adamlaska · pull · Jan 2, 2026 · Nov 18, 2025 · Nov 18, 2025 · Nov 18, 2025
diff --git a/README b/README
@@ -212,10 +212,10 @@ REQUIREMENTS:
         newer though. TL;DR: turn audit off, still.
 
         glibc >= 2.31
-        libxcrypt or glibc (<= 2.38 built with --enable-crypt)
+        libxcrypt >= 4.4.0 (optional)
         libmount >= 2.30 (from util-linux)
                 (util-linux *must* be built without --enable-libmount-support-mtab)
-        libseccomp >= 2.3.1 (optional)
+        libseccomp >= 2.4.0 (optional)
         libblkid >= 2.37 (from util-linux) (optional)
         libkmod >= 15 (optional)
         PAM >= 1.1.2 (optional)

diff --git a/meson.build b/meson.build
@@ -685,15 +685,6 @@ conf.set('GPERF_LEN_TYPE', gperf_len_type,
 
 #####################################################################
 
-foreach header : [
-        'crypt.h',
-]
-
-        if not cc.has_header(header)
-                error(f'Header file @header@ not found')
-        endif
-endforeach
-
 foreach header : [
         'gshadow.h',
         'nss.h',
@@ -1046,22 +1037,18 @@ else
         libatomic = []
 endif
 
-libcrypt = dependency('libcrypt', 'libxcrypt', required : false)
-if not libcrypt.found()
-        # fallback to use find_library() if libcrypt is provided by glibc, e.g. for LibreELEC.
-        libcrypt = cc.find_library('crypt')
+if get_option('libc') == 'musl'
+        libcrypt = []
+        libcrypt_cflags = []
+        have = get_option('libcrypt').allowed()
+else
+        libcrypt = dependency('libcrypt', 'libxcrypt',
+                              required : get_option('libcrypt'),
+                              version : '>=4.4.0')
+        libcrypt_cflags = libcrypt.partial_dependency(includes: true, compile_args: true)
+        have = libcrypt.found()
 endif
-
-foreach func : [
-        'crypt_ra',               # since libxcrypt-4.0.0
-        'crypt_gensalt_ra',       # since libxcrypt-4.0.0
-        'crypt_preferred_method', # since libxcrypt-4.4.0
-]
-
-        have = cc.has_function(func, prefix : '''#include <crypt.h>''', args : '-D_GNU_SOURCE',
-                               dependencies : libcrypt)
-        conf.set10('HAVE_' + func.to_upper(), have)
-endforeach
+conf.set10('HAVE_LIBCRYPT', have)
 
 bpf_framework = get_option('bpf-framework')
 bpf_compiler = get_option('bpf-compiler')
@@ -1180,7 +1167,7 @@ conf.set10('HAVE_PWQUALITY', have)
 conf.set10('HAVE_PASSWDQC', not have and libpwquality.found())
 
 libseccomp = dependency('libseccomp',
-                        version : '>= 2.3.1',
+                        version : '>= 2.4.0',
                         required : get_option('seccomp'))
 conf.set10('HAVE_SECCOMP', libseccomp.found())
 libseccomp_cflags = libseccomp.partial_dependency(includes: true, compile_args: true)
@@ -1594,10 +1581,11 @@ conf.set10('ENABLE_SYSUPDATED', have2)
 conf.set10('ENABLE_STORAGETM', get_option('storagetm'))
 
 have = get_option('homed').require(
+        conf.get('HAVE_LIBCRYPT') == 1 and
         conf.get('HAVE_OPENSSL') == 1 and
         conf.get('HAVE_LIBFDISK') == 1 and
         conf.get('HAVE_LIBCRYPTSETUP') == 1,
-        error_message : 'openssl, fdisk and libcryptsetup required').allowed()
+        error_message : 'libcrypt, openssl, fdisk, and libcryptsetup required').allowed()
 conf.set10('ENABLE_HOMED', have)
 
 have = have and conf.get('HAVE_PAM') == 1
@@ -3124,6 +3112,7 @@ foreach tuple : [
         ['gnutls'],
         ['libarchive'],
         ['libbpf'],
+        ['libcrypt'],
         ['libcryptsetup'],
         ['libcryptsetup-plugins'],
         ['libcurl'],

diff --git a/meson_options.txt b/meson_options.txt
@@ -426,6 +426,8 @@ option('pwquality', type : 'feature', deprecated : { 'true' : 'enabled', 'false'
        description : 'libpwquality support')
 option('microhttpd', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'libµhttpd support')
+option('libcrypt', type : 'feature',
+       description : 'libcrypt/libxcrypt support')
 option('libcryptsetup', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'libcryptsetup support')
 option('libcryptsetup-plugins', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },

diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
@@ -1192,18 +1192,18 @@ static int ask_password_conv(
         return PAM_SUCCESS;
 }
 
-static int pam_close_session_and_delete_credentials(pam_handle_t *handle, int flags) {
+static int pam_close_session_and_delete_credentials(pam_handle_t *pamh, int flags) {
         int r, s;
 
-        assert(handle);
+        assert(pamh);
 
-        r = sym_pam_close_session(handle, flags);
+        r = sym_pam_close_session(pamh, flags);
         if (r != PAM_SUCCESS)
-                pam_syslog_pam_error(handle, LOG_DEBUG, r, "pam_close_session() failed: @PAMERR@");
+                pam_syslog_pam_error(pamh, LOG_DEBUG, r, "pam_close_session() failed: @PAMERR@");
 
-        s = sym_pam_setcred(handle, PAM_DELETE_CRED | flags);
+        s = sym_pam_setcred(pamh, PAM_DELETE_CRED | flags);
         if (s != PAM_SUCCESS)
-                pam_syslog_pam_error(handle, LOG_DEBUG, r, "pam_setcred(PAM_DELETE_CRED) failed: @PAMERR@");
+                pam_syslog_pam_error(pamh, LOG_DEBUG, r, "pam_setcred(PAM_DELETE_CRED) failed: @PAMERR@");
 
         return r != PAM_SUCCESS ? r : s;
 }
@@ -1339,7 +1339,7 @@ static int setup_pam(
         _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
         _cleanup_strv_free_ char **e = NULL;
         _cleanup_free_ char *tty = NULL;
-        pam_handle_t *handle = NULL;
+        pam_handle_t *pamh = NULL;
         sigset_t old_ss;
         int pam_code = PAM_SUCCESS, r;
         bool close_session = false;
@@ -1369,42 +1369,42 @@ static int setup_pam(
         if (log_get_max_level() < LOG_DEBUG)
                 flags |= PAM_SILENT;
 
-        pam_code = sym_pam_start(context->pam_name, user, &conv, &handle);
+        pam_code = sym_pam_start(context->pam_name, user, &conv, &pamh);
         if (pam_code != PAM_SUCCESS) {
-                handle = NULL;
+                pamh = NULL;
                 goto fail;
         }
 
         r = exec_context_get_tty_for_pam(context, &tty);
         if (r < 0)
                 goto fail;
         if (r > 0) {
-                pam_code = sym_pam_set_item(handle, PAM_TTY, tty);
+                pam_code = sym_pam_set_item(pamh, PAM_TTY, tty);
                 if (pam_code != PAM_SUCCESS)
                         goto fail;
         }
 
         STRV_FOREACH(nv, *env) {
-                pam_code = sym_pam_putenv(handle, *nv);
+                pam_code = sym_pam_putenv(pamh, *nv);
                 if (pam_code != PAM_SUCCESS)
                         goto fail;
         }
 
-        pam_code = sym_pam_acct_mgmt(handle, flags);
+        pam_code = sym_pam_acct_mgmt(pamh, flags);
         if (pam_code != PAM_SUCCESS)
                 goto fail;
 
-        pam_code = sym_pam_setcred(handle, PAM_ESTABLISH_CRED | flags);
+        pam_code = sym_pam_setcred(pamh, PAM_ESTABLISH_CRED | flags);
         if (pam_code != PAM_SUCCESS)
-                pam_syslog_pam_error(handle, LOG_DEBUG, pam_code, "pam_setcred(PAM_ESTABLISH_CRED) failed, ignoring: @PAMERR@");
+                pam_syslog_pam_error(pamh, LOG_DEBUG, pam_code, "pam_setcred(PAM_ESTABLISH_CRED) failed, ignoring: @PAMERR@");
 
-        pam_code = sym_pam_open_session(handle, flags);
+        pam_code = sym_pam_open_session(pamh, flags);
         if (pam_code != PAM_SUCCESS)
                 goto fail;
 
         close_session = true;
 
-        e = sym_pam_getenvlist(handle);
+        e = sym_pam_getenvlist(pamh);
         if (!e) {
                 pam_code = PAM_BUF_ERR;
                 goto fail;
@@ -1479,7 +1479,7 @@ static int setup_pam(
 
                 /* If our parent died we'll end the session */
                 if (getppid() != parent_pid) {
-                        pam_code = pam_close_session_and_delete_credentials(handle, flags);
+                        pam_code = pam_close_session_and_delete_credentials(pamh, flags);
                         if (pam_code != PAM_SUCCESS)
                                 goto child_finish;
                 }
@@ -1489,15 +1489,15 @@ static int setup_pam(
         child_finish:
                 /* NB: pam_end() when called in child processes should set PAM_DATA_SILENT to let the module
                  * know about this. See pam_end(3) */
-                (void) sym_pam_end(handle, pam_code | flags | PAM_DATA_SILENT);
+                (void) sym_pam_end(pamh, pam_code | flags | PAM_DATA_SILENT);
                 _exit(ret);
         }
 
         barrier_set_role(&barrier, BARRIER_PARENT);
 
         /* If the child was forked off successfully it will do all the cleanups, so forget about the handle
          * here. */
-        handle = NULL;
+        pamh = NULL;
 
         /* Unblock SIGTERM again in the parent */
         assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0);
@@ -1515,16 +1515,16 @@ static int setup_pam(
 
 fail:
         if (pam_code != PAM_SUCCESS) {
-                pam_syslog_pam_error(handle, LOG_ERR, pam_code, "PAM failed: @PAMERR@");
+                pam_syslog_pam_error(pamh, LOG_ERR, pam_code, "PAM failed: @PAMERR@");
                 r = -EPERM;  /* PAM errors do not map to errno */
         } else
                 log_error_errno(r, "PAM failed: %m");
 
-        if (handle) {
+        if (pamh) {
                 if (close_session)
-                        pam_code = pam_close_session_and_delete_credentials(handle, flags);
+                        pam_code = pam_close_session_and_delete_credentials(pamh, flags);
 
-                (void) sym_pam_end(handle, pam_code | flags);
+                (void) sym_pam_end(pamh, pam_code | flags);
         }
 
         closelog();
@@ -1673,7 +1673,7 @@ static int apply_syscall_filter(const ExecContext *c, const ExecParameters *p) {
         if (skip_seccomp_unavailable("SystemCallFilter="))
                 return 0;
 
-        negative_action = c->syscall_errno == SECCOMP_ERROR_NUMBER_KILL ? scmp_act_kill_process() : SCMP_ACT_ERRNO(c->syscall_errno);
+        negative_action = c->syscall_errno == SECCOMP_ERROR_NUMBER_KILL ? SCMP_ACT_KILL_PROCESS : SCMP_ACT_ERRNO(c->syscall_errno);
 
         if (c->syscall_allow_list) {
                 default_action = negative_action;
@@ -1694,17 +1694,14 @@ static int apply_syscall_filter(const ExecContext *c, const ExecParameters *p) {
 }
 
 static int apply_syscall_log(const ExecContext *c, const ExecParameters *p) {
-#ifdef SCMP_ACT_LOG
         uint32_t default_action, action;
-#endif
 
         assert(c);
         assert(p);
 
         if (!context_has_syscall_logs(c))
                 return 0;
 
-#ifdef SCMP_ACT_LOG
         if (skip_seccomp_unavailable("SystemCallLog="))
                 return 0;
 
@@ -1719,11 +1716,6 @@ static int apply_syscall_log(const ExecContext *c, const ExecParameters *p) {
         }
 
         return seccomp_load_syscall_filter_set_raw(default_action, c->syscall_log, action, false);
-#else
-        /* old libseccomp */
-        log_debug( "SECCOMP feature SCMP_ACT_LOG not available, skipping SystemCallLog=");
-        return 0;
-#endif
 }
 
 static int apply_syscall_archs(const ExecContext *c, const ExecParameters *p) {

diff --git a/src/firstboot/meson.build b/src/firstboot/meson.build
@@ -6,6 +6,5 @@ executables += [
                 'public' : true,
                 'conditions' : ['ENABLE_FIRSTBOOT'],
                 'sources' : files('firstboot.c'),
-                'dependencies' : libcrypt,
         },
 ]
diff --git a/src/home/meson.build b/src/home/meson.build
@@ -64,7 +64,6 @@ executables += [
                 'sources' : systemd_homed_sources,
                 'extract' : systemd_homed_extract_sources,
                 'dependencies' : [
-                        libcrypt,
                         libm,
                         libopenssl,
                         threads,
@@ -80,7 +79,6 @@ executables += [
                 ],
                 'dependencies' : [
                         libblkid_cflags,
-                        libcrypt,
                         libfdisk,
                         libopenssl,
                         libp11kit_cflags,
@@ -93,7 +91,6 @@ executables += [
                 'sources' : homectl_sources,
                 'objects' : ['systemd-homed'],
                 'dependencies' : [
-                        libcrypt,
                         libdl,
                         libopenssl,
                         libp11kit_cflags,
@@ -112,7 +109,6 @@ modules += [
                 'conditions' : ['HAVE_PAM'],
                 'sources' : pam_systemd_home_sources,
                 'dependencies' : [
-                        libcrypt,
                         libintl,
                         libpam_misc,
                         libpam,