST-50-DISSECT.dissect.sh
@ -69,12 +69,12 @@ mv "$MINIMAL_IMAGE.fooverity" "$MINIMAL_IMAGE.verity"
 mv "$MINIMAL_IMAGE.foohash" "$MINIMAL_IMAGE.roothash"
 mkdir -p "$IMAGE_DIR/mount" "$IMAGE_DIR/mount2"
-systemd-dissect --mount "$MINIMAL_IMAGE.raw" "$IMAGE_DIR/mount"
+SYSTEMD_VERITY_SHARING=1 systemd-dissect --mount "$MINIMAL_IMAGE.raw" "$IMAGE_DIR/mount"
 grep -q -F -f "$OS_RELEASE" "$IMAGE_DIR/mount/usr/lib/os-release"
 grep -q -F -f "$OS_RELEASE" "$IMAGE_DIR/mount/etc/os-release"
 grep -q -F "MARKER=1" "$IMAGE_DIR/mount/usr/lib/os-release"
 # Verity volume should be shared (opened only once)
-systemd-dissect --mount "$MINIMAL_IMAGE.raw" "$IMAGE_DIR/mount2"
+SYSTEMD_VERITY_SHARING=1 systemd-dissect --mount "$MINIMAL_IMAGE.raw" "$IMAGE_DIR/mount2"
 verity_count=$(find /dev/mapper/ -name "*verity*" | wc -l)
 # In theory we should check that count is exactly one. In practice, libdevmapper
 # randomly and unpredictably fails with an unhelpful EINVAL when a device is open
--- a/test/units/TEST-50-DISSECT.mountfsd.sh
+++ b/test/units/TEST-50-DISSECT.mountfsd.sh
@ -60,8 +60,23 @@ if (SYSTEMD_LOG_TARGET=console varlinkctl call \
    exit 0
 fi
 # This should work without the key
 systemd-dissect --image-policy='root=verity:=absent+unused' --mtree /var/tmp/unpriv.raw >/dev/null
 systemd-dissect --image-policy='root=verity+signed:=absent+unused' --mtree /var/tmp/unpriv.raw >/dev/null
 # This should fail before we install the key
 (! systemd-dissect --image-policy='root=signed:=absent+unused' --mtree /var/tmp/unpriv.raw >/dev/null)
 # Install key in keychain
-cp /tmp/test-50-unpriv-cert.crt /run/verity.d
+mkdir -p /run/verity.d
 cp /tmp/test-50-unpriv-cert.crt /run/verity.d/
 # This should work now
 systemd-dissect --image-policy='root=signed:=absent+unused' --mtree /var/tmp/unpriv.raw >/dev/null
 # This should still work
 systemd-dissect --image-policy='root=verity:=absent+unused' --mtree /var/tmp/unpriv.raw >/dev/null
 systemd-dissect --image-policy='root=verity+signed:=absent+unused' --mtree /var/tmp/unpriv.raw >/dev/null
 # Now run unpriv again, should be OK now.
 runas testuser systemd-dissect /var/tmp/unpriv.raw
Author	SHA1	Message	Date
Nick Labich	1df624422a	vmspawn: Use virtio-blk-pci for extra drives Fixes #39262	2025-10-14 16:09:51 +02:00
Zbigniew Jędrzejewski-Szmek	770170fa62	Revert "meson: fail build when encountering unused variables" This reverts commit e1e1ef09f9bc7d2ca1f6876f4f4d13268be5a50d. This change was misguided. The warning is enough during development and will get fixed, but turning this into a hard failure just makes WIP harder. Also, a hard error increases the likelyhood of a build failure in scenarios where somebody is disabling components (as seen e.g. in ba8801a07640205778c5a62539597c68d7bdb211). We already are not very good at keeping our codebase compile correctly as it ages, because of changes in compilers and dependencies, and we should not go out of our way to increase the probability of failure. Such scenarios are painful for downstream builds.	2025-10-14 14:40:09 +02:00
Zbigniew Jędrzejewski-Szmek	c3f32b941b	meson: stop probing for paths of programs in /usr/sbin We dropped support for split-usr a while ago, which means that the programs will be in /usr/sbin, which actually may be the same as /usr/bin on merged-bin systems. So the whole checking is mostly pointless in the usual case. OTOH, on Nix the paths will be totally different and need to be set through the option anyway. So save time during builds by using the "fallback" path unless the option is specified. This avoid some busywork during the slow serial build phase.	2025-10-14 14:39:45 +02:00
Daan De Meyer	a2890ce3e0	varlink: Always link to documentation for current version	2025-10-14 13:14:23 +02:00
Lennart Poettering	86d9498c8c	libsystemd: drop "const" decorators on public inline functions The point of the "const" attribute is to give the compiler hints about behaviour of functions if it only has the function prototype but no body around. But inline functions are the ones where the compiler always has the body around, hence the "const" decorator is really just noise: the compuler can determine the constness on its own, just by looking at the code. Hence, drop the decorators, it's just noise. And a source of errors, as 675fa49f69943b0f009c973ed3d1e90afc1d88b1 has shown. Follow-up for: #39289	2025-10-14 13:08:57 +02:00
Lennart Poettering	e5dc514277	nspawn: register containers in both user and system machined if applicable (#39145 )	2025-10-14 11:58:29 +02:00
Lennart Poettering	fec0f699a2	dissect image policy tweaks (#39168 )	2025-10-14 10:25:34 +02:00
Lennart Poettering	f84d61d639	test: make sure TEST-50-DISSECT.mountfsd.sh can run standalone	2025-10-13 22:26:34 +02:00
Lennart Poettering	d20dff2814	dissect-image: take policy into consideration when unlocking verity, too Previously, we'd take the image policy only into consideration when dissecting the mage, but for the unlock/verity step we'd go via best effort. Change that. This means we can now enforce policies such as activating by root hash only even if a signature exists and similar. Also, introduce a separate error code if we try to unlock a Verity volume but have no root hash. Previously we'd return ENOKEY for that, exactly like we do for encrypted volumes where we have no passparse. The interctive unlock loop dissected_image_decrypt_interactively() is otherwise very confused and will ask for a root hash, which makes no sense. Hence use two distinct errors for this.	2025-10-13 22:26:34 +02:00
Lennart Poettering	57d1ceffb3	dissect-image: turn verity device sharing into opt-in Sharing verity volumes is problematic for a veriety of reasons, for example because it might pin the wrong backing device at the wrong time. Let's hence turn this around: unless verity sharing is enabled, leave it off, and turn $SYSTEMD_VERITY_SHARING into a true boolean that can be set both ways. The primary usecase for verity sharing is RootImage=, where it probably makes sense to leave on, hence set the flag there. This is crucial when putting together installers which install an OS on a second disk: if verity sharing is always on we might mount the wrong of the two disks at the wrong time.	2025-10-13 22:13:53 +02:00
Lennart Poettering	814db2ae79	nspawn: register containers with both the system-wide and the per-user machined instance Let's make sure each container run by unpriv users is known by both instances. Making it known by the host instance ensures it is resovlable by nss-myhostname (and various other tools), but making it known by the per-user instance means the user can fully manage it on their own. This simplifies the code a bit too, i.e. we always allocate a scope ourselves now, and just register it, instead of letting machined do that under some circumstances. THere's little value in that and it simplifies things for us quite a bit.	2025-10-07 12:33:52 +02:00
Lennart Poettering	4e75f47782	nspawn: support .nspawn files in per-user mode	2025-10-07 11:44:54 +02:00