man/nss-mymachines.xml

@@ -39,15 +39,6 @@
     Note that the name that is resolved is the one registered with <command>systemd-machined</command>, which
     may be different than the hostname configured inside of the container.</para>
 
-    <para>Note that this NSS module only makes available names of the containers running immediately below
-    the current system context. It does not provide host name resolution for containers running side-by-side
-    with the invoking system context, or containers further up or down the container hierarchy. Or in other
-    words, on the host system it provides host name resolution for the containers running immediately below
-    the host environment. When used inside a container environment however, it will not be able to provide
-    name resolution for containers running on the host (as those are siblings and not children of the current
-    container environment), but instead only for nested containers running immediately below its own
-    container environment.</para>
-
     <para>To activate the NSS module, add <literal>mymachines</literal> to the line starting with
     <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>
 

man/systemd.exec.xml

@@ -675,10 +675,9 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
         <varname>SystemCallArchitectures=</varname>,
         <varname>SystemCallFilter=</varname>, or
         <varname>SystemCallLog=</varname> are specified. Note that even if this setting is overridden
-        by them, <command>systemctl show</command> shows the original value of this setting. In case the
+        by them, <command>systemctl show</command> shows the original value of this setting. Also see
-        service will be run in a new mount namespace anyway, all file systems are mounted with MS_NOSUID
+        <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New
-        flag. Also see <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">
+        Privileges Flag</ulink>.</para></listitem>
-        No New Privileges Flag</ulink>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -1037,10 +1036,8 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
       <varlistentry>
         <term><varname>Nice=</varname></term>
 
-        <listitem><para>Sets the default nice level (scheduling priority) for executed processes. Takes an
+        <listitem><para>Sets the default nice level (scheduling priority) for executed processes. Takes an integer
-        integer between -20 (highest priority) and 19 (lowest priority). In case of resource contention,
+        between -20 (highest priority) and 19 (lowest priority). See
-        smaller values mean more resources will be made available to the unit's processes, larger values mean
-        less resources will be made available. See
         <citerefentry><refentrytitle>setpriority</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
         details.</para></listitem>
       </varlistentry>
@@ -1057,13 +1054,11 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
       <varlistentry>
         <term><varname>CPUSchedulingPriority=</varname></term>
 
-        <listitem><para>Sets the CPU scheduling priority for executed processes. The available priority range
+        <listitem><para>Sets the CPU scheduling priority for executed processes. The available priority range depends
-        depends on the selected CPU scheduling policy (see above). For real-time scheduling policies an
+        on the selected CPU scheduling policy (see above). For real-time scheduling policies an integer between 1
-        integer between 1 (lowest priority) and 99 (highest priority) can be used. In case of CPU resource
+        (lowest priority) and 99 (highest priority) can be used. See
-        contention, smaller values mean less CPU time is made available to the service, larger values mean
+        <citerefentry project='man-pages'><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
-        more. See <citerefentry
+        details. </para></listitem>
-        project='man-pages'><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
-        for details. </para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -1127,13 +1122,11 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
       <varlistentry>
         <term><varname>IOSchedulingPriority=</varname></term>
 
-        <listitem><para>Sets the I/O scheduling priority for executed processes. Takes an integer between 0
+        <listitem><para>Sets the I/O scheduling priority for executed processes. Takes an integer between 0 (highest
-        (highest priority) and 7 (lowest priority). In case of I/O contention, smaller values mean more I/O
+        priority) and 7 (lowest priority). The available priorities depend on the selected I/O scheduling class (see
-        bandwidth is made available to the unit's processes, larger values mean less bandwidth. The available
+        above). If the empty string is assigned to this option, all prior assignments to both
-        priorities depend on the selected I/O scheduling class (see above). If the empty string is assigned
+        <varname>IOSchedulingClass=</varname> and <varname>IOSchedulingPriority=</varname> have no effect.
-        to this option, all prior assignments to both <varname>IOSchedulingClass=</varname> and
+        See <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
-        <varname>IOSchedulingPriority=</varname> have no effect.  See
-        <citerefentry><refentrytitle>ioprio_set</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
         details.</para></listitem>
       </varlistentry>
 

man/systemd.resource-control.xml

@@ -180,14 +180,13 @@
         <term><varname>StartupCPUWeight=<replaceable>weight</replaceable></varname></term>
 
         <listitem>
-          <para>Assign the specified CPU time weight to the processes executed, if the unified control group
+          <para>Assign the specified CPU time weight to the processes executed, if the unified control group hierarchy
-          hierarchy is used on the system. These options take an integer value and control the
+          is used on the system. These options take an integer value and control the <literal>cpu.weight</literal>
-          <literal>cpu.weight</literal> control group attribute. The allowed range is 1 to 10000. Defaults to
+          control group attribute. The allowed range is 1 to 10000. Defaults to 100. For details about this control
-          100. For details about this control group attribute, see <ulink
+          group attribute, see <ulink
-          url="https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html">Control Groups v2</ulink>
+          url="https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html">Control Groups v2</ulink> and <ulink
-          and <ulink url="https://www.kernel.org/doc/html/latest/scheduler/sched-design-CFS.html">CFS
+          url="https://www.kernel.org/doc/html/latest/scheduler/sched-design-CFS.html">CFS Scheduler</ulink>.
-          Scheduler</ulink>.  The available CPU time is split up among all units within one slice relative to
+          The available CPU time is split up among all units within one slice relative to their CPU time weight.</para>
-          their CPU time weight. A higher weight means more CPU time, a lower weight means less.</para>
 
           <para>While <varname>StartupCPUWeight=</varname> only applies to the startup phase of the system,
           <varname>CPUWeight=</varname> applies to normal runtime of the system, and if the former is not set also to
@@ -436,14 +435,13 @@
         <term><varname>StartupIOWeight=<replaceable>weight</replaceable></varname></term>
 
         <listitem>
-          <para>Set the default overall block I/O weight for the executed processes, if the unified control
+          <para>Set the default overall block I/O weight for the executed processes, if the unified control group
-          group hierarchy is used on the system. Takes a single weight value (between 1 and 10000) to set the
+          hierarchy is used on the system. Takes a single weight value (between 1 and 10000) to set the default block
-          default block I/O weight. This controls the <literal>io.weight</literal> control group attribute,
+          I/O weight. This controls the <literal>io.weight</literal> control group attribute, which defaults to
-          which defaults to 100. For details about this control group attribute, see <ulink
+          100. For details about this control group attribute, see <ulink
-          url="https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html#io-interface-files">IO
+          url="https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html#io-interface-files">IO Interface Files</ulink>.
-          Interface Files</ulink>.  The available I/O bandwidth is split up among all units within one slice
+          The available I/O bandwidth is split up among all units within one slice relative to their block
-          relative to their block I/O weight. A higher weight means more I/O bandwidth, a lower weight means
+          I/O weight.</para>
-          less.</para>
 
           <para>While <varname>StartupIOWeight=</varname> only applies
           to the startup phase of the system,

man/systemd.unit.xml

@@ -273,11 +273,10 @@
     objects in the file system hierarchy. Example: a device unit <filename>dev-sda.device</filename> refers to a device
     with the device node <filename index="false">/dev/sda</filename> in the file system.</para>
 
-    <para>The escaping algorithm operates as follows: given a string, any <literal>/</literal> character is
+    <para>The escaping algorithm operates as follows: given a string, any <literal>/</literal> character is replaced by
-    replaced by <literal>-</literal>, and all other characters which are not ASCII alphanumerics,
+    <literal>-</literal>, and all other characters which are not ASCII alphanumerics or <literal>_</literal> are
-    <literal>:</literal>, <literal>_</literal> or <literal>.</literal> are replaced by C-style
+    replaced by C-style <literal>\x2d</literal> escapes. In addition, <literal>.</literal> is replaced with such a
-    <literal>\x2d</literal> escapes. In addition, <literal>.</literal> is replaced with such a C-style escape
+    C-style escape when it would appear as the first character in the escaped string.</para>
-    when it would appear as the first character in the escaped string.</para>
 
     <para>When the input qualifies as absolute file system path, this algorithm is extended slightly: the path to the
     root directory <literal>/</literal> is encoded as single dash <literal>-</literal>. In addition, any leading,

man/udevadm.xml

@@ -186,45 +186,6 @@
 
         <xi:include href="standard-options.xml" xpointer="help" />
       </variablelist>
-
-      <para>The generated output shows the current device database entry in a terse format. Each line shown
-      is prefixed with one of the following characters:</para>
-
-      <table>
-        <title><command>udevadm info</command> output prefixes</title>
-        <tgroup cols='2' align='left' colsep='1' rowsep='1'>
-          <colspec colname="prefix" />
-          <colspec colname="meaning" />
-          <thead>
-            <row>
-              <entry>Prefix</entry>
-              <entry>Meaning</entry>
-            </row>
-          </thead>
-          <tbody>
-            <row>
-              <entry><literal>P:</literal></entry>
-              <entry>Device path in <filename>/sys/</filename></entry>
-            </row>
-            <row>
-              <entry><literal>N:</literal></entry>
-              <entry>Kernel device node name</entry>
-            </row>
-            <row>
-              <entry><literal>L:</literal></entry>
-              <entry>Device node symlink priority</entry>
-            </row>
-            <row>
-              <entry><literal>S:</literal></entry>
-              <entry>Device node symlink</entry>
-            </row>
-            <row>
-              <entry><literal>E:</literal></entry>
-              <entry>Device property</entry>
-            </row>
-          </tbody>
-        </tgroup>
-      </table>
     </refsect2>
 
     <refsect2><title>udevadm trigger

src/basic/hexdecoct.c

@@ -115,6 +115,8 @@ int unhexmem_full(const char *p, size_t l, bool secure, void **ret, size_t *ret_
         uint8_t *z;
         int r;
 
+        assert(ret);
+        assert(ret_len);
         assert(p || l == 0);
 
         if (l == SIZE_MAX)
@@ -148,10 +150,8 @@ int unhexmem_full(const char *p, size_t l, bool secure, void **ret, size_t *ret_
 
         *z = 0;
 
-        if (ret_len)
+        *ret_len = (size_t) (z - buf);
-                *ret_len = (size_t) (z - buf);
+        *ret = TAKE_PTR(buf);
-        if (ret)
-                *ret = TAKE_PTR(buf);
 
         return 0;
 
@@ -705,6 +705,8 @@ int unbase64mem_full(const char *p, size_t l, bool secure, void **ret, size_t *r
         int r;
 
         assert(p || l == 0);
+        assert(ret);
+        assert(ret_size);
 
         if (l == SIZE_MAX)
                 l = strlen(p);
@@ -800,10 +802,8 @@ int unbase64mem_full(const char *p, size_t l, bool secure, void **ret, size_t *r
 
         *z = 0;
 
-        if (ret_size)
+        *ret_size = (size_t) (z - buf);
-                *ret_size = (size_t) (z - buf);
+        *ret = TAKE_PTR(buf);
-        if (ret)
-                *ret = TAKE_PTR(buf);
 
         return 0;
 

src/core/execute.c

@@ -3191,8 +3191,6 @@ static int apply_mount_namespace(
                         .protect_proc = context->protect_proc,
                         .proc_subset = context->proc_subset,
                         .private_ipc = context->private_ipc || context->ipc_namespace_path,
-                        /* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
-                        .mount_nosuid = context->no_new_privileges,
                 };
         } else if (!context->dynamic_user && root_dir)
                 /*

src/core/namespace.c

@@ -1464,27 +1464,6 @@ static int make_noexec(const MountEntry *m, char **deny_list, FILE *proc_self_mo
         return 0;
 }
 
-static int make_nosuid(const MountEntry *m, FILE *proc_self_mountinfo) {
-        bool submounts = false;
-        int r = 0;
-
-        assert(m);
-        assert(proc_self_mountinfo);
-
-        submounts = !IN_SET(m->mode, EMPTY_DIR, TMPFS);
-
-        if (submounts)
-                r = bind_remount_recursive_with_mountinfo(mount_entry_path(m), MS_NOSUID, MS_NOSUID, NULL, proc_self_mountinfo);
-        else
-                r = bind_remount_one_with_mountinfo(mount_entry_path(m), MS_NOSUID, MS_NOSUID, proc_self_mountinfo);
-        if (r == -ENOENT && m->ignore)
-                return 0;
-        if (r < 0)
-                return log_debug_errno(r, "Failed to re-mount '%s'%s: %m", mount_entry_path(m),
-                                       submounts ? " and its submounts" : "");
-        return 0;
-}
-
 static bool namespace_info_mount_apivfs(const NamespaceInfo *ns_info) {
         assert(ns_info);
 
@@ -1681,17 +1660,6 @@ static int apply_mounts(
                 }
         }
 
-        /* Fourth round, flip the nosuid bits without a deny list. */
-        if (ns_info->mount_nosuid)
-                for (MountEntry *m = mounts; m < mounts + *n_mounts; ++m) {
-                        r = make_nosuid(m, proc_self_mountinfo);
-                        if (r < 0) {
-                                if (error_path && mount_entry_path(m))
-                                        *error_path = strdup(mount_entry_path(m));
-                                return r;
-                        }
-                }
-
         return 1;
 }
 

src/core/namespace.h

@@ -74,7 +74,6 @@ struct NamespaceInfo {
         bool mount_apivfs;
         bool protect_hostname;
         bool private_ipc;
-        bool mount_nosuid;
         ProtectHome protect_home;
         ProtectSystem protect_system;
         ProtectProc protect_proc;

src/network/networkctl.c

@@ -2993,45 +2993,6 @@ static int networkctl_main(int argc, char *argv[]) {
         return dispatch_verb(argc, argv, verbs, NULL);
 }
 
-static int check_netns_match(void) {
-        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
-        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
-        struct stat st;
-        uint64_t id;
-        int r;
-
-        r = sd_bus_open_system(&bus);
-        if (r < 0)
-                return log_error_errno(r, "Failed to connect system bus: %m");
-
-        r = sd_bus_get_property_trivial(
-                        bus,
-                        "org.freedesktop.network1",
-                        "/org/freedesktop/network1",
-                        "org.freedesktop.network1.Manager",
-                        "NamespaceId",
-                        &error,
-                        't',
-                        &id);
-        if (r < 0) {
-                log_debug_errno(r, "Failed to query network namespace of networkd, ignoring: %s", bus_error_message(&error, r));
-                return 0;
-        }
-        if (id == 0) {
-                log_debug("systemd-networkd.service not running in a network namespace (?), skipping netns check.");
-                return 0;
-        }
-
-        if (stat("/proc/self/ns/net", &st) < 0)
-                return log_error_errno(r, "Failed to determine our own network namespace ID: %m");
-
-        if (id != st.st_ino)
-                return log_error_errno(SYNTHETIC_ERRNO(EREMOTE),
-                                       "networkctl must be invoked in same network namespace as systemd-networkd.service.");
-
-        return 0;
-}
-
 static void warn_networkd_missing(void) {
 
         if (access("/run/systemd/netif/state", F_OK) >= 0)
@@ -3049,10 +3010,6 @@ static int run(int argc, char* argv[]) {
         if (r <= 0)
                 return r;
 
-        r = check_netns_match();
-        if (r < 0)
-                return r;
-
         warn_networkd_missing();
 
         return networkctl_main(argc, argv);

src/network/networkd-manager-bus.c

@@ -263,34 +263,6 @@ static int bus_method_describe(sd_bus_message *message, void *userdata, sd_bus_e
         return sd_bus_send(NULL, reply, NULL);
 }
 
-static int property_get_namespace_id(
-                sd_bus *bus,
-                const char *path,
-                const char *interface,
-                const char *property,
-                sd_bus_message *reply,
-                void *userdata,
-                sd_bus_error *error) {
-
-        uint64_t id = 0;
-        struct stat st;
-
-        assert(bus);
-        assert(reply);
-
-        /* Returns our own network namespace ID, i.e. the inode number of /proc/self/ns/net. This allows
-         * unprivileged clients to determine whether they are in the same network namespace as us (note that
-         * access to that path is restricted, thus they can't check directly unless privileged). */
-
-        if (stat("/proc/self/ns/net", &st) < 0) {
-                log_warning_errno(errno, "Failed to stat network namespace, ignoring: %m");
-                id = 0;
-        } else
-                id = st.st_ino;
-
-        return sd_bus_message_append(reply, "t", id);
-}
-
 const sd_bus_vtable manager_vtable[] = {
         SD_BUS_VTABLE_START(0),
 
@@ -300,7 +272,6 @@ const sd_bus_vtable manager_vtable[] = {
         SD_BUS_PROPERTY("IPv4AddressState", "s", property_get_address_state, offsetof(Manager, ipv4_address_state), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
         SD_BUS_PROPERTY("IPv6AddressState", "s", property_get_address_state, offsetof(Manager, ipv6_address_state), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
         SD_BUS_PROPERTY("OnlineState", "s", property_get_online_state, offsetof(Manager, online_state), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
-        SD_BUS_PROPERTY("NamespaceId", "t", property_get_namespace_id, 0, SD_BUS_VTABLE_PROPERTY_CONST),
 
         SD_BUS_METHOD_WITH_ARGS("ListLinks",
                                 SD_BUS_NO_ARGS,

test/test-network/conf/25-activation-policy.network

@@ -4,4 +4,3 @@ Name=test1
 [Network]
 Address=192.168.10.30/24
 Gateway=192.168.10.1
-IPv6AcceptRA=no

test/test-network/conf/25-nexthop-dummy.network

@@ -3,7 +3,6 @@ Name=dummy98
 
 [Network]
 Address=192.168.20.20/24
-IPv6AcceptRA=no
 
 [NextHop]
 Id=20

test/test-network/conf/25-wireguard-23-peers.network

@@ -4,7 +4,6 @@ Name=wg98
 [Network]
 Address=192.168.123.123/24
 Address=fd8d:4d6d:3ccb:0500::1/64
-IPv6AcceptRA=no
 
 # nat64 via 1
 [Route]

test/test-network/conf/25-wireguard.network

@@ -3,4 +3,3 @@ Name=wg99
 
 [Network]
 Address=192.168.124.1/24
-IPv6AcceptRA=no

test/test-network/conf/agent-client-peer.network

@@ -1,12 +1,9 @@
 [Match]
 Name=client-peer
-
 [Network]
 Address=192.168.6.2/24
 DHCPServer=yes
 IPForward=ipv4
-IPv6AcceptRA=no
-
 [DHCPServer]
 RelayTarget=192.168.5.1
 BindToInterface=no

test/test-network/conf/agent-client.network

@@ -1,7 +1,5 @@
 [Match]
 Name=client
-
 [Network]
 DHCP=yes
 IPForward=ipv4
-IPv6AcceptRA=no

test/test-network/conf/agent-server-peer.network

@@ -1,7 +1,5 @@
 [Match]
 Name=server-peer
-
 [Network]
 Address=192.168.5.2/24
 IPForward=ipv4
-IPv6AcceptRA=no

test/test-network/conf/agent-server.network

@@ -1,11 +1,9 @@
 [Match]
 Name=server
-
 [Network]
 Address=192.168.5.1/24
 IPForward=ipv4
 DHCPServer=yes
-IPv6AcceptRA=no
 
 [DHCPServer]
 BindToInterface=no

test/test-network/systemd-networkd-tests.py

@@ -2785,7 +2785,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities):
         for iteration in range(4):
             with self.subTest(iteration=iteration, expect_up=expect_up):
                 operstate = 'routable' if expect_up else 'off'
-                setup_state = 'configured' if expect_up else ('configuring' if iteration == 0 else None)
+                setup_state = 'configured' if expect_up else None
                 self.wait_operstate('test1', operstate, setup_state=setup_state, setup_timeout=20)
 
                 if expect_up: