2026-03-25 16:25:04 +01:00
13 changed files with 30 additions and 64 deletions
--- a/hwdb.d/60-keyboard.hwdb
+++ b/hwdb.d/60-keyboard.hwdb
@ -2132,8 +2132,8 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnINET:pnP325J:*
 # Home: LeftCtrl + Esc -> LeftMeta  (ignore LeftCtrl, map Esc to LeftMeta)
 # Back: Backspace      -> back      (map backspace to back)
 evdev:name:FTSC1000:00 2808:509C Keyboard:dmi:*:svnXiaomiInc:pnMipad2:*
- KEYBOARD_KEY_700e0=reserved                            # LeftCtrl -> ignore
+ KEYBOARD_KEY_700e0=unknown                             # LeftCtrl -> ignore
- KEYBOARD_KEY_700e3=reserved                            # LeftMeta -> ignore
+ KEYBOARD_KEY_700e3=unknown                             # LeftMeta -> ignore
 KEYBOARD_KEY_70016=menu                                # S -> menu
 KEYBOARD_KEY_70029=leftmeta                            # Esc -> LeftMeta (Windows key / Win8 tablets home)
 KEYBOARD_KEY_7002a=back                                # Backspace -> back
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@ -3195,11 +3195,10 @@ SystemCallErrorNumber=EPERM</programlisting>
        ignored; both the backslash and the following character are preserved verbatim. Leading and trailing
        whitespace outside of the double quotes is discarded.</para>
-        <para>The argument passed should be an absolute filename or wildcard expression. If the file does not
+        <para>The argument passed should be an absolute filename or wildcard expression, optionally prefixed with
-        exist, cannot be read, or contains invalid content, the service will fail to start. To make the file
+        <literal>-</literal>, which indicates that if the file does not exist, it will not be read and no error or
-        optional, prefix the path with <literal>-</literal>, which causes all errors related to the file to be
+        warning message is logged. This option may be specified more than once in which case all specified files are
-        silently ignored. This option may be specified more than once in which case all specified files are read.
+        read. If the empty string is assigned to this option, the list of file to read is reset, all prior assignments
        If the empty string is assigned to this option, the list of files to read is reset, all prior assignments
        have no effect.</para>
        <para>The files listed with this directive will be read shortly before the process is executed (more
--- a/meson.build
+++ b/meson.build
@ -1746,8 +1746,6 @@ if conf.get('BPF_FRAMEWORK') == 1
        bpf_clang_flags = [
                '-std=gnu17',
                '-Wno-compare-distinct-pointer-types',
                '-Wno-microsoft-anon-tag',
                '-fms-extensions',
                '-fno-stack-protector',
                '-O2',
                '-target',
@ -1758,7 +1756,6 @@ if conf.get('BPF_FRAMEWORK') == 1
        bpf_gcc_flags = [
                '-std=gnu17',
                '-fms-extensions',
                '-fno-stack-protector',
                '-fno-ssa-phiopt',
                '-O2',
--- a/src/basic/basic-forward.h
+++ b/src/basic/basic-forward.h
@ -86,7 +86,6 @@ typedef enum CGroupFlags CGroupFlags;
 typedef enum CGroupMask CGroupMask;
 typedef enum ChaseFlags ChaseFlags;
 typedef enum ExtractFlags ExtractFlags;
 typedef enum ForkFlags ForkFlags;
 typedef enum Glyph Glyph;
 typedef enum ImageClass ImageClass;
 typedef enum JobMode JobMode;
--- a/src/basic/namespace-util.c
+++ b/src/basic/namespace-util.c
@ -8,7 +8,6 @@
 #include <sys/mount.h>
 #include <unistd.h>
 #include "dlfcn-util.h"
 #include "errno-util.h"
 #include "fd-util.h"
 #include "fileio.h"
@ -218,9 +217,6 @@ int namespace_open(
 int namespace_enter(int pidns_fd, int mntns_fd, int netns_fd, int userns_fd, int root_fd) {
        int r;
        /* Block dlopen() now, to avoid us inadvertently loading shared library from another namespace */
        block_dlopen();
        if (userns_fd >= 0) {
                /* Can't setns to your own userns, since then you could escalate from non-root to root in
                 * your own namespace, so check if namespaces are equal before attempting to enter. */
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@ -1703,7 +1703,6 @@ int pidref_safe_fork_full(
         * foreign environment. Note that this has no effect on NSS! (i.e. it only has effect on uses of our
         * dlopen_safe(), which we use comprehensively in our codebase, but glibc NSS doesn't bother, of
         * course.) */
        if (!FLAGS_SET(flags, FORK_ALLOW_DLOPEN))
        block_dlopen();
        if (flags & (FORK_DEATHSIG_SIGTERM|FORK_DEATHSIG_SIGINT|FORK_DEATHSIG_SIGKILL))
@ -1907,7 +1906,6 @@ int namespace_fork(
        /* This is much like safe_fork(), but forks twice, and joins the specified namespaces in the middle
         * process. This ensures that we are fully a member of the destination namespace, with pidns an all, so that
         * /proc/self/fd works correctly. */
        assert(!FLAGS_SET(flags, FORK_ALLOW_DLOPEN)); /* never allow loading shared library from another ns */
        r = safe_fork_full(outer_name,
                           NULL,
--- a/src/basic/process-util.h
+++ b/src/basic/process-util.h
@ -187,9 +187,8 @@ typedef enum ForkFlags {
        FORK_NEW_NETNS          = 1 << 20, /* Run child in its own network namespace                             💣 DO NOT USE IN THREADED PROGRAMS! 💣 */
        FORK_NEW_PIDNS          = 1 << 21, /* Run child in its own PID namespace                                 💣 DO NOT USE IN THREADED PROGRAMS! 💣 */
        FORK_FREEZE             = 1 << 22, /* Don't return in child, just call freeze() instead */
        FORK_ALLOW_DLOPEN       = 1 << 23, /* Do not block dlopen() in child */
-        _FORK_PID_ONLY          = 1 << 24, /* Don't open a pidfd referencing the child process */
+        _FORK_PID_ONLY          = 1 << 23, /* Don't open a pidfd referencing the child process */
 } ForkFlags;
 int pidref_safe_fork_full(
--- a/src/boot/stub.c
+++ b/src/boot/stub.c
@ -627,19 +627,16 @@ static EFI_STATUS load_addons(
                        return log_error_status(err, "Failed to find protocol in %ls: %m", items[i]);
                err = pe_memory_locate_sections(loaded_addon->ImageBase, unified_sections, sections);
-                if (err != EFI_SUCCESS) {
+                if (err != EFI_SUCCESS ||
-                        log_error_status(err,
+                    (!PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_CMDLINE) &&
                                         "Unable to locate embedded .cmdline/.dtb/.dtbauto/.initrd/.ucode sections in %ls, ignoring: %m",
                                         items[i]);
                        continue;
                }
                if (!PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_CMDLINE) &&
                     !PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_DTB) &&
                     !PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_DTBAUTO) &&
                     !PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_INITRD) &&
-                    !PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_UCODE)) {
+                     !PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_UCODE))) {
-                        log_debug("No applicable .cmdline/.dtb/.dtbauto/.initrd/.ucode sections found in %ls, ignoring.",
+                        if (err == EFI_SUCCESS)
                                err = EFI_NOT_FOUND;
                        log_error_status(err,
                                         "Unable to locate embedded .cmdline/.dtb/.dtbauto/.initrd/.ucode sections in %ls, ignoring: %m",
                                         items[i]);
                        continue;
                }
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@ -13,7 +13,6 @@
 #include "base-filesystem.h"
 #include "bitfield.h"
 #include "chase.h"
 #include "cryptsetup-util.h"
 #include "dev-setup.h"
 #include "devnum-util.h"
 #include "dissect-image.h"
@ -3853,8 +3852,6 @@ int refresh_extensions_in_namespace(
        if (r > 0)
                return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Target namespace is not separate, cannot reload extensions");
        (void) dlopen_cryptsetup();
        extension_dir = path_join(p->private_namespace_dir, "unit-extensions");
        if (!extension_dir)
                return log_oom_debug();
--- a/src/core/service.c
+++ b/src/core/service.c
@ -14,6 +14,7 @@
 #include "bus-error.h"
 #include "bus-util.h"
 #include "chase.h"
 #include "cryptsetup-util.h"
 #include "dbus-service.h"
 #include "dbus-unit.h"
 #include "devnum-util.h"
@ -2881,9 +2882,7 @@ static void service_enter_refresh_extensions(Service *s) {
        /* Given we are running from PID1, avoid doing potentially heavy I/O operations like opening images
         * directly, and instead fork a worker process. */
-        r = unit_fork_helper_process_full(UNIT(s), "(sd-refresh-extensions)", /* into_cgroup= */ false,
+        r = unit_fork_helper_process(UNIT(s), "(sd-refresh-extensions)", /* into_cgroup= */ false, &worker);
                                          FORK_ALLOW_DLOPEN, /* permit dlopen() to avoid load of libcryptsetup in pid1 */
                                          &worker);
        if (r < 0) {
                log_unit_error_errno(UNIT(s), r, "Failed to fork process to refresh extensions in unit's namespace: %m");
                goto fail;
@ -5563,6 +5562,8 @@ static int service_live_mount(
                                u->id);
        }
        (void) dlopen_cryptsetup();
        service_unwatch_control_pid(s);
        s->live_mount_result = SERVICE_SUCCESS;
        s->control_command = NULL;
@ -5583,9 +5584,7 @@ static int service_live_mount(
         * directly, and instead fork a worker process. We record the D-Bus message, so that we can reply
         * after the operation has finished. This way callers can wait on the message and know that the new
         * resource is available (or the operation failed) once they receive the response. */
-        r = unit_fork_helper_process_full(u, "(sd-mount-in-ns)", /* into_cgroup= */ false,
+        r = unit_fork_helper_process(u, "(sd-mount-in-ns)", /* into_cgroup= */ false, &worker);
                                          FORK_ALLOW_DLOPEN,
                                          &worker);
        if (r < 0) {
                log_unit_error_errno(u, r,
                                     "Failed to fork process to mount '%s' on '%s' in unit's namespace: %m",
--- a/src/core/unit.c
+++ b/src/core/unit.c
@ -5539,13 +5539,12 @@ int unit_set_exec_params(Unit *u, ExecParameters *p) {
        return 0;
 }
-int unit_fork_helper_process_full(Unit *u, const char *name, bool into_cgroup, ForkFlags flags, PidRef *ret) {
+int unit_fork_helper_process(Unit *u, const char *name, bool into_cgroup, PidRef *ret) {
        CGroupRuntime *crt = NULL;
        pid_t pid;
        int r;
        assert(u);
        assert((flags & (FORK_RESET_SIGNALS|FORK_DETACH|FORK_WAIT)) == 0); /* these don't really make sense for manager */
        assert(ret);
        /* Forks off a helper process and makes sure it is a member of the unit's cgroup, if configured to
@ -5560,7 +5559,7 @@ int unit_fork_helper_process_full(Unit *u, const char *name, bool into_cgroup, F
                crt = unit_get_cgroup_runtime(u);
        }
-        r = safe_fork(name, FORK_REOPEN_LOG|FORK_DEATHSIG_SIGTERM|flags, &pid);
+        r = safe_fork(name, FORK_REOPEN_LOG|FORK_DEATHSIG_SIGTERM, &pid);
        if (r < 0)
                return r;
        if (r > 0) {
@ -5593,10 +5592,6 @@ int unit_fork_helper_process_full(Unit *u, const char *name, bool into_cgroup, F
        return 0;
 }
 int unit_fork_helper_process(Unit *u, const char *name, bool into_cgroup, PidRef *ret) {
        return unit_fork_helper_process_full(u, name, into_cgroup, /* flags = */ 0, ret);
 }
 int unit_fork_and_watch_rm_rf(Unit *u, char **paths, PidRef *ret_pid) {
        _cleanup_(pidref_done) PidRef pid = PIDREF_NULL;
        int r;
--- a/src/core/unit.h
+++ b/src/core/unit.h
@ -1005,7 +1005,6 @@ int unit_acquire_invocation_id(Unit *u);
 int unit_set_exec_params(Unit *u, ExecParameters *p);
 int unit_fork_helper_process_full(Unit *u, const char *name, bool into_cgroup, ForkFlags flags, PidRef *ret);
 int unit_fork_helper_process(Unit *u, const char *name, bool into_cgroup, PidRef *ret);
 int unit_fork_and_watch_rm_rf(Unit *u, char **paths, PidRef *ret);
--- a/test/integration-tests/TEST-80-NOTIFYACCESS/TEST-80-NOTIFYACCESS.units/reload-timeout.sh
+++ b/test/integration-tests/TEST-80-NOTIFYACCESS/TEST-80-NOTIFYACCESS.units/reload-timeout.sh
@ -12,20 +12,8 @@ sync_in() {
 }
 wait_for_signal() {
    local notify="${1:?}"
    local p
    sleep infinity &
-    p=$!
+    wait "$!" || :
    # Notify readiness after 'sleep' is running to avoid race
    # condition where the SIGHUP is sent before 'sleep' is ready to
    # receive it and we get stuck
    if [ "$notify" -eq 1 ]; then
        systemd-notify --ready
    fi
    wait "$p" || :
 }
 sighup_handler() {
@ -36,14 +24,17 @@ trap sighup_handler SIGHUP
 export SYSTEMD_LOG_LEVEL=debug
-wait_for_signal 1
+systemd-notify --ready
 wait_for_signal
 systemd-notify --reloading
-wait_for_signal 0
+wait_for_signal
 systemd-notify --reloading
 sync_in ready
 systemd-notify --ready
-wait_for_signal 1
+wait_for_signal
 systemd-notify --reloading --ready
 exec sleep infinity