Expose a new `withKmod` option to be able to enable and disable kmod
integration, including the `systemd-modules-load` tool for automatic
module loading during the system boot sequence.
Expose a new `withPam` option to allow enabling and disabling
integration with the PAM stack, including the `systemd-user-sessions` daemon
and the associated `.service` file, as well as the `pam_systemd.so` PAM
module for integration with `systemd-logind` and user session
registration with the systemd cgroup hierarchy.
Expose a new `withAudit` flag (defaults to `true` for backwards compatibility) to be able to conditionally enable and disable an integration with the `libaudit` library, which is used to integrate with the Linux Audit Framework for logging various security-relevant events.
Expose a new `withAcl` flag (defaults to `true` for backwards compatibility) to be able to conditionally enable and disable an integration with the `libacl` library, which is used by a variety of systemd tools and daemons, e.g. `journald` will check ACLs in addition to regular permissions when accessing journal files and `systemd-nspawn` will update ACL entries when used with the `--private-users-chown` flag.
Expose a new `withLibidn2` flag (defaults to `true` for backwards compatibility) to be able to conditionally enable and disable integration with `libidn2`, which is used by `systemd-network` and `systemd-resolved` to support internationalized domain names.
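An added example (not nixpkgs or systemd code) of checking that a build made with these override flags really dropped the integrations. systemd prints its compile-time feature list as `+NAME`/`-NAME` tokens in `systemctl --version`, so the check parses that banner. The `nix-build -E` invocation in the comment and the constructed banner are assumptions, not taken from the commit.

```sh
#!/bin/sh
# Added example: verify which optional integrations a systemd build carries
# by parsing the +NAME / -NAME feature tokens in `systemctl --version`.
#
# Assumed way to build a trimmed-down systemd with the new override flags,
# from a nixpkgs checkout:
#   nix-build -E 'with import ./. {}; systemd.override {
#     withAudit = false; withAcl = false; withLibidn2 = false; }'
#   ./result/bin/systemctl --version > banner.txt
#   check_disabled "$(cat banner.txt)" AUDIT ACL IDN2

# Constructed sample banner standing in for real `systemctl --version` output.
SAMPLE_VERSION='systemd 253 (253.1)
+PAM -AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL -ACL +BLKID +CURL +ELFUTILS +FIDO2 -IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified'

# feature_state BANNER NAME -> prints "on", "off" or "unknown"
# (unknown means the feature name never appears, e.g. a typo or a
# feature this systemd version does not know about).
feature_state() {
    banner=$1
    name=$2
    state=unknown
    # Default IFS splits on spaces and newlines, so the whole banner is scanned.
    for tok in $banner; do
        case $tok in
            "+$name") state=on ;;
            "-$name") state=off ;;
        esac
    done
    printf '%s\n' "$state"
}

# check_disabled BANNER NAME... -> returns 0 only if every NAME is compiled
# out ("off"); reports each feature that is on or unrecognised on stderr.
check_disabled() {
    banner=$1
    shift
    rc=0
    for name in "$@"; do
        st=$(feature_state "$banner" "$name")
        if [ "$st" != off ]; then
            printf 'feature %s is %s, expected off\n' "$name" "$st" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed banner: AUDIT, ACL and IDN2 are off
# in the sample, so this exits 0; KMOD and PAM remain on.
check_disabled "$SAMPLE_VERSION" AUDIT ACL IDN2
```

The feature tokens map onto the flags as `withKmod`/`KMOD`, `withPam`/`PAM`, `withAudit`/`AUDIT`, `withAcl`/`ACL` and `withLibidn2`/`IDN2`; treating an absent token as a failure rather than as "off" keeps a misspelled feature name from silently passing the check.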
Changelog:
```
6c327d74aa hwdb: update to 11875a98e4f1c31e247d99e00c7774ea3653bafd
0b81fcd16d chase-symlinks: Always open a dirfd to the root directory
aa20a210a0 chase-symlinks: chase_symlinks_at() AT_FDCWD fixes
bb3e44323b escape: add missing non-NULL parameter assertions
c4e7cf2bd7 test-escape: Add tests for escaping bogus UTF-8 sequences
e906fd2421 escape: Ensure that output is always valid UTF-8
1a22006574 virt: correctly detect QEMU emulated pSeries guests
5ee19fdfa0 psi-util: fix error handling
9ffa0d439f journald: remove triplicate logging about failure to write log lines
4f7f93cc6a journald: downgrade various log messages from LOG_WARNING to LOG_INFO
a2dc51cd8c journald: make sure shall_try_append_again() logs about all return codes passed in, not just some
144ac494ec systemctl: print better message if default target is masked
791754f683 Revert "dissect-image: don't probe swap partitions needlessly"
d0e7841dce rules: remove redundant duplicate comparisons
dc98d58dd8 man: add two missing commands to synopsys
e093acd062 core/dbus-socket: check the socket path is absolute
a719c2ec2f sd-event: fix error handling
58c821af60 sd-event: always initialize sd_event.perturb
2bfb07b22f systemctl: show "Until:" field only for service and scope units
d9abd8babe tmpfiles.d: drop misleading comment
0f4dbe6367 Enable TPM by default with SetCredentialEncrypted
8d8240bdf6 stub: Fix unaligned read
44c2ff5b1e efi: drop executable-stack bit from .elf file
f2460b78b9 logind-session: make stopping of idle session visible to admins
1947b9939c sleep: check if we're on AC power before checking battery capacity
452cad62c8 install: fail early if specifier expansion failed
eae11e3f06 homectl: add missing break
9024afb994 core/manager: falling back to execute generators without sandboxing
aac692160e man/tmpfiles.d: adjust the table in synopsis, improve spelling
d2739b8c14 test: disable pipefail when testing interactive firstboot
755431b233 ukify: Set fast_load option when parsing PE files
343e90462f core: permit sending augmented enable/disable methods
ba1cb4156b process-util: show requested process name in the log
5140da8937 systemctl: edit: fix double free of instanced name
c4cdbb978f journalctl: fix output when --lines is used with --grep
6dafcad55c loop-util: fix error condition and return value
ec6c1fbf7d Correct journal misspell
6b6df9a845 cryptsetup: check the existence of salt by salt_size > 0
cd5de2811a boot: Fix assertion failure
01b90e1588 pid1: generate compat warning for SystemCallArchitectures= if seccomp is off
a3177cbe54 core/mount: fix default target for /sysusr/usr and its child
3168bda640 mkosi: configure multiarch libdir in debian/ubuntu builds
51b7acfcef tpm2: fix build failure without openssl
a88e35bf95 resolved: Fall back to TCP if UDP is blocked
```
systemd v253 changelog/NEWS:
https://github.com/systemd/systemd/blob/v253/NEWS
NixOS changes:
0007-hostnamed-localed-timedated-disable-methods-that-cha.patch was
dropped, because systemd gained support to handle read-only /etc.
*-add-rootprefix-to-lookup-dir-paths.patch required some updates too,
as src/basic/def.h moved to src/basic/constants.h.
systemd/systemd#25771 switched p11kit to become
dlopen()'ed, so we need to patch that path.
added a note to the 23.05 release notes to recommend `nixos-rebuild boot`
Co-authored-by: Florian Klink <flokli@flokli.de>
With structuredAttrs, lists will be bash arrays, which cannot be exported,
which will be an issue with some patches and some wrappers like cc-wrapper.
This makes it clearer that NIX_CFLAGS_COMPILE must be a string, as lists
in env cause an eval failure.
libBPF does not compile for mips64 targets using clang (rather than
gcc) because clang lacks the necessary _MIPS_SZPTR compiler builtin.
Let's allow the rest of systemd to compile.
- The glibc people noticed this problem [way back in
2011](https://sourceware.org/pipermail/libc-ports/2011-June/001959.html)
and consider it to be a clang/llvm bug. I am inclined to agree.
- [clang has the `_MIPS_SZPTR`
builtin](3af9cb5375/clang/lib/Basic/Targets/Mips.cpp (L185))
and seems to have had it since before they switched to git.
This may in fact be a nixpkgs bug -- that we're not invoking clang
in a way that tells the frontend to make the mips builtins
available, even if the backend is emitting mips binaries. Or at
least we aren't tricking systemd's build machinery into doing that.
GHC's js backend depends on systemd via emscripten via closure compiler
via jdk via cups. Before it fails to evaluate, though, since
llvmPackages looks into `targetPackages.stdenv.cc` to determine which
C++ library to use (something that should be rectified in the future).
[Unfortunately], for `pkgsCross.ghcjs`, `stdenv.cc` throws which blows
up evaluating `pkgsCross.buildPackages.llvmPackages.clang`.
This is in principle unnecessary. We want to build
`pkgsCross.ghcjs.buildPackages.haskell.compiler.native-bignum.ghcHEAD`
which depends on `pkgsCross.ghcjs.buildPackages.systemd` which needs
clang and friends only in `nativeBuildInputs`, so
`pkgsCross.ghcjs.buildPackages.buildPackages.llvmPackages.clang`.
Unfortunately, due to the nature of splicing, we first evaluate the
“adjacent” derivation before we can access the spliced derivation we are
actually interested in. If the former
fails (`pkgsCross.ghcjs.buildPackages.llvmPackages.clang`), we can't do
the latter.
The solution is to just not rely on splicing in this case and take
`buildPackages.llvmPackages.clang` directly (relative to
`buildPackages.systemd` in this case!) which avoids the whole problem.
[Unfortunately]: c739c420db (diff-3209527bd27cbc775f579b1e295b0264c850859c7245d526965cec456b8c70a4R61)
Fixes sd-boot on (some?) Intel Macbooks, as reported in
https://github.com/NixOS/nixpkgs/pull/201558#issuecomment-1348823127.
Full log:
```
13de548fca network: manage addresses in the way the kernel does
fcc174cbdd import: wire up SYSTEMD_IMPORT_BTRFS_{SUBVOL,QUOTA} to importd
6cb0724a06 machine-pool: simplify return values from setup_machine_directory()
1c9e7fc8f2 boot: Only do full driver initialization in VMs
79b97ec652 boot: improve support for qemu (helpers only)
87add68b39 boot: Make sure all partitions drivers are connected
989f0c52e1 boot: Use EFI_BOOT_MANAGER_POLICY_PROTOCOL to connect console devices
b89be71bf4 network: unset Link.ndisc_configured only when a new address or route is requested
fc4f804b07 network: fix indentation
fc60072926 dissect: rework DISSECT_IMAGE_ADD_PARTITION_DEVICES + DISSECT_IMAGE_OPEN_PARTITION_DEVICES
1267b35273 fuzz: shorten filename of testcase
7fc478f751 resolve: optimize conversion of TXT fields to json
772e89452e hexdecoct: fix NULL pointer dereferences in hexmem()
002fc46688 hexdecoct: add missing NULL check
be1088b7a0 test: add tests for base64_append()
acb0414a1f hexdecoct: several cleanups for base64_append()
9410eb20eb cryptsetup: retry TPM2 unseal operation if it fails with TPM2_RC_PCR_CHANGED
1c8abb343a man: mention that DefaultRouteOnDevice= create the IPv4 default route
6c869ad3bd selinux: accept the fact that getxyzcon() can return success and NULL
0fdeb7c640 oomd: print dry run output at INFO level
4119d25e62 journald: prevent segfault on empty attr/current
6fdf196f99 core: use correct scope of looking up units
6d7b0dacc6 test-network: add test for bond mac address config
6405eba4b6 network: Fix set bond device MAC address failed
dbc59253ec test-fs-util: Add relative path chase_symlinks() tests
6e99f9c8fb chase-symlink: when converting directory O_PATH fd to real fd, don't bother with /proc/
bc6fc812fd test: add basic tests for octescape()
2ea5de7881 escape: fix wrong octescape of bad character
8999727a82 network: drop REMOVING flag when a netlink message is sent to kernel
a064abff76 dissect: show color in log output
278a97708b log: Switch logging to runtime when FS becomes read-only
44984e15bb resolve: format zero-length RDATA according to rfc3597
d59009dc1d manager: do not append '\n' when writing sysctl settings
2a66b4c894 test: check if we can use SHA1 MD for signing before using it
d0b80bf81e dissect-image: log expected UUID for /var
b0b97848e8 bootspec: fix null-dereference-read
0ba8e9ecff virt: Support detection of LMHS SRE guests
787b2c32f3 terminal-util: Set OPOST when setting ONLCR
c7bf13b2d9 units: change Requires=systemd-networkd.service → BindsTo= one more time
e3d9376692 core/device: verify device syspath on switching root
9523f85b2e core/device: also serialize/deserialize device syspath
10b3ce781b core/device: update comment
2505010178 sd-netlink: fix segfault
4b885f3591 test: Add tests for systemd-cgtop args parsing
b97c1c427c cgtop: Do not rewrite -P or -k options
6cbf72a8d9 logind: Properly unescape names of lingering users
01a39e96b5 units: Use BindsTo=systemd-networkd in systemd-networkd-wait-online.service
b0c39ffc54 resolved: remove inappropriate assert()
e0521346ec stub: Detect empty LoadOptions when run from EFI shell
7ca40a8b08 stub: Fix cmdline handling
b39f2ab98f boot: Use xstr8_to_16 for path conversion
6387a74d2c boot: Use xstr8_to_16
ff7469af96 boot: Add xstrn8_to_16
475c130003 core: update audit messages
c74bc2cd49 dissect: fix fsck
ce55eb4ebd process-util: add new FORK_CLOEXEC_OFF flag for disabling O_CLOEXEC on remaining fds
36c3c4172d fd-util: add new fd_cloexec_many() helper
57b4329b38 fd-util: make fd_in_set() (and thus close_all_fds()) handle invalidated fds in the array
12c41564cd tmpfiles: log at info level when some allowed failures occur
77f524dda0 find-esp: include device sysname in the log message
8d23210a2e find-esp: downgrade and ignore error on retrieving PART_ENTRY_SCHEME when searching
eea92b179d sd-bus: Use goto finish instead of return in bus_add_match_full
0916514b8c strv: Make sure strv_make_nulstr() always returns a valid nulstr
2ddd7b5def bootctl: rework how we handle referenced but absent EFI boot entries
2daecc7179 bootctl: downgrade log message when firmware reports non-existent or invalid boot entry
9a7186e92a bootctl: make boot entry id logged in hex
62f58d94f8 dissect-image: do not try to close invalid fd
c1dd021d16 boot: Silence driver reconnect errors
a09a41c2f7 meson: install test-kernel-install only when -Dkernel-install=true
9b6f12262f udev: make sure auto-root logic also works in UKIs booted from XBOOTLDR
d5e3625a61 repart: respect --discard=no also for block devices
79f161ac65 portable: add a few more useful debug log messages
bcd42b3c88 oomd: fix unreachable test case in test-oomd-util
2bdf5b0382 oomd: always allow root-owned cgroups to set ManagedOOMPreference
da01d83ab4 network: wifi: try to reconfigure when connected
595dd9b2b9 resolved: Fix OpenSSL error messages
2ecb8fc841 basic/strv: check printf arguments to strv_extendf()
81e2c87a47 manager: fix format strings for trigger metadata
d337ac02d6 resolved: when configuring 127.0.0.1 as per-interface DNS server, contact it via "lo" always
813d52dbf8 resolved: use right conditionalization when setting unicast ifindex on UDP sockets
2b52748d45 nspawn: allow sched_rr_get_interval_time64 through seccomp filter
5c34bc9bc3 boot/measure: fix oom check
f68be4fd79 fuzz: fuzz-compress: fix copy-and-paste error: buf -> buf2 (#25431)
132f0ec7de Handle MACHINE_ID=uninitialized
25fcbdae7e shared/tpm2-util: Fix "Error: Esys invalid ESAPI handle (40000001)" warning
6189505d79 boot: Correctly handle @saved default patterns
148b2d8ad3 Revert "journal: Make sd_journal_previous/next() return 0 at HEAD/TAIL"
d34ea410f4 Fix reading /etc/machine-id in kernel-install (#25388)
7b99f68f1c systemctl: do not show unit properties with --all
f791ecd0c5 ac-power: check battery existence and status
c2620a6bdb pid1: skip cleanup if root is not tmpfs/ramfs
83a772aae2 Revert "initrd: extend SYSTEMD_IN_INITRD to accept non-ramfs rootfs"
4d11c9b3cd networkd-ipv4acd.c: Use net/if.h for getting IFF_LOOPBACK definition
aff1caf3fd boot: Replace firmware security hooks directly
f9d9a68ecc boot: Rework security arch override
c6d7b4014c boot: Manually convert filepaths if needed
c8c5b79fb6 boot: Do not require a loaded image path
5894d4bd79 boot: Fix memory leak
5c0b918c02 boot: Fix error message
542dbc623e tpm2: add some extra validation of device string before using it
b3228085ba tpm2-util: force default TCTI to be "device" with parameter "/dev/tpmrm0"
31c2abd305 Create CNAME
2ec3187d6c test: compile test-utmp.c only if UTMP is enabled
```

```
git log --oneline v251.7..v251.8
ae8b249af4 test: fstab-generator: adjust PATH for fsck
03514a9f64 man: add note that network-generator is not a generator
8c8a423821 condition: Check that subsystem is enabled in ConditionSecurity=tpm2
9243b88b55 test: wait for loop device to be removed
f5c2be99bc test: wait for the lodev to get properly initialized
8cfe979030 test: disable LSan in the ASan env wrapper
db00a62be8 test: introduce a simple environment file for test service
fd082f335e test: lower the # of mpath devices to 16
d17a45340b test: make TEST-64 a bit more ASan friendly
a51cc9e578 test: don't wrap binaries built with ASan
e176dca593 test: drop all LD_PRELOAD-related ASan workarounds
9fba4cdf61 test: set $ASAN_RT_PATH along with $LD_PRELOAD to the ASan runtime DSO
4fbf69fd1b semaphore: remove the Semaphore repositories recursively
6258394c1e test: wrap `ls` and `stat` to make it work w/ sanitizers in specific cases
db14b371df test: create an ASan wrapper for `getent` and `su`
1027d3d633 test: always wrap useradd/userdel when running w/ ASan
65ab7b0950 Revert "Support -D_FORTIFY_SOURCE=3 by using __builtin_dynamic_object_size."
f994276068 test: make TEST-63 more reliable on slower machines
68b4f10f82 test: use PBKDF2 with capped iterations instead of Argon2
1f32ec761c hashmap: use assert_se() to make clang happy
94a25aa6d5 coredump: drop an unused variable
5f09fa4d5e network: drop an unused variable
a29ddb989b machine: drop an unused variable
9a71cd3bf6 sd-journal: drop an unused variable
ae0537f18f ci: reenable validation of GH Actions files
6e92f64ca4 ci: temporarily disable validation of GH Action files
6cd1b11d02 cryptsetup: fix build with -Db_ndebug=true
0ab5e9fe98 test: wrap binaries using systemd DSOs when running w/ ASan
6d4ae5a7cd test: make the virt detection quiet
024ee3def9 test: check for other hypervisors as well
520be40734 test-mountpoint-util: support running on a mount namespace with another mount on /proc
2cd4aed358 test-mountpoint-util: use log_info()
c7b66dbe2a test-mountpoint-util: fix NULL arg to %s
4e49c726ad test: drop redundant log message
b57ef0c672 build(deps): bump meson from 0.63.2 to 0.63.3 in /.github/workflows
8c80564405 build(deps): bump ninja from 1.10.2.3 to 1.10.2.4 in /.github/workflows
70e90da84b build(deps): bump meson from 0.63.1 to 0.63.2 in /.github/workflows
489c00dee5 build(deps): bump meson from 0.63.0 to 0.63.1 in /.github/workflows
08e85ad43d build(deps): bump meson from 0.62.2 to 0.63.0 in /.github/workflows
b0619c9c55 build(deps): bump meson from 0.62.0 to 0.62.2 in /.github/workflows
d982169592 build(deps): bump systemd/mkosi
9d4af5fea1 mkosi: libbpf0 -> libbpf1
3abf9f08f1 mkosi: Switch to Fedora 37
18f9fbab08 mkosi: update to latest commit
5403b727a7 mkosi: Use SourceFileTransfer=mount
9744c04ffd mkosi: Drop kernel-modules-extra from Fedora config
ab2f7a9b9e mkosi: install fdisk for test-loop-block
17acdca99d mkosi: Set ExtraSearchPaths=build/ by default
420e782904 mkosi: update to latest commit
43ef15c752 mkosi: add back packages removed from OpenSUSE build
9a94aa1d88 mkosi: disable isc-dhcp-server again
d1785c462f mkosi: Ensure we build all features/components in mkosi
6712396da3 meson: Downgrade efi-ld warning
66309ee674 ci: Add mold to build tests
86c25ca937 ci: build with clang-15; drop clang-12
28457b030e mkosi: Drop workarounds
abecb21561 mkosi: Update to latest commit
d9eaf39930 mkosi: Update to latest commit
619b36b22c mkosi: Don't use InstallDirectory by default
cdf3fd312a mkosi: Use mkosi.output/ as output directory by default
b8a746e89b mkosi: Add package libfdisk to Ubuntu dependencies (#24211)
0e518f3639 ci: set a timeout for each mkosi stage
5e79cf977c mkosi: Update to latest
edef8edf0b mkosi: Update to latest commit
a0402d3ab6 mkosi: Update to latest commit
081168fa19 mkosi: Build against Fedora rawhide as well
a38a0504ec mkosi: Remove usage of deprecated option names/sections
47404f1802 mkosi: Changes to allow booting with sanitizers in mkosi
db1281e12e mkosi: Update Ubuntu config to 22.04
ca8dc691fe mkosi: Install xxd in images
f12a6945c6 ci: limit which env variables we pass through `sudo`
7e24ac6d77 mkosi: update to latest main
a46ba01e79 mkosi: Update to latest release
7ef1d71895 mkosi: Pull in fix that solves action mirror issue
d3d90ae66b mkosi: Update CI to mkosi 13
9bf797be2c ci: build systemd with clang with -Dmode=release --optimization=2
9e88b3a5e1 ci: bump gcc in the "build test" workflow
dcbc64db61 ci: prefer the distro llvm version if available
ccd81889d4 ci: bump GH Actions to Ubuntu Jammy where applicable
b8fbf21526 kernel-install/90-loaderentry: do not add multiple systemd.machine_id options
fe5e692bfc tests: minor simplification in test-execute
a94fe70bbe tests: make test-execute pass on openSUSE
4a65c1674b firstboot: fix segfault when --locale-messages= is passed without --locale=
c3b22515b9 test: introduce sanity coverage for auxiliary utils
c61e4377d7 udev: add safe guard for setting by-id symlink
2f4fdaaecc udev: drop redundant call of usb_id and assignment of ID_USB_INTERFACE_NUM
491924940f udev: first set properties based on usb subsystem
293c006789 test: further extend systemctl's sanity coverage
f48e6576a2 test: add a couple of sanity tests for systemctl
3d5e379808 test: rename TEST-26-SETENV to TEST-26-SYSTEMCTL
a34afc4197 namespace: Add hidepid/subset support check
2ac138a5b6 coverage: Mark _coverage__exit as noreturn
9952c228a9 parse_hwdb: allow negative value for EVDEV_ABS_ properties
7b6fa1d3e6 test: add a couple of sanity tests for journalctl
cf21555d6d sd-device-monitor: dynamically allocate receive buffer
ee42e84968 man: use the correct 'Markers' property name for marking units
45090f3418 core: fix memleak in GetUnitFileLinks method
7eefd2fbb7 network: forcibly reconfigure all interfaces after sleep
66fa6110ba resolved: fix typo in feature level table
2f8f1d9e4a network: skip to reassign master ifindex if already set
d94f197818 resolved: fix copypasta in resolved varlink API
b61fcaca1b udev: always create device symlinks for USB disks
6fc2f387af man: Add documentation for AssertCredential= (#25178)
c339e8d71b man: document reboot --poweroff exception
91b8491e97 network: allow 0 for table number
3f94f03389 network: Table= also accepts table name
bdd84e82e5 analyze: add --image= + --root= to --help text
23d66a03de meson: Fix build with --optimization=plain
98a45608c4 manager: allow transient units to have drop-ins
228cd82d2c manager: reformat boolean expression in unit_is_pristine()
```