Merge 18c36b1e24 into 0e44a351ea

If the editor that invokes mkosi.clangd is a flatpak, let's make sure
that mkosi is run on the host and not in the flatpak sandbox since it
won't be installed there.

.github/workflows/linter.yml

@@ -37,7 +37,7 @@ jobs:
           VALIDATE_GITHUB_ACTIONS: true
 
       - name: Check that tabs are not used in Python code
-        run: sh -c '! git grep -P "\\t" -- src/ukify/ukify.py'
+        run: sh -c '! git grep -P "\\t" -- src/ukify/ukify.py test/integration-test-wrapper.py'
 
       - name: Install ruff and mypy
         run: |
@@ -47,14 +47,14 @@ jobs:
       - name: Run mypy
         run: |
           python3 -m mypy --version
-          python3 -m mypy src/ukify/ukify.py
+          python3 -m mypy src/ukify/ukify.py test/integration-test-wrapper.py
 
       - name: Run ruff check
         run: |
           ruff --version
-          ruff check src/ukify/ukify.py
+          ruff check src/ukify/ukify.py test/integration-test-wrapper.py
 
       - name: Run ruff format
         run: |
           ruff --version
-          ruff format --check src/ukify/ukify.py
+          ruff format --check src/ukify/ukify.py test/integration-test-wrapper.py

.github/workflows/mkosi.yml

@@ -105,7 +105,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@8976a0abb19221e65300222f2d33067970cca0f1
+      - uses: systemd/mkosi@0825cca8084674ec8fa27502134b1bc601f79e0c
 
       # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
       # immediately, we remove the files in the background. However, we first move them to a different location

mkosi.clangd

@@ -1,12 +1,18 @@
 #!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
-MKOSI_CONFIG="$(mkosi --json summary | jq -r .Images[-1])"
+if command -v flatpak-spawn >/dev/null; then
+    SPAWN=(flatpak-spawn --host)
+else
+    SPAWN=()
+fi
+
+MKOSI_CONFIG="$("${SPAWN[@]}" --host mkosi --json summary | jq -r .Images[-1])"
 DISTRIBUTION="$(jq -r .Distribution <<< "$MKOSI_CONFIG")"
 RELEASE="$(jq -r .Release <<< "$MKOSI_CONFIG")"
 ARCH="$(jq -r .Architecture <<< "$MKOSI_CONFIG")"
 
-exec mkosi \
+exec "${SPAWN[@]}" mkosi \
     --incremental=strict \
     --build-sources-ephemeral=no \
     --format=none \

mkosi.conf.d/05-tools/mkosi.conf.d/arch.conf

@@ -6,10 +6,12 @@ ToolsTreeDistribution=arch
 [Build]
 ToolsTreePackages=
         cryptsetup
+        github-cli
         libcap
         libmicrohttpd
         python-jinja
         python-pytest
         ruff
+        shellcheck
         tpm2-tss
         util-linux-libs

mkosi.conf.d/05-tools/mkosi.conf.d/centos-fedora.conf

@@ -16,3 +16,4 @@ ToolsTreePackages=
         tpm2-tss-devel
         python3-jinja2
         python3-pytest
+        shellcheck

mkosi.conf.d/05-tools/mkosi.conf.d/debian-ubuntu.conf

@@ -6,6 +6,7 @@ ToolsTreeDistribution=|ubuntu
 
 [Build]
 ToolsTreePackages=
+        gh
         libblkid-dev
         libcap-dev
         libcryptsetup-dev
@@ -16,3 +17,4 @@ ToolsTreePackages=
         libtss2-dev
         python3-jinja2
         python3-pytest
+        shellcheck

mkosi.conf.d/05-tools/mkosi.conf.d/fedora.conf

@@ -5,4 +5,5 @@ ToolsTreeDistribution=fedora
 
 [Build]
 ToolsTreePackages=
+        gh
         ruff

mkosi.conf.d/05-tools/mkosi.conf.d/opensuse.conf

@@ -5,6 +5,7 @@ ToolsTreeDistribution=opensuse
 
 [Build]
 ToolsTreePackages=
+        gh
         pkgconfig(blkid)
         pkgconfig(libcap)
         pkgconfig(libcryptsetup)
@@ -16,3 +17,4 @@ ToolsTreePackages=
         tss2-devel
         python3-jinja2
         python3-pytest
+        ShellCheck

mkosi.images/build/mkosi.conf.d/centos-fedora/mkosi.conf

@@ -13,6 +13,7 @@ Environment=
 
 [Content]
 Packages=
+        clang-devel
         compiler-rt
         gdb
         git-core

mkosi.images/build/mkosi.conf.d/debian-ubuntu/mkosi.conf

@@ -15,6 +15,7 @@ Environment=
 [Content]
 Packages=
         apt
+        clangd
         erofs-utils
         git-core
         libclang-rt-dev

mkosi.images/build/mkosi.conf.d/opensuse/mkosi.conf

@@ -12,6 +12,7 @@ Environment=
 
 [Content]
 Packages=
+        clang
         diffutils
         erofs-utils
         gcc-c++

mkosi.sanitizers/mkosi.postinst

@@ -57,6 +57,8 @@ wrap=(
     delv
     dhcpd
     dig
+    dnf
+    dnf5
     dmsetup
     dnsmasq
     findmnt
@@ -93,7 +95,7 @@ wrap=(
 )
 
 for bin in "${wrap[@]}"; do
-    if ! mkosi-chroot command -v "$bin" >/dev/null; then
+    if ! mkosi-chroot bash -c "command -v $bin" >/dev/null; then
         continue
     fi
 
@@ -103,7 +105,7 @@ for bin in "${wrap[@]}"; do
         enable_lsan=0
     fi
 
-    target="$(mkosi-chroot command -v "$bin")"
+    target="$(mkosi-chroot bash -c "command -v $bin")"
 
     mv "$BUILDROOT/$target" "$BUILDROOT/$target.orig"
 

src/basic/cgroup-util.c

@@ -28,6 +28,7 @@
 #include "mkdir.h"
 #include "parse-util.h"
 #include "path-util.h"
+#include "pidfd-util.h"
 #include "process-util.h"
 #include "set.h"
 #include "special.h"
@@ -72,6 +73,28 @@ int cg_cgroupid_open(int cgroupfs_fd, uint64_t id) {
         return fd;
 }
 
+int cg_path_from_cgroupid(int cgroupfs_fd, uint64_t id, char **ret) {
+        _cleanup_close_ int cgfd = -EBADF;
+        int r;
+
+        cgfd = cg_cgroupid_open(cgroupfs_fd, id);
+        if (cgfd < 0)
+                return cgfd;
+
+        _cleanup_free_ char *path = NULL;
+
+        r = fd_get_path(cgfd, &path);
+        if (r < 0)
+                return r;
+
+        if (isempty(path_startswith(path, "/sys/fs/cgroup/")))
+                return -EINVAL;
+
+        if (ret)
+                *ret = TAKE_PTR(path);
+        return 0;
+}
+
 static int cg_enumerate_items(const char *controller, const char *path, FILE **ret, const char *item) {
         _cleanup_free_ char *fs = NULL;
         FILE *f;
@@ -826,6 +849,16 @@ int cg_pidref_get_path(const char *controller, const PidRef *pidref, char **ret_
         if (!pidref_is_set(pidref))
                 return -ESRCH;
 
+        if (pidref->fd >= 0) {
+                uint64_t cgroup_id;
+
+                r = pidfd_get_cgroupid(pidref->fd, &cgroup_id);
+                if (r >= 0)
+                        return cg_path_from_cgroupid(/* cgroupfs_fd = */ -EBADF, cgroup_id, ret_path);
+                if (!ERRNO_IS_NEG_NOT_SUPPORTED(r))
+                        return r;
+        }
+
         r = cg_pid_get_path(controller, pidref->pid, &path);
         if (r < 0)
                 return r;

src/basic/cgroup-util.h

@@ -183,6 +183,8 @@ typedef enum CGroupUnified {
 int cg_path_open(const char *controller, const char *path);
 int cg_cgroupid_open(int fsfd, uint64_t id);
 
+int cg_path_from_cgroupid(int cgroupfs_fd, uint64_t id, char **ret);
+
 typedef enum CGroupFlags {
         CGROUP_SIGCONT            = 1 << 0,
         CGROUP_IGNORE_SELF        = 1 << 1,

src/basic/meson.build

@@ -72,6 +72,7 @@ basic_sources = files(
         'parse-util.c',
         'path-util.c',
         'percent-util.c',
+        'pidfd-util.c',
         'pidref.c',
         'prioq.c',
         'proc-cmdline.c',

src/basic/missing_pidfd.h

@@ -0,0 +1,43 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include <linux/types.h>
+
+#define PIDFS_IOCTL_MAGIC 0xFF
+
+#ifndef PIDFD_GET_CGROUP_NAMESPACE
+#  define PIDFD_GET_CGROUP_NAMESPACE              _IO(PIDFS_IOCTL_MAGIC, 1)
+#  define PIDFD_GET_IPC_NAMESPACE                 _IO(PIDFS_IOCTL_MAGIC, 2)
+#  define PIDFD_GET_MNT_NAMESPACE                 _IO(PIDFS_IOCTL_MAGIC, 3)
+#  define PIDFD_GET_NET_NAMESPACE                 _IO(PIDFS_IOCTL_MAGIC, 4)
+#  define PIDFD_GET_PID_NAMESPACE                 _IO(PIDFS_IOCTL_MAGIC, 5)
+#  define PIDFD_GET_PID_FOR_CHILDREN_NAMESPACE    _IO(PIDFS_IOCTL_MAGIC, 6)
+#  define PIDFD_GET_TIME_NAMESPACE                _IO(PIDFS_IOCTL_MAGIC, 7)
+#  define PIDFD_GET_TIME_FOR_CHILDREN_NAMESPACE   _IO(PIDFS_IOCTL_MAGIC, 8)
+#  define PIDFD_GET_USER_NAMESPACE                _IO(PIDFS_IOCTL_MAGIC, 9)
+#  define PIDFD_GET_UTS_NAMESPACE                 _IO(PIDFS_IOCTL_MAGIC, 10)
+#endif
+
+#ifndef PIDFD_GET_INFO
+struct pidfd_info {
+        __u64 mask;
+        __u64 cgroupid;
+        __u32 pid;
+        __u32 tgid;
+        __u32 ppid;
+        __u32 ruid;
+        __u32 rgid;
+        __u32 euid;
+        __u32 egid;
+        __u32 suid;
+        __u32 sgid;
+        __u32 fsuid;
+        __u32 fsgid;
+        __u32 spare0[1];
+};
+
+#define PIDFD_GET_INFO          _IOWR(PIDFS_IOCTL_MAGIC, 11, struct pidfd_info)
+#define PIDFD_INFO_PID          (1UL << 0)
+#define PIDFD_INFO_CREDS        (1UL << 1)
+#define PIDFD_INFO_CGROUPID     (1UL << 2)
+#endif

src/basic/pidfd-util.c

@@ -0,0 +1,161 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <sys/ioctl.h>
+#include <unistd.h>
+
+#include "errno-util.h"
+#include "fd-util.h"
+#include "fileio.h"
+#include "macro.h"
+#include "memory-util.h"
+#include "missing_magic.h"
+#include "missing_pidfd.h"
+#include "parse-util.h"
+#include "path-util.h"
+#include "pidfd-util.h"
+#include "stat-util.h"
+#include "string-util.h"
+
+static bool pidfd_get_info_supported = true;
+
+static bool ERRNO_IS_NEG_PIDFD_IOCTL_NOT_SUPPORTED(intmax_t r) {
+        return IN_SET(r, -ENOTTY, -EINVAL);
+}
+_DEFINE_ABS_WRAPPER(PIDFD_IOCTL_NOT_SUPPORTED);
+
+static int pidfd_get_pid_fdinfo(int fd, pid_t *ret) {
+        char path[STRLEN("/proc/self/fdinfo/") + DECIMAL_STR_MAX(int)];
+        _cleanup_free_ char *fdinfo = NULL;
+        int r;
+
+        assert(fd >= 0);
+
+        xsprintf(path, "/proc/self/fdinfo/%i", fd);
+
+        r = read_full_virtual_file(path, &fdinfo, NULL);
+        if (r == -ENOENT)
+                return proc_fd_enoent_errno();
+        if (r < 0)
+                return r;
+
+        char *p = find_line_startswith(fdinfo, "Pid:");
+        if (!p)
+                return -ENOTTY; /* not a pidfd? */
+
+        p = skip_leading_chars(p, /* bad = */ NULL);
+        p[strcspn(p, WHITESPACE)] = 0;
+
+        if (streq(p, "0"))
+                return -EREMOTE; /* PID is in foreign PID namespace? */
+        if (streq(p, "-1"))
+                return -ESRCH;   /* refers to reaped process? */
+
+        return parse_pid(p, ret);
+}
+
+static int pidfd_get_pid_ioctl(int fd, pid_t *ret) {
+        struct pidfd_info info = { .mask = PIDFD_INFO_PID };
+
+        assert(fd >= 0);
+
+        if (ioctl(fd, PIDFD_GET_INFO, &info) < 0)
+                return -errno;
+
+        assert(FLAGS_SET(info.mask, PIDFD_INFO_PID));
+
+        if (ret)
+                *ret = info.pid;
+        return 0;
+}
+
+int pidfd_get_pid(int fd, pid_t *ret) {
+        int r;
+
+        /* Converts a pidfd into a pid. We try ioctl(PIDFD_GET_INFO) (kernel 6.13+) first,
+         * /proc/self/fdinfo/ as fallback. Well known errors:
+         *
+         *    -EBADF   → fd invalid
+         *    -ESRCH   → fd valid, but process is already reaped
+         *
+         * pidfd_get_pid_fdinfo() might additionally fail for other reasons:
+         *
+         *    -ENOSYS  → /proc/ not mounted
+         *    -ENOTTY  → fd valid, but not a pidfd
+         *    -EREMOTE → fd valid, but pid is in another namespace we cannot translate to the local one
+         */
+
+        assert(fd >= 0);
+
+        if (pidfd_get_info_supported) {
+                r = pidfd_get_pid_ioctl(fd, ret);
+                if (!ERRNO_IS_NEG_PIDFD_IOCTL_NOT_SUPPORTED(r))
+                        return r;
+
+                pidfd_get_info_supported = false;
+        }
+
+        return pidfd_get_pid_fdinfo(fd, ret);
+}
+
+int pidfd_verify_pid(int pidfd, pid_t pid) {
+        pid_t current_pid;
+        int r;
+
+        assert(pidfd >= 0);
+        assert(pid > 0);
+
+        r = pidfd_get_pid(pidfd, &current_pid);
+        if (r < 0)
+                return r;
+
+        return current_pid != pid ? -ESRCH : 0;
+}
+
+int pidfd_get_cgroupid(int fd, uint64_t *ret) {
+        struct pidfd_info info = { .mask = PIDFD_INFO_CGROUP };
+
+        assert(fd >= 0);
+
+        if (!pidfd_get_info_supported)
+                return -EOPNOTSUPP;
+
+        if (ioctl(fd, PIDFD_GET_INFO, &info) < 0) {
+                if (ERRNO_IS_PIDFD_IOCTL_NOT_SUPPORTED(errno)) {
+                        pidfd_get_info_supported = false;
+                        return -EOPNOTSUPP;
+                }
+
+                return -errno;
+        }
+
+        if (!FLAGS_SET(info.mask, PIDFD_INFO_CGROUP))
+                return -ENODATA;
+
+        if (ret)
+                *ret = info.cgroupid;
+        return 0;
+}
+
+int pidfd_get_inode_id(int fd, uint64_t *ret) {
+        static int cached_supported = -1;
+        int r;
+
+        assert(fd >= 0);
+
+        if (cached_supported < 0) {
+                cached_supported = fd_is_fs_type(fd, PID_FS_MAGIC);
+                if (cached_supported < 0)
+                        return cached_supported;
+        }
+        if (cached_supported == 0)
+                return -EOPNOTSUPP;
+
+        struct stat st;
+
+        if (fstat(fd, &st) < 0)
+                return -errno;
+
+        if (ret)
+                *ret = (uint64_t) st.st_ino;
+        return 0;
+}

src/basic/pidfd-util.h

@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include <stdint.h>
+#if HAVE_PIDFD_OPEN
+#include <sys/pidfd.h>
+#endif
+#include <sys/types.h>
+
+int pidfd_get_pid(int fd, pid_t *ret);
+int pidfd_verify_pid(int pidfd, pid_t pid);
+
+int pidfd_get_cgroupid(int fd, uint64_t *ret);
+
+int pidfd_get_inode_id(int fd, uint64_t *ret);

src/basic/pidref.c

@@ -1,36 +1,14 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
-#if HAVE_PIDFD_OPEN
-#include <sys/pidfd.h>
-#endif
-
 #include "errno-util.h"
 #include "fd-util.h"
-#include "missing_magic.h"
 #include "missing_syscall.h"
 #include "missing_wait.h"
 #include "parse-util.h"
+#include "pidfd-util.h"
 #include "pidref.h"
 #include "process-util.h"
 #include "signal-util.h"
-#include "stat-util.h"
-
-static int pidfd_inode_ids_supported(void) {
-        static int cached = -1;
-
-        if (cached >= 0)
-                return cached;
-
-        _cleanup_close_ int fd = pidfd_open(getpid_cached(), 0);
-        if (fd < 0) {
-                if (ERRNO_IS_NOT_SUPPORTED(errno))
-                        return (cached = false);
-
-                return -errno;
-        }
-
-        return (cached = fd_is_fs_type(fd, PID_FS_MAGIC));
-}
 
 int pidref_acquire_pidfd_id(PidRef *pidref) {
         int r;
@@ -49,19 +27,14 @@ int pidref_acquire_pidfd_id(PidRef *pidref) {
         if (pidref->fd_id > 0)
                 return 0;
 
-        r = pidfd_inode_ids_supported();
+        r = pidfd_get_inode_id(pidref->fd, &pidref->fd_id);
-        if (r < 0)
+        if (r < 0) {
-                return r;
+                if (!ERRNO_IS_NEG_NOT_SUPPORTED(r))
-        if (r == 0)
+                        log_debug_errno(r, "Failed to get inode number of pidfd for pid " PID_FMT ": %m",
-                return -EOPNOTSUPP;
-
-        struct stat st;
-
-        if (fstat(pidref->fd, &st) < 0)
-                return log_debug_errno(errno, "Failed to get inode number of pidfd for pid " PID_FMT ": %m",
                                         pidref->pid);
+                return r;
+        }
 
-        pidref->fd_id = (uint64_t) st.st_ino;
         return 0;
 }
 

src/basic/process-util.c

@@ -1874,59 +1874,6 @@ int get_oom_score_adjust(int *ret) {
         return 0;
 }
 
-int pidfd_get_pid(int fd, pid_t *ret) {
-        char path[STRLEN("/proc/self/fdinfo/") + DECIMAL_STR_MAX(int)];
-        _cleanup_free_ char *fdinfo = NULL;
-        int r;
-
-        /* Converts a pidfd into a pid. Well known errors:
-         *
-         *    -EBADF   → fd invalid
-         *    -ENOSYS  → /proc/ not mounted
-         *    -ENOTTY  → fd valid, but not a pidfd
-         *    -EREMOTE → fd valid, but pid is in another namespace we cannot translate to the local one
-         *    -ESRCH   → fd valid, but process is already reaped
-         */
-
-        assert(fd >= 0);
-
-        xsprintf(path, "/proc/self/fdinfo/%i", fd);
-
-        r = read_full_virtual_file(path, &fdinfo, NULL);
-        if (r == -ENOENT)
-                return proc_fd_enoent_errno();
-        if (r < 0)
-                return r;
-
-        char *p = find_line_startswith(fdinfo, "Pid:");
-        if (!p)
-                return -ENOTTY; /* not a pidfd? */
-
-        p = skip_leading_chars(p, /* bad = */ NULL);
-        p[strcspn(p, WHITESPACE)] = 0;
-
-        if (streq(p, "0"))
-                return -EREMOTE; /* PID is in foreign PID namespace? */
-        if (streq(p, "-1"))
-                return -ESRCH;   /* refers to reaped process? */
-
-        return parse_pid(p, ret);
-}
-
-int pidfd_verify_pid(int pidfd, pid_t pid) {
-        pid_t current_pid;
-        int r;
-
-        assert(pidfd >= 0);
-        assert(pid > 0);
-
-        r = pidfd_get_pid(pidfd, &current_pid);
-        if (r < 0)
-                return r;
-
-        return current_pid != pid ? -ESRCH : 0;
-}
-
 static int rlimit_to_nice(rlim_t limit) {
         if (limit <= 1)
                 return PRIO_MAX-1; /* i.e. 19 */

src/basic/process-util.h

@@ -251,9 +251,6 @@ assert_cc(TASKS_MAX <= (unsigned long) PID_T_MAX);
 /* Like TAKE_PTR() but for pid_t, resetting them to 0 */
 #define TAKE_PID(pid) TAKE_GENERIC(pid, pid_t, 0)
 
-int pidfd_get_pid(int fd, pid_t *ret);
-int pidfd_verify_pid(int pidfd, pid_t pid);
-
 int setpriority_closest(int priority);
 
 _noreturn_ void freeze(void);

src/libsystemd/sd-event/sd-event.c

@@ -1,9 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include <sys/epoll.h>
-#if HAVE_PIDFD_OPEN
-#include <sys/pidfd.h>
-#endif
 #include <sys/timerfd.h>
 #include <sys/wait.h>
 
@@ -31,6 +28,7 @@
 #include "origin-id.h"
 #include "path-util.h"
 #include "prioq.h"
+#include "pidfd-util.h"
 #include "process-util.h"
 #include "psi-util.h"
 #include "set.h"

src/libsystemd/sd-login/sd-login.c

@@ -22,6 +22,7 @@
 #include "macro.h"
 #include "parse-util.h"
 #include "path-util.h"
+#include "pidfd-util.h"
 #include "process-util.h"
 #include "socket-util.h"
 #include "stdio-util.h"

src/nsresourced/userns-registry.c

@@ -525,49 +525,20 @@ int userns_info_add_cgroup(UserNamespaceInfo *userns, uint64_t cgroup_id) {
 }
 
 static int userns_destroy_cgroup(uint64_t cgroup_id) {
-        _cleanup_close_ int cgroup_fd = -EBADF, parent_fd = -EBADF;
+        _cleanup_free_ char *path = NULL;
         int r;
 
-        cgroup_fd = cg_cgroupid_open(/* cgroupfsfd= */ -EBADF, cgroup_id);
+        r = cg_path_from_cgroupid(/* cgroupfs_fd = */ -EBADF, cgroup_id, &path);
-        if (cgroup_fd == -ESTALE) {
+        if (r == -ESTALE) {
-                log_debug_errno(cgroup_fd, "Control group %" PRIu64 " already gone, ignoring: %m", cgroup_id);
+                log_debug_errno(r, "Control group %" PRIu64 " already gone, ignoring.", cgroup_id);
                 return 0;
         }
-        if (cgroup_fd < 0)
-                return log_debug_errno(errno, "Failed to open cgroup %" PRIu64 ", ignoring: %m", cgroup_id);
-
-        _cleanup_free_ char *path = NULL;
-        r = fd_get_path(cgroup_fd, &path);
         if (r < 0)
                 return log_debug_errno(r, "Failed to get path of cgroup %" PRIu64 ", ignoring: %m", cgroup_id);
 
-        const char *e = path_startswith(path, "/sys/fs/cgroup/");
+        log_debug("Destroying cgroup %" PRIu64 " (%s)", cgroup_id, path);
-        if (!e)
-                return log_debug_errno(SYNTHETIC_ERRNO(EPERM), "Got cgroup path that doesn't start with /sys/fs/cgroup/, refusing: %s", path);
-        if (isempty(e))
-                return log_debug_errno(SYNTHETIC_ERRNO(EPERM), "Got root cgroup path, which can't be right, refusing.");
 
-        log_debug("Path of cgroup %" PRIu64 " is: %s", cgroup_id, path);
+        r = rm_rf(path, REMOVE_ROOT|REMOVE_ONLY_DIRECTORIES|REMOVE_CHMOD);
-
-        _cleanup_free_ char *fname = NULL;
-        r = path_extract_filename(path, &fname);
-        if (r < 0)
-                return log_debug_errno(r, "Failed to extract name of cgroup %" PRIu64 ", ignoring: %m", cgroup_id);
-
-        parent_fd = openat(cgroup_fd, "..", O_CLOEXEC|O_DIRECTORY);
-        if (parent_fd < 0)
-                return log_debug_errno(errno, "Failed to open parent cgroup of %" PRIu64 ", ignoring: %m", cgroup_id);
-
-        /* Safety check, never leave cgroupfs */
-        r = fd_is_fs_type(parent_fd, CGROUP2_SUPER_MAGIC);
-        if (r < 0)
-                return log_debug_errno(r, "Failed to determine if parent directory of cgroup %" PRIu64 " is still a cgroup, ignoring: %m", cgroup_id);
-        if (!r)
-                return log_debug_errno(SYNTHETIC_ERRNO(EPERM), "Parent directory of cgroup %" PRIu64 " is not a cgroup, refusing.", cgroup_id);
-
-        cgroup_fd = safe_close(cgroup_fd);
-
-        r = rm_rf_child(parent_fd, fname, REMOVE_ONLY_DIRECTORIES|REMOVE_PHYSICAL|REMOVE_CHMOD);
         if (r < 0)
                 log_debug_errno(r, "Failed to remove delegated cgroup %" PRIu64 ", ignoring: %m", cgroup_id);
 

src/ukify/ukify.py

@@ -467,7 +467,7 @@ class SignTool:
         raise NotImplementedError()
 
     @staticmethod
-    def from_string(name) -> type['SignTool']:
+    def from_string(name: str) -> type['SignTool']:
         if name == 'pesign':
             return PeSign
         elif name == 'sbsign':

test/integration-test-wrapper.py

@@ -1,8 +1,7 @@
 #!/usr/bin/python3
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
-'''Test wrapper command for driving integration tests.
+"""Test wrapper command for driving integration tests."""
-'''
 
 import argparse
 import json
@@ -13,7 +12,6 @@ import sys
 import textwrap
 from pathlib import Path
 
-
 EMERGENCY_EXIT_DROPIN = """\
 [Unit]
 Wants=emergency-exit.service
@@ -34,7 +32,7 @@ ExecStart=false
 """
 
 
-def main():
+def main() -> None:
     parser = argparse.ArgumentParser(description=__doc__)
     parser.add_argument('--mkosi', required=True)
     parser.add_argument('--meson-source-dir', required=True, type=Path)
@@ -46,34 +44,43 @@ def main():
     parser.add_argument('--slow', action=argparse.BooleanOptionalAction)
     parser.add_argument('--vm', action=argparse.BooleanOptionalAction)
     parser.add_argument('--exit-code', required=True, type=int)
-    parser.add_argument('mkosi_args', nargs="*")
+    parser.add_argument('mkosi_args', nargs='*')
     args = parser.parse_args()
 
-    if not bool(int(os.getenv("SYSTEMD_INTEGRATION_TESTS", "0"))):
+    if not bool(int(os.getenv('SYSTEMD_INTEGRATION_TESTS', '0'))):
-        print(f"SYSTEMD_INTEGRATION_TESTS=1 not found in environment, skipping {args.name}", file=sys.stderr)
+        print(
+            f'SYSTEMD_INTEGRATION_TESTS=1 not found in environment, skipping {args.name}',
+            file=sys.stderr,
+        )
         exit(77)
 
-    if args.slow and not bool(int(os.getenv("SYSTEMD_SLOW_TESTS", "0"))):
+    if args.slow and not bool(int(os.getenv('SYSTEMD_SLOW_TESTS', '0'))):
-        print(f"SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}", file=sys.stderr)
+        print(
+            f'SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}',
+            file=sys.stderr,
+        )
         exit(77)
 
-    if args.vm and bool(int(os.getenv("TEST_NO_QEMU", "0"))):
+    if args.vm and bool(int(os.getenv('TEST_NO_QEMU', '0'))):
-        print(f"TEST_NO_QEMU=1, skipping {args.name}", file=sys.stderr)
+        print(f'TEST_NO_QEMU=1, skipping {args.name}', file=sys.stderr)
         exit(77)
 
-    for s in os.getenv("TEST_SKIP", "").split():
+    for s in os.getenv('TEST_SKIP', '').split():
         if s in args.name:
-            print(f"Skipping {args.name} due to TEST_SKIP", file=sys.stderr)
+            print(f'Skipping {args.name} due to TEST_SKIP', file=sys.stderr)
             exit(77)
 
-    keep_journal = os.getenv("TEST_SAVE_JOURNAL", "fail")
+    keep_journal = os.getenv('TEST_SAVE_JOURNAL', 'fail')
-    shell = bool(int(os.getenv("TEST_SHELL", "0")))
+    shell = bool(int(os.getenv('TEST_SHELL', '0')))
 
     if shell and not sys.stderr.isatty():
-        print(f"--interactive must be passed to meson test to use TEST_SHELL=1", file=sys.stderr)
+        print(
+            '--interactive must be passed to meson test to use TEST_SHELL=1',
+            file=sys.stderr,
+        )
         exit(1)
 
-    name = args.name + (f"-{i}" if (i := os.getenv("MESON_TEST_ITERATION")) else "")
+    name = args.name + (f'-{i}' if (i := os.getenv('MESON_TEST_ITERATION')) else '')
 
     dropin = textwrap.dedent(
         """\
@@ -84,14 +91,14 @@ def main():
 
     if not shell:
         dropin += textwrap.dedent(
-            f"""
+            """
             [Unit]
             SuccessAction=exit
             SuccessActionExitStatus=123
             """
         )
 
-    if os.getenv("TEST_MATCH_SUBTEST"):
+    if os.getenv('TEST_MATCH_SUBTEST'):
         dropin += textwrap.dedent(
             f"""
             [Service]
@@ -99,7 +106,7 @@ def main():
             """
         )
 
-    if os.getenv("TEST_MATCH_TESTCASE"):
+    if os.getenv('TEST_MATCH_TESTCASE'):
         dropin += textwrap.dedent(
             f"""
             [Service]
@@ -116,7 +123,7 @@ def main():
             """
         )
 
-        journal_file = (args.meson_build_dir / (f"test/journal/{name}.journal")).absolute()
+        journal_file = (args.meson_build_dir / (f'test/journal/{name}.journal')).absolute()
         journal_file.unlink(missing_ok=True)
     elif not shell:
         dropin += textwrap.dedent(
@@ -136,54 +143,60 @@ def main():
         *(['--forward-journal', journal_file] if journal_file else []),
         *(
             [
-                '--credential',
+                '--credential', f'systemd.extra-unit.emergency-exit.service={shlex.quote(EMERGENCY_EXIT_SERVICE)}',  # noqa: E501
-                f"systemd.extra-unit.emergency-exit.service={shlex.quote(EMERGENCY_EXIT_SERVICE)}",
+                '--credential', f'systemd.unit-dropin.emergency.target={shlex.quote(EMERGENCY_EXIT_DROPIN)}',
-                '--credential',
-                f"systemd.unit-dropin.emergency.target={shlex.quote(EMERGENCY_EXIT_DROPIN)}",
             ]
             if not sys.stderr.isatty()
             else []
         ),
-        '--credential',
+        '--credential', f'systemd.unit-dropin.{args.unit}={shlex.quote(dropin)}',
-        f"systemd.unit-dropin.{args.unit}={shlex.quote(dropin)}",
         '--runtime-network=none',
         '--runtime-scratch=no',
         *args.mkosi_args,
-        '--qemu-firmware', args.firmware,
+        '--qemu-firmware',
-        *(['--qemu-kvm', 'no'] if int(os.getenv("TEST_NO_KVM", "0")) else []),
+        args.firmware,
+        *(['--qemu-kvm', 'no'] if int(os.getenv('TEST_NO_KVM', '0')) else []),
         '--kernel-command-line-extra',
-        ' '.join([
+        ' '.join(
+            [
                 'systemd.hostname=H',
-            f"SYSTEMD_UNIT_PATH=/usr/lib/systemd/tests/testdata/{args.name}.units:/usr/lib/systemd/tests/testdata/units:",
+                f'SYSTEMD_UNIT_PATH=/usr/lib/systemd/tests/testdata/{args.name}.units:/usr/lib/systemd/tests/testdata/units:',
-            *([f"systemd.unit={args.unit}"] if not shell else []),
+                *([f'systemd.unit={args.unit}'] if not shell else []),
                 'systemd.mask=systemd-networkd-wait-online.service',
                 *(
                     [
-                    "systemd.mask=serial-getty@.service",
+                        'systemd.mask=serial-getty@.service',
-                    "systemd.show_status=error",
+                        'systemd.show_status=error',
-                    "systemd.crash_shell=0",
+                        'systemd.crash_shell=0',
-                    "systemd.crash_action=poweroff",
+                        'systemd.crash_action=poweroff',
                     ]
                     if not sys.stderr.isatty()
                     else []
                 ),
-        ]),
+            ]
+        ),
         '--credential', f"journal.storage={'persistent' if sys.stderr.isatty() else args.storage}",
         *(['--runtime-build-sources=no'] if not sys.stderr.isatty() else []),
         'qemu' if args.vm or os.getuid() != 0 else 'boot',
-    ]
+    ]  # fmt: skip
 
     result = subprocess.run(cmd)
 
     # On Debian/Ubuntu we get a lot of random QEMU crashes. Retry once, and then skip if it fails again.
     if args.vm and result.returncode == 247 and args.exit_code != 247:
+        if journal_file:
             journal_file.unlink(missing_ok=True)
         result = subprocess.run(cmd)
         if args.vm and result.returncode == 247 and args.exit_code != 247:
-            print(f"Test {args.name} failed due to QEMU crash (error 247), ignoring", file=sys.stderr)
+            print(
+                f'Test {args.name} failed due to QEMU crash (error 247), ignoring',
+                file=sys.stderr,
+            )
             exit(77)
 
-    if journal_file and (keep_journal == "0" or (result.returncode in (args.exit_code, 77) and keep_journal == "fail")):
+    if journal_file and (
+        keep_journal == '0' or (result.returncode in (args.exit_code, 77) and keep_journal == 'fail')
+    ):
         journal_file.unlink(missing_ok=True)
 
     if shell or result.returncode in (args.exit_code, 77):
@@ -192,31 +205,33 @@ def main():
     if journal_file:
         ops = []
 
-        if os.getenv("GITHUB_ACTIONS"):
+        if os.getenv('GITHUB_ACTIONS'):
-            id = os.environ["GITHUB_RUN_ID"]
+            id = os.environ['GITHUB_RUN_ID']
-            iteration = os.environ["GITHUB_RUN_ATTEMPT"]
+            iteration = os.environ['GITHUB_RUN_ATTEMPT']
             j = json.loads(
                 subprocess.run(
                     [
                         args.mkosi,
-                        "--directory", os.fspath(args.meson_source_dir),
+                        '--directory', os.fspath(args.meson_source_dir),
-                        "--json",
+                        '--json',
-                        "summary",
+                        'summary',
                     ],
                     stdout=subprocess.PIPE,
                     text=True,
                 ).stdout
+            )  # fmt: skip
+            distribution = j['Images'][-1]['Distribution']
+            release = j['Images'][-1]['Release']
+            artifact = f'ci-mkosi-{id}-{iteration}-{distribution}-{release}-failed-test-journals'
+            ops += [f'gh run download {id} --name {artifact} -D ci/{artifact}']
+            journal_file = Path(f'ci/{artifact}/test/journal/{name}.journal')
+
+        ops += [f'journalctl --file {journal_file} --no-hostname -o short-monotonic -u {args.unit} -p info']
+
+        print(
+            "Test failed, relevant logs can be viewed with: \n\n" f"{(' && '.join(ops))}\n",
+            file=sys.stderr,
         )
-            distribution = j["Images"][-1]["Distribution"]
-            release = j["Images"][-1]["Release"]
-            artifact = f"ci-mkosi-{id}-{iteration}-{distribution}-{release}-failed-test-journals"
-            ops += [f"gh run download {id} --name {artifact} -D ci/{artifact}"]
-            journal_file = Path(f"ci/{artifact}/test/journal/{name}.journal")
-
-        ops += [f"journalctl --file {journal_file} --no-hostname -o short-monotonic -u {args.unit} -p info"]
-
-        print("Test failed, relevant logs can be viewed with: \n\n"
-              f"{(' && '.join(ops))}\n", file=sys.stderr)
 
     # 0 also means we failed so translate that to a non-zero exit code to mark the test as failed.
     exit(result.returncode or 1)