2026-03-30 19:54:51 +02:00
58 changed files with 338 additions and 506 deletions
--- a/.github/workflows/build-test-musl.sh
+++ b/.github/workflows/build-test-musl.sh
@ -20,5 +20,75 @@ cleanup() (
 trap cleanup EXIT ERR INT TERM
-tools/setup-musl-build.sh "${TMPDIR}/build"
+mkdir -p "${TMPDIR}/build"
-ninja -v -C "${TMPDIR}/build"
+mkdir -p "${TMPDIR}/usr/include"
 mkdir -p "${TMPDIR}/usr/lib64/pkgconfig"
 CFLAGS="-idirafter ${TMPDIR}/usr/include"
 export PKG_CONFIG_PATH="${TMPDIR}"/usr/lib64/pkgconfig
 LINKS=(
    acl
    archive.h
    archive_entry.h
    asm
    asm-generic
    audit-records.h
    audit_logging.h
    bpf
    bzlib.h
    curl
    dwarf.h
    elfutils
    fido.h
    gcrypt.h
    gelf.h
    gnutls
    gpg-error.h
    idn2.h
    libaudit.h
    libcryptsetup.h
    libelf.h
    libkmod.h
    linux
    lz4.h
    lz4frame.h
    lz4hc.h
    lzma
    lzma.h
    microhttpd.h
    mtd
    openssl
    pcre2.h
    pwquality.h
    qrencode.h
    seccomp-syscalls.h
    seccomp.h
    security
    selinux
    sys/acl.h
    sys/capability.h
    tss2
    xen
    xkbcommon
    zconf.h
    zlib.h
    zstd.h
    zstd_errors.h
 )
 for t in "${LINKS[@]}"; do
    [[ -e /usr/include/"$t" ]]
    link="${TMPDIR}"/usr/include/"${t}"
    mkdir -p "${link%/*}"
    ln -s /usr/include/"$t" "$link"
 done
 env \
    CC=musl-gcc \
    CXX=musl-gcc \
    CFLAGS="$CFLAGS" \
    CXXFLAGS="$CFLAGS" \
    meson setup --werror -Ddbus-interfaces-dir=no -Dlibc=musl "${TMPDIR}"/build
 ninja -v -C "${TMPDIR}"/build
--- a/.github/workflows/unit-tests-musl.sh
+++ b/.github/workflows/unit-tests-musl.sh
@ -37,7 +37,7 @@ for phase in "${PHASES[@]}"; do
            info "Run phase"
            # Create dummy machine ID.
-            echo '052e58f661f94bd080e258b96aea3f7b' >/etc/machine-id
+            echo '052e58f661f94bd080e258b96aea3f7b' > /etc/machine-id
            # Start dbus for several unit tests.
            mkdir -p /var/run/dbus
--- a/68
+++ b/68
@ -4,31 +4,6 @@ CHANGES WITH 259 in spe:
        Announcements of Future Feature Removals and Incompatible Changes:
        * Support for System V service scripts is deprecated and will be
          removed in v260. Please make sure to update your software *now* to
          include a native systemd unit file instead of a legacy System V
          script to retain compatibility with future systemd releases.
          Following components will be removed:
          * systemd-rc-local-generator,
          * systemd-sysv-generator,
          * systemd-sysv-install (hook for systemctl enable/disable/is-enabled).
        * Required minimum versions of following components are planned to be
          raised in v260:
          * Linux kernel >= 5.10 (recommended >= 5.14),
          * glibc >= 2.34,
          * libxcrypt >= 4.4.0 (libcrypt in glibc will be no longer supported),
          * util-linux >= 2.37,
          * elfutils >= 0.177,
          * openssl >= 3.0.0,
          * cryptsetup >= 2.4.0,
          * libseccomp >= 2.4.0,
          * python >= 3.9.0.
          Please provide feedback on systemd-devel if this would cause problems.
        * The parsing of RootImageOptions= and the mount image parameters of
          ExtensionImages= and MountImages= will be changed in the next version
          so that the last duplicated definition for a given partition wins and
@ -74,15 +49,6 @@ CHANGES WITH 259 in spe:
          image. Hence, effectively they were read-only already, and this is
          now official.
        * The LUKS volume label string set by systemd-repart no longer defaults
          to the literal same as the partition and file system label, but is
          prefixed with "luks-". This is done so that on LUKS enabled images a
          conflict between /dev/disk/by-label/ symlinks is removed, as this
          symlink is generated both for file system and LUKS superblock
          labels. There's a new VolumeLabel= setting for partitions that can be
          used to expicitly choose a LUKS superblock label, which can be used
          to explicitly revert to the old naming, if required.
        Service manager/PID1:
        * The service manager's Varlink IPC has been extended considerably. It
@ -542,16 +508,16 @@ CHANGES WITH 259 in spe:
        Contributions from: Alan Brady, Alberto Planas, Aleksandr Mezin,
        Allison Karlitskaya, Andreas Schneider, Anton Tiurin,
        Antonio Alvarez Feijoo, Arian van Putten, Armin Wolf,
-        Bastian Almendras, Charlie Le, Chen Qi, Chris Down,
+        Bastian Almendras, Chen Qi, Chris Down, Christian Hesse,
-        Christian Hesse, Christoph Anton Mitterer, Daan De Meyer,
+        Christoph Anton Mitterer, Daan De Meyer, Daniel Brackenbury,
-        Daniel Brackenbury, Daniel Foster, Daniel Hast, Danilo Spinella,
+        Daniel Foster, Daniel Hast, Danilo Spinella, David Tardon,
-        David Tardon, Dimitri John Ledkov, Dr. David Alan Gilbert,
+        Dimitri John Ledkov, Dr. David Alan Gilbert, Duy Nguyen Van,
-        Duy Nguyen Van, Emanuele Giuseppe Esposito, Emil Renner Berthing,
+        Emanuele Giuseppe Esposito, Eric Curtin, Erin Shepherd,
-        Eric Curtin, Erin Shepherd, Evgeny Vereshchagin, Felix Pehla,
+        Evgeny Vereshchagin, Felix Pehla, Florian, Francesco Valla,
-        Florian, Francesco Valla, Franck Bui, Frantisek Sumsal,
+        Franck Bui, Frantisek Sumsal, Gero Schwäricke,
-        Gero Schwäricke, Goffredo Baroncelli, Govind Venugopal,
+        Goffredo Baroncelli, Govind Venugopal, Guido Günther,
-        Guido Günther, Hans de Goede, Igor Opaniuk, Ingo Franzki, Itxaka,
+        Hans de Goede, Igor Opaniuk, Ingo Franzki, Itxaka, Ivan Kruglov,
-        Ivan Kruglov, Jelle van der Waa, Jim Spentzos, Joshua Krusell,
+        Jelle van der Waa, Jim Spentzos, Joshua Krusell,
        Justin Kromlinger, Jörg Behrmann, Kai Lueke, Kai Wohlfahrt,
        Le_Futuriste, Lennart Poettering, Luca Boccassi,
        Lucas Adriano Salles, Lukáš Nykrýn, Managor, Mantas Mikulėnas,
@ -567,8 +533,6 @@ CHANGES WITH 259 in spe:
        jouyouyun, jsks, kanitha chim, n0099, ners, nkraetzschmar, nl6720,
        theSillywhat, val4oss, 雪叶
        — Edinburgh, 2025/11/17
 CHANGES WITH 258:
        Incompatible changes:
@ -745,10 +709,10 @@ CHANGES WITH 258:
        Announcements of Future Feature Removals:
-        * (postponed to v260) Support for System V service scripts is deprecated
+        * Support for System V service scripts is deprecated and will be
-          and will be removed in v259. Please make sure to update your software
+          removed in v259. Please make sure to update your software *now* to
-          *now* to include a native systemd unit file instead of a legacy System
+          include a native systemd unit file instead of a legacy System V
-          V script to retain compatibility with future systemd releases.
+          script to retain compatibility with future systemd releases.
        * Support for the legacy /run/lock/ directory is deprecated and will be
          removed in v259. Any software that still needs access to this legacy
@ -772,8 +736,8 @@ CHANGES WITH 258:
          Only nftables backend will be supported by systemd-networkd and
          systemd-nspawn since v259.
-        * (postponed to v260) Required minimum versions of following components
+        * Required minimum versions of following components are planned to be
-          are planned to be raised in the next release:
+          raised in the next release:
          * Linux kernel >= 5.10 (recommended >= 5.14),
          * glibc >= 2.34,
--- a/10
+++ b/10
@ -22,10 +22,7 @@ External:
 * fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it
-* missing shell completions:
+* zsh shell completion:
  - systemd-hwdb
 * zsh shell completions:
  - <command> <verb> -<TAB> should complete options, but currently does not
  - systemctl add-wants,add-requires
  - systemctl reboot --boot-loader-entry=
@ -781,11 +778,6 @@ Features:
 * credentials: add a flag to the scoped credentials that if set require PK
  reauthentication when unlocking a secret.
 * credentials: rework docs. The list in
  https://systemd.io/CREDENTIALS/#well-known-credentials is very stale.
  Document credentials in individual man pages, generate list as in
  systemd.directives.
 * extend the smbios11 logic for passing credentials so that instead of passing
  the credential data literally it can also just reference an AF_VSOCK CID/port
  to read them from. This way the data doesn't remain in the SMBIOS blob during
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@ -578,8 +578,8 @@ disk images with `--image=` or similar:
  environment variable to the build directory and you are set. This variable
  is only supported when systemd is compiled in developer mode.
-Various tools that read passwords from the TTY, such as `systemd-cryptenroll`,
+Various tools that read passwords from the TTY, such as `systemd-cryptenroll`
-`systemd-dissect` and `homectl`:
+and `homectl`:
 * `$PASSWORD` — takes a string: the literal password to use. If this
  environment variable is set it is used as password instead of prompting the
--- a/docs/MEMORY_PRESSURE.md
+++ b/docs/MEMORY_PRESSURE.md
@ -227,15 +227,12 @@ handling, it's typically sufficient to add a line such as:
 Other programming environments might have native APIs to watch memory
 pressure/low memory events. Most notable is probably GLib's
-[GMemoryMonitor](https://docs.gtk.org/gio/iface.MemoryMonitor.html). As of GLib
+[GMemoryMonitor](https://docs.gtk.org/gio/iface.MemoryMonitor.html). It
-2.86.0, it uses the per-cgroup PSI kernel file to monitor for memory pressure,
+currently uses the per-system Linux PSI interface as the backend, but operates
-but does not yet read the environment variables recommended above.
+differently than the above: memory pressure events are picked up by a system
-
+service, which then propagates this through D-Bus to the applications. This is
-In older versions, it used the per-system Linux PSI interface as the backend, but operated
+typically less than ideal, since this means each notification event has to
-differently than the above: memory pressure events were picked up by a system
+traverse three processes before being handled. This traversal creates
 service, which then propagated this through D-Bus to the applications. This was
 typically less than ideal, since this means each notification event had to
 traverse three processes before being handled. This traversal created
 additional latencies at a time where the system is already experiencing adverse
-latencies. Moreover, it focused on system-wide PSI events, even though
+latencies. Moreover, it focuses on system-wide PSI events, even though
 service-local ones are generally the better approach.
--- a/hwdb.d/60-keyboard.hwdb
+++ b/hwdb.d/60-keyboard.hwdb
@ -237,8 +237,6 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnAcer*:pnNitro*AN*515-47:pvr*
 # Nitro AN515-58
 evdev:atkbd:dmi:bvn*:bvr*:bd*:svnAcer*:pnNitro*AN*515-58:pvr*
 KEYBOARD_KEY_ef=kbdillumup                             # Fn+F10
 KEYBOARD_KEY_f0=kbdillumdown                           # Fn+F9
 KEYBOARD_KEY_8a=micmute                                # Microphone mute button
 KEYBOARD_KEY_55=power
--- a/man/repart.d.xml
+++ b/man/repart.d.xml
@ -256,17 +256,6 @@
        <xi:include href="version-info.xml" xpointer="v245"/></listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>VolumeLabel=</varname></term>
        <listitem><para>The textual label to assign to the LUKS superblock if applicable. If not specified
        defaults to the same string as the partition label (see <varname>Label=</varname> above), however
        prefixed with <literal>luks-</literal>. This setting has no effect if encryption is not enabled for
        this partition.</para>
        <xi:include href="version-info.xml" xpointer="v259"/></listitem>
      </varlistentry>
      <varlistentry>
        <term><varname>UUID=</varname></term>
--- a/meson.build
+++ b/meson.build
@ -26,8 +26,8 @@ else
        project_minor_version = '0'
 endif
-libsystemd_version = '0.42.0'
+libsystemd_version = '0.41.0'
-libudev_version = '1.7.12'
+libudev_version = '1.7.11'
 conf = configuration_data()
 conf.set_quoted('PROJECT_URL', 'https://systemd.io/')
@ -1028,6 +1028,7 @@ threads = dependency('threads')
 librt = cc.find_library('rt')
 libm = cc.find_library('m')
 libdl = cc.find_library('dl')
 libutmps = dependency('libutmps', required : false)
 # On some distributions that use musl (e.g. Alpine), libintl.h may be provided by gettext rather than musl.
 # In that case, we need to explicitly link with libintl.so.
@ -1687,7 +1688,7 @@ foreach tuple : [
                ['timesyncd'],
                ['tmpfiles'],
                ['tpm'],
-                ['utmp',            get_option('libc') != 'musl',     'musl does not support it'],
+                ['utmp'],
                ['userdb'],
                ['vconsole'],
                ['xdg-autostart'],
--- a/meson.version
+++ b/meson.version
@ -1 +1 @@
-259~rc1
+259~devel
--- a/src/basic/chase.c
+++ b/src/basic/chase.c
@ -412,9 +412,11 @@ int chaseat(int dir_fd, const char *path, ChaseFlags flags, char **ret_path, int
                                return r;
                        if (FLAGS_SET(flags, CHASE_MKDIR_0755) && (!isempty(todo) || !(flags & (CHASE_PARENT|CHASE_NONEXISTENT)))) {
-                                child = xopenat(fd,
+                                child = xopenat_full(fd,
-                                                first,
+                                                     first,
-                                                O_DIRECTORY|O_CREAT|O_EXCL|O_NOFOLLOW|O_PATH|O_CLOEXEC);
+                                                     O_DIRECTORY|O_CREAT|O_EXCL|O_NOFOLLOW|O_PATH|O_CLOEXEC,
                                                     /* xopen_flags = */ 0,
                                                     0755);
                                if (child < 0)
                                        return child;
                        } else if (FLAGS_SET(flags, CHASE_PARENT) && isempty(todo)) {
--- a/src/basic/fs-util.h
+++ b/src/basic/fs-util.h
@ -128,7 +128,7 @@ int openat_report_new(int dirfd, const char *pathname, int flags, mode_t mode, b
 int xopenat_full(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_flags, mode_t mode);
 static inline int xopenat(int dir_fd, const char *path, int open_flags) {
-        return xopenat_full(dir_fd, path, open_flags, 0, MODE_INVALID);
+        return xopenat_full(dir_fd, path, open_flags, 0, 0);
 }
 int xopenat_lock_full(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_flags, mode_t mode, LockType locktype, int operation);
--- a/src/basic/log.c
+++ b/src/basic/log.c
@ -950,6 +950,8 @@ int log_format_iovec(
                const char *format,
                va_list ap) {
        static const char nl = '\n';
        while (format && *n + 1 < iovec_len) {
                va_list aq;
                char *m;
@ -973,7 +975,7 @@ int log_format_iovec(
                iovec[(*n)++] = IOVEC_MAKE_STRING(m);
                if (newline_separator)
-                        iovec[(*n)++] = IOVEC_MAKE_STRING("\n");
+                        iovec[(*n)++] = IOVEC_MAKE((char *)&nl, 1);
                format = va_arg(ap, char *);
        }
--- a/src/basic/log.h
+++ b/src/basic/log.h
@ -287,21 +287,18 @@ bool log_on_console(void) _pure_;
 /* Helper to wrap the main message in structured logging. The macro doesn't do much,
 * except to provide visual grouping of the format string and its arguments. */
-#ifdef __COVERITY__
+#if LOG_MESSAGE_VERIFICATION || defined(__COVERITY__)
 /* Coverity does not like the concatenation of multiple formats and arguments. Let's replace each format
 * string with a dummy string. The validity of the formats is hopefully checked by other CIs. */
 #  define LOG_ITEM(fmt, ...)    "dummy", NULL, ##__VA_ARGS__
 #elif LOG_MESSAGE_VERIFICATION
 /* Do a fake formatting of the message string to let the scanner verify the arguments against the format
 * message. The variable will never be set to true, but we don't tell the compiler that :) */
 extern bool _log_message_dummy;
 #  define LOG_ITEM(fmt, ...) "%.0d" fmt, (_log_message_dummy && printf(fmt, ##__VA_ARGS__)), ##__VA_ARGS__
 #  define LOG_MESSAGE(fmt, ...) LOG_ITEM("MESSAGE=" fmt, ##__VA_ARGS__)
 #else
 #  define LOG_ITEM(fmt, ...) fmt, ##__VA_ARGS__
 #  define LOG_MESSAGE(fmt, ...) "MESSAGE=" fmt, ##__VA_ARGS__
 #endif
-#define LOG_MESSAGE(fmt, ...) LOG_ITEM("MESSAGE=" fmt, ##__VA_ARGS__)
+#define LOG_MESSAGE_ID(id) LOG_ITEM("MESSAGE_ID=" id)
 #define LOG_MESSAGE_ID(id)    LOG_ITEM("MESSAGE_ID=" id)
 void log_received_signal(int level, const struct signalfd_siginfo *si);
--- a/src/basic/tmpfile-util.c
+++ b/src/basic/tmpfile-util.c
@ -447,9 +447,7 @@ void cleanup_tmpfile_data_done(struct cleanup_tmpfile_data *d) {
            !*d->filename)
                return;
-        PROTECT_ERRNO;
+        (void) unlinkat(*d->dir_fd, *d->filename, 0);
        (void) unlinkat(*d->dir_fd, *d->filename, /* flags= */ 0);
        d->dir_fd = NULL;
        d->filename = NULL;
 }
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@ -136,9 +136,8 @@ static const BindMount bind_log_sockets_table[] = {
        { (char*) "/run/systemd/journal/dev-log", (char*) "/run/systemd/journal/dev-log", .read_only = true, .nosuid = true, .noexec = true, .nodev = true, .ignore_enoent = true },
 };
-/* If MountAPIVFS= is used, let's mount /proc/, /dev/, /sys/, and /run/, but only as a fallback if the user
+/* If MountAPIVFS= is used, let's mount /sys, /proc, /dev and /run into the it, but only as a fallback if the user hasn't mounted
- * hasn't mounted something already. These mounts are hence overridden by any other explicitly configured
+ * something there already. These mounts are hence overridden by any other explicitly configured mounts. */
 * mounts. */
 static const MountEntry apivfs_table[] = {
        { "/proc",               MOUNT_PROCFS,       false },
        { "/dev",                MOUNT_BIND_DEV,     false },
@ -192,8 +191,8 @@ static const MountEntry protect_kernel_logs_dev_table[] = {
 };
 /*
- * ProtectHome=read-only. Protect $HOME and $XDG_RUNTIME_DIR and rest of
+ * ProtectHome=read-only table, protect $HOME and $XDG_RUNTIME_DIR and rest of
- * system should be protected by ProtectSystem=.
+ * system should be protected by ProtectSystem=
 */
 static const MountEntry protect_home_read_only_table[] = {
        { "/home",               MOUNT_READ_ONLY,     true  },
@ -201,37 +200,37 @@ static const MountEntry protect_home_read_only_table[] = {
        { "/root",               MOUNT_READ_ONLY,     true  },
 };
-/* ProtectHome=tmpfs */
+/* ProtectHome=tmpfs table */
 static const MountEntry protect_home_tmpfs_table[] = {
        { "/home",               MOUNT_TMPFS,        true, .read_only = true, .options_const = "mode=0755" TMPFS_LIMITS_EMPTY_OR_ALMOST, .flags = MS_NODEV|MS_STRICTATIME },
        { "/run/user",           MOUNT_TMPFS,        true, .read_only = true, .options_const = "mode=0755" TMPFS_LIMITS_EMPTY_OR_ALMOST, .flags = MS_NODEV|MS_STRICTATIME },
        { "/root",               MOUNT_TMPFS,        true, .read_only = true, .options_const = "mode=0700" TMPFS_LIMITS_EMPTY_OR_ALMOST, .flags = MS_NODEV|MS_STRICTATIME },
 };
-/* ProtectHome=yes */
+/* ProtectHome=yes table */
 static const MountEntry protect_home_yes_table[] = {
        { "/home",               MOUNT_INACCESSIBLE, true  },
        { "/run/user",           MOUNT_INACCESSIBLE, true  },
        { "/root",               MOUNT_INACCESSIBLE, true  },
 };
-/* ProtectControlGroups=yes */
+/* ProtectControlGroups=yes table */
 static const MountEntry protect_control_groups_yes_table[] = {
        { "/sys/fs/cgroup",      MOUNT_READ_ONLY,         false  },
 };
-/* ProtectControlGroups=private. Note mount_private_apivfs() always use MS_NOSUID|MS_NOEXEC|MS_NODEV so
+/* ProtectControlGroups=private table. Note mount_private_apivfs() always use MS_NOSUID|MS_NOEXEC|MS_NODEV so
- * flags are not set here. */
+ * flags is not set here. */
 static const MountEntry protect_control_groups_private_table[] = {
        { "/sys/fs/cgroup",      MOUNT_PRIVATE_CGROUP2FS, false, .read_only = false },
 };
-/* ProtectControlGroups=strict */
+/* ProtectControlGroups=strict table */
 static const MountEntry protect_control_groups_strict_table[] = {
        { "/sys/fs/cgroup",      MOUNT_PRIVATE_CGROUP2FS, false, .read_only = true },
 };
-/* ProtectSystem=yes */
+/* ProtectSystem=yes table */
 static const MountEntry protect_system_yes_table[] = {
        { "/usr",                MOUNT_READ_ONLY,     false },
        { "/boot",               MOUNT_READ_ONLY,     true  },
@ -246,9 +245,9 @@ static const MountEntry protect_system_full_table[] = {
        { "/etc",                MOUNT_READ_ONLY,     false },
 };
-/* ProtectSystem=strict. In this strict mode, we mount everything read-only, except for /proc, /dev, and
+/* ProtectSystem=strict table. In this strict mode, we mount everything read-only, except for /proc, /dev,
- * /sys which are the kernel API VFS and left writable. PrivateDevices= + ProtectKernelTunables=
+ * /sys which are the kernel API VFS, which are left writable, but PrivateDevices= + ProtectKernelTunables=
- * protect those, and these options should be fully orthogonal. (And of course /home and friends are also
+ * protect those, and these options should be fully orthogonal.  (And of course /home and friends are also
 * left writable, as ProtectHome= shall manage those, orthogonally).
 */
 static const MountEntry protect_system_strict_table[] = {
@ -261,7 +260,7 @@ static const MountEntry protect_system_strict_table[] = {
        { "/root",               MOUNT_READ_WRITE_IMPLICIT, true  },      /* ProtectHome= */
 };
-/* ProtectHostname=yes */
+/* ProtectHostname=yes able */
 static const MountEntry protect_hostname_yes_table[] = {
        { "/proc/sys/kernel/hostname",   MOUNT_READ_ONLY, false },
        { "/proc/sys/kernel/domainname", MOUNT_READ_ONLY, false },
@ -1840,7 +1839,7 @@ static int apply_one_mount(
                        return 0;
                }
-                log_debug_errno(r, "Failed to mount new bpffs instance at %s, will make read-only, ignoring: %m", mount_entry_path(m));
+                log_debug_errno(r, "Failed to mount new bpffs instance, fallback to making %s read-only, ignoring: %m", mount_entry_path(m));
                m->mode = MOUNT_READ_ONLY;
                m->ignore = true;
        }
--- a/src/dissect/dissect.c
+++ b/src/dissect/dissect.c
@ -2152,15 +2152,8 @@ static int run(int argc, char *argv[]) {
                                        return log_error_errno(r, "Failed to guess verity root hash: %m");
                                if (arg_action != ACTION_DISSECT) {
                                        _cleanup_(erase_and_freep) char *envpw = NULL;
                                        r = getenv_steal_erase("PASSWORD", &envpw);
                                        if (r < 0)
                                                return log_error_errno(r, "Failed to acquire password from environment: %m");
                                        r = dissected_image_decrypt_interactively(
-                                                        m,
+                                                        m, NULL,
                                                        envpw,
                                                        &arg_verity_settings,
                                                        arg_image_policy,
                                                        arg_flags);
--- a/src/include/musl/utmpx.h
+++ b/src/include/musl/utmpx.h
@ -0,0 +1,16 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 #include_next <utmpx.h>
 #ifndef UTMPX_FILE
 #define UTMPX_FILE "/run/utmp"
 #endif
 #ifndef WTMPX_FILE
 #define WTMPX_FILE "/var/log/wtmp"
 #endif
 #ifndef ACCOUNTING
 #define ACCOUNTING 9
 #endif
--- a/src/login/meson.build
+++ b/src/login/meson.build
@ -49,6 +49,7 @@ executables += [
                'include_directories' : [libexec_template['include_directories'], include_directories('.')],
                'extract' : systemd_logind_extract_sources,
                'dependencies' : [
                        libutmps,
                        threads,
                ],
        },
--- a/src/nspawn/nspawn-oci.c
+++ b/src/nspawn/nspawn-oci.c
@ -139,6 +139,32 @@ static int oci_console_size(const char *name, sd_json_variant *v, sd_json_dispat
        return oci_dispatch(v, table, flags, s);
 }
 static int oci_env(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) {
        char ***l = ASSERT_PTR(userdata);
        sd_json_variant *e;
        int r;
        JSON_VARIANT_ARRAY_FOREACH(e, v) {
                const char *n;
                if (!sd_json_variant_is_string(e))
                        return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
                                        "Environment array contains non-string.");
                assert_se(n = sd_json_variant_string(e));
                if (!env_assignment_is_valid(n))
                        return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
                                        "Environment assignment not valid: %s", n);
                r = strv_extend(l, n);
                if (r < 0)
                        return log_oom();
        }
        return 0;
 }
 static int oci_args(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) {
        _cleanup_strv_free_ char **l = NULL;
        char ***value = ASSERT_PTR(userdata);
@ -361,18 +387,18 @@ static int oci_user(const char *name, sd_json_variant *v, sd_json_dispatch_flags
 static int oci_process(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) {
        static const sd_json_dispatch_field table[] = {
-                { "terminal",        SD_JSON_VARIANT_BOOLEAN, oci_terminal,                   0,                                     0                  },
+                { "terminal",        SD_JSON_VARIANT_BOOLEAN, oci_terminal,              0,                                     0                  },
-                { "consoleSize",     SD_JSON_VARIANT_OBJECT,  oci_console_size,               0,                                     0                  },
+                { "consoleSize",     SD_JSON_VARIANT_OBJECT,  oci_console_size,          0,                                     0                  },
-                { "cwd",             SD_JSON_VARIANT_STRING,  json_dispatch_path,             offsetof(Settings, working_directory), 0                  },
+                { "cwd",             SD_JSON_VARIANT_STRING,  json_dispatch_path,        offsetof(Settings, working_directory), 0                  },
-                { "env",             SD_JSON_VARIANT_ARRAY,   json_dispatch_strv_environment, offsetof(Settings, environment),       0                  },
+                { "env",             SD_JSON_VARIANT_ARRAY,   oci_env,                   offsetof(Settings, environment),       0                  },
-                { "args",            SD_JSON_VARIANT_ARRAY,   oci_args,                       offsetof(Settings, parameters),        0                  },
+                { "args",            SD_JSON_VARIANT_ARRAY,   oci_args,                  offsetof(Settings, parameters),        0                  },
-                { "rlimits",         SD_JSON_VARIANT_ARRAY,   oci_rlimits,                    0,                                     0                  },
+                { "rlimits",         SD_JSON_VARIANT_ARRAY,   oci_rlimits,               0,                                     0                  },
-                { "apparmorProfile", SD_JSON_VARIANT_STRING,  oci_unsupported,                0,                                     SD_JSON_PERMISSIVE },
+                { "apparmorProfile", SD_JSON_VARIANT_STRING,  oci_unsupported,           0,                                     SD_JSON_PERMISSIVE },
-                { "capabilities",    SD_JSON_VARIANT_OBJECT,  oci_capabilities,               0,                                     0                  },
+                { "capabilities",    SD_JSON_VARIANT_OBJECT,  oci_capabilities,          0,                                     0                  },
-                { "noNewPrivileges", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_tristate,      offsetof(Settings, no_new_privileges), 0                  },
+                { "noNewPrivileges", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_tristate, offsetof(Settings, no_new_privileges), 0                  },
-                { "oomScoreAdj",     SD_JSON_VARIANT_INTEGER, oci_oom_score_adj,              0,                                     0                  },
+                { "oomScoreAdj",     SD_JSON_VARIANT_INTEGER, oci_oom_score_adj,         0,                                     0                  },
-                { "selinuxLabel",    SD_JSON_VARIANT_STRING,  oci_unsupported,                0,                                     SD_JSON_PERMISSIVE },
+                { "selinuxLabel",    SD_JSON_VARIANT_STRING,  oci_unsupported,           0,                                     SD_JSON_PERMISSIVE },
-                { "user",            SD_JSON_VARIANT_OBJECT,  oci_user,                       0,                                     0                  },
+                { "user",            SD_JSON_VARIANT_OBJECT,  oci_user,                  0,                                     0                  },
                {}
        };
@ -1984,10 +2010,10 @@ static int oci_hooks_array(const char *name, sd_json_variant *v, sd_json_dispatc
        JSON_VARIANT_ARRAY_FOREACH(e, v) {
                static const sd_json_dispatch_field table[] = {
-                        { "path",    SD_JSON_VARIANT_STRING,   json_dispatch_path,             offsetof(OciHook, path),    SD_JSON_MANDATORY },
+                        { "path",    SD_JSON_VARIANT_STRING,   json_dispatch_path, offsetof(OciHook, path),    SD_JSON_MANDATORY },
-                        { "args",    SD_JSON_VARIANT_ARRAY,    oci_args,                       offsetof(OciHook, args),    0,                },
+                        { "args",    SD_JSON_VARIANT_ARRAY,    oci_args,           offsetof(OciHook, args),    0,                },
-                        { "env",     SD_JSON_VARIANT_ARRAY,    json_dispatch_strv_environment, offsetof(OciHook, env),     0                 },
+                        { "env",     SD_JSON_VARIANT_ARRAY,    oci_env,            offsetof(OciHook, env),     0                 },
-                        { "timeout", SD_JSON_VARIANT_UNSIGNED, oci_hook_timeout,               offsetof(OciHook, timeout), 0                 },
+                        { "timeout", SD_JSON_VARIANT_UNSIGNED, oci_hook_timeout,   offsetof(OciHook, timeout), 0                 },
                        {}
                };
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -3154,7 +3154,7 @@ static int determine_names(void) {
        return 0;
 }
-static int chase_and_update(char **p, ChaseFlags flags) {
+static int chase_and_update(char **p, unsigned flags) {
        char *chased;
        int r;
@ -3163,7 +3163,7 @@ static int chase_and_update(char **p, ChaseFlags flags) {
        if (!*p)
                return 0;
-        r = chase(*p, /* root= */ NULL, flags, &chased, /* ret_fd= */ NULL);
+        r = chase(*p, NULL, flags, &chased, NULL);
        if (r < 0)
                return log_error_errno(r, "Failed to resolve path %s: %m", *p);
--- a/src/repart/repart.c
+++ b/src/repart/repart.c
@ -398,8 +398,7 @@ typedef struct Partition {
        GptPartitionType type;
        sd_id128_t current_uuid, new_uuid;
        bool new_uuid_is_set;
-        char *current_label, *new_label;      /* Used for the GPT partition label + fs superblock label */
+        char *current_label, *new_label;
        char *new_volume_label;               /* used for LUKS superblock */
        sd_id128_t fs_uuid, luks_uuid, verity_uuid;
        uint8_t verity_salt[SHA256_DIGEST_SIZE];
@ -715,7 +714,6 @@ static Partition* partition_free(Partition *p) {
        free(p->current_label);
        free(p->new_label);
        free(p->new_volume_label);
        free(p->definition_path);
        strv_free(p->drop_in_files);
@ -2752,7 +2750,6 @@ static int partition_read_definition(
        ConfigTableItem table[] = {
                { "Partition", "Type",                     config_parse_type,              0,                                  &p->type                    },
                { "Partition", "Label",                    config_parse_label,             0,                                  &p->new_label               },
                { "Partition", "VolumeLabel",              config_parse_label,             0,                                  &p->new_volume_label        },
                { "Partition", "UUID",                     config_parse_uuid,              0,                                  p                           },
                { "Partition", "Priority",                 config_parse_int32,             0,                                  &p->priority                },
                { "Partition", "Weight",                   config_parse_weight,            0,                                  &p->weight                  },
@ -3979,27 +3976,6 @@ static const char *partition_label(const Partition *p) {
        return gpt_partition_type_uuid_to_string(p->type.uuid);
 }
 static int volume_label(const Partition *p, char **ret) {
        assert(p);
        assert(ret);
        if (p->new_volume_label)
                return strdup_to(ret, p->new_volume_label);
        const char *e = partition_label(p);
        if (!e)
                return -ENODATA;
        /* Let's prefix "luks-" for the label string used for LUKS superblocks. We do this so that the
         * /dev/disk/by-label/ symlink to the LUKS volume and the file system inside it do not clash */
        char *j = strjoin("luks-", e);
        if (!j)
                return -ENOMEM;
        *ret = j;
        return 0;
 }
 static int context_dump_partitions(Context *context) {
        _cleanup_(table_unrefp) Table *t = NULL;
        uint64_t sum_padding = 0, sum_size = 0;
@ -4990,6 +4966,21 @@ static int partition_target_sync(Context *context, Partition *p, PartitionTarget
 static int partition_encrypt(Context *context, Partition *p, PartitionTarget *target, bool offline) {
 #if HAVE_LIBCRYPTSETUP
        const char *node = partition_target_path(target);
        struct crypt_params_luks2 luks_params = {
                .label = strempty(ASSERT_PTR(p)->new_label),
                .sector_size = partition_fs_sector_size(context, p),
                .data_device = offline ? node : NULL,
        };
        struct crypt_params_reencrypt reencrypt_params = {
                .mode = CRYPT_REENCRYPT_ENCRYPT,
                .direction = CRYPT_REENCRYPT_BACKWARD,
                .resilience = "datashift",
                .data_shift = LUKS2_METADATA_SIZE / 512,
                .luks2 = &luks_params,
                .flags = CRYPT_REENCRYPT_INITIALIZE_ONLY|CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT,
        };
        _cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
 #if HAVE_TPM2
        _cleanup_(erase_and_freep) char *base64_encoded = NULL;
 #endif
@ -5010,26 +5001,6 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
        log_info("Encrypting future partition %" PRIu64 "...", p->partno);
        _cleanup_free_ char *vl = NULL;
        r = volume_label(p, &vl);
        if (r < 0)
                return log_error_errno(r, "Failed to generate volume label: %m");
        const char *node = partition_target_path(target);
        struct crypt_params_luks2 luks_params = {
                .label = vl,
                .sector_size = partition_fs_sector_size(context, p),
                .data_device = offline ? node : NULL,
        };
        struct crypt_params_reencrypt reencrypt_params = {
                .mode = CRYPT_REENCRYPT_ENCRYPT,
                .direction = CRYPT_REENCRYPT_BACKWARD,
                .resilience = "datashift",
                .data_shift = LUKS2_METADATA_SIZE / 512,
                .luks2 = &luks_params,
                .flags = CRYPT_REENCRYPT_INITIALIZE_ONLY|CRYPT_REENCRYPT_MOVE_FIRST_SEGMENT,
        };
        if (offline) {
                r = var_tmp_dir(&vt);
                if (r < 0)
@ -5052,7 +5023,6 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
                        return log_oom();
        }
        _cleanup_(sym_crypt_freep) struct crypt_device *cd = NULL;
        r = sym_crypt_init(&cd, offline ? hp : node);
        if (r < 0)
                return log_error_errno(r, "Failed to allocate libcryptsetup context for %s: %m", hp);
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@ -1997,7 +1997,6 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy, RuntimeScope
        case IMAGE_RAW:
        case IMAGE_BLOCK: {
                _cleanup_(verity_settings_done) VeritySettings verity = VERITY_SETTINGS_DEFAULT;
                _cleanup_(loop_device_unrefp) LoopDevice *d = NULL;
                _cleanup_(dissected_image_unrefp) DissectedImage *m = NULL;
                DissectImageFlags flags =
@ -2020,47 +2019,25 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy, RuntimeScope
                                LOCK_SH,
                                &d);
                if (r < 0)
-                        return log_debug_errno(r, "Failed to create loopback device of '%s': %m", i->path);
+                        return r;
                r = dissect_loop_device(
                                d,
-                                &verity,
+                                /* verity= */ NULL,
                                /* mount_options= */ NULL,
                                image_policy,
                                /* image_filter= */ NULL,
                                flags,
                                &m);
                if (r < 0)
-                        return log_debug_errno(r, "Failed to dissect image '%s': %m", i->path);
+                        return r;
                r = dissected_image_load_verity_sig_partition(
                                m,
                                d->fd,
                                &verity);
                if (r < 0)
                        return log_debug_errno(r, "Failed to load Verity signature partition of '%s': %m", i->path);
                r = dissected_image_guess_verity_roothash(
                                m,
                                &verity);
                if (r < 0)
                        return log_debug_errno(r, "Failed to guess Verity root hash of '%s': %m", i->path);
                r = dissected_image_decrypt(
                                m,
                                /* passphrase= */ NULL,
                                &verity,
                                image_policy,
                                flags);
                if (r < 0)
                        return log_debug_errno(r, "Failed to decrypt image '%s': %m", i->path);
                r = dissected_image_acquire_metadata(
                                m,
                                /* userns_fd= */ -EBADF,
                                flags);
                if (r < 0)
-                        return log_debug_errno(r, "Failed to acquire medata from image '%s': %m", i->path);
+                        return r;
                free_and_replace(i->hostname, m->hostname);
                i->machine_id = m->machine_id;
@ -2068,6 +2045,7 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy, RuntimeScope
                strv_free_and_replace(i->os_release, m->os_release);
                strv_free_and_replace(i->sysext_release, m->sysext_release);
                strv_free_and_replace(i->confext_release, m->confext_release);
                break;
        }
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@ -385,6 +385,7 @@ libshared_deps = [threads,
                  librt,
                  libseccomp_cflags,
                  libselinux_cflags,
                  libutmps,
                  libxenctrl_cflags,
                  libxz_cflags,
                  libzstd_cflags,
--- a/src/ssh-generator/ssh-generator.c
+++ b/src/ssh-generator/ssh-generator.c
@ -85,7 +85,7 @@ static int make_sshd_template_unit(
        assert(sshd_binary);
        assert(generated_sshd_template_unit);
-        /* If the system has a suitable template already, symlink it under the name we want to use */
+        /* If the system has a suitable template already, symlink it to the name we want to reuse it */
        if (found_sshd_template_service)
                return generator_add_symlink(
                                dest,
@ -96,11 +96,10 @@ static int make_sshd_template_unit(
        if (!*generated_sshd_template_unit) {
                _cleanup_fclose_ FILE *f = NULL;
                /* We use a generic name for the unit, since we'll use it for both AF_UNIX and AF_VSOCK  */
                r = generator_open_unit_file_full(
                                dest,
                                /* source= */ NULL,
-                                "sshd-generated@.service",
+                                "sshd-generated@.service", /* Give this generated unit a generic name, since we want to use it for both AF_UNIX and AF_VSOCK */
                                &f,
                                generated_sshd_template_unit,
                                /* ret_temp_path= */ NULL);
--- a/src/test/meson.build
+++ b/src/test/meson.build
@ -473,6 +473,7 @@ executables += [
        test_template + {
                'sources' : files('test-utmp.c'),
                'conditions' : ['ENABLE_UTMP'],
                'dependencies' : libutmps,
        },
        test_template + {
                'sources' : files('test-varlink.c'),
--- a/src/test/test-log.c
+++ b/src/test/test-log.c
@ -14,45 +14,32 @@
 #define X100(x) X10(X10(x))
 #define X1000(x) X100(X10(x))
 TEST(synthetic_errno) {
        ASSERT_TRUE(IS_SYNTHETIC_ERRNO(SYNTHETIC_ERRNO(EINVAL)));
        ASSERT_TRUE(IS_SYNTHETIC_ERRNO(SYNTHETIC_ERRNO(-EINVAL)));
        assert_cc(!IS_SYNTHETIC_ERRNO(EINVAL));
        assert_cc(!IS_SYNTHETIC_ERRNO(-EINVAL));
        ASSERT_TRUE(IS_SYNTHETIC_ERRNO(SYNTHETIC_ERRNO(0)));
        assert_cc(!IS_SYNTHETIC_ERRNO(0));
        ASSERT_EQ(ERRNO_VALUE(EINVAL), EINVAL);
        ASSERT_EQ(ERRNO_VALUE(SYNTHETIC_ERRNO(-EINVAL)), EINVAL);
        ASSERT_ERROR(log_info_errno(SYNTHETIC_ERRNO(EUCLEAN), "foo"), EUCLEAN);
 }
 static int fail_with_EINVAL(void) {
        assert_return(false, -EINVAL);
        return 0;
 }
-TEST(assert_return_is_critical) {
+static void test_assert_return_is_critical(void) {
        SAVE_ASSERT_RETURN_IS_CRITICAL;
        log_set_assert_return_is_critical(false);
-        ASSERT_ERROR(fail_with_EINVAL(), EINVAL);
+        assert_se(fail_with_EINVAL() == -EINVAL);
        log_set_assert_return_is_critical(true);
-        ASSERT_RETURN_IS_CRITICAL(false, ASSERT_ERROR(fail_with_EINVAL(), EINVAL));
+        ASSERT_RETURN_IS_CRITICAL(false, assert_se(fail_with_EINVAL() == -EINVAL));
-        ASSERT_TRUE(log_get_assert_return_is_critical());
+        assert_se(log_get_assert_return_is_critical() == true);
-        ASSERT_RETURN_EXPECTED(ASSERT_ERROR(fail_with_EINVAL(), EINVAL));
+        ASSERT_RETURN_EXPECTED(assert_se(fail_with_EINVAL() == -EINVAL));
-        ASSERT_TRUE(log_get_assert_return_is_critical());
+        assert_se(log_get_assert_return_is_critical() == true);
        ASSERT_RETURN_EXPECTED_SE(fail_with_EINVAL() == -EINVAL);
-        ASSERT_TRUE(log_get_assert_return_is_critical());
+        assert_se(log_get_assert_return_is_critical() == true);
 }
-TEST(file) {
+static void test_file(void) {
        log_info("__FILE__: %s", __FILE__);
        log_info("RELATIVE_SOURCE_PATH: %s", RELATIVE_SOURCE_PATH);
        log_info("PROJECT_FILE: %s", PROJECT_FILE);
-        ASSERT_NOT_NULL(startswith(__FILE__, RELATIVE_SOURCE_PATH "/"));
+        assert_se(startswith(__FILE__, RELATIVE_SOURCE_PATH "/"));
 }
 static void test_log_once_impl(void) {
@ -66,85 +53,11 @@ static void test_log_once_impl(void) {
                     EBADMSG);
 }
-TEST(log_once) {
+static void test_log_once(void) {
        for (unsigned i = 0; i < 4; i++)
                test_log_once_impl();
 }
 _sentinel_
 static void test_log_format_iovec_sentinel(
                char * const *expected,
                const char *format,
                ...) {
        size_t iovec_len = 20, n = 0;
        struct iovec *iovec = newa(struct iovec, iovec_len);
        va_list ap;
        log_debug("/* %s(%s) */", __func__, strnull(format));
        char **v = STRV_MAKE("SYSLOG_FACILITY=3",
                             "SYSLOG_IDENTIFIER=systemd-journald",
                             "_TRANSPORT=driver",
                             "PRIORITY=6");
        size_t m = strv_length(v);
        STRV_FOREACH(s, v)
                iovec[n++] = IOVEC_MAKE_STRING(*s);
        ASSERT_EQ(n, m);
        va_start(ap, format);
        DISABLE_WARNING_FORMAT_NONLITERAL;
        ASSERT_OK(log_format_iovec(iovec, iovec_len, &n, /* newline_separator = */ false, ENOANO, format, ap));
        REENABLE_WARNING;
        va_end(ap);
        ASSERT_EQ(n, m + strv_length(expected));
        for (size_t i = 0; i < n; i++)
                if (i < m)
                        ASSERT_EQ(iovec_memcmp(&iovec[i], &IOVEC_MAKE_STRING(v[i])), 0);
                else {
                        ASSERT_EQ(iovec_memcmp(&iovec[i], &IOVEC_MAKE_STRING(expected[i - m])), 0);
                        free(iovec[i].iov_base);
                }
        n = m;
        va_start(ap, format);
        DISABLE_WARNING_FORMAT_NONLITERAL;
        ASSERT_OK(log_format_iovec(iovec, iovec_len, &n, /* newline_separator = */ true, ENOANO, format, ap));
        REENABLE_WARNING;
        va_end(ap);
        ASSERT_EQ(n, m + strv_length(expected) * 2);
        for (size_t i = 0; i < n; i++)
                if (i < m)
                        ASSERT_EQ(iovec_memcmp(&iovec[i], &IOVEC_MAKE_STRING(v[i])), 0);
                else if ((i - m) % 2 == 0) {
                        ASSERT_EQ(iovec_memcmp(&iovec[i], &IOVEC_MAKE_STRING(expected[(i - m) / 2])), 0);
                        free(iovec[i].iov_base);
                } else
                        ASSERT_EQ(iovec_memcmp(&iovec[i], &IOVEC_MAKE_STRING("\n")), 0);
 }
 #define test_log_format_iovec_one(...)                 \
        test_log_format_iovec_sentinel(__VA_ARGS__, NULL)
 TEST(log_format_iovec) {
        test_log_format_iovec_one(NULL, NULL);
        test_log_format_iovec_one(STRV_MAKE("MESSAGE=hoge"),
                                  LOG_MESSAGE("hoge"));
        test_log_format_iovec_one(STRV_MAKE("MESSAGE=hoge: 10"),
                                  LOG_MESSAGE("hoge: %i", 10));
        test_log_format_iovec_one(STRV_MAKE("MESSAGE=hoge: 10-a", "HOGEHOGE=100-string", "FOOFOO=4-3"),
                                  LOG_MESSAGE("hoge: %i-%c", 10, 'a'),
                                  LOG_ITEM("HOGEHOGE=%zu-%s", (size_t) 100, "string"),
                                  LOG_ITEM("FOOFOO=%hu-%llu", (unsigned short) 4, (long long unsigned) 3));
 }
 static void test_log_struct(void) {
        log_struct(LOG_INFO,
                   "MESSAGE=Waldo PID="PID_FMT" (no errno)", getpid_cached(),
@ -184,9 +97,9 @@ static void test_long_lines(void) {
 }
 static void test_log_syntax(void) {
-        ASSERT_ERROR(log_syntax("unit", LOG_ERR, "filename", 10, EINVAL, "EINVAL: %s: %m", "hogehoge"), EINVAL);
+        assert_se(log_syntax("unit", LOG_ERR, "filename", 10, EINVAL, "EINVAL: %s: %m", "hogehoge") == -EINVAL);
-        ASSERT_ERROR(log_syntax("unit", LOG_ERR, "filename", 10, -ENOENT, "ENOENT: %s: %m", "hogehoge"), ENOENT);
+        assert_se(log_syntax("unit", LOG_ERR, "filename", 10, -ENOENT, "ENOENT: %s: %m", "hogehoge") == -ENOENT);
-        ASSERT_ERROR(log_syntax("unit", LOG_ERR, "filename", 10, SYNTHETIC_ERRNO(ENOTTY), "ENOTTY: %s: %m", "hogehoge"), ENOTTY);
+        assert_se(log_syntax("unit", LOG_ERR, "filename", 10, SYNTHETIC_ERRNO(ENOTTY), "ENOTTY: %s: %m", "hogehoge") == -ENOTTY);
 }
 static void test_log_context(void) {
@ -200,8 +113,8 @@ static void test_log_context(void) {
                /* Test that the log context was set up correctly. The strv we pushed twice should only
                 * result in one log context which is reused. */
-                ASSERT_EQ(log_context_num_contexts(), 3U);
+                assert_se(log_context_num_contexts() == 3);
-                ASSERT_EQ(log_context_num_fields(), 4U);
+                assert_se(log_context_num_fields() == 4);
                /* Test that everything still works with modifications to the log context. */
                test_log_struct();
@ -213,8 +126,8 @@ static void test_log_context(void) {
                        LOG_CONTEXT_PUSH_STRV(strv);
                        /* Check that our nested fields got added correctly. */
-                        ASSERT_EQ(log_context_num_contexts(), 4U);
+                        assert_se(log_context_num_contexts() == 4);
-                        ASSERT_EQ(log_context_num_fields(), 5U);
+                        assert_se(log_context_num_fields() == 5);
                        /* Test that everything still works in a nested block. */
                        test_log_struct();
@ -223,21 +136,21 @@ static void test_log_context(void) {
                }
                /* Check that only the fields from the nested block got removed. */
-                ASSERT_EQ(log_context_num_contexts(), 3U);
+                assert_se(log_context_num_contexts() == 3);
-                ASSERT_EQ(log_context_num_fields(), 4U);
+                assert_se(log_context_num_fields() == 4);
        }
-        ASSERT_EQ(log_context_num_contexts(), 0U);
+        assert_se(log_context_num_contexts() == 0);
-        ASSERT_EQ(log_context_num_fields(), 0U);
+        assert_se(log_context_num_fields() == 0);
        {
                _cleanup_(log_context_unrefp) LogContext *ctx = NULL;
                char **strv = STRV_MAKE("SIXTH=ijn", "SEVENTH=PRP");
-                ASSERT_NOT_NULL(ctx = log_context_new_strv(strv, /*owned=*/ false));
+                assert_se(ctx = log_context_new_strv(strv, /*owned=*/ false));
-                ASSERT_EQ(log_context_num_contexts(), 1U);
+                assert_se(log_context_num_contexts() == 1);
-                ASSERT_EQ(log_context_num_fields(), 2U);
+                assert_se(log_context_num_fields() == 2);
                /* Test that everything still works with a manually configured log context. */
                test_log_struct();
@ -248,11 +161,11 @@ static void test_log_context(void) {
        {
                char **strv = NULL;
-                ASSERT_NOT_NULL(strv = strv_new("ABC", "DEF"));
+                assert_se(strv = strv_new("ABC", "DEF"));
                LOG_CONTEXT_CONSUME_STRV(strv);
-                ASSERT_EQ(log_context_num_contexts(), 1U);
+                assert_se(log_context_num_contexts() == 1);
-                ASSERT_EQ(log_context_num_fields(), 2U);
+                assert_se(log_context_num_fields() == 2);
        }
        {
@ -261,17 +174,17 @@ static void test_log_context(void) {
                        IOVEC_MAKE_STRING("ABC=def"),
                        IOVEC_MAKE_STRING("GHI=jkl"),
                };
-                _cleanup_free_ struct iovec_wrapper *iovw = NULL;
+                _cleanup_free_ struct iovec_wrapper *iovw = iovw_new();
-                ASSERT_NOT_NULL(iovw = iovw_new());
+                assert_se(iovw);
-                ASSERT_OK(iovw_consume(iovw, strdup("MNO=pqr"), STRLEN("MNO=pqr") + 1));
+                assert_se(iovw_consume(iovw, strdup("MNO=pqr"), STRLEN("MNO=pqr") + 1) == 0);
                LOG_CONTEXT_PUSH_IOV(iov, ELEMENTSOF(iov));
                LOG_CONTEXT_PUSH_IOV(iov, ELEMENTSOF(iov));
                LOG_CONTEXT_CONSUME_IOV(iovw->iovec, iovw->count);
                LOG_CONTEXT_PUSH("STU=vwx");
-                ASSERT_EQ(log_context_num_contexts(), 3U);
+                assert_se(log_context_num_contexts() == 3);
-                ASSERT_EQ(log_context_num_fields(), 4U);
+                assert_se(log_context_num_fields() == 4);
                test_log_struct();
                test_long_lines();
@ -281,16 +194,16 @@ static void test_log_context(void) {
        {
                LOG_CONTEXT_PUSH_KEY_VALUE("ABC=", "QED");
                LOG_CONTEXT_PUSH_KEY_VALUE("ABC=", "QED");
-                ASSERT_EQ(log_context_num_contexts(), 1U);
+                assert_se(log_context_num_contexts() == 1);
-                ASSERT_EQ(log_context_num_fields(), 1U);
+                assert_se(log_context_num_fields() == 1);
                test_log_struct();
                test_long_lines();
                test_log_syntax();
        }
-        ASSERT_EQ(log_context_num_contexts(), 0U);
+        assert_se(log_context_num_contexts() == 0);
-        ASSERT_EQ(log_context_num_fields(), 0U);
+        assert_se(log_context_num_fields() == 0);
 }
 static void test_log_prefix(void) {
@ -319,7 +232,25 @@ static void test_log_prefix(void) {
        test_log_syntax();
 }
-TEST(log_target) {
+int main(int argc, char* argv[]) {
        test_setup_logging(LOG_DEBUG);
        ASSERT_TRUE(IS_SYNTHETIC_ERRNO(SYNTHETIC_ERRNO(EINVAL)));
        ASSERT_TRUE(IS_SYNTHETIC_ERRNO(SYNTHETIC_ERRNO(-EINVAL)));
        assert_cc(!IS_SYNTHETIC_ERRNO(EINVAL));
        assert_cc(!IS_SYNTHETIC_ERRNO(-EINVAL));
        ASSERT_TRUE(IS_SYNTHETIC_ERRNO(SYNTHETIC_ERRNO(0)));
        assert_cc(!IS_SYNTHETIC_ERRNO(0));
        ASSERT_EQ(ERRNO_VALUE(EINVAL), EINVAL);
        ASSERT_EQ(ERRNO_VALUE(SYNTHETIC_ERRNO(-EINVAL)), EINVAL);
        test_assert_return_is_critical();
        test_file();
        assert_se(log_info_errno(SYNTHETIC_ERRNO(EUCLEAN), "foo") == -EUCLEAN);
        test_log_once();
        for (int target = 0; target < _LOG_TARGET_MAX; target++) {
                log_set_target(target);
                log_open();
@ -330,6 +261,6 @@ TEST(log_target) {
                test_log_context();
                test_log_prefix();
        }
 }
-DEFINE_TEST_MAIN(LOG_DEBUG);
+        return 0;
 }
--- a/test/integration-tests/TEST-80-NOTIFYACCESS/TEST-80-NOTIFYACCESS.units/reload-timeout.sh
+++ b/test/integration-tests/TEST-80-NOTIFYACCESS/TEST-80-NOTIFYACCESS.units/reload-timeout.sh
@ -17,7 +17,7 @@ wait_for_signal() {
 }
 sighup_handler() {
-    echo "hup$(( ++COUNTER ))" >/tmp/syncfifo1
+    echo "hup$(( ++COUNTER ))" > /tmp/syncfifo1
 }
 trap sighup_handler SIGHUP
--- a/test/integration-tests/TEST-80-NOTIFYACCESS/TEST-80-NOTIFYACCESS.units/test.sh
+++ b/test/integration-tests/TEST-80-NOTIFYACCESS/TEST-80-NOTIFYACCESS.units/test.sh
@ -10,7 +10,7 @@ sync_in() {
 }
 sync_out() {
-    echo "$1" >/tmp/syncfifo1
+    echo "$1" > /tmp/syncfifo1
 }
 export SYSTEMD_LOG_LEVEL=debug
--- a/test/test-bootctl-json.sh
+++ b/test/test-bootctl-json.sh
@ -37,7 +37,7 @@ if ret=$("bootctl" --print-boot-path); then
    test "$ret" = "/efi" -o "$ret" = "/boot" -o "$ret" = "/boot/efi"
 fi
-if "$bootctl" -R >/dev/null ; then
+if "$bootctl" -R > /dev/null ; then
    P=$("$bootctl" -R)
    PP=$("$bootctl" -RR)
--- a/test/units/TEST-07-PID1.issue-31752.sh
+++ b/test/units/TEST-07-PID1.issue-31752.sh
@ -21,7 +21,7 @@ cleanup() {
 trap cleanup EXIT
-cat >/run/systemd/system/"$UNIT" <<EOF
+cat > /run/systemd/system/"$UNIT" <<EOF
 [Service]
 ExecStart=true
 RemainAfterExit=yes
@ -32,7 +32,7 @@ systemctl start "$UNIT"
 assert_eq "$(systemctl show -P NeedDaemonReload "$UNIT")" no
 mkdir /run/systemd/system/"$UNIT".d
-cat >/run/systemd/system/"$UNIT".d/desc.conf <<EOF
+cat > /run/systemd/system/"$UNIT".d/desc.conf <<EOF
 [Unit]
 Description=Test NeedDaemonReload status after creating drop-in
 EOF
--- a/test/units/TEST-07-PID1.issue-33672.sh
+++ b/test/units/TEST-07-PID1.issue-33672.sh
@ -21,13 +21,13 @@ cleanup() {
 trap cleanup EXIT
-cat >/run/systemd/system/"$UNIT" <<EOF
+cat > /run/systemd/system/"$UNIT" <<EOF
 [Service]
 ExecStart=true
 EOF
 mkdir /run/systemd/system/"$UNIT".d
-cat >/run/systemd/system/"$UNIT".d/desc.conf <<EOF
+cat > /run/systemd/system/"$UNIT".d/desc.conf <<EOF
 [Unit]
 Description=Test NeedDaemonReload status of a masked unit with drop-ins
 EOF
--- a/test/units/TEST-07-PID1.mqueue-ownership.sh
+++ b/test/units/TEST-07-PID1.mqueue-ownership.sh
@ -19,7 +19,7 @@ at_exit() {
 }
 trap at_exit EXIT
-cat <<EOF >/run/systemd/system/mqueue-ownership.socket
+cat << EOF > /run/systemd/system/mqueue-ownership.socket
 [Unit]
 Description=Create a message queue with customized ownership
 [Socket]
@ -30,7 +30,7 @@ SocketGroup=$group
 SocketMode=$mode
 EOF
-cat <<EOF >/run/systemd/system/mqueue-ownership.service
+cat << 'EOF' > /run/systemd/system/mqueue-ownership.service
 [Unit]
 Description=Dummy service for the socket unit
 Requires=%N.socket
--- a/test/units/TEST-13-NSPAWN.machined.sh
+++ b/test/units/TEST-13-NSPAWN.machined.sh
@ -397,7 +397,7 @@ rm -f /tmp/none-existent-file
 # server side, to not generate early SIGHUP. Hence, let's just invoke "sleep
 # infinity" client side, once we acquired the fd (passing it to it), and kill
 # it once we verified everything worked.
-PID=$(systemd-notify --fork -- varlinkctl --exec call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open '{"name": ".host", "mode": "shell", "user": "root", "path": "/usr/bin/bash", "args": ["bash", "-c", "echo $FOO >/tmp/none-existent-file"], "environment": ["FOO=BAR"]}' -- sleep infinity)
+PID=$(systemd-notify --fork -- varlinkctl --exec call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open '{"name": ".host", "mode": "shell", "user": "root", "path": "/usr/bin/bash", "args": ["bash", "-c", "echo $FOO > /tmp/none-existent-file"], "environment": ["FOO=BAR"]}' -- sleep infinity)
 timeout 30 bash -c "until test -e /tmp/none-existent-file; do sleep .5; done"
 grep -q "BAR" /tmp/none-existent-file
 kill "$PID"
@ -424,7 +424,7 @@ diff /tmp/foo /var/lib/machines/long-running/root/foo
 (! varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.CopyTo '{"name": "long-running", "source": "/tmp/foo", "destination": "/root/foo"}') # FileExists
 varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.CopyTo '{"name": "long-running", "source": "/tmp/foo", "destination": "/root/foo", "replace": true}'
-echo "sample-test-output" >/tmp/foo
+echo "sample-test-output" > /tmp/foo
 varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.CopyTo '{"name": "long-running", "source": "/tmp/foo", "destination": "/root/foo", "replace": true}'
 diff /tmp/foo /var/lib/machines/long-running/root/foo
 rm -f /tmp/foo /var/lib/machines/long-running/root/foo
--- a/test/units/TEST-13-NSPAWN.unpriv.sh
+++ b/test/units/TEST-13-NSPAWN.unpriv.sh
@ -164,7 +164,7 @@ assert_not_in 'nurps' "$(run0 --pipe -u testuser machinectl --user list-images)"
 assert_not_in 'kurps' "$(run0 --pipe -u testuser machinectl --user list-images)"
 mkdir /home/testuser/.local/state/machines/inodetest
-echo hallo >/home/testuser/.local/state/machines/inodetest/testfile
+echo hallo > /home/testuser/.local/state/machines/inodetest/testfile
 # Make the file sparse, set an xattr, set an ACL, set a chattr flag, and make it hardlink
 ln /home/testuser/.local/state/machines/inodetest/testfile /home/testuser/.local/state/machines/inodetest/testfile.hard
@ -176,7 +176,7 @@ chown foreign-0:foreign-0 /home/testuser/.local/state/machines/inodetest/testfil
 ls -al /home/testuser/.local/state/machines/inodetest
 # Verify UID squashing
-echo gaga >/home/testuser/.local/state/machines/inodetest/squashtest
+echo gaga > /home/testuser/.local/state/machines/inodetest/squashtest
 chown 1000:1000 /home/testuser/.local/state/machines/inodetest/squashtest
 # Ensure hardlinked symlinks work
@ -217,7 +217,7 @@ run0 -u testuser machinectl --user remove inodetest2
 # Test tree mangling (i.e. moving the root dir one level up on extract)
 mkdir -p /var/tmp/mangletest/mangletest-0.1/usr/lib
-echo "ID=brumm" >/var/tmp/mangletest/mangletest-0.1/usr/lib/os-release
+echo "ID=brumm" > /var/tmp/mangletest/mangletest-0.1/usr/lib/os-release
 tar -C /var/tmp/mangletest/ -cvzf /var/tmp/mangletest.tar.gz mangletest-0.1
 run0 --pipe -u testuser importctl -m --user import-tar /var/tmp/mangletest.tar.gz
 cmp /var/tmp/mangletest/mangletest-0.1/usr/lib/os-release /home/testuser/.local/state/machines/mangletest/usr/lib/os-release
--- a/test/units/TEST-16-EXTEND-TIMEOUT.sh
+++ b/test/units/TEST-16-EXTEND-TIMEOUT.sh
@ -86,7 +86,7 @@ systemd-run \
    -u runtime-max-sec-test-3.service \
    sh -c "while true; do sleep 1; done"
 mkdir -p /etc/systemd/system/runtime-max-sec-test-3.service.d/
-cat >/etc/systemd/system/runtime-max-sec-test-3.service.d/override.conf <<EOF
+cat > /etc/systemd/system/runtime-max-sec-test-3.service.d/override.conf << EOF
 [Service]
 RuntimeMaxSec=${runtime_max_sec}s
 EOF
@ -103,7 +103,7 @@ until systemctl is-active runtime-max-sec-test-4.scope; do
    sleep 1
 done
 mkdir -p /etc/systemd/system/runtime-max-sec-test-4.scope.d/
-cat >/etc/systemd/system/runtime-max-sec-test-4.scope.d/override.conf <<EOF
+cat > /etc/systemd/system/runtime-max-sec-test-4.scope.d/override.conf << EOF
 [Scope]
 RuntimeMaxSec=${runtime_max_sec}s
 EOF
--- a/test/units/TEST-17-UDEV.credentials.sh
+++ b/test/units/TEST-17-UDEV.credentials.sh
@ -19,10 +19,10 @@ at_exit() {
 trap at_exit EXIT
 mkdir -p /run/credstore
-cat >/run/credstore/udev.conf.50-testme <<EOF
+cat > /run/credstore/udev.conf.50-testme <<EOF
 udev_log=debug
 EOF
-cat >/run/credstore/udev.rules.50-testme <<EOF
+cat > /run/credstore/udev.rules.50-testme <<EOF
 SUBSYSTEM=="net", OPTIONS="log_level=debug"
 EOF
--- a/test/units/TEST-22-TMPFILES.02.sh
+++ b/test/units/TEST-22-TMPFILES.02.sh
@ -139,7 +139,7 @@ test "$(stat -c %U:%G:%a /tmp/C/3/f1)" = "root:root:644"
 test ! -e /tmp/C/4
 touch /tmp/C/3-origin/f{2,3,4}
-echo -n ABC >/tmp/C/3/f1
+echo -n ABC > /tmp/C/3/f1
 systemd-tmpfiles --create - <<EOF
 C+     /tmp/C/3    0755 daemon daemon - /tmp/C/3-origin
--- a/test/units/TEST-23-UNIT-FILE.ExtraFileDescriptors.sh
+++ b/test/units/TEST-23-UNIT-FILE.ExtraFileDescriptors.sh
@ -15,8 +15,8 @@ at_exit() {
 trap at_exit EXIT
 mkdir /tmp/test-extra-fd
-echo "Hello" >/tmp/test-extra-fd/1.txt
+echo "Hello" > /tmp/test-extra-fd/1.txt
-echo "Extra" >/tmp/test-extra-fd/2.txt
+echo "Extra" > /tmp/test-extra-fd/2.txt
 # Open files and assign FD to variables
 exec {TEST_FD1}</tmp/test-extra-fd/1.txt
--- a/test/units/TEST-29-PORTABLE.directory.sh
+++ b/test/units/TEST-29-PORTABLE.directory.sh
@ -138,7 +138,7 @@ portablectl detach --now --runtime --enable /tmp/rootdir minimal-app0
 # The wrong file should be ignored, given the right one has the xattr set
 trap 'rm -rf /var/cache/wrongext' EXIT
 mkdir -p /var/cache/wrongext/usr/lib/extension-release.d /var/cache/wrongext/usr/lib/systemd/system/
-echo "[Service]" >/var/cache/wrongext/usr/lib/systemd/system/app0.service
+echo "[Service]" > /var/cache/wrongext/usr/lib/systemd/system/app0.service
 touch /var/cache/wrongext/usr/lib/extension-release.d/extension-release.wrongext_somethingwrong.txt
 cp /tmp/rootdir/usr/lib/os-release /var/cache/wrongext/usr/lib/extension-release.d/extension-release.app0
 setfattr -n user.extension-release.strict -v "false" /var/cache/wrongext/usr/lib/extension-release.d/extension-release.app0
--- a/test/units/TEST-35-LOGIN.sh
+++ b/test/units/TEST-35-LOGIN.sh
@ -674,7 +674,7 @@ testcase_ambient_caps() {
    TRANSIENTUNIT="capwakealarm$RANDOM.service"
    SCRIPT="/tmp/capwakealarm$RANDOM.sh"
-    cat >/etc/pam.d/"$PAMSERVICE" <<EOF
+    cat > /etc/pam.d/"$PAMSERVICE" <<EOF
 auth sufficient    pam_unix.so
 auth required      pam_deny.so
 account sufficient pam_unix.so
@ -725,7 +725,7 @@ testcase_background() {
    trap background_at_return RETURN
-    cat >/etc/pam.d/"$PAMSERVICE" <<EOF
+    cat > /etc/pam.d/"$PAMSERVICE" <<EOF
 auth sufficient    pam_unix.so
 auth required      pam_deny.so
 account sufficient pam_unix.so
--- a/test/units/TEST-50-DISSECT.dissect.sh
+++ b/test/units/TEST-50-DISSECT.dissect.sh
@ -916,7 +916,7 @@ systemd-dissect --list /tmp/img >/dev/null
 read -r SHA256SUM1 _ < <(systemd-dissect --copy-from /tmp/img etc/os-release | sha256sum)
 test "$SHA256SUM1" != ""
-echo abc >abc
+echo abc > abc
 systemd-dissect --copy-to /tmp/img abc /abc
 test -f /tmp/img/abc
--- a/test/units/TEST-50-DISSECT.mountfsd.sh
+++ b/test/units/TEST-50-DISSECT.mountfsd.sh
@ -122,7 +122,7 @@ cmp /tmp/unpriv.raw.mtree /tmp/unpriv2.raw.mtree
 # Make sure nspawn works unpriv, too (for now do not nest)
 if ! systemd-detect-virt -c; then
-    systemd-nspawn --pipe -i /var/tmp/unpriv.raw --read-only echo thisisatest >/tmp/unpriv.out
+    systemd-nspawn --pipe -i /var/tmp/unpriv.raw --read-only echo thisisatest > /tmp/unpriv.out
    echo thisisatest | cmp /tmp/unpriv.out -
    # The unpriv user has no rights to lock the image or write to it. Let's
--- a/test/units/TEST-54-CREDS.sh
+++ b/test/units/TEST-54-CREDS.sh
@ -490,24 +490,24 @@ fi
 # Decrypt/encrypt via varlink
 DATA="Zm9vYmFyCg=="
-echo "{\"data\":\"$DATA\"}" >/tmp/vlcredsdata
+echo "{\"data\":\"$DATA\"}" > /tmp/vlcredsdata
 varlinkctl call /run/systemd/io.systemd.Credentials io.systemd.Credentials.Encrypt "$(cat /tmp/vlcredsdata)" | \
-    varlinkctl call --json=short /run/systemd/io.systemd.Credentials io.systemd.Credentials.Decrypt >/tmp/vlcredsdata2
+    varlinkctl call --json=short /run/systemd/io.systemd.Credentials io.systemd.Credentials.Decrypt > /tmp/vlcredsdata2
 cmp /tmp/vlcredsdata /tmp/vlcredsdata2
 rm /tmp/vlcredsdata2
 # Pick a key type explicitly
 varlinkctl call /run/systemd/io.systemd.Credentials io.systemd.Credentials.Encrypt "{\"data\":\"$DATA\",\"withKey\":\"host\"}" | \
-    varlinkctl call --json=short /run/systemd/io.systemd.Credentials io.systemd.Credentials.Decrypt >/tmp/vlcredsdata2
+    varlinkctl call --json=short /run/systemd/io.systemd.Credentials io.systemd.Credentials.Decrypt > /tmp/vlcredsdata2
 cmp /tmp/vlcredsdata /tmp/vlcredsdata2
 rm /tmp/vlcredsdata2
 varlinkctl call /run/systemd/io.systemd.Credentials io.systemd.Credentials.Encrypt "{\"data\":\"$DATA\",\"withKey\":\"null\"}" | \
    jq '.["allowNull"] = true' |
-    varlinkctl call --json=short /run/systemd/io.systemd.Credentials io.systemd.Credentials.Decrypt >/tmp/vlcredsdata2
+    varlinkctl call --json=short /run/systemd/io.systemd.Credentials io.systemd.Credentials.Decrypt > /tmp/vlcredsdata2
 cmp /tmp/vlcredsdata /tmp/vlcredsdata2
 rm /tmp/vlcredsdata /tmp/vlcredsdata2
--- a/test/units/TEST-58-REPART.sh
+++ b/test/units/TEST-58-REPART.sh
@ -123,7 +123,6 @@ last-lba: 2097118"
    tee "$defs/root.conf" <<EOF
 [Partition]
 Type=root
 Format=vfat
 EOF
    ln -s root.conf "$defs/root2.conf"
@ -133,7 +132,6 @@ EOF
 Type=home
 Label=home-first
 Label=home-always-too-long-xxxxxxxxxxxxxx-%v
 Format=vfat
 EOF
    tee "$defs/swap.conf" <<EOF
@ -343,14 +341,13 @@ $imgs/zzz6 : start=     4194264, size=     2097152, type=0FC63DAF-8483-4772-8E79
    tee "$defs/extra3.conf" <<EOF
 [Partition]
-Type=srv
+Type=linux-generic
 Label=luks-format-copy
 UUID=7b93d1f2-595d-4ce3-b0b9-837fbd9e63b0
 Format=ext4
 Encrypt=yes
 CopyFiles=$defs:/def
 SizeMinBytes=48M
 VolumeLabel=schrupfel
 EOF
    systemd-repart --offline="$OFFLINE" \
@ -374,7 +371,7 @@ $imgs/zzz3 : start=     1185760, size=      591864, type=${root_guid}, uuid=${ro
 $imgs/zzz4 : start=     1777624, size=      131072, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F, uuid=78C92DB8-3D2B-4823-B0DC-792B78F66F1E, name=\"swap\"
 $imgs/zzz5 : start=     1908696, size=     2285568, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=A0A1A2A3-A4A5-A6A7-A8A9-AAABACADAEAF, name=\"custom_label\"
 $imgs/zzz6 : start=     4194264, size=     2097152, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=2A1D97E1-D0A3-46CC-A26E-ADC643926617, name=\"block-copy\"
-$imgs/zzz7 : start=     6291416, size=      131072, type=3B8F8425-20E0-4F3B-907F-1A25A76F98E8, uuid=7B93D1F2-595D-4CE3-B0B9-837FBD9E63B0, name=\"luks-format-copy\", attrs=\"GUID:59\""
+$imgs/zzz7 : start=     6291416, size=      131072, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=7B93D1F2-595D-4CE3-B0B9-837FBD9E63B0, name=\"luks-format-copy\""
    if systemd-detect-virt --quiet --container; then
        echo "Skipping encrypt mount tests in container."
@ -395,11 +392,6 @@ $imgs/zzz7 : start=     6291416, size=      131072, type=3B8F8425-20E0-4F3B-907F
    losetup -d "$loop"
    diff -r "$imgs/mount/def" "$defs" >/dev/null
    umount "$imgs/mount"
    # Validate that the VolumeLabel= had the desired effect
    PASSWORD="" systemd-dissect "$imgs/zzz" -M "$imgs/mount"
    udevadm info /dev/disk/by-label/schrupfel | grep -q ID_FS_TYPE=crypto_LUKS
    systemd-dissect -U "$imgs/mount"
 }
 testcase_dropin() {
--- a/test/units/TEST-63-PATH.sh
+++ b/test/units/TEST-63-PATH.sh
@ -110,11 +110,11 @@ assert_in "test63-issue-24577-dep.service" "$output"
 systemctl start test63-pr-30768.path
 exec {lock}<>/tmp/noexit
 flock -e $lock
-echo test1 >/tmp/copyme
+echo test1 > /tmp/copyme
 # shellcheck disable=SC2016
 timeout 30 bash -c 'until test "$(systemctl show test63-pr-30768.service -P ActiveState)" = deactivating; do sleep .2; done'
 diff /tmp/copyme /tmp/copied
-echo test2 >/tmp/copyme
+echo test2 > /tmp/copyme
 exec {lock}<&-
 timeout 30 bash -c 'until diff /tmp/copyme /tmp/copied >/dev/null; do sleep .2; done'
--- a/test/units/TEST-70-TPM2.creds.sh
+++ b/test/units/TEST-70-TPM2.creds.sh
@ -6,7 +6,7 @@ set -o pipefail
 export SYSTEMD_LOG_LEVEL=debug
 # Ensure that sandboxing doesn't stop creds from being accessible
-echo "test" >/tmp/testdata
+echo "test" > /tmp/testdata
 systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2
 # LoadCredentialEncrypted
 systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
--- a/test/units/TEST-70-TPM2.cryptsetup.sh
+++ b/test/units/TEST-70-TPM2.cryptsetup.sh
@ -135,7 +135,7 @@ if tpm_has_pcr sha256 12; then
    tpm2_pcrread -Q -o /tmp/pcr.dat sha256:12
    CURRENT_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12)
    tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub
-    systemd-analyze srk >/tmp/srk2.pub
+    systemd-analyze srk > /tmp/srk2.pub
    cmp /tmp/srk.pub /tmp/srk2.pub
    if [ -f /run/systemd/tpm2-srk-public-key.tpm2b_public ] ; then
        cmp /tmp/srk.pub /run/systemd/tpm2-srk-public-key.tpm2b_public
@ -203,7 +203,7 @@ if openssl_supports_kdf SSKDF; then
    # Make sure that --tpm2-device-key= also works with systemd-repart
    tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub
    mkdir /tmp/dditest
-    cat >/tmp/dditest/50-root.conf <<EOF
+    cat > /tmp/dditest/50-root.conf <<EOF
 [Partition]
 Type=root
 Format=ext4
--- a/test/units/TEST-70-TPM2.pcrextend.sh
+++ b/test/units/TEST-70-TPM2.pcrextend.sh
@ -92,7 +92,7 @@ RECORD_COUNT=$((RECORD_COUNT + 1))
 tpm2_pcrread sha256:11 -Q -o /tmp/oldpcr11
 # Do the equivalent of 'SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" foobar' via Varlink, just to test the Varlink logic (but first we need to patch out the conditionalization...)
 mkdir -p /run/systemd/system/systemd-pcrextend.socket.d
-cat >/run/systemd/system/systemd-pcrextend.socket.d/50-no-condition.conf <<EOF
+cat > /run/systemd/system/systemd-pcrextend.socket.d/50-no-condition.conf <<EOF
 [Unit]
 # Turn off all conditions */
 ConditionSecurity=
--- a/test/units/TEST-70-TPM2.pcrlock.sh
+++ b/test/units/TEST-70-TPM2.pcrlock.sh
@ -196,7 +196,7 @@ SYSTEMD_XBOOTLDR_PATH=/tmp/fakexbootldr SYSTEMD_RELAX_XBOOTLDR_CHECKS=1 "$SD_PCR
 # Exercise Varlink API a bit (but first turn off condition)
 mkdir -p /run/systemd/system/systemd-pcrlock.socket.d
-cat >/run/systemd/system/systemd-pcrlock.socket.d/50-no-condition.conf <<EOF
+cat > /run/systemd/system/systemd-pcrlock.socket.d/50-no-condition.conf <<EOF
 [Unit]
 # Turn off all conditions
 ConditionSecurity=
--- a/test/units/TEST-74-AUX-UTILS.firstboot.sh
+++ b/test/units/TEST-74-AUX-UTILS.firstboot.sh
@ -224,7 +224,7 @@ if [ -d "/usr/share/keymaps/" ] || [ -d "/usr/share/kbd/keymaps/" ] || [ -d "/us
   rm "$ROOT/etc/vconsole.conf"
   # this should be a NOP, given that stdout is connected to /dev/null, and hence not a VT
-   systemd-firstboot --root="$ROOT" --prompt-keymap-auto >/dev/null
+   systemd-firstboot --root="$ROOT" --prompt-keymap-auto > /dev/null
 fi
 echo -ne "Europe/Berlin\n" | systemd-firstboot --root="$ROOT" --prompt-timezone
 readlink "$ROOT/etc/localtime" | grep -q "Europe/Berlin$"
--- a/test/units/TEST-74-AUX-UTILS.keyutil.sh
+++ b/test/units/TEST-74-AUX-UTILS.keyutil.sh
@ -49,20 +49,20 @@ testcase_public() {
 verify_pkcs7() {
    # Verify using internal certificate
-    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify >/dev/null
+    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify > /dev/null
    # Verify using external (original) certificate
-    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify -certfile /tmp/test.crt -nointern >/dev/null
+    openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify -certfile /tmp/test.crt -nointern > /dev/null
 }
 verify_pkcs7_fail() {
    # Verify using internal certificate
-    (! openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify >/dev/null)
+    (! openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify > /dev/null)
    # Verify using external (original) certificate
-    (! openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify -certfile /tmp/test.crt -nointern >/dev/null)
+    (! openssl smime -verify -binary -inform der -in /tmp/payload.p7s -content /tmp/payload -noverify -certfile /tmp/test.crt -nointern > /dev/null)
 }
 testcase_pkcs7() {
-    echo -n "test" >/tmp/payload
+    echo -n "test" > /tmp/payload
    for hashalg in sha256 sha384 sha512; do
        # shellcheck disable=SC2086
--- a/test/units/TEST-74-AUX-UTILS.network-generator.sh
+++ b/test/units/TEST-74-AUX-UTILS.network-generator.sh
@ -15,12 +15,12 @@ at_exit() {
 trap at_exit EXIT
 mkdir -p /run/credstore
-cat >/run/credstore/network.conf.50-testme <<EOF
+cat > /run/credstore/network.conf.50-testme <<EOF
 [Network]
 SpeedMeter=yes
 EOF
-cat >/run/credstore/network.network.50-testme <<EOF
+cat > /run/credstore/network.network.50-testme <<EOF
 [Match]
 Property=IDONTEXIST
 EOF
--- a/test/units/TEST-74-AUX-UTILS.varlinkctl.sh
+++ b/test/units/TEST-74-AUX-UTILS.varlinkctl.sh
@ -175,8 +175,8 @@ varlinkctl introspect /run/systemd/io.systemd.Hostname io.systemd.Hostname
 varlinkctl call /run/systemd/io.systemd.Hostname io.systemd.Hostname.Describe '{}'
 # Validate that --exec results in the very same values
-varlinkctl call /run/systemd/io.systemd.Hostname io.systemd.Hostname.Describe '{}' | jq >/tmp/describe1.json
+varlinkctl call /run/systemd/io.systemd.Hostname io.systemd.Hostname.Describe '{}' | jq > /tmp/describe1.json
-varlinkctl --exec call /run/systemd/io.systemd.Hostname io.systemd.Hostname.Describe '{}' -- jq >/tmp/describe2.json
+varlinkctl --exec call /run/systemd/io.systemd.Hostname io.systemd.Hostname.Describe '{}' -- jq > /tmp/describe2.json
 cmp /tmp/describe1.json /tmp/describe2.json
 rm /tmp/describe1.json /tmp/describe2.json
--- a/test/units/TEST-75-RESOLVED.sh
+++ b/test/units/TEST-75-RESOLVED.sh
@ -817,7 +817,7 @@ testcase_09_resolvectl_showcache() {
        echo "[NetDev]"
        echo "Name=dns2"
        echo "Kind=dummy"
-    } >/run/systemd/network/10-dns2.netdev
+    } > /run/systemd/network/10-dns2.netdev
    {
        echo "[Match]"
        echo "Name=dns2"
@ -825,7 +825,7 @@ testcase_09_resolvectl_showcache() {
        echo "IPv6AcceptRA=no"
        echo "Address=10.123.0.1/24"
        echo "DNS=10.0.0.1"
-    } >/run/systemd/network/10-dns2.network
+    } > /run/systemd/network/10-dns2.network
    networkctl reload
    networkctl reconfigure dns2
    /usr/lib/systemd/systemd-networkd-wait-online --timeout=60 --dns --interface=dns2
@ -835,7 +835,7 @@ testcase_09_resolvectl_showcache() {
        echo "[Resolve]"
        echo "DNSSEC=no"
        echo "DNSOverTLS=no"
-    } >/run/systemd/resolved.conf.d/90-resolved.conf
+    } > /run/systemd/resolved.conf.d/90-resolved.conf
    systemctl reload systemd-resolved.service
    test "$(resolvectl show-cache --json=short | jq -rc '.[] | select(.ifname == "dns2" and .protocol == "dns") | .dnssec')" == 'no'
@ -845,7 +845,7 @@ testcase_09_resolvectl_showcache() {
        echo "[Resolve]"
        echo "DNSSEC=allow-downgrade"
        echo "DNSOverTLS=opportunistic"
-    } >/run/systemd/resolved.conf.d/90-resolved.conf
+    } > /run/systemd/resolved.conf.d/90-resolved.conf
    systemctl reload systemd-resolved.service
    test "$(resolvectl show-cache --json=short | jq -rc '.[] | select(.ifname == "dns2" and .protocol == "dns") | .dnssec')" == 'allow-downgrade'
--- a/test/units/TEST-80-NOTIFYACCESS.sh
+++ b/test/units/TEST-80-NOTIFYACCESS.sh
@ -15,7 +15,7 @@ sync_in() {
 }
 sync_out() {
-    echo "$1" >/tmp/syncfifo2
+    echo "$1" > /tmp/syncfifo2
 }
 export SYSTEMD_LOG_LEVEL=debug
--- a/test/units/TEST-87-AUX-UTILS-VM.validatefs.sh
+++ b/test/units/TEST-87-AUX-UTILS-VM.validatefs.sh
@ -28,14 +28,14 @@ at_exit() {
 trap at_exit EXIT
 mkdir /tmp/validatefs-test
-cat >/tmp/validatefs-test/validatefs-root.conf <<EOF
+cat > /tmp/validatefs-test/validatefs-root.conf <<EOF
 [Partition]
 Type=root
 Label=kromm
 Format=ext4
 EOF
-cat >/tmp/validatefs-test/validatefs-usr.conf <<EOF
+cat > /tmp/validatefs-test/validatefs-usr.conf <<EOF
 [Partition]
 Type=usr
 Label=plisch
@ -44,7 +44,7 @@ Verity=data
 VerityMatchKey=mupf
 EOF
-cat >/tmp/validatefs-test/validatefs-usr-verity.conf <<EOF
+cat > /tmp/validatefs-test/validatefs-usr-verity.conf <<EOF
 [Partition]
 Type=usr-verity
 Label=plisch-verity
@ -52,21 +52,21 @@ Verity=hash
 VerityMatchKey=mupf
 EOF
-cat >/tmp/validatefs-test/validatefs-home.conf <<EOF
+cat > /tmp/validatefs-test/validatefs-home.conf <<EOF
 [Partition]
 Type=home
 Label=rupft
 Format=ext4
 EOF
-cat >/tmp/validatefs-test/validatefs-esp.conf <<EOF
+cat > /tmp/validatefs-test/validatefs-esp.conf <<EOF
 [Partition]
 Type=esp
 Label=fumm
 Format=vfat
 EOF
-cat >/tmp/validatefs-test/validatefs-generic.conf <<EOF
+cat > /tmp/validatefs-test/validatefs-generic.conf <<EOF
 [Partition]
 Label=qnurx
 Type=linux-generic
--- a/tools/setup-musl-build.sh
+++ b/tools/setup-musl-build.sh
@ -1,85 +0,0 @@
 #!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 # Usage:
 #   tools/setup-musl-build.sh <build-directory> <options…>
 # E.g.
 #   tools/setup-musl-build.sh build-musl -Dbuildtype=debugoptimized && ninja -C build-musl
 set -eu
 BUILD_DIR="${1:?}"
 shift
 SETUP_DIR="${BUILD_DIR}/extra"
 LINKS=(
    acl
    archive.h
    archive_entry.h
    asm
    asm-generic
    audit-records.h
    audit_logging.h
    bpf
    bzlib.h
    curl
    dwarf.h
    elfutils
    fido.h
    gcrypt.h
    gelf.h
    gnutls
    gpg-error.h
    idn2.h
    libaudit.h
    libcryptsetup.h
    libelf.h
    libkmod.h
    linux
    lz4.h
    lz4frame.h
    lz4hc.h
    lzma
    lzma.h
    microhttpd.h
    mtd
    openssl
    pcre2.h
    pwquality.h
    qrencode.h
    seccomp-syscalls.h
    seccomp.h
    security
    selinux
    sys/acl.h
    sys/capability.h
    tss2
    xen
    xkbcommon
    zconf.h
    zlib.h
    zstd.h
    zstd_errors.h
 )
 for t in "${LINKS[@]}"; do
    [[ -e /usr/include/"$t" ]]
    link="${SETUP_DIR}/usr/include/${t}"
    mkdir -p "${link%/*}"
    ln -s /usr/include/"$t" "$link"
 done
 # Use an absolute path so that when we chdir into the build directory,
 # the path still works. This is easier than figuring out the relative path.
 [[ "${SETUP_DIR}" =~ ^/ ]] || SETUP_DIR="${PWD}/${SETUP_DIR}"
 CFLAGS="-idirafter ${SETUP_DIR}/usr/include"
 set -x
 env \
    CC=musl-gcc \
    CXX=musl-gcc \
    CFLAGS="$CFLAGS" \
    CXXFLAGS="$CFLAGS" \
    meson setup -Ddbus-interfaces-dir=no -Dlibc=musl "${BUILD_DIR}" "${@}"