IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
These are the most visible and hard requirements, as we use options that
busybox does not provide, so list them explicitly to avoid surprises
(cherry picked from commit 164070e497f36b6d8055e4338e07188dd975f6f2)
(cherry picked from commit 0dc9f7335d37be2a90f34e20f04573331bf3e4d3)
(cherry picked from commit facb134183d72c31636f09bcae080cf9337a6877)
We would print "Current command vanished from the unit file, execution of
the command list won't be resumed." as a warning, but most of the time there
is nothing to resume, because a unit has just one command. So let's detect
the case where the command that was active is the last command in the sequence
and skip the warning.
I was considering how to store the information that the command is last. An
important consideration is not to use a format that would confuse older versions
of systemd. (It wouldn't be a big problem if older systemd just refused the
new serialization, since we require systemd to be newer, but we should avoid
the case where the deserialization is "successful", but actually incorrect.)
Similarly, the deserialization from the old systemd must not confuse new systemd.
For this command, we have a list of arguments at the end, so just adding a
new field either in the middle or at the end is problematic because it's hard
to ensure that we don't mix up the positional and variable arguments.
We actually need to store just one bit of information, so '+' is prefixed on
the index of the last command and used by new systemd to skip the warning.
When deserializing from older systemd, '+' is not present, so we detect all
commands as "not last", and still emit the warning, so we err on the side of
caution. If the user were to deserialize from newer to older systemd, nothing
untoward would happen, because the '+' is ignored. (Users shouldn't do this,
but we know that this occasionally happens with initrds or exitrds and package
downgrades.)
(cherry picked from commit a99bd455b59b7922a1b1af480b209263a4d3c659)
(cherry picked from commit 9bb72a4e9694ec301d89861e349eb31fbf1aba16)
(cherry picked from commit a71be850b58bdba2ac11566ee1a268a9b00e36d6)
I expected this to work, but our tests did not cover this
explicitly.
(cherry picked from commit 8eb491f4993c6080e9724c0359a87c64c460605e)
(cherry picked from commit 7c0ac515c8094fd62c100477fa293aa31f97e2c4)
(cherry picked from commit 36c35e765db478d5f72cdd70cd663baa865ad43a)
(cherry picked from commit 502096b56593919fc947415f6e32bcb680728dac)
(cherry picked from commit e811aead84ec71926c4b53756a69f75f5b30aaa8)
(cherry picked from commit b4df64597b48a78028f695e50db9d9e74a3767e6)
If the device access policy is restricted, add implicitly access to the TPM
if at least one encrypted credential needs to be loaded.
Fixes https://github.com/systemd/systemd/issues/26042
(cherry picked from commit 398dc7d39b9a877e71529f0e0b139329e4c6992e)
(cherry picked from commit f0126ad7f90a37c6c81e735726a3bbea1aa6d4d7)
(cherry picked from commit 158760941f6f59f6307a49455ce1af5db97b67c9)
This effectively reverts commit ff86c92e3043f71fc801cf687600a480ee8f6778,
and re-apply 49f3ee7e74c714f55aab395c080b1099fc17f7fd.
The change was dropped due to the process name was not correctly logged,
but the issue was fixed by dd15e4cb57129b915e01495e113696bfe0b70214.
Let's set the child process name again.
(cherry picked from commit e955a7f460adadf54da7bfb62f04cbff16ca5941)
(cherry picked from commit 62055cfd4bf2355abb3c0ccb52a5802b41d0ec92)
(cherry picked from commit a87c01d20246429a53ebfac48e9bdba4eed019f7)
Our logging uses program_invocation_short_name. Without this patch,
logs from forked client may become broken; spuriously truncated or
the short invocation name is not completely shown in the log.
(cherry picked from commit dd15e4cb57129b915e01495e113696bfe0b70214)
(cherry picked from commit ce4726468dc02bd7383cd7d90c8769576c6973e3)
(cherry picked from commit 7a862d9d1a7196a5576720959849f45fc68b041c)
(cherry picked from commit 375ffdba43f6dac5f4b1222d4e345f7cdf868f8c)
(cherry picked from commit 31b7785814fa9e82a1d48e4b5a6b1f6df1110b03)
(cherry picked from commit 828e73a7bb17cf8ec4a0f90004a878fcc839add5)
If any query makes it to the end of install_info_follow() then I think symlink_target is set to NULL.
If that is followed by -EXDEV from unit_file_load_or_readlink(), then that causes basename(NULL)
which segfaults pid 1.
This is triggered by eg. "systemctl status crond" in RHEL9 if
/etc/systemd/system/crond.service
-> /ram/etc/systemd/system/crond.service
-> /usr/lib/systemd/system/.crond.service.blah.blah
-> /usr/lib/systemd/system/crond.service
(cherry picked from commit 19cfda9fc3c60de21a362ebb56bcb9f4a9855e85)
(cherry picked from commit 015b0ca9286471c05fe88cfa277dd82e20537ba8)
(cherry picked from commit 9a906fae890904284fe91e29b6bdcb64429fecba)
(cherry picked from commit 7b2f84e3f2c5cf84ca39a054493979a8960a9d47)
(cherry picked from commit 6d8885af572bfa662bc3b74ebc4831c6e8a155ce)
(cherry picked from commit 3ae34059895a12b99e3f312316f0a0f57d1c5abd)
(cherry picked from commit 17be6f270907eff274df80e91e1d323cb04f266f)
(cherry picked from commit aa79d157af49bc8e5664b881b27057d6bc589633)
(cherry picked from commit 8a91017dad2d741020a8e8c584374ec7a95d7eec)
(cherry picked from commit 3774ff06f25335c2a049585f0ecb486a3da58e5e)
(cherry picked from commit 5bad071f73bab88ee2b7c0891e40e76f8d579755)
(cherry picked from commit 4aa6be359f509eeaf3ded290489136513c24ce2a)
In https://bugzilla.redhat.com/show_bug.cgi?id=2156900 sysusers was reporting a
conflict between the following lines:
u root 0:0 "Super User" /root /bin/bash
u root 0 "Super User" /root
The problem is that those configurations are indeed not equivalent. If group 0
exists with a different name, the first line would just create the user, but the
second line would create a 'root' group with a different GID. The second
behaviour seems definitely wrong. (Or at least more confusing in practice than
the first one. The system is in a strange shape, but the second approach takes
an additional step than is worse than doing nothing.)
When this line was initially added, we didn't have the uid:gid functionality for
'u', so we didn't think about this too much. But now we do, so we should use it.
$ build/systemd-sysusers --root=/var/tmp/inst7 --inline 'g foobar 0'
Creating group 'foobar' with GID 0.
$ build/systemd-sysusers --root=/var/tmp/inst7 --inline 'u root 0 "Zuper zuper"'
src/sysusers/sysusers.c:1365: Creating group 'root' with GID 999.
src/sysusers/sysusers.c:1115: Suggested user ID 0 for root already used.
src/sysusers/sysusers.c:1183: Creating user 'root' (Zuper zuper) with UID 999 and GID 999.
vs.
$ build/systemd-sysusers --root=/var/tmp/inst7 --inline 'u root 0:0 "Zuper zuper"'
src/sysusers/sysusers.c:1183: Creating user 'root' (Zuper zuper) with UID 0 and GID 0.
(cherry picked from commit 49bb7fe5f88fc35b8529d7d8dfcd4c151a9aaf1a)
(cherry picked from commit 8ad3d68acd7202afb35660eea49fe8c9f92609b8)
(cherry picked from commit c8b6bc7530030568bb980a66aa8e1b6517998c58)
Despite popular belief, the default file extracted by GNU tar is not stdin. It
is the value of the TAPE environment variable, falling back on a compile-time
constant. On my system, the default value is /dev/full, which causes tar to
just spin forever due to --ignore-zeros. Always specifying this flag is the
safe thing to do.
~$ tar --show-defaults
--format=gnu -f/dev/full -b20 --quoting-style=escape
--rmt-command=/usr/sbin/grmt
See also: ``(tar)defaults'', available via Info viewers, and in HTML form at:
https://www.gnu.org/s/tar/manual/html_node/defaults.html
(cherry picked from commit 181eea677dd364d2b22dc691647792142b271074)
(cherry picked from commit 817b8441c481cec71689a8ccac727d85e3ba549b)
(cherry picked from commit 48f3e2d5c5cfba01405a609a5bd4d54071243c13)
If we receive a header only message, and the server is running in relay
mode, then the assertion was triggered.
Fixes#26151.
(cherry picked from commit b52031dbbcabe4b1e3016ba64d4a2822740188bc)
(cherry picked from commit 7aeb2a8d4ea660ad863e7b2c5432f64f903f1cd5)
(cherry picked from commit 41fdc8ed32408d598ddafc7feb3beece7f654262)
If we don't have CAP_NET_BIND_SERVICE, we won't be able to bind
the stub listener socket, so let's skip creating it and log a warning.
We do the same for the extra stubs if they're configured on privileged
ports.
(cherry picked from commit 0398c084efba664e44625d82f2be72e18c952678)
(cherry picked from commit ab877f7072728420e49d179bca310a698cf9994c)
(cherry picked from commit 2a36784277756c3a5e424efdd671a7a33bc8e128)
If we're in a user namespace but not unsharing the network namespace,
we won't be able to bind any privileged ports even with
CAP_NET_BIND_SERVICE, so let's drop it from the retained capabilities
so services can condition themselves on that.
(cherry picked from commit 2642d22adc66771bd8bbb4187dc3de5472d04ad6)
(cherry picked from commit 3a49291f4b82e746294df1772e9ab7eb957a9771)
(cherry picked from commit 5037e0d27bc40594f9f7e7298ee38a3540ac4aa8)
Add a test that verifies a deleted alternative name is restored on error
in rtnl_set_link_name().
(cherry picked from commit b338a8bb402a3ab241a617e096b21ae6a7b7badf)
(cherry picked from commit 7299341bd1e114d2ef29539f4b0b5b5da9900120)
(cherry picked from commit 37df773b230cebc65fae045abc6b17f4c1489cab)
If a current alternative name is to be used to rename a network
interface, the alternative name must be removed first. If interface
renaming fails, restore the alternative name that was deleted if
necessary.
(cherry picked from commit 4d600667f8af2985850b03a46357e068d3fb8570)
(cherry picked from commit 42d8817bd652731a25facebb4d6db7ee822774c2)
(cherry picked from commit a536073a62bdc37d6190603bc9f41d364f41387b)
Commit 434a348380 ("netlink: do not fail when new interface name is
already used as an alternative name") added logic to set the old
interface name as an alternative name, but only when the new name is
currently an alternative name. This is not the desired outcome in most
cases, and the important part of this commit was to delete the new name
from the list of alternative names if necessary.
(cherry picked from commit 080afbb57c4b2d592c5cf77ab10c6e0be74f0732)
(cherry picked from commit 3dc5b19f10916e15adb9071057fe877a958daea8)
(cherry picked from commit facb873e6ffe1fd3e2f89cee2ed80756a849460a)
When configuring a link's alternative names, the link's new name to-be
is not allowed to be included because interface renaming will fail if
the new name is already present as an alternative name. However,
rtnl_set_link_name will delete the conflicting alternative name before
renaming the device, if necessary.
Allow the new link name to be set as an alternative name before the
device is renamed. This means that if the rename is later skipped (i.e.
because the link is already up), then the name can at least still be
present as an alternative name.
(cherry picked from commit d0b31efc1ab7f6826ad834cf6b9e371bf73776aa)
(cherry picked from commit 7918496dcf2d6c06a8cd8626c23d2a463343a9df)
(cherry picked from commit ba896a6de0335fca9a5b2ee4ad087c8b640b66c1)
This ensures that cg_kill_items returns the correct value to let the
manager know that a process was killed.
(cherry picked from commit 500cd2e83b8246fbf20d99db898039cfba746223)
(cherry picked from commit 86686e4292fed7ce150156439fbda690bac2ad68)
(cherry picked from commit 64d728921401ac30476d9b0874e621520fb7f5ea)
Linux kernel's bpf-next contains BPF LSM support for s390x. systemd's
test-bpf-lsm currently fails with this kernel.
This is an endianness issue: in the restrict_fs bpf program,
magic_number has type unsigned long (64 bits on s390x), but magic_map
keys are uint32_t (32 bits). Accessing magic_map using 64-bit keys may
work by accident on little-endian systems, but fails hard on big-endian
ones.
Fix by casting magic_number to uint32_t.
(cherry picked from commit 907046282c27ee2ced5e22abb80ed8df2e157baf)
(cherry picked from commit f62e7b470441643d07b23706ac943216a5cdfc97)
(cherry picked from commit 25cb55890ec9a1bd7367e7a84a4df3a3287c7622)
Follow-up for c95df5879eeb2cec8bc8eec2cfa7e741e1d9469f.
Fixes#26196.
(cherry picked from commit 2cb1cabb412850e88eaf26feec663674e2c4f664)
(cherry picked from commit 318b6f60b8f91846331c2a4c65347c75b1203104)
(cherry picked from commit 0f967fba156e74fd5071fee65e318d6332c81dcc)
RFC3442 specifies option 121 (Classless Static Routes) that allow a DHCP
server to push arbitrary routes to a client. It has a Local Subnet
Routes section expliciting the behavior of routes with a null (0.0.0.0)
gateway.
Such routes are to be installed on the interface with a Link scope, to
mark them as directly available on the link without any gateway.
Networkd currently drops those routes, which is against the RFC, as
Linux has proper support for such routes.
Fixes: 7f20627 ("network: dhcp4: ignore gateway in static routes if destination is link-local or in the same network")
(cherry picked from commit 1d84a3c7792a8910b05904937c703307ca19740f)
(cherry picked from commit b0f514ba567a1f6321f6b7f1ded038f8090c70f0)
(cherry picked from commit ee6475d31815fe3e012d48ef7302a5d73e3a8a5d)
"resolvectl status" shows per-link DNS servers separately from global
ones. When querying the global list, it will contain both per-link and
global servers however. Thus, to not show duplicate info we filter all
entries that actually have a non-zero ifindex set (under the assumption
that that's a per-link server).
This doesn't work if people configured 127.0.0.1 as global server
though, as we'll add ifindex 1 to it since
6e32414a66ff8dbcef233981a7066684d903ee9f unconditionally even for global
servers.
Let's address that by excluding entries with ifindex 1 from suppression.
This is safe as resolved ignores loopback ifaces, hence never will have
per-link servers on ifindex 1.
Note that this splits up the "with_ifindex" parameter into a second
parameter "only_global", since they semantically do two different
things. One controls whether we shall expect/parse an ifindex dbus
field. The other controls whether we shall filter all ifindex values set
!= 0. These are effectively always used in conjunction hence making them
the same actually worked. However this is utterly confusing I think,
which as I guess is resulting in the confusion around #25796 (which
removes the whole check)
Replaces: #25796
(cherry picked from commit 889a1b9f4e799b31f1be06db74708aa8beb70829)
(cherry picked from commit b71ade8779002d7feb61a43bc8c2d8325b3d6750)
(cherry picked from commit fa04709a3daacb6e201460be2dd610f6b85778f3)
(cherry picked from commit a5e6c8498ca375bafa865d5e46fa95e9313871ad)
(cherry picked from commit ed26f98f2f0559aee242836e71832a77a7000dbb)
(cherry picked from commit 87307bfdd107fc40440456cfcbf550f4bd679751)
This ensures that udev scripts using `TAG-="..."` and expecting later
udev rules to honor it will work properly. An use case is removing the
`uaccess` tag from a device without overriding the original file and
ensuring that `73-seat-uaccess.rules` won't run the uaccess builtin later.
(cherry picked from commit 310249903986957997b76bc52441cabb5843aad8)
(cherry picked from commit 7d4ea095d5e3e5aa87761c6c0f5f30287596dd75)
(cherry picked from commit ca948c9601714c8de53a87a548dfad05fef37c40)
The text said /dev/tty* as a whole was the VT subsystem and that VT is
not supported in containers.
But that's not accurate as /dev/tty* will match /dev/tty too and that
one device node is special and is not related to VT: it always points to
the current process own controlling tty, regardless what that is.
hence, rewrite /dev/tty* as /dev/tty[0-9]*.
(cherry picked from commit 6ae5c39af1da5b0b6e49278e7a33158d49ec04a5)
(cherry picked from commit f3d620f5d2c26c546d9a5c410c3aa68329b74330)
(cherry picked from commit b4e56b13a98567a113a495f754258529996806b1)
We want to make use of that when formatting file systems, hence let's
pull in these modules explicitly.
(This is necessary because we are an early boot service that might run
before systemd-tmpfiles-dev.service, which creates /dev/loop-control and
/dev/mapper/control.)
Alternatively we could just order ourselves after
systemd-tmpfiles-dev.service, but I think there's value in adding an
explicit minimal ordering here, since we know what we'll need.
Fixes: #25775
(cherry picked from commit ce7dcfd6b00b8099d1793d04bcfa9968ca4a0d96)
(cherry picked from commit 3856b97f8bcbde01b1e2ceb3b008513a2327d64d)
(cherry picked from commit 208153c32bb6b355436fc6a8679cba1cd4d4078d)
Follow-up for 8f1359bf854e9683e4e0b89fd3a537e0d82d4b95
(cherry picked from commit 143a1f1039d992001d2f2f35b2e6ba07f8a52af7)
(cherry picked from commit 67467efd58b0b9814e92dfaa1edc21ebf2c830e7)
(cherry picked from commit 923264e0345fdf2a949ef1eb1b4ccef50457fb20)
Added bash and zsh completions for oomctl arguments and commands.
Related To: #22118
(cherry picked from commit de0988f9d2b23580d31e857991337927a5735fe1)
(cherry picked from commit 0d9e6d76be9afb32a694cb3b00e2028048910d96)
(cherry picked from commit 31bb2ef7ea6a9cb3759ef09f7ee668434036a507)
(cherry picked from commit 1ee30b0ea98ec3e69faec54a107af8a06c61dca6)
The test depends on /sys being writable, so let's skip it when /sys
is read-only.
(cherry picked from commit 34b5977015a557840988e825ac116a7f09d0be75)
(cherry picked from commit 4dc37994e283d2e8af612519fd3fac195fc47e56)
(cherry picked from commit 0acf4d71e02d99b64c1644c2df3775c07a82aba1)
linux/btrfs.h needs to be included after sys/mount.h, as since [0]
linux/btrfs.h includes linux/fs.h causing build errors:
```
In file included from /usr/include/linux/fs.h:19,
from ../src/basic/linux/btrfs.h:29,
from ../src/partition/growfs.c:6:
/usr/include/sys/mount.h:35:3: error: expected identifier before numeric constant
35 | MS_RDONLY = 1, /* Mount read-only. */
| ^~~~~~~~~
[1222/2169] Compiling C object systemd-creds.p/src_creds_creds.c.o
ninja: build stopped: subcommand failed.
```
See: https://github.com/systemd/systemd/issues/8507
[0] a28135303a
(cherry picked from commit ed614f17fc9f3876b2178db949df42a2605f6895)
(cherry picked from commit 8f84df0da357128f1275933cd8aab4c5efad5767)
(cherry picked from commit 1fc632e15162e0cd02cadc2b8f7fcf1d3b718cbb)
IPPROTO_L2TP was moved from linux/l2tp.h to linux/in.h [0], so let's
reflect that change to fix build with newer kernels:
```
In file included from ../src/libsystemd/sd-netlink/netlink-types-genl.c:10:
../src/basic/linux/l2tp.h:16: error: "IPPROTO_L2TP" redefined [-Werror]
16 | #define IPPROTO_L2TP 115
|
In file included from ../src/libsystemd/sd-netlink/netlink-types-genl.c:3:
/usr/include/netinet/in.h:85: note: this is the location of the previous definition
85 | #define IPPROTO_L2TP IPPROTO_L2TP
|
cc1: all warnings being treated as errors
```
When at it, update the rest of the headers we ship as well.
[0] 65b32f801b
(cherry picked from commit a95ff98ec40edad2825c824a186f44454120cf1f)
(cherry picked from commit 240513cecaeca035706a618161d0141a9f1267be)
(cherry picked from commit 4bc291c1d4a97de93eb4015115516d6e7c07da00)
(cherry picked from commit 84e5b9225d12f8a1a7d414ef01f97fcd6881c14f)
(cherry picked from commit 07e4787106fb0a551f73d0a0ec4c6c8e7c958c7d)
(cherry picked from commit bd32bbebd5ea7bb5ae5fefe9d9a26e7f0bf5c635)
If we add a drop-in for init.scope (e.g.: to set some memory limit),
it will be loaded long after the cgroup has already been realized.
Do it again when creating the special unit.
(cherry picked from commit 020b2e41ea776cff73392da8084a0725b590d245)
(cherry picked from commit 786b7a7208cfb585b70659a8e3ac5180e85d0647)
(cherry picked from commit ffa329c45c945256f1ee397c1a5f56ce8dded412)
Since c78d18215b D-Bus services now have 60s to start, but the client
side (sd-bus) still waits only for 25s before giving up:
```
[ 226.196380] testsuite-71.sh[556]: + assert_in 'Static hostname: H' ''
[ 226.332965] testsuite-71.sh[576]: + set +ex
[ 226.332965] testsuite-71.sh[576]: FAIL: 'Static hostname: H' not found in:
[ 228.910782] sh[577]: + systemctl poweroff --no-block
[ 232.255584] hostnamectl[565]: Failed to query system properties: Connection timed out
[ 236.827514] systemd[1]: end.service: Consumed 2.131s CPU time.
[ 237.476969] dbus-daemon[566]: [system] Successfully activated service 'org.freedesktop.hostname1'
[ 237.516308] systemd[1]: system-modprobe.slice: Consumed 1.533s CPU time.
[ 237.794635] systemd[1]: testsuite-71.service: Main process exited, code=exited, status=1/FAILURE
[ 237.818469] systemd[1]: testsuite-71.service: Failed with result 'exit-code'.
[ 237.931415] systemd[1]: Failed to start testsuite-71.service.
[ 238.000833] systemd[1]: testsuite-71.service: Consumed 5.651s CPU time.
[ 238.181030] systemd[1]: Reached target testsuite.target.
```
Let's override the timeout in sd-bus as well to mitigate this.
Follow-up to c78d18215b3e5b0f0896ddb1d0d72c666b5e830b.
(cherry picked from commit e0cbb739113b9e2fbb67b27099430c351f03315c)
(cherry picked from commit e4ed752f2313c74b9d5ae3aeb947c150babe061a)
(cherry picked from commit f69dc64d38810ab8dbc5d0932dd5145be5a5fd14)
Unit that requires its own mount namespace creates a temporary directory
to implement dynamic bind mounts (org.freedesktop.systemd1.Manager.BindMountUnit).
However, this directory is never removed and they will accumulate for
each unique unit (e.g. templated units of systemd-coredump@).
Attach the auxiliary runtime directory existence to lifetime of other
"runtime" only per-unit directories.
(cherry picked from commit b9f976fb45635e09cd709dbedd0afb03d4b73c05)
(cherry picked from commit 80e8340ec49d0da3744cdf81f82202e13b0fad3b)
(cherry picked from commit fd260cb37e3441b851c7fee4825d5b6af17f66ca)
Currently, sd-dhcp-server accepts spurious client IDs, then the leases
exposed by networkd may be invalid. Let's make networkctl gracefully
show such leases.
Fixes#25984.
(cherry picked from commit 841dfd3dc0dd370a21f190a5b7b870db1c95f7e6)
(cherry picked from commit a674a398e707a821e4148ace80cfdf68d2fd496f)
(cherry picked from commit 088d6c8521a6aaf16b774a2a6e02eca2cb876534)
When the target (Where=) of a mount does not exist, systemd tries to
create it. But previously, it'd always been created as a directory. That
doesn't work if one wants to bind-mount a file to a target that doesn't
exist.
Fixes: #17184
(cherry picked from commit 218cfe23354397ded28ac898f82b52724f48dae7)
(cherry picked from commit 25e30725d7d31d747a40a5c0ab387dc9f48f09e3)
(cherry picked from commit 48251e428fc7fb2cd718c5864138df59f0b692a7)
In make_credential_host_secret, the credential.secret file is generated
first as a temporary anonymous file that is later instantiated with
linkat(2). This system call requires CAP_DAC_READ_SEARCH capability
when the flag AT_EMPTY_PATH is used.
This patch check if the capability is effective, and if not uses the
alternative codepath for creating named temporary files.
Non-root users can now create per-user credentials with:
export SYSTEMD_CREDENTIAL_SECRET=$HOME/.config/systemd/credential.secret
systemd-creds setup
Signed-off-by: Alberto Planas <aplanas@suse.com>
(cherry picked from commit 1615578f2792fdeecaf65606861bd3db9eb949c3)
(cherry picked from commit 432ec5a654d5b8b123472ab64b29d9b5baf3cbf2)
(cherry picked from commit d7c8b1b7095b3e80b4e0dc354e1d69cb987c075e)
When these partitions are probed by gpt-auto,
they will always be hardened with such options.
See also: https://github.com/systemd/systemd/issues/25776#issuecomment-1364115711Closes#25776
(cherry picked from commit d708293d436516823e0e4bfb02c54365820fd8c6)
(cherry picked from commit 49804cfb71d3a79f433096e4cfb5616980171336)
(cherry picked from commit ebe67b6e885f2f8d0b9a9b72da9d7ce9b6f18b92)
Follow-up for f2f7785d7a47ffa48ac929648794e1288509ddd8.
Fixes#26033.
(cherry picked from commit 2cbb171d20a07ec0a25296f167b0385de102d74e)
(cherry picked from commit 89e86ad8df4b87092264e49bcfba8053eb74822d)
(cherry picked from commit abcd25b66e9f929572552f53337c65ddc16c24af)
