[pull] main from systemd:main

README

@@ -216,11 +216,10 @@ REQUIREMENTS:
         libmount >= 2.30 (from util-linux)
                 (util-linux *must* be built without --enable-libmount-support-mtab)
         libseccomp >= 2.3.1 (optional)
-        libblkid >= 2.24 (from util-linux) (optional)
+        libblkid >= 2.37 (from util-linux) (optional)
         libkmod >= 15 (optional)
         PAM >= 1.1.2 (optional)
-        libcryptsetup >= 2.0.1 (optional),
-                      >= 2.3.0 is required for signed Verity images support
+        libcryptsetup >= 2.4.0 (optional),
         libaudit (optional)
         libacl (optional)
         libbpf >= 0.1.0 (optional),
@@ -243,11 +242,11 @@ REQUIREMENTS:
         libcurl >= 7.32.0 (optional)
         libidn2 or libidn (optional)
         gnutls >= 3.1.4 (optional)
-        openssl >= 1.1.0 (optional, required to support DNS-over-TLS)
+        openssl >= 3.0.0 (optional, required to support DNS-over-TLS)
         p11-kit >= 0.23.3 (optional)
         libfido2 (optional)
         tpm2-tss (optional)
-        elfutils >= 158 (optional)
+        elfutils >= 177 (optional)
         polkit (optional)
         tzdata >= 2014f (optional)
         pkg-config

docs/PASSWORD_AGENTS.md

@@ -40,7 +40,9 @@ It is easy to write additional agents. The basic algorithm to follow looks like
 * You'll find the PID of the client asking the question in the `PID=` field in the `[Ask]` section
   (Before asking your question use `kill(PID, 0)` and ignore the file if this returns `ESRCH`;
   there's no need to show the data of this field but if you want to you may)
-* `Echo=` specifies whether the input should be obscured. If this field is missing or is `Echo=0`, the input should not be shown.
+* `Echo=` specifies whether the input should be obscured. If this field is missing or is `Echo=0`, the input should not be shown as-is.
+* `Silent=` specifies whether the input should have any indication. If this field is `Silent=1`, nothing should be printed for any input.
+* `AcceptCached=` specifies whether a cached password is acceptable or not. If this field is missing or is `AcceptCached=0`, the password should not be provided from a cache.
 * The socket to send the response to is configured via `Socket=` in the `[Ask]` section. It is a `AF_UNIX`/`SOCK_DGRAM` socket in the file system.
 * Ignore files where the time specified in the `NotAfter=` field in the `[Ask]` section is in the past.
   The time is specified in usecs, and refers to the `CLOCK_MONOTONIC` clock. If `NotAfter=` is `0`, no such check should take place.
@@ -100,4 +102,4 @@ now available, with the same protocol as the system-wide
 counterpart. Unprivileged, per-directory agents should watch this directory in
 parallel to the system-wide one. Unprivileged queriers (i.e. clients to these
 agents) should pick the per-user directory to place their password request
-files in.
+files in. If the directory does not exist, agents may create it.

man/org.freedesktop.systemd1.xml

@@ -12664,8 +12664,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
       <varname>LogsDirectoryQuotaUsage</varname>,
       <varname>LogsDirectoryAccounting</varname>, and
       <function>KillSubgroup()</function> were added in version 258.</para>
-      <para><varname>OOMKills</varname>, and
-      <varname>UserNamespacePath</varname>, and
+      <para><varname>UserNamespacePath</varname>,
+      <varname>OOMKills</varname>, and
       <varname>ManagedOOMKills</varname> were added in 259.</para>
       <para><varname>BindNetworkInterface</varname> was added in version 260.</para>
     </refsect2>

man/systemd-vmspawn.xml

@@ -69,6 +69,18 @@
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--system</option></term>
+        <term><option>--user</option></term>
+
+        <listitem><para>Specify whether to interact with the user manager or the system manager and whether
+        to register with the user machined instance or the system machined instance. If
+        unspecified, the system manager and machined instance will be used when running as root, otherwise
+        the user manager and machined instance will be used.</para>
+
+        <xi:include href="version-info.xml" xpointer="v260"/></listitem>
+      </varlistentry>
+
     </variablelist>
 
     <refsect2>

man/systemd.network.xml

@@ -2325,13 +2325,20 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><varname>MultiPathRoute=<replaceable>address</replaceable>[@<replaceable>name</replaceable>] [<replaceable>weight</replaceable>]</varname></term>
+        <term><varname>MultiPathRoute=</varname></term>
         <listitem>
           <para>Configures multipath route. Multipath routing is the technique of using multiple
-          alternative paths through a network. Takes gateway address. Optionally, takes a network
-          interface name or index separated with <literal>@</literal>, and a weight in 1..256 for this
-          multipath route separated with whitespace. This setting can be specified multiple times. If
-          an empty string is assigned, then the all previous assignments are cleared.</para>
+          alternative paths through a network. Takes a gateway address and/or a network interface
+          name or index (prefixed with <literal>@</literal>). At least one of these must be specified.
+          Optionally, a weight in 1..256 can be specified, separated with whitespace. This setting
+          can be specified multiple times. If an empty string is assigned, then all previous
+          assignments are cleared.</para>
+
+          <para>Examples:</para>
+          <programlisting>MultiPathRoute=10.0.0.1@eth0 20
+MultiPathRoute=192.168.1.1 50
+MultiPathRoute=@wg0 15
+MultiPathRoute=2001:db8::1@eth0</programlisting>
 
           <xi:include href="version-info.xml" xpointer="v245"/>
         </listitem>

meson.build

@@ -1229,10 +1229,9 @@ conf.set10('HAVE_AUDIT', libaudit.found())
 libaudit_cflags = libaudit.partial_dependency(includes: true, compile_args: true)
 
 libblkid = dependency('blkid',
+                      version : '>=2.37.0',
                       required : get_option('blkid'))
 conf.set10('HAVE_BLKID', libblkid.found())
-conf.set10('HAVE_BLKID_PROBE_SET_HINT',
-           libblkid.found() and cc.has_function('blkid_probe_set_hint', dependencies : libblkid))
 libblkid_cflags = libblkid.partial_dependency(includes: true, compile_args: true)
 
 libkmod = dependency('libkmod',
@@ -1277,19 +1276,16 @@ if libcryptsetup_plugins.enabled()
 endif
 
 libcryptsetup = dependency('libcryptsetup',
-                           version : libcryptsetup_plugins.enabled() ? '>= 2.4.0' : '>= 2.0.1',
+                           version : '>= 2.4.0',
                            required : libcryptsetup)
 libcryptsetup_cflags = libcryptsetup.partial_dependency(includes: true, compile_args: true)
 
 have = libcryptsetup.found()
 conf.set10('HAVE_LIBCRYPTSETUP', have)
+conf.set10('HAVE_LIBCRYPTSETUP_PLUGINS',
+           libcryptsetup_plugins.allowed() and have)
 
 foreach ident : [
-                'crypt_activate_by_token_pin',   # 2.4
-                'crypt_logf',                    # 2.4
-                'crypt_reencrypt_run',           # 2.4
-                'crypt_token_external_path',     # 2.4
-                'crypt_token_max',               # 2.4
                 'crypt_set_keyring_to_link',     # 2.7
                 'crypt_token_set_external_path', # 2.7
         ]
@@ -1301,12 +1297,6 @@ foreach ident : [
         conf.set10('HAVE_' + ident.to_upper(), have_ident)
 endforeach
 
-conf.set10('HAVE_LIBCRYPTSETUP_PLUGINS',
-           libcryptsetup_plugins.allowed() and
-           conf.get('HAVE_CRYPT_ACTIVATE_BY_TOKEN_PIN') == 1 and
-           conf.get('HAVE_CRYPT_LOGF') == 1 and
-           conf.get('HAVE_CRYPT_TOKEN_EXTERNAL_PATH') == 1)
-
 libcurl = dependency('libcurl',
                      version : '>= 7.32.0',
                      required : get_option('libcurl'))
@@ -1355,7 +1345,7 @@ libgnutls = dependency('gnutls',
 conf.set10('HAVE_GNUTLS', libgnutls.found())
 
 libopenssl = dependency('openssl',
-                        version : '>= 1.1.0',
+                        version : '>= 3.0.0',
                         required : get_option('openssl'))
 conf.set10('HAVE_OPENSSL', libopenssl.found())
 
@@ -1381,17 +1371,14 @@ conf.set10('HAVE_TSS2_ESYS3', tpm2.found() and tpm2.version().version_compare('>
 conf.set('TPM2_NVPCR_BASE', get_option('tpm2-nvpcr-base'))
 
 libdw = dependency('libdw',
+                   version : '>=0.177',
                    required : get_option('elfutils'))
 libdw_cflags = libdw.partial_dependency(includes: true, compile_args: true)
 libelf = dependency('libelf',
                     required : get_option('elfutils'))
 libelf_cflags = libelf.partial_dependency(includes: true, compile_args: true)
 conf.set10('HAVE_ELFUTILS', libdw.found() and libelf.found())
 
-# New in elfutils 0.177
-conf.set10('HAVE_DWELF_ELF_E_MACHINE_STRING',
-           libdw.found() and cc.has_function('dwelf_elf_e_machine_string', dependencies : libdw))
-
 # New in elfutils 0.192
 conf.set10('HAVE_DWFL_SET_SYSROOT',
            libdw.found() and cc.has_function('dwfl_set_sysroot', dependencies : libdw))

shell-completion/bash/systemd-vmspawn

@@ -29,7 +29,7 @@ _systemd_vmspawn() {
     local i verb comps
 
     local -A OPTS=(
-        [STANDALONE]='-h --help --version -q --quiet --no-pager -n --network-tap --network-user-mode'
+        [STANDALONE]='-h --help --version -q --quiet --no-pager -n --network-tap --network-user-mode --user --system'
         [PATH]='-D --directory -i --image --linux --initrd --extra-drive --forward-journal'
         [BOOL]='--kvm --vsock --tpm --secure-boot --discard-disk --register --pass-ssh-key'
         [FIRMWARE]='--firmware'

src/basic/unit-def.h

@@ -317,43 +317,27 @@ DECLARE_STRING_TABLE_LOOKUP(unit_type, UnitType);
 void unit_types_list(void);
 
 DECLARE_STRING_TABLE_LOOKUP(unit_load_state, UnitLoadState);
-
 DECLARE_STRING_TABLE_LOOKUP(unit_active_state, UnitActiveState);
 
 DECLARE_STRING_TABLE_LOOKUP(freezer_state, FreezerState);
 FreezerState freezer_state_finish(FreezerState state) _const_;
 FreezerState freezer_state_objective(FreezerState state) _const_;
 
 DECLARE_STRING_TABLE_LOOKUP(unit_marker, UnitMarker);
-
 DECLARE_STRING_TABLE_LOOKUP(automount_state, AutomountState);
-
 DECLARE_STRING_TABLE_LOOKUP(device_state, DeviceState);
-
 DECLARE_STRING_TABLE_LOOKUP(mount_state, MountState);
-
 DECLARE_STRING_TABLE_LOOKUP(path_state, PathState);
-
 DECLARE_STRING_TABLE_LOOKUP(scope_state, ScopeState);
-
 DECLARE_STRING_TABLE_LOOKUP(service_state, ServiceState);
-
 DECLARE_STRING_TABLE_LOOKUP(slice_state, SliceState);
-
 DECLARE_STRING_TABLE_LOOKUP(socket_state, SocketState);
-
 DECLARE_STRING_TABLE_LOOKUP(swap_state, SwapState);
-
 DECLARE_STRING_TABLE_LOOKUP(target_state, TargetState);
-
 DECLARE_STRING_TABLE_LOOKUP(timer_state, TimerState);
-
 DECLARE_STRING_TABLE_LOOKUP(unit_dependency, UnitDependency);
-
 DECLARE_STRING_TABLE_LOOKUP(notify_access, NotifyAccess);
-
 DECLARE_STRING_TABLE_LOOKUP(job_mode, JobMode);
-
 DECLARE_STRING_TABLE_LOOKUP(exec_directory_type, ExecDirectoryType);
 
 Glyph unit_active_state_to_glyph(UnitActiveState state);

src/cryptsetup/cryptsetup.c

@@ -331,11 +331,8 @@ static int parse_one_option(const char *option) {
                 arg_no_write_workqueue = true;
         else if (streq(option, "luks"))
                 arg_type = ANY_LUKS;
-/* since cryptsetup 2.3.0 (Feb 2020) */
-#ifdef CRYPT_BITLK
         else if (streq(option, "bitlk"))
                 arg_type = CRYPT_BITLK;
-#endif
         else if (streq(option, "tcrypt"))
                 arg_type = CRYPT_TCRYPT;
         else if (STR_IN_SET(option, "tcrypt-hidden", "tcrypthidden")) {
@@ -2492,11 +2489,9 @@ static uint32_t determine_flags(void) {
         if (arg_no_write_workqueue)
                 flags |= CRYPT_ACTIVATE_NO_WRITE_WORKQUEUE;
 
-#ifdef CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF
         /* Try to decrease the risk of OOM event if memory hard key derivation function is in use */
         /* https://gitlab.com/cryptsetup/cryptsetup/issues/446/ */
         flags |= CRYPT_ACTIVATE_SERIALIZE_MEMORY_HARD_PBKDF;
-#endif
 
         return flags;
 }
@@ -2672,14 +2667,11 @@ static int verb_attach(int argc, char *argv[], void *userdata) {
                 }
         }
 
-/* since cryptsetup 2.3.0 (Feb 2020) */
-#ifdef CRYPT_BITLK
         if (streq_ptr(arg_type, CRYPT_BITLK)) {
                 r = crypt_load(cd, CRYPT_BITLK, NULL);
                 if (r < 0)
                         return log_error_errno(r, "Failed to load Bitlocker superblock on device %s: %m", crypt_get_device_name(cd));
         }
-#endif
 
         bool use_cached_passphrase = true, try_discover_key = !key_file;
         const char *discovered_key_fn = strjoina(volume, ".key");

src/network/networkd-route-nexthop.c

@@ -94,10 +94,12 @@ static void route_nexthop_hash_func_full(const RouteNextHop *nh, struct siphash
         /* See nh_comp() in net/ipv4/fib_semantics.c of the kernel. */
 
         siphash24_compress_typesafe(nh->family, state);
-        if (!IN_SET(nh->family, AF_INET, AF_INET6))
-                return;
 
-        in_addr_hash_func(&nh->gw, nh->family, state);
+        /* For device-only nexthops parsed from config, family is AF_UNSPEC until verification.
+         * We still need to hash weight/ifindex/ifname to distinguish different device-only entries. */
+        if (IN_SET(nh->family, AF_INET, AF_INET6))
+                in_addr_hash_func(&nh->gw, nh->family, state);
+
         if (with_weight)
                 siphash24_compress_typesafe(nh->weight, state);
         siphash24_compress_typesafe(nh->ifindex, state);
@@ -115,12 +117,13 @@ static int route_nexthop_compare_func_full(const RouteNextHop *a, const RouteNex
         if (r != 0)
                 return r;
 
-        if (!IN_SET(a->family, AF_INET, AF_INET6))
-                return 0;
-
-        r = memcmp(&a->gw, &b->gw, FAMILY_ADDRESS_SIZE(a->family));
-        if (r != 0)
-                return r;
+        /* For device-only nexthops parsed from config, family is AF_UNSPEC until verification.
+         * We still need to compare weight/ifindex/ifname to distinguish different device-only entries. */
+        if (IN_SET(a->family, AF_INET, AF_INET6)) {
+                r = memcmp(&a->gw, &b->gw, FAMILY_ADDRESS_SIZE(a->family));
+                if (r != 0)
+                        return r;
+        }
 
         if (with_weight) {
                 r = CMP(a->weight, b->weight);
@@ -553,30 +556,34 @@ static int append_nexthop_one(const Route *route, const RouteNextHop *nh, struct
 
         (*rta)->rta_len += sizeof(struct rtnexthop);
 
-        if (nh->family == route->family) {
-                r = rtattr_append_attribute(rta, RTA_GATEWAY, &nh->gw, FAMILY_ADDRESS_SIZE(nh->family));
-                if (r < 0)
-                        goto clear;
+        /* For device-only nexthops, skip RTA_GATEWAY entirely. The kernel will use the
+         * interface specified in rtnh_ifindex without requiring a gateway address. */
+        if (in_addr_is_set(nh->family, &nh->gw)) {
+                if (nh->family == route->family) {
+                        r = rtattr_append_attribute(rta, RTA_GATEWAY, &nh->gw, FAMILY_ADDRESS_SIZE(nh->family));
+                        if (r < 0)
+                                goto clear;
 
-                rtnh = (struct rtnexthop *)((uint8_t *) *rta + offset);
-                rtnh->rtnh_len += RTA_SPACE(FAMILY_ADDRESS_SIZE(nh->family));
+                        rtnh = (struct rtnexthop *)((uint8_t *) *rta + offset);
+                        rtnh->rtnh_len += RTA_SPACE(FAMILY_ADDRESS_SIZE(nh->family));
 
-        } else if (nh->family == AF_INET6) {
-                assert(route->family == AF_INET);
+                } else if (nh->family == AF_INET6) {
+                        assert(route->family == AF_INET);
 
-                r = rtattr_append_attribute(rta, RTA_VIA,
-                                            &(RouteVia) {
-                                                    .family = nh->family,
-                                                    .address = nh->gw,
-                                            }, sizeof(RouteVia));
-                if (r < 0)
-                        goto clear;
+                        r = rtattr_append_attribute(rta, RTA_VIA,
+                                                    &(RouteVia) {
+                                                            .family = nh->family,
+                                                            .address = nh->gw,
+                                                    }, sizeof(RouteVia));
+                        if (r < 0)
+                                goto clear;
 
-                rtnh = (struct rtnexthop *)((uint8_t *) *rta + offset);
-                rtnh->rtnh_len += RTA_SPACE(sizeof(RouteVia));
+                        rtnh = (struct rtnexthop *)((uint8_t *) *rta + offset);
+                        rtnh->rtnh_len += RTA_SPACE(sizeof(RouteVia));
 
-        } else if (nh->family == AF_INET)
-                assert_not_reached();
+                } else if (nh->family == AF_INET)
+                        assert_not_reached();
+        }
 
         return 0;
 
@@ -1080,11 +1087,16 @@ int config_parse_multipath_route(
                 }
         }
 
-        r = in_addr_from_string_auto(word, &nh->family, &nh->gw);
-        if (r < 0) {
-                log_syntax(unit, LOG_WARNING, filename, line, r,
-                           "Invalid multipath route gateway '%s', ignoring assignment: %m", rvalue);
-                return 0;
+        if (isempty(word)) {
+                if (!dev)
+                        return log_syntax_parse_error(unit, filename, line, SYNTHETIC_ERRNO(EINVAL), lvalue, rvalue);
+        } else {
+                r = in_addr_from_string_auto(word, &nh->family, &nh->gw);
+                if (r < 0) {
+                        log_syntax(unit, LOG_WARNING, filename, line, r,
+                                   "Invalid multipath route gateway '%s', ignoring assignment: %m", rvalue);
+                        return 0;
+                }
         }
 
         if (!isempty(p)) {