2025-10-01 09:44:46 +02:00
10 changed files with 22 additions and 54 deletions
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -2566,7 +2566,7 @@ static int setup_hostname(void) {
        return 0;
 }

-static int setup_journal(const char *directory, uid_t uid_shift, uid_t uid_range) {
+static int setup_journal(const char *directory) {
        _cleanup_free_ char *d = NULL;
        sd_id128_t this_id;
        bool try;
@ -2693,20 +2693,11 @@ static int setup_journal(const char *directory, uid_t uid_shift, uid_t uid_range
        if (r < 0)
                return log_error_errno(r, "Failed to create %s: %m", q);

-        return mount_custom(
-                        directory,
-                        &(CustomMount) {
-                                .type = CUSTOM_MOUNT_BIND,
-                                .options = (char*) (uid_is_valid(uid_shift) ? "rootidmap" : NULL),
-                                .source = p,
-                                .destination = p,
-                                .destination_uid = UID_INVALID,
-                        },
-                        /* n = */ 1,
-                        uid_shift,
-                        uid_range,
-                        arg_selinux_apifs_context,
-                        MOUNT_NON_ROOT_ONLY);
+        r = mount_nofollow_verbose(LOG_DEBUG, p, q, NULL, MS_BIND, NULL);
+        if (r < 0)
+                return log_error_errno(r, "Failed to bind mount journal from host into guest: %m");
+
+        return 0;
 }

 static int drop_capabilities(uid_t uid) {
@ -4279,7 +4270,7 @@ static int outer_child(
        if (r < 0)
                return r;

-        r = setup_journal(directory, chown_uid, chown_range);
+        r = setup_journal(directory);
        if (r < 0)
                return r;

--- a/src/test/test-install-root.c
+++ b/src/test/test-install-root.c
@ -1203,7 +1203,7 @@ TEST(verify_alias) {
        verify_one(&bare_template, "foo.target.wants/plain.socket", -EXDEV, NULL);
        verify_one(&bare_template, "foo.target.wants/plain@.service", -EXDEV, NULL);
         /* Name mismatch: we cannot allow this, because plain@foo.service would be pulled in by foo.target,
-          * but would not be resolvable on its own, since systemd doesn't know how to load the fragment. */
+          * but would not be resolveable on its own, since systemd doesn't know how to load the fragment. */
        verify_one(&bare_template, "foo.target.wants/plain@foo.service", -EXDEV, NULL);
        verify_one(&bare_template, "foo.target.wants/template1@foo.service", 0, NULL);
        verify_one(&bare_template, "foo.target.wants/service", -EXDEV, NULL);
--- a/test/integration-tests/TEST-16-EXTEND-TIMEOUT/TEST-16-EXTEND-TIMEOUT.units/fail-stop.service
+++ b/test/integration-tests/TEST-16-EXTEND-TIMEOUT/TEST-16-EXTEND-TIMEOUT.units/fail-stop.service
@ -12,5 +12,5 @@ RuntimeMaxSec=4
 Environment=SERVICE=fail_stop extend_timeout_interval=5 sleep_interval=7 start_intervals=0 run_intervals=0 stop_intervals=2
 ExecStart=/usr/lib/systemd/tests/testdata/TEST-16-EXTEND-TIMEOUT.units/extend-timeout.sh
 # Due to 6041a7ee2c1bbff6301082f192fc1b0882400d42 SIGTERM isn't sent as the service shuts down with STOPPING=1
-# This file makes the test assess.sh quicker by notifying it that this test has finished.
+# This file makes the test assess.sh quicker by notifing it that this test has finished.
 ExecStopPost=/bin/bash -c '[[ $SERVICE_RESULT == timeout && $EXIT_CODE == killed ]] && touch /fail_runtime.terminated'
--- a/test/knot-data/zones/test.zone
+++ b/test/knot-data/zones/test.zone
@ -23,4 +23,4 @@ unsigned              NS   ns1.unsigned
 svcb                  SVCB  1   .   alpn=dot ipv4hint=10.0.0.1 ipv6hint=fd00:dead:beef:cafe::1
 https                 HTTPS 1   .   alpn="h2,h3"

-delegation.exercise   A 1.2.3.4
+delegation.excercise A 1.2.3.4
--- a/test/units/TEST-10-MOUNT.sh
+++ b/test/units/TEST-10-MOUNT.sh
@ -88,7 +88,7 @@ check_dependencies() {
    # event source will be retriggered when /run/mount/utab is updated, and the mount unit will be updated
    # again with the userspace options. Typically, the window between the two calls is very short, but when
    # the mount event source is ratelimited after the first event, processing the second event may be delayed
-    # about 1 second. Hence, here we need to wait for a while.
+    # about 1 secound. Hence, here we need to wait for a while.
    timeout 10 bash -c 'until systemctl show --property=After --value tmp-deptest.mount | grep -q -F remote-fs-pre.target; do sleep .1; done'
    after=$(systemctl show --property=After --value tmp-deptest.mount)
    assert_not_in "local-fs-pre.target" "$after"
--- a/test/units/TEST-13-NSPAWN.nspawn.sh
+++ b/test/units/TEST-13-NSPAWN.nspawn.sh
@ -1446,28 +1446,4 @@ testcase_unpriv_dir() {
    rm -rf "$root"
 }

-testcase_link_journa_hostl() {
-    local root hoge i
-
-    root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.link-journal.XXX)"
-    create_dummy_container "$root"
-
-    systemd-id128 new > "$root"/etc/machine-id
-
-    mkdir -p /var/log/journal
-
-    hoge="/var/log/journal/$(cat "$root"/etc/machine-id)/hoge"
-
-    for i in no yes pick; do
-        systemd-nspawn \
-            --directory="$root" --private-users="$i" --link-journal=host \
-            bash -xec 'p="/var/log/journal/$(cat /etc/machine-id)"; mountpoint "$p"; [[ "$(stat "$p" --format=%u)" == 0 ]]; touch "$p/hoge"'
-
-        [[ "$(stat "$hoge" --format=%u)" == 0 ]]
-        rm "$hoge"
-    done
-
-    rm -fr "$root"
-}
-
 run_testcases
--- a/test/units/TEST-15-DROPIN.sh
+++ b/test/units/TEST-15-DROPIN.sh
@ -335,7 +335,7 @@ testcase_transient_slice_dropins() {
    # FIXME: implement reloading of individual units.
    #
    # The settings here are loaded twice. For most settings it doesn't matter,
-    # but Documentation is not deduplicated, so we currently get repeated entries
+    # but Documentation is not deduplicated, so we current get repeated entried
    # which is a bug.

    mkdir -p /etc/systemd/system/slice.d
--- a/test/units/TEST-65-ANALYZE.sh
+++ b/test/units/TEST-65-ANALYZE.sh
@ -982,13 +982,13 @@ systemd-analyze security --threshold=90 --offline=true \
                           --security-policy=/tmp/testfile.json \
                           --root=/tmp/img/ testfile.service

-# The strict profile adds a lot of sandboxing options
+# The strict profile adds a lot of sanboxing options
 systemd-analyze security --threshold=25 --offline=true \
                           --security-policy=/tmp/testfile.json \
                           --profile=strict \
                           --root=/tmp/img/ testfile.service

-# The trusted profile doesn't add any sandboxing options
+# The trusted profile doesn't add any sanboxing options
 (! systemd-analyze security --threshold=25 --offline=true \
                           --security-policy=/tmp/testfile.json \
                           --profile=/usr/lib/systemd/portable/profile/trusted/service.conf \
--- a/test/units/TEST-75-RESOLVED.sh
+++ b/test/units/TEST-75-RESOLVED.sh
@ -1346,28 +1346,28 @@ testcase_15_wait_online_dns() {
 }

 testcase_delegate() {
-    # Before we install the delegation file the DNS name should be directly resolvable via our DNS server
-    run resolvectl query delegation.exercise.test
+    # Before we install the delegation file the DNS name should be directly resolveable via our DNS server
+    run resolvectl query delegation.excercise.test
    grep -qF "1.2.3.4" "$RUN_OUT"

    mkdir -p /run/systemd/dns-delegate.d/
    cat >/run/systemd/dns-delegate.d/testcase.dns-delegate <<EOF
 [Delegate]
 DNS=192.168.77.78
-Domains=exercise.test
+Domains=excercise.test
 EOF
    systemctl reload systemd-resolved
    resolvectl status

    # Now that we installed the delegation the resolution should fail, because nothing is listening on that IP address
-    (! resolvectl query delegation.exercise.test)
+    (! resolvectl query delegation.excercise.test)

    # Now make that IP address connectible
    ip link add delegate0 type dummy
    ip addr add 192.168.77.78 dev delegate0

    # This should work now
-    run resolvectl query delegation.exercise.test
+    run resolvectl query delegation.excercise.test
    grep -qF "1.2.3.4" "$RUN_OUT"

    ip link del delegate0
@ -1376,13 +1376,13 @@ EOF
    systemctl restart systemd-resolved

    # Should no longer work
-    (! resolvectl query delegation.exercise.test)
+    (! resolvectl query delegation.excercise.test)

    rm /run/systemd/dns-delegate.d/testcase.dns-delegate
    systemctl reload systemd-resolved

    # Should work again without delegation in the mix
-    run resolvectl query delegation.exercise.test
+    run resolvectl query delegation.excercise.test
    grep -qF "1.2.3.4" "$RUN_OUT"
 }

--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@ -36,6 +36,7 @@ ProtectKernelLogs=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=yes
+RestrictSUIDSGID=yes
 RuntimeMaxSec=5min
 StateDirectory=systemd/coredump
 SystemCallArchitectures=native