1
0
mirror of https://github.com/systemd/systemd.git synced 2025-01-03 05:18:09 +03:00

v257 batch up to b5ea69f5ac (#35682)

This includes a revert of
2736295ddb
as that was identified as the first commit that introduced the boot
regression https://github.com/systemd/systemd/issues/35499
This commit is contained in:
Adrian Vovk 2024-12-19 22:25:48 +01:00 committed by GitHub
commit 47eea9ee9f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
46 changed files with 252 additions and 147 deletions

View File

@ -8,7 +8,7 @@ set -o pipefail
DISTRO="${DISTRO:-debian}" DISTRO="${DISTRO:-debian}"
RELEASE="${RELEASE:-bookworm}" RELEASE="${RELEASE:-bookworm}"
SALSA_URL="${SALSA_URL:-https://salsa.debian.org/systemd-team/systemd.git}" SALSA_URL="${SALSA_URL:-https://salsa.debian.org/systemd-team/systemd.git}"
BRANCH="${BRANCH:-debian/master}" BRANCH="${BRANCH:-ci/v257-stable}"
ARCH="${ARCH:-amd64}" ARCH="${ARCH:-amd64}"
CONTAINER="${RELEASE}-${ARCH}" CONTAINER="${RELEASE}-${ARCH}"
CACHE_DIR=/var/tmp CACHE_DIR=/var/tmp
@ -109,9 +109,6 @@ EOF
--env DPKG_DEB_COMPRESSOR_TYPE="none" \ --env DPKG_DEB_COMPRESSOR_TYPE="none" \
--env DEB_BUILD_PROFILES="pkg.systemd.upstream noudeb nodoc" \ --env DEB_BUILD_PROFILES="pkg.systemd.upstream noudeb nodoc" \
--env TEST_UPSTREAM=1 \ --env TEST_UPSTREAM=1 \
--skip-test localed-locale \
--skip-test localed-x11-keymap \
--skip-test build-with-static-libsystemd \
../systemd_*.dsc \ ../systemd_*.dsc \
-o "$ARTIFACTS_DIR" \ -o "$ARTIFACTS_DIR" \
-- lxc -s "$CONTAINER" \ -- lxc -s "$CONTAINER" \

View File

@ -15,7 +15,7 @@ auto_cancel:
when: "true" when: "true"
execution_time_limit: execution_time_limit:
hours: 1 hours: 2
blocks: blocks:
- name: "Setup & test" - name: "Setup & test"

View File

@ -64,6 +64,10 @@
override existing definitions. For tests, generators may be called with just one argument; the generator override existing definitions. For tests, generators may be called with just one argument; the generator
should assume that all three paths are the same in that case.</para> should assume that all three paths are the same in that case.</para>
<para>Generators executed by the system manager are invoked in a sandbox with a private writable
<filename>/tmp/</filename> directory and where most of the file system is read-only except for the
generator output directories.</para>
<para>Directory paths for generator output differ by priority: <filename>…/generator.early</filename> has <para>Directory paths for generator output differ by priority: <filename>…/generator.early</filename> has
priority higher than the admin configuration in <filename>/etc/</filename>, while priority higher than the admin configuration in <filename>/etc/</filename>, while
<filename>…/generator</filename> has lower priority than <filename>/etc/</filename> but higher than <filename>…/generator</filename> has lower priority than <filename>/etc/</filename> but higher than

View File

@ -74,7 +74,8 @@ KernelCommandLine=
oops=panic oops=panic
panic=-1 panic=-1
softlockup_panic=1 softlockup_panic=1
panic_on_warn=1 # Disabled due to BTRFS issue, waiting for the fix to become available
panic_on_warn=0
psi=1 psi=1
KernelModulesInitrdExclude=.* KernelModulesInitrdExclude=.*

View File

@ -15,7 +15,7 @@ ToolsTreePackages=
pkgconfig(libmicrohttpd) pkgconfig(libmicrohttpd)
pkgconfig(mount) pkgconfig(mount)
python3-ruff python3-ruff
tss2-devel tpm2-0-tss-devel
python3-jinja2 python3-jinja2
python3-pytest python3-pytest
ShellCheck ShellCheck

View File

@ -3,5 +3,5 @@
[Match] [Match]
Environment=NO_BUILD=1 Environment=NO_BUILD=1
[Content] [Build]
WithNetwork=yes WithNetwork=yes

View File

@ -8,8 +8,8 @@ Distribution=|ubuntu
Environment= Environment=
GIT_URL=https://salsa.debian.org/systemd-team/systemd.git GIT_URL=https://salsa.debian.org/systemd-team/systemd.git
GIT_SUBDIR=debian GIT_SUBDIR=debian
GIT_BRANCH=debian/master GIT_BRANCH=ci/v257-stable
GIT_COMMIT=51cd22f3684725a1b199012555e7378f2f468c16 GIT_COMMIT=20150867b7123aa825e3320227aed642e6cc9a08
PKG_SUBDIR=debian PKG_SUBDIR=debian
[Content] [Content]

View File

@ -60,6 +60,9 @@ fi
# TODO: Drop when the spec is fixed (either the patch is adapted or not applied when building for upstream). # TODO: Drop when the spec is fixed (either the patch is adapted or not applied when building for upstream).
sed --in-place '/0009-pid1-handle-console-specificities-weirdness-for-s390.patch/d' "pkg/$PKG_SUBDIR/systemd.spec" sed --in-place '/0009-pid1-handle-console-specificities-weirdness-for-s390.patch/d' "pkg/$PKG_SUBDIR/systemd.spec"
# TODO: Drop when the opensuse spec uses README.md instead of README.testsuite.
sed --in-place 's/README.testsuite/README.md/' "pkg/$PKG_SUBDIR/systemd.spec"
build() { build() {
IFS= IFS=
# shellcheck disable=SC2046 # shellcheck disable=SC2046

View File

@ -67,7 +67,7 @@ _systemd_analyze() {
) )
local -A VERBS=( local -A VERBS=(
[STANDALONE]='time blame unit-files unit-paths exit-status compare-versions calendar timestamp timespan pcrs srk has-tpm2' [STANDALONE]='time blame unit-files unit-paths exit-status compare-versions calendar timestamp timespan pcrs srk has-tpm2 smbios11'
[CRITICAL_CHAIN]='critical-chain' [CRITICAL_CHAIN]='critical-chain'
[DOT]='dot' [DOT]='dot'
[DUMP]='dump' [DUMP]='dump'

View File

@ -577,7 +577,7 @@ static int vt_reset_keyboard(int fd) {
return RET_NERRNO(ioctl(fd, KDSKBMODE, kb)); return RET_NERRNO(ioctl(fd, KDSKBMODE, kb));
} }
static int terminal_reset_ioctl(int fd, bool switch_to_text) { int terminal_reset_ioctl(int fd, bool switch_to_text) {
struct termios termios; struct termios termios;
int r; int r;
@ -645,7 +645,7 @@ finish:
return r; return r;
} }
static int terminal_reset_ansi_seq(int fd) { int terminal_reset_ansi_seq(int fd) {
int r, k; int r, k;
assert(fd >= 0); assert(fd >= 0);
@ -675,35 +675,6 @@ static int terminal_reset_ansi_seq(int fd) {
return k < 0 ? k : r; return k < 0 ? k : r;
} }
void reset_dev_console_fd(int fd, bool switch_to_text) {
int r;
assert(fd >= 0);
_cleanup_close_ int lock_fd = lock_dev_console();
if (lock_fd < 0)
log_debug_errno(lock_fd, "Failed to lock /dev/console, ignoring: %m");
r = terminal_reset_ioctl(fd, switch_to_text);
if (r < 0)
log_warning_errno(r, "Failed to reset /dev/console, ignoring: %m");
unsigned rows, cols;
r = proc_cmdline_tty_size("/dev/console", &rows, &cols);
if (r < 0)
log_warning_errno(r, "Failed to get /dev/console size, ignoring: %m");
else if (r > 0) {
r = terminal_set_size_fd(fd, NULL, rows, cols);
if (r < 0)
log_warning_errno(r, "Failed to set configured terminal size on /dev/console, ignoring: %m");
} else
(void) terminal_fix_size(fd, fd);
r = terminal_reset_ansi_seq(fd);
if (r < 0)
log_warning_errno(r, "Failed to reset /dev/console using ANSI sequences, ignoring: %m");
}
int lock_dev_console(void) { int lock_dev_console(void) {
_cleanup_close_ int fd = -EBADF; _cleanup_close_ int fd = -EBADF;
int r; int r;
@ -737,7 +708,25 @@ int make_console_stdio(void) {
return log_error_errno(r, "Failed to make /dev/null stdin/stdout/stderr: %m"); return log_error_errno(r, "Failed to make /dev/null stdin/stdout/stderr: %m");
} else { } else {
reset_dev_console_fd(fd, /* switch_to_text= */ true); unsigned rows, cols;
r = terminal_reset_ioctl(fd, /* switch_to_text= */ true);
if (r < 0)
log_warning_errno(r, "Failed to reset terminal, ignoring: %m");
r = proc_cmdline_tty_size("/dev/console", &rows, &cols);
if (r < 0)
log_warning_errno(r, "Failed to get terminal size, ignoring: %m");
else if (r > 0) {
r = terminal_set_size_fd(fd, NULL, rows, cols);
if (r < 0)
log_warning_errno(r, "Failed to set configured terminal size, ignoring: %m");
} else
(void) terminal_fix_size(fd, fd);
r = terminal_reset_ansi_seq(fd);
if (r < 0)
log_warning_errno(r, "Failed to reset terminal using ANSI sequences, ignoring: %m");
r = rearrange_stdio(fd, fd, fd); /* This invalidates 'fd' both on success and on failure. */ r = rearrange_stdio(fd, fd, fd); /* This invalidates 'fd' both on success and on failure. */
if (r < 0) if (r < 0)

View File

@ -39,6 +39,8 @@
bool isatty_safe(int fd); bool isatty_safe(int fd);
int terminal_reset_ioctl(int fd, bool switch_to_text);
int terminal_reset_ansi_seq(int fd);
int terminal_reset_defensive(int fd, bool switch_to_text); int terminal_reset_defensive(int fd, bool switch_to_text);
int terminal_reset_defensive_locked(int fd, bool switch_to_text); int terminal_reset_defensive_locked(int fd, bool switch_to_text);
@ -101,7 +103,6 @@ bool tty_is_console(const char *tty) _pure_;
int vtnr_from_tty(const char *tty); int vtnr_from_tty(const char *tty);
const char* default_term_for_tty(const char *tty); const char* default_term_for_tty(const char *tty);
void reset_dev_console_fd(int fd, bool switch_to_text);
int lock_dev_console(void); int lock_dev_console(void);
int make_console_stdio(void); int make_console_stdio(void);

View File

@ -123,14 +123,14 @@ static int run(int argc, char *argv[]) {
log_setup(); log_setup();
r = proc_cmdline_get_bool("systemd.battery_check", PROC_CMDLINE_STRIP_RD_PREFIX|PROC_CMDLINE_TRUE_WHEN_MISSING, &arg_doit);
if (r < 0)
log_warning_errno(r, "Failed to parse systemd.battery_check= kernel command line option, ignoring: %m");
r = parse_argv(argc, argv); r = parse_argv(argc, argv);
if (r <= 0) if (r <= 0)
return r; return r;
r = proc_cmdline_get_bool("systemd.battery_check", PROC_CMDLINE_STRIP_RD_PREFIX|PROC_CMDLINE_TRUE_WHEN_MISSING, &arg_doit);
if (r < 0)
log_warning_errno(r, "Failed to parse systemd.battery_check= kernel command line option, ignoring: %m");
if (!arg_doit) { if (!arg_doit) {
log_info("Checking battery status and AC power existence is disabled by the kernel command line, skipping execution."); log_info("Checking battery status and AC power existence is disabled by the kernel command line, skipping execution.");
return 0; return 0;

View File

@ -131,10 +131,16 @@ static int signal_disconnected(sd_bus_message *message, void *userdata, sd_bus_e
assert(message); assert(message);
assert_se(bus = sd_bus_message_get_bus(message)); assert_se(bus = sd_bus_message_get_bus(message));
if (bus == m->api_bus) if (bus == m->api_bus) {
log_notice("Got disconnect on API bus.");
bus_done_api(m); bus_done_api(m);
if (bus == m->system_bus) }
if (bus == m->system_bus) {
/* If we are the system manager, this is already logged by the API bus. */
if (!MANAGER_IS_SYSTEM(m))
log_notice("Got disconnect on system bus.");
bus_done_system(m); bus_done_system(m);
}
if (set_remove(m->private_buses, bus)) { if (set_remove(m->private_buses, bus)) {
log_debug("Got disconnect on private connection."); log_debug("Got disconnect on private connection.");

View File

@ -245,18 +245,32 @@ unset:
} }
static int console_setup(void) { static int console_setup(void) {
if (getpid_cached() != 1)
return 0;
_cleanup_close_ int tty_fd = -EBADF; _cleanup_close_ int tty_fd = -EBADF;
unsigned rows, cols;
int r;
tty_fd = open_terminal("/dev/console", O_RDWR|O_NOCTTY|O_CLOEXEC); tty_fd = open_terminal("/dev/console", O_WRONLY|O_NOCTTY|O_CLOEXEC);
if (tty_fd < 0) if (tty_fd < 0)
return log_error_errno(tty_fd, "Failed to open /dev/console: %m"); return log_error_errno(tty_fd, "Failed to open /dev/console: %m");
/* We don't want to force text mode. Plymouth may be showing pictures already from initrd. */ /* We don't want to force text mode. plymouth may be showing
reset_dev_console_fd(tty_fd, /* switch_to_text= */ false); * pictures already from initrd. */
r = terminal_reset_ioctl(tty_fd, false);
if (r < 0)
return log_error_errno(r, "Failed to reset /dev/console: %m");
r = proc_cmdline_tty_size("/dev/console", &rows, &cols);
if (r < 0)
log_warning_errno(r, "Failed to get /dev/console size, ignoring: %m");
else {
r = terminal_set_size_fd(tty_fd, NULL, rows, cols);
if (r < 0)
log_warning_errno(r, "Failed to set /dev/console size, ignoring: %m");
}
r = terminal_reset_ansi_seq(tty_fd);
if (r < 0)
log_warning_errno(r, "Failed to reset /dev/console using ANSI sequences, ignoring: %m");
save_console_winsize_in_environment(tty_fd); save_console_winsize_in_environment(tty_fd);
@ -2977,7 +2991,7 @@ static void setup_console_terminal(bool skip_setup) {
(void) release_terminal(); (void) release_terminal();
/* Reset the console, but only if this is really init and we are freshly booted */ /* Reset the console, but only if this is really init and we are freshly booted */
if (!skip_setup) if (getpid_cached() == 1 && !skip_setup)
(void) console_setup(); (void) console_setup();
} }

View File

@ -77,6 +77,9 @@ static void manager_dump_header(Manager *m, FILE *f, const char *prefix) {
timestamp_is_set(t->realtime) ? FORMAT_TIMESTAMP(t->realtime) : timestamp_is_set(t->realtime) ? FORMAT_TIMESTAMP(t->realtime) :
FORMAT_TIMESPAN(t->monotonic, 1)); FORMAT_TIMESPAN(t->monotonic, 1));
} }
for (const char *n = sd_bus_track_first(m->subscribed); n; n = sd_bus_track_next(m->subscribed))
fprintf(f, "%sSubscribed: %s\n", strempty(prefix), n);
} }
void manager_dump(Manager *m, FILE *f, char **patterns, const char *prefix) { void manager_dump(Manager *m, FILE *f, char **patterns, const char *prefix) {

View File

@ -97,17 +97,20 @@ int action_setup_keys(void) {
state_size = FSPRG_stateinbytes(FSPRG_RECOMMENDED_SECPAR); state_size = FSPRG_stateinbytes(FSPRG_RECOMMENDED_SECPAR);
state = alloca_safe(state_size); state = alloca_safe(state_size);
log_info("Generating seed..."); if (!arg_quiet)
log_info("Generating seed...");
r = crypto_random_bytes(seed, seed_size); r = crypto_random_bytes(seed, seed_size);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to acquire random seed: %m"); return log_error_errno(r, "Failed to acquire random seed: %m");
log_info("Generating key pair..."); if (!arg_quiet)
log_info("Generating key pair...");
r = FSPRG_GenMK(NULL, mpk, seed, seed_size, FSPRG_RECOMMENDED_SECPAR); r = FSPRG_GenMK(NULL, mpk, seed, seed_size, FSPRG_RECOMMENDED_SECPAR);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to generate key pair: %m"); return log_error_errno(r, "Failed to generate key pair: %m");
log_info("Generating sealing key..."); if (!arg_quiet)
log_info("Generating sealing key...");
r = FSPRG_GenState0(state, mpk, seed, seed_size); r = FSPRG_GenState0(state, mpk, seed, seed_size);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to generate sealing key: %m"); return log_error_errno(r, "Failed to generate sealing key: %m");
@ -122,7 +125,7 @@ int action_setup_keys(void) {
r = chattr_secret(fd, CHATTR_WARN_UNSUPPORTED_FLAGS); r = chattr_secret(fd, CHATTR_WARN_UNSUPPORTED_FLAGS);
if (r < 0) if (r < 0)
log_full_errno(ERRNO_IS_NOT_SUPPORTED(r) ? LOG_DEBUG : LOG_WARNING, log_full_errno(ERRNO_IS_NOT_SUPPORTED(r) || arg_quiet ? LOG_DEBUG : LOG_WARNING,
r, "Failed to set file attributes on a temporary file for '%s', ignoring: %m", path); r, "Failed to set file attributes on a temporary file for '%s', ignoring: %m", path);
struct FSSHeader h = { struct FSSHeader h = {
@ -155,7 +158,7 @@ int action_setup_keys(void) {
if (r < 0) if (r < 0)
return r; return r;
if (!on_tty()) { if (!on_tty() || arg_quiet) {
/* If we are not on a TTY, show only the key. */ /* If we are not on a TTY, show only the key. */
puts(key); puts(key);
return 0; return 0;

View File

@ -407,10 +407,14 @@ int manager_get_user_by_pid(Manager *m, pid_t pid, User **ret) {
int manager_get_idle_hint(Manager *m, dual_timestamp *t) { int manager_get_idle_hint(Manager *m, dual_timestamp *t) {
Session *s; Session *s;
bool idle_hint; bool idle_hint;
dual_timestamp ts = DUAL_TIMESTAMP_NULL; dual_timestamp ts;
assert(m); assert(m);
/* Initialize the baseline timestamp with the time the manager got initialized to avoid reporting
* unreasonable large idle periods starting with the Unix epoch. */
ts = m->init_ts;
idle_hint = !manager_is_inhibited(m, INHIBIT_IDLE, /* block= */ true, t, false, false, 0, NULL); idle_hint = !manager_is_inhibited(m, INHIBIT_IDLE, /* block= */ true, t, false, false, 0, NULL);
HASHMAP_FOREACH(s, m->sessions) { HASHMAP_FOREACH(s, m->sessions) {

View File

@ -100,6 +100,8 @@ static int manager_new(Manager **ret) {
(void) sd_event_set_watchdog(m->event, true); (void) sd_event_set_watchdog(m->event, true);
dual_timestamp_now(&m->init_ts);
manager_reset_config(m); manager_reset_config(m);
*ret = TAKE_PTR(m); *ret = TAKE_PTR(m);

View File

@ -145,6 +145,8 @@ struct Manager {
struct stat efi_loader_entry_one_shot_stat; struct stat efi_loader_entry_one_shot_stat;
CalendarSpec *maintenance_time; CalendarSpec *maintenance_time;
dual_timestamp init_ts;
}; };
void manager_reset_config(Manager *m); void manager_reset_config(Manager *m);

View File

@ -1198,7 +1198,7 @@ static int wireguard_verify(NetDev *netdev, const char *filename) {
r = wireguard_read_key_file(w->private_key_file, w->private_key); r = wireguard_read_key_file(w->private_key_file, w->private_key);
if (r < 0) if (r < 0)
return log_netdev_error_errno(netdev, r, return log_netdev_error_errno(netdev, r,
"Failed to read private key from %s. Ignoring network device.", "Failed to read private key from '%s', ignoring network device: %m",
w->private_key_file); w->private_key_file);
if (eqzero(w->private_key)) { if (eqzero(w->private_key)) {

View File

@ -304,7 +304,7 @@ static int property_get_namespace_nsid(
* number. */ * number. */
r = netns_get_nsid(/* netnsfd= */ -EBADF, &nsid); r = netns_get_nsid(/* netnsfd= */ -EBADF, &nsid);
if (r < 0) if (r < 0 && r != -ENODATA)
log_warning_errno(r, "Failed to query network nsid, ignoring: %m"); log_warning_errno(r, "Failed to query network nsid, ignoring: %m");
return sd_bus_message_append(reply, "u", nsid); return sd_bus_message_append(reply, "u", nsid);

View File

@ -10,6 +10,7 @@
#include "resolved-dns-query.h" #include "resolved-dns-query.h"
#include "resolved-dns-synthesize.h" #include "resolved-dns-synthesize.h"
#include "resolved-etc-hosts.h" #include "resolved-etc-hosts.h"
#include "resolved-timeouts.h"
#include "string-util.h" #include "string-util.h"
#define QUERIES_MAX 2048 #define QUERIES_MAX 2048
@ -48,6 +49,8 @@ static void dns_query_candidate_stop(DnsQueryCandidate *c) {
assert(c); assert(c);
(void) event_source_disable(c->timeout_event_source);
/* Detach all the DnsTransactions attached to this query */ /* Detach all the DnsTransactions attached to this query */
while ((t = set_steal_first(c->transactions))) { while ((t = set_steal_first(c->transactions))) {
@ -62,6 +65,8 @@ static void dns_query_candidate_abandon(DnsQueryCandidate *c) {
assert(c); assert(c);
(void) event_source_disable(c->timeout_event_source);
/* Abandon all the DnsTransactions attached to this query */ /* Abandon all the DnsTransactions attached to this query */
while ((t = set_steal_first(c->transactions))) { while ((t = set_steal_first(c->transactions))) {
@ -94,6 +99,8 @@ static DnsQueryCandidate* dns_query_candidate_free(DnsQueryCandidate *c) {
if (!c) if (!c)
return NULL; return NULL;
c->timeout_event_source = sd_event_source_disable_unref(c->timeout_event_source);
dns_query_candidate_stop(c); dns_query_candidate_stop(c);
dns_query_candidate_unlink(c); dns_query_candidate_unlink(c);
@ -312,6 +319,30 @@ fail:
return r; return r;
} }
static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c);
static int on_candidate_timeout(sd_event_source *s, usec_t usec, void *userdata) {
DnsQueryCandidate *c = userdata;
assert(s);
assert(c);
log_debug("Accepting incomplete query candidate after expedited timeout on partial success.");
dns_query_accept(c->query, c);
return 0;
}
static bool dns_query_candidate_has_partially_succeeded(DnsQueryCandidate *c) {
DnsTransaction *t;
SET_FOREACH(t, c->transactions)
if (t->state == DNS_TRANSACTION_SUCCESS)
return true;
return false;
}
void dns_query_candidate_notify(DnsQueryCandidate *c) { void dns_query_candidate_notify(DnsQueryCandidate *c) {
DnsTransactionState state; DnsTransactionState state;
int r; int r;
@ -323,11 +354,24 @@ void dns_query_candidate_notify(DnsQueryCandidate *c) {
state = dns_query_candidate_state(c); state = dns_query_candidate_state(c);
if (DNS_TRANSACTION_IS_LIVE(state)) if (DNS_TRANSACTION_IS_LIVE(state)) {
if (dns_query_candidate_has_partially_succeeded(c))
(void) event_reset_time_relative(
c->query->manager->event,
&c->timeout_event_source,
CLOCK_BOOTTIME,
CANDIDATE_EXPEDITED_TIMEOUT_USEC, /* accuracy_usec= */ 0,
on_candidate_timeout, c,
/* priority= */ 0, "candidate-timeout",
/* force_reset= */ false);
return; return;
}
if (state != DNS_TRANSACTION_SUCCESS && c->search_domain) { if (state != DNS_TRANSACTION_SUCCESS && c->search_domain) {
(void) event_source_disable(c->timeout_event_source);
r = dns_query_candidate_next_search_domain(c); r = dns_query_candidate_next_search_domain(c);
if (r < 0) if (r < 0)
goto fail; goto fail;

View File

@ -25,6 +25,7 @@ struct DnsQueryCandidate {
DnsSearchDomain *search_domain; DnsSearchDomain *search_domain;
Set *transactions; Set *transactions;
sd_event_source *timeout_event_source;
LIST_FIELDS(DnsQueryCandidate, candidates_by_query); LIST_FIELDS(DnsQueryCandidate, candidates_by_query);
LIST_FIELDS(DnsQueryCandidate, candidates_by_scope); LIST_FIELDS(DnsQueryCandidate, candidates_by_scope);

View File

@ -16,6 +16,7 @@
#include "resolved-dns-zone.h" #include "resolved-dns-zone.h"
#include "resolved-llmnr.h" #include "resolved-llmnr.h"
#include "resolved-mdns.h" #include "resolved-mdns.h"
#include "resolved-timeouts.h"
#include "socket-util.h" #include "socket-util.h"
#include "strv.h" #include "strv.h"

View File

@ -14,13 +14,10 @@
#include "resolved-dns-transaction.h" #include "resolved-dns-transaction.h"
#include "resolved-dnstls.h" #include "resolved-dnstls.h"
#include "resolved-llmnr.h" #include "resolved-llmnr.h"
#include "resolved-timeouts.h"
#include "string-table.h" #include "string-table.h"
#define TRANSACTIONS_MAX 4096 #define TRANSACTIONS_MAX 4096
#define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC)
/* After how much time to repeat classic DNS requests */
#define DNS_TIMEOUT_USEC (SD_RESOLVED_QUERY_TIMEOUT_USEC / DNS_TRANSACTION_ATTEMPTS_MAX)
static void dns_transaction_reset_answer(DnsTransaction *t) { static void dns_transaction_reset_answer(DnsTransaction *t) {
assert(t); assert(t);
@ -1632,13 +1629,10 @@ static usec_t transaction_get_resend_timeout(DnsTransaction *t) {
case DNS_PROTOCOL_DNS: case DNS_PROTOCOL_DNS:
/* When we do TCP, grant a much longer timeout, as in this case there's no need for us to quickly
* resend, as the kernel does that anyway for us, and we really don't want to interrupt it in that
* needlessly. */
if (t->stream) if (t->stream)
return TRANSACTION_TCP_TIMEOUT_USEC; return TRANSACTION_TCP_TIMEOUT_USEC;
return DNS_TIMEOUT_USEC; return TRANSACTION_UDP_TIMEOUT_USEC;
case DNS_PROTOCOL_MDNS: case DNS_PROTOCOL_MDNS:
if (t->probing) if (t->probing)

View File

@ -203,24 +203,3 @@ DnsTransactionState dns_transaction_state_from_string(const char *s) _pure_;
const char* dns_transaction_source_to_string(DnsTransactionSource p) _const_; const char* dns_transaction_source_to_string(DnsTransactionSource p) _const_;
DnsTransactionSource dns_transaction_source_from_string(const char *s) _pure_; DnsTransactionSource dns_transaction_source_from_string(const char *s) _pure_;
/* LLMNR Jitter interval, see RFC 4795 Section 7 */
#define LLMNR_JITTER_INTERVAL_USEC (100 * USEC_PER_MSEC)
/* mDNS probing interval, see RFC 6762 Section 8.1 */
#define MDNS_PROBING_INTERVAL_USEC (250 * USEC_PER_MSEC)
/* Maximum attempts to send DNS requests, across all DNS servers */
#define DNS_TRANSACTION_ATTEMPTS_MAX 24
/* Maximum attempts to send LLMNR requests, see RFC 4795 Section 2.7 */
#define LLMNR_TRANSACTION_ATTEMPTS_MAX 3
/* Maximum attempts to send MDNS requests, see RFC 6762 Section 8.1 */
#define MDNS_TRANSACTION_ATTEMPTS_MAX 3
#define TRANSACTION_ATTEMPTS_MAX(p) ((p) == DNS_PROTOCOL_LLMNR ? \
LLMNR_TRANSACTION_ATTEMPTS_MAX : \
(p) == DNS_PROTOCOL_MDNS ? \
MDNS_TRANSACTION_ATTEMPTS_MAX : \
DNS_TRANSACTION_ATTEMPTS_MAX)

View File

@ -0,0 +1,39 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
#include "time-util.h"
#include "resolved-def.h"
/* LLMNR Jitter interval, see RFC 4795 Section 7 */
#define LLMNR_JITTER_INTERVAL_USEC (100 * USEC_PER_MSEC)
/* mDNS probing interval, see RFC 6762 Section 8.1 */
#define MDNS_PROBING_INTERVAL_USEC (250 * USEC_PER_MSEC)
/* Maximum attempts to send DNS requests, across all DNS servers */
#define DNS_TRANSACTION_ATTEMPTS_MAX 24
/* Maximum attempts to send LLMNR requests, see RFC 4795 Section 2.7 */
#define LLMNR_TRANSACTION_ATTEMPTS_MAX 3
/* Maximum attempts to send MDNS requests, see RFC 6762 Section 8.1 */
#define MDNS_TRANSACTION_ATTEMPTS_MAX 3
#define TRANSACTION_ATTEMPTS_MAX(p) (\
(p) == DNS_PROTOCOL_LLMNR ? \
LLMNR_TRANSACTION_ATTEMPTS_MAX : \
(p) == DNS_PROTOCOL_MDNS ? \
MDNS_TRANSACTION_ATTEMPTS_MAX : \
DNS_TRANSACTION_ATTEMPTS_MAX)
/* After how much time to repeat classic DNS requests */
#define TRANSACTION_UDP_TIMEOUT_USEC (SD_RESOLVED_QUERY_TIMEOUT_USEC / DNS_TRANSACTION_ATTEMPTS_MAX)
/* When we do TCP, grant a much longer timeout, as in this case there's no need for us to quickly
* resend, as the kernel does that anyway for us, and we really don't want to interrupt it in that
* needlessly. */
#define TRANSACTION_TCP_TIMEOUT_USEC (10 * USEC_PER_SEC)
/* Should be longer than transaction timeout for a single UDP transaction, so we get at least
* one transaction retry before timeouting the whole candidate */
#define CANDIDATE_EXPEDITED_TIMEOUT_USEC (TRANSACTION_UDP_TIMEOUT_USEC + 1 * USEC_PER_SEC)

View File

@ -18,12 +18,8 @@ int ask_password_agent_open(void) {
if (agent_pid > 0) if (agent_pid > 0)
return 0; return 0;
/* We check STDIN here, not STDOUT, since this is about input, not output */ /* Check if we have a controlling terminal. If not (ENXIO here), we aren't actually invoked
if (!isatty_safe(STDIN_FILENO)) * interactively on a terminal, hence fail. */
return 0;
/* Also check if we have a controlling terminal. If not (ENXIO here), we aren't actually invoked
* interactively on a terminal, hence fail */
r = get_ctty_devnr(0, NULL); r = get_ctty_devnr(0, NULL);
if (r == -ENXIO) if (r == -ENXIO)
return 0; return 0;

View File

@ -544,7 +544,6 @@ int fexecve_or_execve(int executable_fd, const char *executable, char *const arg
} }
int _fork_agent(const char *name, const int except[], size_t n_except, pid_t *ret_pid, const char *path, ...) { int _fork_agent(const char *name, const int except[], size_t n_except, pid_t *ret_pid, const char *path, ...) {
bool stdout_is_tty, stderr_is_tty;
size_t n, i; size_t n, i;
va_list ap; va_list ap;
char **l; char **l;
@ -567,17 +566,18 @@ int _fork_agent(const char *name, const int except[], size_t n_except, pid_t *re
/* In the child: */ /* In the child: */
stdout_is_tty = isatty_safe(STDOUT_FILENO); bool stdin_is_tty = isatty_safe(STDIN_FILENO),
stderr_is_tty = isatty_safe(STDERR_FILENO); stdout_is_tty = isatty_safe(STDOUT_FILENO),
stderr_is_tty = isatty_safe(STDERR_FILENO);
if (!stdout_is_tty || !stderr_is_tty) { if (!stdin_is_tty || !stdout_is_tty || !stderr_is_tty) {
int fd; int fd;
/* Detach from stdout/stderr and reopen /dev/tty for them. This is important to ensure that /* Detach from stdin/stdout/stderr and reopen /dev/tty for them. This is important to ensure
* when systemctl is started via popen() or a similar call that expects to read EOF we * that when systemctl is started via popen() or a similar call that expects to read EOF we
* actually do generate EOF and not delay this indefinitely by keeping an unused copy of * actually do generate EOF and not delay this indefinitely by keeping an unused copy of
* stdin around. */ * stdin around. */
fd = open("/dev/tty", O_WRONLY); fd = open("/dev/tty", stdin_is_tty ? O_WRONLY : (stdout_is_tty && stderr_is_tty) ? O_RDONLY : O_RDWR);
if (fd < 0) { if (fd < 0) {
if (errno != ENXIO) { if (errno != ENXIO) {
log_error_errno(errno, "Failed to open /dev/tty: %m"); log_error_errno(errno, "Failed to open /dev/tty: %m");
@ -588,13 +588,18 @@ int _fork_agent(const char *name, const int except[], size_t n_except, pid_t *re
* connected to a TTY. That's a weird setup, but let's handle it gracefully: let's * connected to a TTY. That's a weird setup, but let's handle it gracefully: let's
* skip the forking of the agents, given the TTY setup is not in order. */ * skip the forking of the agents, given the TTY setup is not in order. */
} else { } else {
if (!stdin_is_tty && dup2(fd, STDIN_FILENO) < 0) {
log_error_errno(errno, "Failed to dup2 /dev/tty to STDIN: %m");
_exit(EXIT_FAILURE);
}
if (!stdout_is_tty && dup2(fd, STDOUT_FILENO) < 0) { if (!stdout_is_tty && dup2(fd, STDOUT_FILENO) < 0) {
log_error_errno(errno, "Failed to dup2 /dev/tty: %m"); log_error_errno(errno, "Failed to dup2 /dev/tty to STDOUT: %m");
_exit(EXIT_FAILURE); _exit(EXIT_FAILURE);
} }
if (!stderr_is_tty && dup2(fd, STDERR_FILENO) < 0) { if (!stderr_is_tty && dup2(fd, STDERR_FILENO) < 0) {
log_error_errno(errno, "Failed to dup2 /dev/tty: %m"); log_error_errno(errno, "Failed to dup2 /dev/tty to STDERR: %m");
_exit(EXIT_FAILURE); _exit(EXIT_FAILURE);
} }

View File

@ -31,12 +31,8 @@ int polkit_agent_open(void) {
if (geteuid() == 0) if (geteuid() == 0)
return 0; return 0;
/* We check STDIN here, not STDOUT, since this is about input, not output */ /* Check if we have a controlling terminal. If not (ENXIO here), we aren't actually invoked
if (!isatty_safe(STDIN_FILENO)) * interactively on a terminal, hence fail. */
return 0;
/* Also check if we have a controlling terminal. If not (ENXIO here), we aren't actually invoked
* interactively on a terminal, hence fail */
r = get_ctty_devnr(0, NULL); r = get_ctty_devnr(0, NULL);
if (r == -ENXIO) if (r == -ENXIO)
return 0; return 0;

View File

@ -475,7 +475,7 @@ int netns_get_nsid(int netnsfd, uint32_t *ret) {
if (r < 0) if (r < 0)
return r; return r;
if (u == UINT32_MAX) /* no NSID assigned yet */ if (u == (uint32_t) NETNSA_NSID_NOT_ASSIGNED) /* no NSID assigned yet */
return -ENODATA; return -ENODATA;
if (ret) if (ret)

View File

@ -4015,6 +4015,9 @@ int tpm2_policy_pcr(
ESYS_TR_NONE, ESYS_TR_NONE,
NULL, NULL,
pcr_selection); pcr_selection);
if (rc == TPM2_RC_PCR_CHANGED)
return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN),
"Failed to add PCR policy to TPM: %s", sym_Tss2_RC_Decode(rc));
if (rc != TSS2_RC_SUCCESS) if (rc != TSS2_RC_SUCCESS)
return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to add PCR policy to TPM: %s", sym_Tss2_RC_Decode(rc)); "Failed to add PCR policy to TPM: %s", sym_Tss2_RC_Decode(rc));
@ -5810,6 +5813,11 @@ int tpm2_unseal(Tpm2Context *c,
!!pin, !!pin,
(shard == 1 || !iovec_is_set(pubkey)) ? pcrlock_policy : NULL, (shard == 1 || !iovec_is_set(pubkey)) ? pcrlock_policy : NULL,
&policy_digest); &policy_digest);
if (r == -EUCLEAN && i > 0) {
log_debug("A PCR value changed during the TPM2 policy session, restarting HMAC key unsealing (%u tries left).", i);
retry = true;
break;
}
if (r < 0) if (r < 0)
return r; return r;

View File

@ -349,8 +349,8 @@ int verb_edit(int argc, char *argv[], void *userdata) {
STRV_FOREACH(tmp, names) { STRV_FOREACH(tmp, names) {
r = unit_is_masked(bus, *tmp); r = unit_is_masked(bus, *tmp);
if (r < 0) if (r < 0 && r != -ENOENT)
return r; return log_error_errno(r, "Failed to check if unit %s is masked: %m", *tmp);
if (r > 0) if (r > 0)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot edit %s: unit is masked.", *tmp); return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot edit %s: unit is masked.", *tmp);
} }

View File

@ -224,15 +224,11 @@ static int run(int argc, char *argv[]) {
dissected = dissected_image_unref(dissected); dissected = dissected_image_unref(dissected);
#endif #endif
if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0) { if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0)
log_tests_skipped("not running privileged"); return log_tests_skipped("not running privileged");
return 0;
}
if (detect_container() > 0) { if (detect_container() > 0)
log_tests_skipped("Test not supported in a container, requires udev/uevent notifications"); return log_tests_skipped("Test not supported in a container, requires udev/uevent notifications");
return 0;
}
assert_se(loop_device_make(fd, O_RDWR, 0, UINT64_MAX, 0, LO_FLAGS_PARTSCAN, LOCK_EX, &loop) >= 0); assert_se(loop_device_make(fd, O_RDWR, 0, UINT64_MAX, 0, LO_FLAGS_PARTSCAN, LOCK_EX, &loop) >= 0);

View File

@ -393,27 +393,31 @@ TEST(format_timestamp) {
static void test_format_timestamp_impl(usec_t x) { static void test_format_timestamp_impl(usec_t x) {
bool success, override; bool success, override;
const char *xx, *yy; const char *xx, *yy;
usec_t y; usec_t y, x_sec, y_sec;
xx = FORMAT_TIMESTAMP(x); xx = FORMAT_TIMESTAMP(x);
assert_se(xx); ASSERT_NOT_NULL(xx);
assert_se(parse_timestamp(xx, &y) >= 0); ASSERT_OK(parse_timestamp(xx, &y));
yy = FORMAT_TIMESTAMP(y); yy = FORMAT_TIMESTAMP(y);
assert_se(yy); ASSERT_NOT_NULL(yy);
success = (x / USEC_PER_SEC == y / USEC_PER_SEC) && streq(xx, yy); x_sec = x / USEC_PER_SEC;
y_sec = y / USEC_PER_SEC;
success = (x_sec == y_sec) && streq(xx, yy);
/* Workaround for https://github.com/systemd/systemd/issues/28472 /* Workaround for https://github.com/systemd/systemd/issues/28472
* and https://github.com/systemd/systemd/pull/35471. */ * and https://github.com/systemd/systemd/pull/35471. */
override = !success && override = !success &&
(STRPTR_IN_SET(tzname[0], "CAT", "EAT", "WET") || (STRPTR_IN_SET(tzname[0], "CAT", "EAT", "WET") ||
STRPTR_IN_SET(tzname[1], "CAT", "EAT", "WET")) && STRPTR_IN_SET(tzname[1], "CAT", "EAT", "WET")) &&
DIV_ROUND_UP(x > y ? x - y : y - x, USEC_PER_SEC) == 3600; /* 1 hour, ignore fractional second */ (x_sec > y_sec ? x_sec - y_sec : y_sec - x_sec) == 3600; /* 1 hour, ignore fractional second */
log_full(success ? LOG_DEBUG : override ? LOG_WARNING : LOG_ERR, log_full(success ? LOG_DEBUG : override ? LOG_WARNING : LOG_ERR,
"@" USEC_FMT " → %s → @" USEC_FMT " → %s%s", "@" USEC_FMT " → %s → @" USEC_FMT " → %s%s",
x, xx, y, yy, x, xx, y, yy,
override ? ", ignoring." : ""); override ? ", ignoring." : "");
if (!override) { if (!override) {
assert_se(x / USEC_PER_SEC == y / USEC_PER_SEC); if (!success)
log_warning("tzname[0]=\"%s\", tzname[1]=\"%s\"", tzname[0], tzname[1]);
ASSERT_EQ(x_sec, y_sec);
ASSERT_STREQ(xx, yy); ASSERT_STREQ(xx, yy);
} }
} }

View File

@ -3684,7 +3684,7 @@ static int parse_line(
else { else {
*invalid_config = true; *invalid_config = true;
return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EBADMSG), return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EBADMSG),
"Unknown modifiers in command '%s'.", action); "Unknown modifiers in command: %s", action);
} }
if (boot && !arg_boot) { if (boot && !arg_boot) {

View File

@ -264,7 +264,7 @@ class UkifyConfig:
sbat: Optional[list[str]] sbat: Optional[list[str]]
sections: list['Section'] sections: list['Section']
sections_by_name: dict[str, 'Section'] sections_by_name: dict[str, 'Section']
sign_kernel: bool sign_kernel: Optional[bool]
signing_engine: Optional[str] signing_engine: Optional[str]
signing_provider: Optional[str] signing_provider: Optional[str]
certificate_provider: Optional[str] certificate_provider: Optional[str]
@ -1108,7 +1108,7 @@ def make_uki(opts: UkifyConfig) -> None:
assert opts.signtool is not None assert opts.signtool is not None
signtool = SignTool.from_string(opts.signtool) signtool = SignTool.from_string(opts.signtool)
if not sign_kernel: if sign_kernel is None:
# figure out if we should sign the kernel # figure out if we should sign the kernel
sign_kernel = signtool.verify(opts) sign_kernel = signtool.verify(opts)

View File

@ -18,7 +18,7 @@ To make sure `mkosi` doesn't try to build systemd from source during the image b
process, you can add the following to `mkosi.local.conf`: process, you can add the following to `mkosi.local.conf`:
``` ```
[Content] [Build]
Environment=NO_BUILD=1 Environment=NO_BUILD=1
``` ```

View File

@ -10,8 +10,10 @@ if ! journalctl --version | grep -qF +GCRYPT; then
exit 0 exit 0
fi fi
journalctl --force --setup-keys --interval=2 |& tee /tmp/fss # without --quiet, should be effectively equivalent to the below, as we are not on tty
FSS_VKEY="$(sed -rn '/([a-f0-9]{6}\-){3}[a-f0-9]{6}\/[a-f0-9]+\-[a-f0-9]+/p' /tmp/fss)" journalctl --force --setup-keys --interval=2
FSS_VKEY=$(journalctl --force --setup-keys --interval=2 --quiet)
[[ -n "$FSS_VKEY" ]] [[ -n "$FSS_VKEY" ]]
# Generate some buzz in the journal and wait until the FSS key is changed # Generate some buzz in the journal and wait until the FSS key is changed

View File

@ -21,6 +21,7 @@ at_exit() {
# the 'revert' verb as well # the 'revert' verb as well
export UNIT_NAME="systemctl-test-$RANDOM.service" export UNIT_NAME="systemctl-test-$RANDOM.service"
export UNIT_NAME2="systemctl-test-$RANDOM.service" export UNIT_NAME2="systemctl-test-$RANDOM.service"
export UNIT_NAME_TEMPLATE="systemctl-test-${RANDOM}@.service"
cat >"/usr/lib/systemd/system/$UNIT_NAME" <<\EOF cat >"/usr/lib/systemd/system/$UNIT_NAME" <<\EOF
[Unit] [Unit]
@ -65,6 +66,16 @@ EOF
printf '%s\n' '[Unit]' 'Description=spectacular' '# this comment should remain' | \ printf '%s\n' '[Unit]' 'Description=spectacular' '# this comment should remain' | \
cmp - "/etc/systemd/system/$UNIT_NAME.d/override2.conf" cmp - "/etc/systemd/system/$UNIT_NAME.d/override2.conf"
# Edit nonexistent template unit, see issue #35632.
systemctl edit "$UNIT_NAME_TEMPLATE" --stdin --runtime --force --full <<EOF
[Unit]
Description=template unit test
# this comment should remain
EOF
printf '%s\n' '[Unit]' 'Description=template unit test' '# this comment should remain' | \
cmp - "/run/systemd/system/$UNIT_NAME_TEMPLATE"
# Test simultaneous editing of two units and creation of drop-in for a nonexistent unit # Test simultaneous editing of two units and creation of drop-in for a nonexistent unit
systemctl edit "$UNIT_NAME" "$UNIT_NAME2" --stdin --force --drop-in=override2.conf <<<'[X-Section]' systemctl edit "$UNIT_NAME" "$UNIT_NAME2" --stdin --force --drop-in=override2.conf <<<'[X-Section]'
printf '%s\n' '[X-Section]' | cmp - "/etc/systemd/system/$UNIT_NAME.d/override2.conf" printf '%s\n' '[X-Section]' | cmp - "/etc/systemd/system/$UNIT_NAME.d/override2.conf"

View File

@ -639,7 +639,7 @@ EOF
journalctl --sync journalctl --sync
assert_eq "$(journalctl -b -u systemd-logind.service --since="$ts" --grep "Session \"$id\" of user \"logind-test-user\" is idle, stopping." | wc -l)" 1 assert_eq "$(journalctl -b -u systemd-logind.service --since="$ts" --grep "Session \"$id\" of user \"logind-test-user\" is idle, stopping." | wc -l)" 1
assert_eq "$(loginctl --no-legend | grep -v manager | grep -c "logind-test-user")" 0 assert_eq "$(loginctl --no-legend | grep -v manager | grep tty | grep -c "logind-test-user")" 0
} }
testcase_ambient_caps() { testcase_ambient_caps() {

View File

@ -13,7 +13,7 @@ def main():
with open("/usr/lib/os-release") as f: with open("/usr/lib/os-release") as f:
for line in f: for line in f:
if line.startswith("ID="): if line.startswith("ID="):
if "debian" in line: if "debian" in line or "ubuntu" in line:
sys.exit(77) sys.exit(77)
logger = logging.getLogger("test-shutdown") logger = logging.getLogger("test-shutdown")

View File

@ -26,7 +26,7 @@ NoNewPrivileges=yes
OOMScoreAdjust=500 OOMScoreAdjust=500
PrivateDevices=yes PrivateDevices=yes
PrivateNetwork=yes PrivateNetwork=yes
PrivateTmp=yes PrivateTmp=disconnected
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=read-only ProtectHome=read-only
ProtectHostname=yes ProtectHostname=yes

View File

@ -37,7 +37,7 @@ MemoryLow=64M
NoNewPrivileges=yes NoNewPrivileges=yes
OOMScoreAdjust=-900 OOMScoreAdjust=-900
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=disconnected
ProtectClock=yes ProtectClock=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes

View File

@ -29,7 +29,7 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=disconnected
ProtectClock=yes ProtectClock=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes

View File

@ -31,7 +31,7 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=disconnected
ProtectProc=invisible ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes