Imported Upstream version 225

.gitignore

@@ -137,6 +137,8 @@
 /tags
 /test-architecture
 /test-audit-type
+/test-af-list
+/test-arphrd-list
 /test-async
 /test-barrier
 /test-bitmap
@@ -192,6 +194,7 @@
 /test-firewall-util
 /test-hashmap
 /test-hostname
+/test-hostname-util
 /test-icmp6-rs
 /test-id128
 /test-inhibit

CODING_STYLE

@@ -314,3 +314,10 @@
   are always defined after more global ones. Thus, our local
   definitions will never "leak" into the global header files, possibly
   altering their effect due to #ifdeffery.
+
+- To implement an endless loop, use "for (;;)" rather than "while
+  (1)". The latter is a bit ugly anyway, since you probably really
+  meant "while (true)"... To avoid the discussion what the right
+  always-true expression for an infinite while() loop is our
+  recommendation is to simply write it without any such expression by
+  using "for (;;)".

Makefile-man.am

@@ -1774,13 +1774,19 @@ endif
 
 if ENABLE_RESOLVED
 MANPAGES += \
+	man/nss-resolve.8 \
 	man/resolved.conf.5 \
 	man/systemd-resolved.service.8
 MANPAGES_ALIAS += \
+	man/libnss_resolve.so.2.8 \
 	man/resolved.conf.d.5 \
 	man/systemd-resolved.8
+man/libnss_resolve.so.2.8: man/nss-resolve.8
 man/resolved.conf.d.5: man/resolved.conf.5
 man/systemd-resolved.8: man/systemd-resolved.service.8
+man/libnss_resolve.so.2.html: man/nss-resolve.html
+	$(html-alias)
+
 man/resolved.conf.d.html: man/resolved.conf.html
 	$(html-alias)
 
@@ -2217,6 +2223,7 @@ EXTRA_DIST += \
 	man/networkctl.xml \
 	man/nss-myhostname.xml \
 	man/nss-mymachines.xml \
+	man/nss-resolve.xml \
 	man/os-release.xml \
 	man/pam_systemd.xml \
 	man/resolved.conf.xml \

Makefile.am

@@ -43,7 +43,7 @@ LIBUDEV_REVISION=4
 LIBUDEV_AGE=6
 
 LIBSYSTEMD_CURRENT=10
-LIBSYSTEMD_REVISION=1
+LIBSYSTEMD_REVISION=2
 LIBSYSTEMD_AGE=10
 
 # The following four libraries only exist for compatibility reasons,
@@ -414,6 +414,7 @@ systemgenerator_PROGRAMS = \
 	systemd-system-update-generator \
 	systemd-debug-generator
 
+if ENABLE_BASH_COMPLETION
 dist_bashcompletion_DATA = \
 	shell-completion/bash/busctl \
 	shell-completion/bash/journalctl \
@@ -430,7 +431,9 @@ dist_bashcompletion_DATA = \
 
 nodist_bashcompletion_DATA = \
 	shell-completion/bash/systemctl
+endif
 
+if ENABLE_ZSH_COMPLETION
 dist_zshcompletion_DATA = \
 	shell-completion/zsh/_busctl \
 	shell-completion/zsh/_journalctl \
@@ -447,6 +450,7 @@ dist_zshcompletion_DATA = \
 
 nodist_zshcompletion_DATA = \
 	shell-completion/zsh/_systemctl
+endif
 
 EXTRA_DIST += \
 	shell-completion/bash/systemctl.in \
@@ -1392,6 +1396,7 @@ tests += \
 	test-utf8 \
 	test-ellipsize \
 	test-util \
+	test-hostname-util \
 	test-process-util \
 	test-terminal-util \
 	test-path-lookup \
@@ -1437,6 +1442,8 @@ tests += \
 	test-cap-list \
 	test-sigbus \
 	test-verbs \
+	test-af-list \
+	test-arphrd-list \
 	test-dns-domain
 
 EXTRA_DIST += \
@@ -1670,6 +1677,12 @@ test_util_SOURCES = \
 test_util_LDADD = \
 	libshared.la
 
+test_hostname_util_SOURCES = \
+	src/test/test-hostname-util.c
+
+test_hostname_util_LDADD = \
+	libshared.la
+
 test_process_util_SOURCES = \
 	src/test/test-process-util.c
 
@@ -2047,6 +2060,18 @@ test_bus_policy_LDADD = \
 	libbus-proxy-core.la \
 	libshared.la
 
+test_af_list_SOURCES = \
+	src/test/test-af-list.c
+
+test_af_list_LDADD = \
+	libbasic.la
+
+test_arphrd_list_SOURCES = \
+	src/test/test-arphrd-list.c
+
+test_arphrd_list_LDADD = \
+	libbasic.la
+
 # ------------------------------------------------------------------------------
 ## .PHONY so it always rebuilds it
 .PHONY: coverage lcov-run lcov-report coverage-sync
@@ -2214,8 +2239,10 @@ SYSINIT_TARGET_WANTS += \
 	systemd-tmpfiles-setup-dev.service \
 	systemd-tmpfiles-setup.service
 
+if ENABLE_ZSH_COMPLETION
 dist_zshcompletion_DATA += \
 	shell-completion/zsh/_systemd-tmpfiles
+endif
 
 TIMERS_TARGET_WANTS += \
 	systemd-tmpfiles-clean.timer
@@ -2446,12 +2473,16 @@ bootctl_LDADD = \
 bin_PROGRAMS += \
 	bootctl
 
+if ENABLE_BASH_COMPLETION
 dist_bashcompletion_DATA += \
 	shell-completion/bash/bootctl
+endif
 
+if ENABLE_ZSH_COMPLETION
 dist_zshcompletion_DATA += \
 	shell-completion/zsh/_bootctl
 endif
+endif
 
 # ------------------------------------------------------------------------------
 if HAVE_GNUEFI
@@ -4233,11 +4264,15 @@ test_coredump_vacuum_SOURCES = \
 test_coredump_vacuum_LDADD = \
 	libshared.la
 
+if ENABLE_BASH_COMPLETION
 dist_bashcompletion_DATA += \
 	shell-completion/bash/coredumpctl
+endif
 
+if ENABLE_ZSH_COMPLETION
 dist_zshcompletion_DATA += \
 	shell-completion/zsh/_coredumpctl
+endif
 
 nodist_sysctl_DATA = \
 	sysctl.d/50-coredump.conf
@@ -4485,12 +4520,15 @@ hostnamectl_LDADD = \
 bin_PROGRAMS += \
 	hostnamectl
 
+if ENABLE_BASH_COMPLETION
 dist_bashcompletion_DATA += \
 	shell-completion/bash/hostnamectl
+endif
 
+if ENABLE_ZSH_COMPLETION
 dist_zshcompletion_DATA += \
 	shell-completion/zsh/_hostnamectl
-
+endif
 endif
 
 polkitpolicy_in_files += \
@@ -4556,12 +4594,15 @@ localectl_LDADD = \
 bin_PROGRAMS += \
 	localectl
 
+if ENABLE_BASH_COMPLETION
 dist_bashcompletion_DATA += \
 	shell-completion/bash/localectl
+endif
 
+if ENABLE_ZSH_COMPLETION
 dist_zshcompletion_DATA += \
 	shell-completion/zsh/_localectl
-
+endif
 endif
 
 .PHONY: update-kbd-model-map
@@ -4613,12 +4654,16 @@ timedatectl_LDADD = \
 bin_PROGRAMS += \
 	timedatectl
 
+if ENABLE_BASH_COMPLETION
 dist_bashcompletion_DATA += \
 	shell-completion/bash/timedatectl
+endif
 
+if ENABLE_ZSH_COMPLETION
 dist_zshcompletion_DATA += \
 	shell-completion/zsh/_timedatectl
 endif
+endif
 
 polkitpolicy_in_files += \
 	src/timedate/org.freedesktop.timedate1.policy.in
@@ -4724,8 +4769,10 @@ machinectl_LDADD = \
 rootbin_PROGRAMS += \
 	machinectl
 
+if ENABLE_BASH_COMPLETION
 dist_bashcompletion_DATA += \
 	shell-completion/bash/machinectl
+endif
 
 test_machine_tables_SOURCES = \
 	src/machine/test-machine-tables.c
@@ -4754,9 +4801,11 @@ dist_dbuspolicy_DATA += \
 polkitpolicy_files += \
 	src/machine/org.freedesktop.machine1.policy
 
+if ENABLE_ZSH_COMPLETION
 dist_zshcompletion_DATA += \
 	shell-completion/zsh/_machinectl \
 	shell-completion/zsh/_sd_machines
+endif
 
 SYSTEM_UNIT_ALIASES += \
 	systemd-machined.service dbus-org.freedesktop.machine1.service
@@ -5316,12 +5365,16 @@ loginctl_LDADD = \
 rootbin_PROGRAMS += \
 	loginctl
 
+if ENABLE_BASH_COMPLETION
 dist_bashcompletion_DATA += \
 	shell-completion/bash/loginctl
+endif
 
+if ENABLE_ZSH_COMPLETION
 dist_zshcompletion_DATA += \
 	shell-completion/zsh/_loginctl \
 	shell-completion/zsh/_systemd-inhibit
+endif
 
 systemd_inhibit_SOURCES = \
 	src/login/inhibit.c
@@ -6003,10 +6056,11 @@ dist: dist-check-python dist-check-compat-libs
 .PHONY: hwdb-update
 hwdb-update:
 	( cd $(top_srcdir)/hwdb && \
-	wget -N http://www.linux-usb.org/usb.ids \
+	wget -O usb.ids 'http://www.linux-usb.org/usb.ids' && \
-		http://pci-ids.ucw.cz/v2.2/pci.ids \
+	wget -O pci.ids 'http://pci-ids.ucw.cz/v2.2/pci.ids' && \
-		http://standards.ieee.org/develop/regauth/oui/oui.txt \
+	wget -O ma-large.txt 'https://services13.ieee.org/RST/standards-ra-web/rest/assignments/download/?registry=MA-L&format=txt' && \
-		http://standards.ieee.org/develop/regauth/iab/iab.txt && \
+	wget -O ma-medium.txt 'https://services13.ieee.org/RST/standards-ra-web/rest/assignments/download/?registry=MA-M&format=txt' && \
+	wget -O ma-small.txt 'https://services13.ieee.org/RST/standards-ra-web/rest/assignments/download/?registry=MA-S&format=txt' && \
 	./ids-update.pl )
 
 .PHONY: built-sources

NEWS

@@ -1,5 +1,30 @@
 systemd System and Service Manager
 
+CHANGES WITH 225:
+
+        * machinectl gained a new verb 'shell' which opens a fresh shell on the
+          target machine. It is similar to 'login', but spawns the shell
+          directly. The pseudo machine '.host' now refers to the local host and
+          is used by default. Hence, 'machinectl shell' can be used as
+          replacement for 'su' which spawns the session as a fresh systemd
+          unit.
+
+        * systemd-networkd learned to cope with private-zone DHCP options and
+          allows other programs to query the values.
+
+        Contributions from: Alastair Hughes, Alex Crawford, Daniel Mack, David
+        Herrmann, Dimitri John Ledkov, Eric Kostrowski, Evgeny Vereshchagin,
+        Felipe Sateler, HATAYAMA Daisuke, Jan Pokorný, Jan Synacek, Johnny
+        Robeson, Karel Zak, Kay Sievers, Kefeng Wang, Lennart Poettering, Major
+        Hayden, Marcel Holtmann, Markus Elfring, Martin Mikkelsen, Martin Pitt,
+        Matt Turner, Maxim Mikityanskiy, Michael Biebl, Namhyung Kim, Nicolas
+        Cornu, Owen W. Taylor, Patrik Flykt, Peter Hutterer, reverendhomer,
+        Richard Maw, Ronny Chevalier, Seth Jennings, Stef Walter, Susant Sahani,
+        Thomas Blume, Thomas Hindoe Paaboel Andersen, Thomas Meyer, Tom
+        Gundersen, Vincent Batts, WaLyong Cho, Zbigniew Jędrzejewski-Szmek
+
+        -- Berlin, 2015-08-27
+
 CHANGES WITH 224:
 
         * The systemd-efi-boot-generator functionality was merged into
@@ -756,7 +781,7 @@ CHANGES WITH 218:
         * When querying unit file enablement status (for example via
           "systemctl is-enabled"), a new state "indirect" is now known
           which indicates that a unit might not be enabled itself, but
-          another unit listed in its Alias= setting might be.
+          another unit listed in its Also= setting might be.
 
         * Similar to the various existing ConditionXYZ= settings for
           units there are now matching AssertXYZ= settings. While

README

@@ -274,8 +274,3 @@ WARNINGS:
         servers if not specified otherwise at configure time. You
         really should not ship an OS or device with this default
         setting. See DISTRO_PORTING for details.
-
-ENGINEERING AND CONSULTING SERVICES:
-        ENDOCODE <https://endocode.com/> offers professional
-        engineering and consulting services for systemd. Please
-        contact Chris Kühl <chris@endocode.com> for more information.

TODO

@@ -6,7 +6,7 @@ Bugfixes:
   automount points even when the original .automount file did not exist
   anymore. Only the .mount unit was still around.
 
-* ExecStart with unicode characters fails in strv_split_quoted:
+* ExecStart with unicode characters fails in strv_split_extract:
 
           [Service]
           Environment=ONE='one' "TWO='two two' too" THREE=
@@ -26,6 +26,16 @@ External:
 
 Features:
 
+* PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn)
+
+* nspawn should send out sd_notify("WATCHDOG=1") messages
+
+* nspawn should optionally support receiving WATCHDOG=1 messages from its payload PID 1...
+
+* introduce "machinectl shell" that is like systemd-run -M foo /bin/bash -t but also adds PAMName=login
+
+* allow loging into host with "machinectl login".
+
 * consider throwing a warning if a service declares it wants to be "Before=" a .device unit.
 
 * "systemctl edit" should know a mode to create a new unit file
@@ -263,7 +273,7 @@ Features:
 
 * maybe add support for specifier expansion in user.conf, specifically DefaultEnvironment=
 
-* code cleanup: retire FOREACH_WORD_QUOTED, port to unquote_first_word() loops instead
+* code cleanup: retire FOREACH_WORD_QUOTED, port to extract_first_word() loops instead
 
 * introduce systemd-timesync-wait.service or so to sync on an NTP fix?
 
@@ -299,7 +309,7 @@ Features:
 
 * exponential backoff in timesyncd and resolved when we cannot reach a server
 
-* unquote_many_words() should probably be used by a lot of code that
+* extract_many_words() should probably be used by a lot of code that
   currently uses FOREACH_WORD and friends. For example, most conf
   parsing callbacks should use it.
 
@@ -344,7 +354,9 @@ Features:
         - avahi compat
   - DNS-SD service registration from socket units
   - edns0
-  - dname
+  - dname: Not necessary for plain DNS as synthesized cname is handed out instead if we do not
+           announce dname support. However, for DNSSEC it is necessary as the synthesized cname
+           will not be signed.
   - cname on PTR (?)
 
 * Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely
@@ -460,6 +472,8 @@ Features:
   ReadOnlyDirectories=... for whitelisting files for a service.
 
 * sd-bus:
+  - EBADSLT handling
+  - change argv list matching logic
   - GetAllProperties() on a non-existing object does not result in a failure currently
   - kdbus: process fd=-1 for incoming msgs
   - port to sd-resolve for connecting to TCP dbus servers
@@ -690,10 +704,6 @@ Features:
 
 * If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().
 
-* fedup: add --unit to systemctl switch-root somehow
-* fedup: do not delete initrd on switch-root
-* fedup: generator
-
 * clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed
 
 * on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel

configure.ac

@@ -20,7 +20,7 @@
 AC_PREREQ([2.64])
 
 AC_INIT([systemd],
-        [224],
+        [225],
         [http://github.com/systemd/systemd/issues],
         [systemd],
         [http://www.freedesktop.org/wiki/Software/systemd])
@@ -1016,7 +1016,9 @@ AC_ARG_WITH(ntp-servers,
                 [Space-separated list of default NTP servers]),
         [NTP_SERVERS="$withval"],
         [NTP_SERVERS="time1.google.com time2.google.com time3.google.com time4.google.com"
-        AC_MSG_WARN([*** Using Google NTP servers. Please do not ship OSes or devices with these default settings. See DISTRO_PORTING for details!])])
+        AC_MSG_WARN([*** Using Google NTP servers.
+                        Do not ship OSes or devices with these default settings.
+                        See DISTRO_PORTING for details!])])
 
 AC_DEFINE_UNQUOTED(NTP_SERVERS, ["$NTP_SERVERS"], [Default NTP Servers])
 AC_SUBST(NTP_SERVERS)
@@ -1340,11 +1342,13 @@ AC_ARG_WITH([bashcompletiondir],
         ] , [
                 with_bashcompletiondir=${datadir}/bash-completion/completions
         ])])
+AM_CONDITIONAL(ENABLE_BASH_COMPLETION, [test "$with_bashcompletiondir" != "no"])
 AX_NORMALIZE_PATH([with_bashcompletiondir])
 
 AC_ARG_WITH([zshcompletiondir],
         AS_HELP_STRING([--with-zshcompletiondir=DIR], [Zsh completions directory]),
         [], [with_zshcompletiondir=${datadir}/zsh/site-functions])
+AM_CONDITIONAL(ENABLE_ZSH_COMPLETION, [test "$with_zshcompletiondir" != "no"])
 AX_NORMALIZE_PATH([with_zshcompletiondir])
 
 AC_ARG_WITH([rootprefix],

hwdb/.gitignore

@@ -1,4 +1,5 @@
 /pci.ids
 /usb.ids
-/oui.txt
+/ma-large.txt
-/iab.txt
+/ma-medium.txt
+/ma-small.txt

hwdb/20-bluetooth-vendor-product.hwdb

@@ -1772,3 +1772,129 @@ bluetooth:v024B*
 
 bluetooth:v024C*
  ID_VENDOR_FROM_DATABASE=Blue Clover Devices
+
+bluetooth:v024D*
+ ID_VENDOR_FROM_DATABASE=M-Way Solutions GmbH
+
+bluetooth:v024E*
+ ID_VENDOR_FROM_DATABASE=Microtronics Engineering GmbH
+
+bluetooth:v024F*
+ ID_VENDOR_FROM_DATABASE=Schneider Schreibgerte GmbH
+
+bluetooth:v0250*
+ ID_VENDOR_FROM_DATABASE=Sapphire Circuits LLC
+
+bluetooth:v0251*
+ ID_VENDOR_FROM_DATABASE=Lumo Bodytech Inc.
+
+bluetooth:v0252*
+ ID_VENDOR_FROM_DATABASE=UKC Technosolution
+
+bluetooth:v0253*
+ ID_VENDOR_FROM_DATABASE=Xicato Inc.
+
+bluetooth:v0254*
+ ID_VENDOR_FROM_DATABASE=Playbrush
+
+bluetooth:v0255*
+ ID_VENDOR_FROM_DATABASE=Dai Nippon Printing Co., Ltd.
+
+bluetooth:v0256*
+ ID_VENDOR_FROM_DATABASE=G24 Power Limited
+
+bluetooth:v0257*
+ ID_VENDOR_FROM_DATABASE=AdBabble Local Commerce Inc.
+
+bluetooth:v0258*
+ ID_VENDOR_FROM_DATABASE=Devialet SA
+
+bluetooth:v0259*
+ ID_VENDOR_FROM_DATABASE=ALTYOR
+
+bluetooth:v025A*
+ ID_VENDOR_FROM_DATABASE=University of Applied Sciences Valais/Haute Ecole Valaisanne
+
+bluetooth:v025B*
+ ID_VENDOR_FROM_DATABASE=Five Interactive, LLC dba Zendo
+
+bluetooth:v025C*
+ ID_VENDOR_FROM_DATABASE=NetEase (Hangzhou) Network co.Ltd.
+
+bluetooth:v025D*
+ ID_VENDOR_FROM_DATABASE=Lexmark International Inc.
+
+bluetooth:v025E*
+ ID_VENDOR_FROM_DATABASE=Fluke Corporation
+
+bluetooth:v025F*
+ ID_VENDOR_FROM_DATABASE=Yardarm Technologies
+
+bluetooth:v0260*
+ ID_VENDOR_FROM_DATABASE=SensaRx
+
+bluetooth:v0261*
+ ID_VENDOR_FROM_DATABASE=SECVRE GmbH
+
+bluetooth:v0262*
+ ID_VENDOR_FROM_DATABASE=Glacial Ridge Technologies
+
+bluetooth:v0263*
+ ID_VENDOR_FROM_DATABASE=Identiv, Inc.
+
+bluetooth:v0264*
+ ID_VENDOR_FROM_DATABASE=DDS, Inc.
+
+bluetooth:v0265*
+ ID_VENDOR_FROM_DATABASE=SMK Corporation
+
+bluetooth:v0266*
+ ID_VENDOR_FROM_DATABASE=Schawbel Technologies LLC
+
+bluetooth:v0267*
+ ID_VENDOR_FROM_DATABASE=XMI Systems SA
+
+bluetooth:v0268*
+ ID_VENDOR_FROM_DATABASE=Cerevo
+
+bluetooth:v0269*
+ ID_VENDOR_FROM_DATABASE=Torrox GmbH & Co KG
+
+bluetooth:v026A*
+ ID_VENDOR_FROM_DATABASE=Gemalto
+
+bluetooth:v026B*
+ ID_VENDOR_FROM_DATABASE=DEKA Research & Development Corp.
+
+bluetooth:v026C*
+ ID_VENDOR_FROM_DATABASE=Domster Tadeusz Szydlowski
+
+bluetooth:v026D*
+ ID_VENDOR_FROM_DATABASE=Technogym SPA
+
+bluetooth:v026E*
+ ID_VENDOR_FROM_DATABASE=FLEURBAEY BVBA
+
+bluetooth:v026F*
+ ID_VENDOR_FROM_DATABASE=Aptcode Solutions
+
+bluetooth:v0270*
+ ID_VENDOR_FROM_DATABASE=LSI ADL Technology
+
+bluetooth:v0271*
+ ID_VENDOR_FROM_DATABASE=Animas Corp
+
+bluetooth:v0272*
+ ID_VENDOR_FROM_DATABASE=Alps Electric Co., Ltd.
+
+bluetooth:v0273*
+ ID_VENDOR_FROM_DATABASE=OCEASOFT
+
+bluetooth:v0274*
+ ID_VENDOR_FROM_DATABASE=Motsai Research
+
+bluetooth:v0275*
+ ID_VENDOR_FROM_DATABASE=Geotab
+
+bluetooth:v0276*
+ ID_VENDOR_FROM_DATABASE=E.G.O. Elektro-Gertebau GmbH

hwdb/20-usb-vendor-model.hwdb

@@ -50804,6 +50804,33 @@ usb:v2237*
 usb:v2237p4161*
  ID_MODEL_FROM_DATABASE=eReader White
 
+usb:v225D*
+ ID_VENDOR_FROM_DATABASE=Morpho
+
+usb:v225Dp0001*
+ ID_MODEL_FROM_DATABASE=FINGER VP Multimodal Biometric Sensor
+
+usb:v225Dp0008*
+ ID_MODEL_FROM_DATABASE=CBM-E3 Fingerprint Sensor
+
+usb:v225Dp0009*
+ ID_MODEL_FROM_DATABASE=CBM Fingerprint Sensor [CBM-V3]
+
+usb:v225Dp000A*
+ ID_MODEL_FROM_DATABASE=MSO1300-E3 Fingerprint Sensor
+
+usb:v225Dp000B*
+ ID_MODEL_FROM_DATABASE=MSO1300 Fingerprint Sensor [MSO1300-V3]
+
+usb:v225Dp000C*
+ ID_MODEL_FROM_DATABASE=MSO1350-E3 Fingerprint Sensor & SmartCard Reader
+
+usb:v225Dp000D*
+ ID_MODEL_FROM_DATABASE=MSO1350 Fingerprint Sensor & SmartCard Reader [MSO1350-V3]
+
+usb:v225Dp000E*
+ ID_MODEL_FROM_DATABASE=MorphoAccess SIGMA Biometric Access Control Terminal
+
 usb:v228D*
  ID_VENDOR_FROM_DATABASE=8D Technologies inc.
 

hwdb/60-evdev.hwdb

@@ -20,10 +20,11 @@
 # where /dev/input/eventXX is the device in question. If in
 # doubt, simply use /dev/input/event* to reload all input rules.
 #
-# If your changes are generally applicable, open a bug report on
+# If your changes are generally applicable, preferably send them as a pull
-#   http://bugs.freedesktop.org/enter_bug.cgi?product=systemd
+# request to
-# and include your new rules, a description of the device, and the
+#   https://github.com/systemd/systemd
-# output of
+# or create a bug report on https://github.com/systemd/systemd/issues and
+# include your new rules, a description of the device, and the output of
 #   udevadm info /dev/input/eventXX
 # (or /dev/input/event*).
 #
@@ -77,12 +78,12 @@ evdev:input:b0003v05ACp0254*
 
 # MacbookPro10,1 (unibody, June 2012)
 evdev:input:b0003v05ACp0259*
-evdev:input:b0003v05ACp025a*
+evdev:input:b0003v05ACp025A*
-evdev:input:b0003v05ACp025b*
+evdev:input:b0003v05ACp025B*
 # MacbookPro10,2 (unibody, October 2012)
 evdev:input:b0003v05ACp0259*
-evdev:input:b0003v05ACp025a*
+evdev:input:b0003v05ACp025A*
-evdev:input:b0003v05ACp025b*
+evdev:input:b0003v05ACp025B*
  EVDEV_ABS_00=::94
  EVDEV_ABS_01=::92
  EVDEV_ABS_35=::94
@@ -117,3 +118,12 @@ evdev:name:Atmel maXTouch Touch*:dmi:bvn*:bvr*:bd*:svnGOOGLE:pnSamus*
 evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO*:pn*ThinkPad*X230*
  EVDEV_ABS_01=::100
  EVDEV_ABS_36=::100
+
+#########################################
+# Dell
+#########################################
+
+# Dell Vostro 1510
+evdev:name:AlpsPS/2 ALPS GlidePoint*:dmi:bvn*:bvr*:bd*:svnDellInc.:pnVostro1510*
+ EVDEV_ABS_00=::14
+ EVDEV_ABS_01=::18

hwdb/60-keyboard.hwdb

@@ -51,10 +51,11 @@
 # where /dev/input/eventXX is the keyboard in question. If in
 # doubt, simply use /dev/input/event* to reload all input rules.
 #
-# If your changes are generally applicable, open a bug report on
+# If your changes are generally applicable, preferably send them as a pull
-#   http://bugs.freedesktop.org/enter_bug.cgi?product=systemd
+# request to
-# and include your new rules, a description of the device, and the
+#   https://github.com/systemd/systemd
-# output of
+# or create a bug report on https://github.com/systemd/systemd/issues and
+# include your new rules, a description of the device, and the output of
 #   udevadm info /dev/input/eventXX
 # (or /dev/input/event*).
 

hwdb/70-mouse.hwdb

@@ -38,9 +38,9 @@
 #
 # If your changes are generally applicable, preferably send them as a pull
 # request to
-#   https://github.com/systemd/
+#   https://github.com/systemd/systemd
-# or create a bug report on the issue tracker located there and include your
+# or create a bug report on https://github.com/systemd/systemd/issues and
-# new rules, a description of the device, and the output of
+# include your new rules, a description of the device, and the output of
 #   udevadm info /dev/input/eventXX
 # (or /dev/input/event*).
 #
@@ -135,6 +135,22 @@ mouse:usb:v046dpc063:name:DELL DELL USB Laser Mouse:
 mouse:usb:v0461p4d16:name:USB Optical Mouse:
  MOUSE_DPI=500@125
 
+##########################################
+# HandShoe Mouse
+##########################################
+
+# HandShoe Mouse
+mouse:usb:v192fp0916:name:USB Optical Mouse:
+ MOUSE_DPI=1000@128
+
+##########################################
+# HoverStop
+##########################################
+
+# Hoverstop active ergonomic mouse
+mouse:usb:v088dp1234:name:HoverStop NL Hoverstop active ergonomic mouse:
+ MOUSE_DPI=400@129
+
 ##########################################
 # HP
 ##########################################
@@ -146,6 +162,7 @@ mouse:usb:v0458p0133:name:Mouse Laser Mouse:
 
 # HP X1000
 mouse:usb:v093ap2510:name:PixArt USB Optical Mouse:
+mouse:usb:v093ap2510:name:PIXART USB OPTICAL MOUSE:
  MOUSE_DPI=1000@125
 
 ##########################################
@@ -160,6 +177,10 @@ mouse:usb:v17efp6019:name:Lenovo Optical USB Mouse:
 mouse:usb:v17efp6044:name:ThinkPad USB Laser Mouse:
  MOUSE_DPI=1200@125
 
+# Lenovo Precision USB Mouse
+mouse:usb:v17efp6050:name:Lenovo Precision USB Mouse:
+ MOUSE_DPI=1200@127
+
 ##########################################
 # Logitech
 ##########################################
@@ -171,6 +192,8 @@ mouse:usb:v17efp6044:name:ThinkPad USB Laser Mouse:
 
 # Logitech M-BJ58 Optical Mouse
 mouse:usb:v046dpc00e:name:Logitech USB-PS/2 Optical Mouse:
+# Logitech Mini Optical Mouse
+mouse:usb:v046dpc016:name:Logitech Optical USB Mouse:
 # Logitech MX310 Optical Mouse
 mouse:usb:v046dpc01b:name:Logitech USB-PS/2 Optical Mouse:
 # Logitech USB-PS/2 M-BT58
@@ -219,6 +242,8 @@ mouse:usb:v046dpc52b:name:Logitech Unifying Device. Wireless PID:4008:
 # Logitech M705 (marathon mouse)
 mouse:usb:v046dp101b:name:Logitech M705:
 mouse:usb:v046dpc52b:name:Logitech Unifying Device. Wireless PID:101b:
+# Logitech Performance MX
+mouse:usb:v046dp101a:name:Logitech Performance MX:
  MOUSE_DPI=800@166
 
 # Logitech MX Revolution
@@ -282,15 +307,28 @@ mouse:usb:v046dp4027:name:Logitech T620:
 mouse:usb:v046dpc52b:name:Logitech Unifying Device. Wireless PID:4027:
  MOUSE_DPI=1200@250
 
+# Logitech LX8 Cordless Laser Mouse
+mouse:usb:v046dpc51b:name:Logitech USB Receiver:
+ MOUSE_DPI=1300@125
+ MOUSE_WHEEL_CLICK_ANGLE=15
+
 # Logitech ZoneTouch Mouse T400
 mouse:usb:v046dp4026:name:Logitech T400:
 mouse:usb:v046dpc52b:name:Logitech Unifying Device. Wireless PID:4026:
  MOUSE_DPI=1300@166
 
+# Logitech G500 Mouse
+mouse:usb:v046dpc068:name:Logitech G500:
+ MOUSE_DPI=*1600@500 2600@500 3600@500
+
 # Logitech Ultrathin Touch Mouse
 mouse:bluetooth:v046dpb00d:name:Ultrathin Touch Mouse:
  MOUSE_DPI=1000@1000
 
+# ImPS/2 Logitech Wheel Mouse
+mouse:ps2:*:name:ImPS/2 Logitech Wheel Mouse:
+ MOUSE_DPI=400@100
+
 # ImExPS/2 Logitech Wheel Mouse
 mouse:ps2:*:name:ImExPS/2 Logitech Wheel Mouse:
  MOUSE_DPI=400@250
@@ -305,6 +343,10 @@ mouse:usb:v045ep0040:name:Microsoft Microsoft 3-Button Mouse with IntelliEye(TM)
 # Note: unsure that these work, it's likely that all devices on these
 # receivers show up with the same vid/pid/name
 
+# Microsoft Wireless Mouse 5000
+mouse:usb:v045ep0745:name:Microsoft Microsoft® 2.4GHz Transceiver v6.0:
+ MOUSE_DPI=800@142
+
 # Microsoft Sculpt Ergonomic Mouse
 mouse:usb:v045ep07a5:name:Microsoft Microsoft® 2.4GHz Transceiver v9.0:
  MOUSE_DPI=1000@142

hwdb/70-pointingstick.hwdb

@@ -32,10 +32,11 @@
 # where /dev/input/eventXX is the pointingstick in question. If in
 # doubt, simply use /dev/input/event* to reload all input rules.
 #
-# If your changes are generally applicable, open a bug report on
+# If your changes are generally applicable, preferably send them as a pull
-#   http://bugs.freedesktop.org/enter_bug.cgi?product=systemd
+# request to
-# and include your new rules, a description of the device, and the
+#   https://github.com/systemd/systemd
-# output of
+# or create a bug report on https://github.com/systemd/systemd/issues and
+# include your new rules, a description of the device, and the output of
 #   udevadm info /dev/input/eventXX
 # (or /dev/input/event*).
 #

hwdb/ids-update.pl

@@ -276,25 +276,30 @@ sub sdio_classes {
         close(OUT);
 }
 
+# MAC Address Block Large/Medium/Small
+# Large  MA-L 24/24 bit (OUI)
+# Medium MA-M 28/20 bit (OUI prefix owned by IEEE)
+# Small  MA-S 36/12 bit (OUI prefix owned by IEEE)
 sub oui {
-        my $iab_prefix;
+        my $prefix;
-        my %iab_prefixes = ();
+        my %ieee_prefixes = ();
 
         open(OUT, ">", "20-OUI.hwdb");
         print(OUT "# This file is part of systemd.\n" .
                   "#\n" .
                   "# Data imported from:\n" .
-                  "#   http://standards.ieee.org/develop/regauth/oui/oui.txt\n" .
+                  "#   https://services13.ieee.org/RST/standards-ra-web/rest/assignments/download/?registry=MA-L&format=txt\n" .
-                  "#   http://standards.ieee.org/develop/regauth/iab/iab.txt\n");
+                  "#   https://services13.ieee.org/RST/standards-ra-web/rest/assignments/download/?registry=MA-M&format=txt\n" .
+                  "#   https://services13.ieee.org/RST/standards-ra-web/rest/assignments/download/?registry=MA-S&format=txt\n");
 
-        open(IN, "<", "iab.txt");
+        open(IN, "<", "ma-small.txt");
         while (my $line = <IN>) {
                 $line =~ s/^ +//;
                 $line =~ s/\s+$//;
                 $line =~ m/^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s*\(hex\)\s*.+$/;
                 if (defined $1) {
-                        $iab_prefix = $1 . $2 . $3;
+                        $prefix = $1 . $2 . $3;
-                        $iab_prefixes{ $iab_prefix } = 1;
+                        $ieee_prefixes{ $prefix } = 1;
                         next;
                 }
 
@@ -304,13 +309,35 @@ sub oui {
                         my $text = $2;
 
                         print(OUT "\n");
-                        print(OUT "OUI:" . $iab_prefix . $vendor . "*\n");
+                        print(OUT "OUI:" . $prefix . $vendor . "*\n");
                         print(OUT " ID_OUI_FROM_DATABASE=" . $text . "\n");
                 }
         }
         close(IN);
 
-        open(IN, "<", "oui.txt");
+        open(IN, "<", "ma-medium.txt");
+        while (my $line = <IN>) {
+                $line =~ s/^ +//;
+                $line =~ s/\s+$//;
+                $line =~ m/^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s*\(hex\)\s*.+$/;
+                if (defined $1) {
+                        $prefix = $1 . $2 . $3;
+                        $ieee_prefixes{ $prefix } = 1;
+                        next;
+                }
+
+                $line =~ m/^([0-9A-F])00000-\g1FFFFF\s*\(base 16\)\s*(.+)$/;
+                if (defined $1) {
+                        my $vendor = uc $1;
+                        my $text = $2;
+
+                        print(OUT "\n");
+                        print(OUT "OUI:" . $prefix . $vendor . "*\n");
+                        print(OUT " ID_OUI_FROM_DATABASE=" . $text . "\n");
+                }
+        }
+
+        open(IN, "<", "ma-large.txt");
         while (my $line = <IN>) {
                 $line =~ s/^ +//;
                 $line =~ s/\s+$//;
@@ -319,8 +346,12 @@ sub oui {
                         my $vendor = uc $1;
                         my $text = $2;
 
-                        # skip the IAB prefixes
+                        if ($text =~ m/^IEEE REGISTRATION AUTHORITY/) {
-                        if (! exists $iab_prefixes{ $vendor }) {
+                                next;
+                        }
+
+                        # skip the IEEE owned prefixes
+                        if (! exists $ieee_prefixes{ $vendor }) {
                                 print(OUT "\n");
                                 print(OUT "OUI:" . $vendor . "*\n");
                                 print(OUT " ID_OUI_FROM_DATABASE=" . $text . "\n");
@@ -328,6 +359,7 @@ sub oui {
                 }
         }
         close(IN);
+
         close(OUT);
 }
 

man/coredumpctl.xml

@@ -86,8 +86,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>-F</option></term>
+        <term><option>-F</option> <replaceable>FIELD</replaceable></term>
-        <term><option>--field=</option></term>
+        <term><option>--field=</option><replaceable>FIELD</replaceable></term>
 
         <listitem><para>Print all possible data values the specified
         field takes in matching coredump entries of the
@@ -95,13 +95,21 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>-o</option></term>
+        <term><option>-o</option> <replaceable>FILE</replaceable></term>
-        <term><option>--output=FILE</option></term>
+        <term><option>--output=</option><replaceable>FILE</replaceable></term>
 
         <listitem><para>Write the core to <option>FILE</option>.
         </para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>-D</option> <replaceable>DIR</replaceable></term>
+        <term><option>--directory=</option><replaceable>DIR</replaceable></term>
+
+        <listitem><para>Use the journal files in the specified <option>DIR</option>.
+        </para></listitem>
+      </varlistentry>
+
       <xi:include href="standard-options.xml" xpointer="help" />
       <xi:include href="standard-options.xml" xpointer="version" />
       <xi:include href="standard-options.xml" xpointer="no-pager" />
@@ -132,7 +140,7 @@
         <listitem><para>Extract the last coredump matching specified
         characteristics. The coredump will be written on standard
         output, unless an output file is specified with
-        <option>-o/--output</option>. </para></listitem>
+        <option>--output=</option>. </para></listitem>
       </varlistentry>
 
       <varlistentry>

man/machinectl.xml

@@ -1,4 +1,4 @@
-<?xml version='1.0'?> <!--*-nxml-*-->
+<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
   "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
 
@@ -65,6 +65,43 @@
     <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
     virtual machine and container registration manager
     <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+
+    <para><command>machinectl</command> may be used to execute
+    operations on machines and images. Machines in this sense are
+    considered running instances of:</para>
+
+    <itemizedlist>
+      <listitem><para>Virtual Machines (VMs) that virtualize hardware
+      to run full operating system (OS) instances (including their kernels)
+      in a virtualized environment on top of the host OS.</para></listitem>
+
+      <listitem><para>Containers that share the hardware and
+      OS kernel with the host OS, in order to run
+      OS userspace instances on top the host OS.</para></listitem>
+
+      <listitem><para>The host system itself</para></listitem>
+    </itemizedlist>
+
+    <para>Machines are identified by names that follow the same rules
+    as UNIX and DNS host names, for details see below. Machines are
+    instantiated from disk or file system images, that frequently but not
+    necessarily carry the same name as machines running from
+    them. Images in this sense are considered:</para>
+
+    <itemizedlist>
+      <listitem><para>Directory trees containing an OS, including its
+      top-level directories <filename>/usr</filename>,
+      <filename>/etc</filename>, and so on.</para></listitem>
+
+      <listitem><para>btrfs subvolumes containing OS trees, similar to
+      normal directory trees.</para></listitem>
+
+      <listitem><para>Binary "raw" disk images containing MBR or GPT
+      partition tables and Linux file system partitions.</para></listitem>
+
+      <listitem><para>The file system tree of the host OS itself.</para></listitem>
+    </itemizedlist>
+
   </refsect1>
 
   <refsect1>
@@ -137,6 +174,30 @@
         <constant>SIGTERM</constant>.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+         <term><option>--uid=</option></term>
+
+         <listitem><para>When used with the <command>shell</command>
+         command, chooses the user ID to open the interactive shell
+         session as. If this switch is not specified, defaults to
+         <literal>root</literal>. Note that this switch is not
+         supported for the <command>login</command> command (see
+         below).</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+         <term><option>--setenv=</option></term>
+
+         <listitem><para>When used with the <command>shell</command>
+         command, sets an environment variable to pass to the executed
+         shell. Takes a pair of environment variable name and value,
+         separated by <literal>=</literal> as argument. This switch
+         may be used multiple times to set multiple environment
+         variables. Note that this switch is not supported for the
+         <command>login</command> command (see
+         below).</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>--mkdir</option></term>
 
@@ -145,7 +206,6 @@
         mount.</para></listitem>
       </varlistentry>
 
-
       <varlistentry>
         <term><option>--read-only</option></term>
 
@@ -247,9 +307,11 @@
         <term><command>list</command></term>
 
         <listitem><para>List currently running (online) virtual
-        machines and containers. To enumerate container images that
+        machines and containers. To enumerate machine images that can
-        can be started, use <command>list-images</command> (see
+        be started, use <command>list-images</command> (see
-        below).</para></listitem>
+        below). Note that this command hides the special
+        <literal>.host</literal> machine by default. Use the
+        <option>--all</option> switch to show it.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -267,7 +329,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><command>show</command> <replaceable>NAME</replaceable>...</term>
+        <term><command>show</command> [<replaceable>NAME</replaceable>...]</term>
 
         <listitem><para>Show properties of one or more registered
         virtual machines or containers or the manager itself. If no
@@ -316,21 +378,67 @@
       </varlistentry>
 
       <varlistentry>
-        <term><command>login</command> <replaceable>NAME</replaceable></term>
+        <term><command>login</command> [<replaceable>NAME</replaceable>]</term>
 
-        <listitem><para>Open an interactive terminal login session to
+        <listitem><para>Open an interactive terminal login session in
-        a container. This will create a TTY connection to a specific
+        a container or on the local host. If an argument is supplied
-        container and asks for the execution of a getty on it. Note
+        it refers to the container machine to connect to. If none is
-        that this is only supported for containers running
+        specified, or the container name is specified as the empty
+        string, or the special machine name <literal>.host</literal>
+        (see below) is specified, the connection is made to the local
+        host instead. This will create a TTY connection to a specific
+        container or the local host and asks for the execution of a
+        getty on it. Note that this is only supported for containers
+        running
         <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
         as init system.</para>
 
         <para>This command will open a full login prompt on the
-        container, which then asks for username and password. Use
+        container or the local host, which then asks for username and
+        password. Use <command>shell</command> (see below) or
         <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>
-        with the <option>--machine=</option> switch to invoke a single
+        with the <option>--machine=</option> switch to directly invoke
-        command, either interactively or in the background within a
+        a single command, either interactively or in the
-        local container.</para></listitem>
+        background.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><command>shell</command> [[<replaceable>NAME</replaceable>@]<replaceable>NAME</replaceable> [<replaceable>PATH</replaceable> [<replaceable>ARGUMENTS</replaceable>...]]] </term>
+
+        <listitem><para>Open an interactive shell session in a
+        container or on the local host. The first argument refers to
+        the container machine to connect to. If none is specified, or
+        the machine name is specified as the empty string, or the
+        special machine name <literal>.host</literal> (see below) is
+        specified, the connection is made to the local host
+        instead. This works similar to <command>login</command> but
+        immediately invokes a user process. This command runs the
+        specified executable with the specified arguments, or
+        <filename>/bin/sh</filename> if none is specified. By default
+        opens a <literal>root</literal> shell, but by using
+        <option>--uid=</option>, or by prefixing the machine name with
+        a username and an <literal>@</literal> character, a different
+        user may be selected. Use <option>--setenv=</option> to set
+        environment variables for the executed process.</para>
+
+        <para>When using the <command>shell</command> command without
+        arguments (thus invoking the executed shell or command on the
+        local host) it is similar in many ways to a <citerefentry
+        project='die-net'><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+        session, but unlike <command>su</command> completely isolates
+        the new session from the originating session, so that it
+        shares no process or session properties, and is in a clean and
+        well-defined state. It will be tracked in a new utmp, login,
+        audit, security and keyring session, and will not inherit any
+        environment variables or resource limits, among other
+        properties.</para>
+
+        <para>Note that the
+        <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+        may be used in place of the <command>shell</command> command,
+        and allows more detailed, low-level configuration of the
+        invoked unit. However, it is frequently more privileged than
+        the <command>shell</command> command.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -453,7 +561,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><command>image-status</command> <replaceable>NAME</replaceable>...</term>
+        <term><command>image-status</command> [<replaceable>NAME</replaceable>...]</term>
 
         <listitem><para>Show terse status information about one or
         more container or VM images. This function is intended to
@@ -463,7 +571,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><command>show-image</command> <replaceable>NAME</replaceable>...</term>
+        <term><command>show-image</command> [<replaceable>NAME</replaceable>...]</term>
 
         <listitem><para>Show properties of one or more registered
         virtual machine or container images, or the manager itself. If
@@ -765,6 +873,41 @@
 
   </refsect1>
 
+  <refsect1>
+    <title>Machine and Image Names</title>
+
+    <para>The <command>machinectl</command> tool operates on machines
+    and images, whose names must be chosen following strict
+    rules. Machine names must be suitable for use as host names
+    following a conservative subset of DNS and UNIX/Linux
+    semantics. Specifically, they must consist of one or more
+    non-empty label strings, separated by dots. No leading or trailing
+    dots are allowed. No sequences of multiple dots are allowed. The
+    label strings may only consists of alphanumeric characters as well
+    as the dash and underscore. The maximum length of a machine name
+    is 64 characters.</para>
+
+    <para>A special machine with the name <literal>.host</literal>
+    refers to the running host system itself. This is useful for execution
+    operations or inspecting the host system as well. Not that
+    <command>machinectl list</command> will not show this special
+    machine unless the <option>--all</option> switch is specified.</para>
+
+    <para>Requirements on image names are less strict, however must be
+    valid UTF-8, must be suitable as file names (hence not be the
+    single or double dot, and not include a slash), and may not
+    contain control characters. Since many operations search for an
+    image by the name of a requested machine it is recommended to name
+    images in the same strict fashion as machines.</para>
+
+    <para>A special image with the name <literal>.host</literal>
+    refers to the image of the running host system. It is hence
+    conceptually maps to the special <literal>.host</literal> machine
+    name described above. Note that <command>machinectl
+    list-images</command> won't show this special image either, unless
+    <option>--all</option> is specified.</para>
+  </refsect1>
+
   <refsect1>
     <title>Files and Directories</title>
 
@@ -872,6 +1015,17 @@
       current directory.</para>
     </example>
 
+    <example>
+      <title>Create a new shell session</title>
+
+      <programlisting># machinectl shell --uid=lennart</programlisting>
+
+      <para>This creates a new shell session on the local host, for
+      the user ID <literal>lennart</literal>, in a <citerefentry
+      project='die-net'><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry>-like
+      fashion.</para>
+    </example>
+
   </refsect1>
 
   <refsect1>

man/nss-myhostname.xml

@@ -111,17 +111,17 @@
     <para>Here's an example <filename>/etc/nsswitch.conf</filename>
     file, that enables <command>myhostname</command> correctly:</para>
 
-<programlisting>passwd:   compat
+<programlisting>passwd:         compat
-group:    compat
+group:          compat
-shadow:   compat
+shadow:         compat
 
-hosts:    files dns mymachines <command>myhostname</command>
+hosts:          files resolve mymachines <command>myhostname</command>
 networks:       files
 
 protocols:      db files
 services:       db files
-ethers:   db files
+ethers:         db files
-rpc:      db files
+rpc:            db files
 
 netgroup:       nis</programlisting>
 
@@ -143,6 +143,7 @@ netgroup:       nis</programlisting>
     <title>See Also</title>
     <para>
       <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
       <citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
       <citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry>

man/nss-mymachines.xml

@@ -91,7 +91,7 @@
 group:          compat <command>mymachines</command>
 shadow:         compat
 
-hosts:          files dns <command>mymachines</command> myhostname
+hosts:          files resolve <command>mymachines</command> myhostname
 networks:       files
 
 protocols:      db files
@@ -108,6 +108,7 @@ netgroup:       nis</programlisting>
     <para>
       <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
       <citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
       <citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry>

man/nss-resolve.xml

@@ -0,0 +1,118 @@
+<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<!--
+  This file is part of systemd.
+
+  Copyright 2011 Lennart Poettering
+  Copyright 2013 Tom Gundersen
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+-->
+
+<refentry id="nss-resolve" conditional='ENABLE_RESOLVED'>
+
+  <refentryinfo>
+    <title>nss-resolve</title>
+    <productname>systemd</productname>
+
+    <authorgroup>
+      <author>
+        <contrib>Developer</contrib>
+        <firstname>Lennart</firstname>
+        <surname>Poettering</surname>
+        <email>lennart@poettering.net</email>
+      </author>
+    </authorgroup>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>nss-resolve</refentrytitle>
+    <manvolnum>8</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>nss-resolve</refname>
+    <refname>libnss_resolve.so.2</refname>
+    <refpurpose>Provide hostname resolution via <filename>systemd-resolved.service</filename></refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <para><filename>libnss_resolve.so.2</filename></para>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para><command>nss-resolve</command> is a plugin module for the
+    GNU Name Service Switch (NSS) functionality of the GNU C Library
+    (<command>glibc</command>) enabling it to resolve host names via
+    the
+    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+    local network name resolution service.</para>
+
+    <para>To activate the NSS module, <literal>resolve</literal>
+    has to be added to the line starting with
+    <literal>hosts:</literal> in
+    <filename>/etc/nsswitch.conf</filename>.</para>
+
+    <para>It is recommended to place <literal>resolve</literal> early
+    in the <filename>nsswitch.conf</filename> line (but after the
+    <literal>files</literal> entry), replacing the
+    <literal>dns</literal> entry if it exists, to ensure DNS queries
+    are always routed via
+    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Example</title>
+
+    <para>Here's an example <filename>/etc/nsswitch.conf</filename>
+    file, that enables <command>resolve</command> correctly:</para>
+
+<programlisting>passwd:         compat
+group:          compat
+shadow:         compat
+
+hosts:          files <command>resolve</command> mymachines myhostname
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis</programlisting>
+
+    <para>Note that <command>nss-resolve</command> will chain-load
+    <command>nss-dns</command> if
+    <filename>systemd-resolved.service</filename> is not running,
+    ensuring that basic DNS resolution continues to work if the
+    service is down.</para>
+
+  </refsect1>
+
+  <refsect1>
+    <title>See Also</title>
+    <para>
+      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+      <citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    </para>
+  </refsect1>
+
+</refentry>

man/systemctl.xml

@@ -319,14 +319,11 @@
         <term><option>--quiet</option></term>
 
         <listitem>
-          <para>Suppress output to standard output in
+          <para>Suppress printing of the results of various commands
-          <command>snapshot</command>,
+          and also the hints about truncated log lines. This does not
-          <command>is-active</command>,
+          suppress output of commands for which the printed output is
-          <command>is-failed</command>,
+          the only result (like <command>show</command>). Errors are
-          <command>is-enabled</command>,
+          always printed.</para>
-          <command>is-system-running</command>,
-          <command>enable</command> and
-        <command>disable</command>.</para>
         </listitem>
       </varlistentry>
 
@@ -476,6 +473,18 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--message=</option></term>
+
+        <listitem>
+          <para>When used with <command>halt</command>,
+          <command>poweroff</command>, <command>reboot</command> or
+          <command>kexec</command>, set a short message explaining the reason
+          for the operation. The message will be logged together with the
+          default shutdown message.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>--now</option></term>
 

man/systemd-fsck@.service.xml

@@ -61,7 +61,7 @@
     responsible for file system checks. They are instantiated for each
     device that is configured for file system checking.
     <filename>systemd-fsck-root.service</filename> is responsible for
-    file system checks on the root file system, but in only if the
+    file system checks on the root file system, but only if the
     root filesystem wasn't checked in the initramfs.
     <filename>systemd-fsck@.service</filename> is used for all other
     file systems and for the root file system in the initramfs.</para>

man/systemd-nspawn.xml

@@ -156,12 +156,15 @@
 
         <para>If neither <option>--directory=</option>, nor
         <option>--image=</option> is specified the directory is
-        determined as <filename>/var/lib/machines/</filename> suffixed
+        determined by searching for a directory named the same as the
-        by the machine name as specified with
+        machine name specified with <option>--machine=</option>. See
-        <option>--machine=</option>. If neither
+        <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
-        <option>--directory=</option>, <option>--image=</option>, nor
+        section "Files and Directories" for the precise search path.</para>
-        <option>--machine=</option> are specified, the current
+
-        directory will be used. May not be specified together with
+        <para>If neither <option>--directory=</option>,
+        <option>--image=</option>, nor <option>--machine=</option>
+        are specified, the current directory will
+        be used. May not be specified together with
         <option>--image=</option>.</para></listitem>
       </varlistentry>
 
@@ -578,7 +581,9 @@
         same path in the container --, or a colon-separated pair of
         paths -- in which case the first specified path is the source
         in the host, and the second path is the destination in the
-        container. This option may be specified multiple times for
+        container. Backslash escapes are interpreted so
+        <literal>\:</literal> may be used to embed colons in either path.
+        This option may be specified multiple times for
         creating multiple independent bind mount points. The
         <option>--bind-ro=</option> option creates read-only bind
         mounts.</para></listitem>
@@ -597,7 +602,10 @@
         otherwise specified). This option is particularly useful for
         mounting directories such as <filename>/var</filename> as
         tmpfs, to allow state-less systems, in particular when
-        combined with <option>--read-only</option>.</para></listitem>
+        combined with <option>--read-only</option>.
+        Backslash escapes are interpreted in the path so
+        <literal>\:</literal> may be used to embed colons in the path.
+        </para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -609,6 +617,10 @@
         list of colon-separated paths to the directory trees to
         combine and the destination mount point.</para>
 
+        <para>Backslash escapes are interpreted in the paths, so
+        <literal>\:</literal> may be used to embed colons in the paths.
+        </para>
+
         <para>If three or more paths are specified, then the last
         specified path is the destination mount point in the
         container, all paths specified before refer to directory trees

man/systemd-resolved.service.xml

@@ -1,4 +1,4 @@
-<?xml version='1.0'?> <!--*-nxml-*-->
+<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
   "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
 
@@ -71,6 +71,61 @@
     <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
     for more details.</para>
 
+    <para><command>systemd-resolved</command> synthesizes DNS RRs for the following cases:</para>
+
+    <itemizedlist>
+      <listitem><para>The local, configured hostname is resolved to
+      all locally configured IP addresses ordered by their scope, or
+      — if none are configured — the IPv4 address 127.0.0.2 (which
+      is on the local loopback) and the IPv6 address ::1 (which is the
+      local host).</para></listitem>
+
+      <listitem><para>The hostname <literal>localhost</literal> is
+      resolved to the IP addresses 127.0.0.1 and
+      ::1.</para></listitem>
+
+      <listitem><para>The hostname <literal>gateway</literal> is
+      resolved to all current default routing gateway addresses,
+      ordered by their metric. This assigns a stable hostname to the
+      current gateway, useful for referencing it independently of the
+      current network configuration state.</para></listitem>
+    </itemizedlist>
+
+    <para>Lookup requests are routed to the available DNS servers
+    and LLMNR interfaces according to the following rules:</para>
+
+    <itemizedlist>
+      <listitem><para>Lookups for the special hostname
+      <literal>localhost</literal> are never routed to the
+      network.</para></listitem>
+
+      <listitem><para>Single-label names are routed to all local
+      interfaces capable of IP multicasting, using the LLMNR
+      protocol. Lookups for IPv4 addresses are only sent via LLMNR on
+      IPv4, and lookups for IPv6 addresses are only sent via LLMNR on
+      IPv6. Lookups for the locally configured host name and the
+      <literal>gateway</literal> host name are never routed to
+      LLMNR.</para></listitem>
+
+      <listitem><para>Multi-label names are routed to all local
+      interfaces that have a DNS sever configured, plus the globally
+      configured DNS server if there is one. Address lookups from the
+      link-local addres range are never routed to
+      DNS.</para></listitem>
+    </itemizedlist>
+
+    <para>If lookups are routed to multiple interfaces, the first
+    successful response is returned (thus effectively merging the
+    lookup zones on all matching interfaces). If the lookup failed on
+    all interfaces the last failing response is returned.</para>
+
+    <para>Routing of lookups may be influenced by configuring
+    per-interface domain names, see
+    <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    for details. Lookups for a hostname ending in one of the
+    per-interface domains are exclusively routed to the matching
+    interfaces.</para>
+
     <para>Note that
     <filename>/run/systemd/resolve/resolv.conf</filename> should not
     be used directly, but only through a symlink from

man/systemd-run.xml

@@ -69,38 +69,41 @@
     <title>Description</title>
 
     <para><command>systemd-run</command> may be used to create and
-    start a transient <filename>.service</filename> or a transient
+    start a transient <filename>.service</filename> or
-    <filename>.timer</filename> or a <filename>.scope</filename> unit
+    <filename>.scope</filename> unit and run the specified
-    and run the specified <replaceable>COMMAND</replaceable> in
+    <replaceable>COMMAND</replaceable> in it. It may also be used to
-    it.</para>
+    create and start transient <filename>.timer</filename>
+    units.</para>
 
     <para>If a command is run as transient service unit, it will be
     started and managed by the service manager like any other service,
-    and thus show up in the output of <command>systemctl
+    and thus shows up in the output of <command>systemctl
     list-units</command> like any other unit. It will run in a clean
-    and detached execution environment. <command>systemd-run</command>
+    and detached execution environment, with the service manager as
-    will start the service asynchronously in the background and
+    its parent process. In this mode <command>systemd-run</command>
-    immediately return.</para>
+    will start the service asynchronously in the background and return
-
+    after the command has begun execution.</para>
-    <para>If a command is run with timer options, transient timer unit
-    also be created with transient service unit. But the transient
-    timer unit is only started immediately. The transient service unit
-    will be started when the transient timer is elapsed. If
-    <option>--unit=</option> is specified with timer options, the
-    <replaceable>COMMAND</replaceable> can be omitted. In this case,
-    <command>systemd-run</command> assumes service unit is already
-    loaded and creates transient timer unit only. To successfully
-    create timer unit, already loaded service unit should be specified
-    with <option>--unit=</option>. This transient timer unit can
-    activate the existing service unit like any other timer.</para>
 
     <para>If a command is run as transient scope unit, it will be
-    started directly by <command>systemd-run</command> and thus
+    started by <command>systemd-run</command> itself as parent process
-    inherit the execution environment of the caller. It is however
+    and will thus inherit the execution environment of the
-    managed by the service manager similar to normal services, and
+    caller. However, the processes of the command are managed by the
-    will also show up in the output of <command>systemctl
+    service manager similar to normal services, and will show up in
-    list-units</command>. Execution in this case is synchronous, and
+    the output of <command>systemctl list-units</command>. Execution
-    execution will return only when the command finishes.</para>
+    in this case is synchronous, and will return only when the command
+    finishes. This mode is enabled via the <option>--scope</option>
+    switch (see below). </para>
+
+    <para>If a command is run with timer options such as
+    <option>--on-calendar=</option> (see below), a transient timer
+    unit is created alongside the service unit for the specified
+    command. Only the transient timer unit is started immediately, the
+    transient service unit will be started when the transient timer
+    elapses. If the <option>--unit=</option> is specified, the
+    <replaceable>COMMAND</replaceable> may be omitted. In this case,
+    <command>systemd-run</command> only creates a
+    <filename>.timer</filename> unit that invokes the specified unit
+    when elapsing.</para>
   </refsect1>
 
   <refsect1>

man/systemd-timesyncd.service.xml

@@ -71,6 +71,10 @@
     files, and the per-link dynamic settings received over DHCP. See
     <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
     for more details.</para>
+
+    <para><citerefentry><refentrytitle>timedatectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
+    <command>set-ntp</command> command may be used to enable and
+    start, or disable and stop this service.</para>
   </refsect1>
 
   <refsect1>

man/systemd.exec.xml

@@ -1,3 +1,4 @@
+<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
   "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
 
@@ -263,7 +264,8 @@
         <listitem><para>Similar to <varname>Environment=</varname> but
         reads the environment variables from a text file. The text
         file should contain new-line-separated variable assignments.
-        Empty lines and lines starting with ; or # will be ignored,
+        Empty lines, lines without an <literal>=</literal> separator,
+        or lines starting with ; or # will be ignored,
         which may be used for commenting. A line ending with a
         backslash will be concatenated with the following one,
         allowing multiline variable definitions. The parser strips
@@ -910,10 +912,16 @@
         <term><varname>UtmpIdentifier=</varname></term>
 
         <listitem><para>Takes a four character identifier string for
-        an utmp/wtmp entry for this service. This should only be set
+        an <citerefentry
-        for services such as <command>getty</command> implementations
+        project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+        and wtmp entry for this service. This should only be
+        set for services such as <command>getty</command>
+        implementations (such as <citerefentry
+        project='die-net'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
         where utmp/wtmp entries must be created and cleared before and
-        after execution. If the configured string is longer than four
+        after execution, or for services that shall be executed as if
+        they were run by a <command>getty</command> process (see
+        below). If the configured string is longer than four
         characters, it is truncated and the terminal four characters
         are used. This setting interprets %I style string
         replacements. This setting is unset by default, i.e. no
@@ -921,6 +929,34 @@
         service.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+         <term><varname>UtmpMode=</varname></term>
+
+         <listitem><para>Takes one of <literal>init</literal>,
+         <literal>login</literal> or <literal>user</literal>. If
+         <varname>UtmpIdentifier=</varname> is set, controls which
+         type of <citerefentry
+         project='man-pages'><refentrytitle>utmp</refentrytitle><manvolnum>5</manvolnum></citerefentry>/wtmp
+         entries for this service are generated. This setting has no
+         effect unless <varname>UtmpIdentifier=</varname> is set
+         too. If <literal>init</literal> is set, only an
+         <constant>INIT_PROCESS</constant> entry is generated and the
+         invoked process must implement a
+         <command>getty</command>-compatible utmp/wtmp logic. If
+         <literal>login</literal> is set, first an
+         <constant>INIT_PROCESS</constant> entry, followed by an
+         <constant>LOGIN_PROCESS</constant> entry is generated. In
+         this case the invoked process must implement a <citerefentry
+         project='die-net'><refentrytitle>login</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible
+         utmp/wtmp logic. If <literal>user</literal> is set, first an
+         <constant>INIT_PROCESS</constant> entry, then a
+         <constant>LOGIN_PROCESS</constant> entry and finally an
+         <constant>USER_PROCESS</constant> entry is generated. In this
+         case the invoked process may be any process that is suitable
+         to be run as session leader. Defaults to
+         <literal>init</literal>.</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>SELinuxContext=</varname></term>
 

man/systemd.netdev.xml

@@ -985,6 +985,20 @@ Kind=veth
 Name=veth-peer</programlisting>
     </example>
 
+    <example>
+      <title>/etc/systemd/network/bond.netdev</title>
+      <programlisting>[NetDev]
+Name=bond1
+Kind=bond
+
+[Bond]
+Mode=802.3ad
+TransmitHashPolicy=layer3+4
+MIIMonitorSec=1s
+LACPTransmitRate=fast
+</programlisting>
+    </example>
+
     <example>
       <title>/etc/systemd/network/dummy.netdev</title>
       <programlisting>[NetDev]

man/systemd.network.xml

@@ -828,6 +828,18 @@ Name=em1
 [Network]
 Tunnel=vti-tun</programlisting>
     </example>
+
+    <example>
+      <title>/etc/systemd/network/bond.network</title>
+
+      <programlisting>[Match]
+Name=bond1
+
+[Network]
+DHCP=yes
+</programlisting>
+    </example>
+
   </refsect1>
 
   <refsect1>

man/systemd.service.xml

@@ -337,6 +337,19 @@
         <literal>-</literal>) fail, the rest are not executed and the
         unit is considered failed.</para>
 
+        <para><varname>ExecStart=</varname> commands are only run after
+        all <varname>ExecStartPre=</varname> commands that were not prefixed
+        with a <literal>-</literal> exit successfully.</para>
+
+        <para><varname>ExecStartPost=</varname> commands are only run after
+        the service has started, as determined by <varname>Type=</varname>
+        (i.e. The process has been started for <varname>Type=simple</varname>
+        or <varname>Type=idle</varname>, the process exits successfully for
+        <varname>Type=oneshot</varname>, the initial process exits successfully
+        for <varname>Type=forking</varname>, <literal>READY=1</literal> is sent
+        for <varname>Type=notify</varname>, or the <varname>BusName=</varname>
+        has been taken for <varname>Type=dbus</varname>).</para>
+
         <para>Note that <varname>ExecStartPre=</varname> may not be
         used to start long-running processes. All processes forked
         off by processes invoked via <varname>ExecStartPre=</varname> will
@@ -922,7 +935,10 @@
     the arguments. Double quotes ("...") and single quotes ('...') may
     be used, in which case everything until the next matching quote
     becomes part of the same argument. C-style escapes are also
-    supported, see table below. Quotes themselves are removed after
+    supported. The table below contains the list of allowed escape
+    patterns. Only patterns which match the syntax in the table are
+    allowed; others will result in an error, and must be escaped by
+    doubling the backslash. Quotes themselves are removed after
     parsing and escape sequences substituted. In addition, a trailing
     backslash (<literal>\</literal>) may be used to merge lines.
     </para>
@@ -939,7 +955,7 @@
     <literal>&amp;</literal>, and <emphasis>other elements of shell
     syntax are not supported</emphasis>.</para>
 
-    <para>The command to execute must an absolute path name. It may
+    <para>The command to execute must be an absolute path name. It may
     contain spaces, but control characters are not allowed.</para>
 
     <para>The command line accepts <literal>%</literal> specifiers as

man/systemd.special.xml

@@ -130,9 +130,22 @@
           for this target unit to all services (except for those with
           <varname>DefaultDependencies=no</varname>).</para>
 
-          <para>Usually this should pull-in all mount points, swap
+          <para>Usually this should pull-in all local mount points plus
-          devices, sockets, timers, and path units and other basic
+          <filename>/var</filename>, <filename>/tmp</filename> and
-          initialization necessary for general purpose daemons.</para>
+          <filename>/var/tmp</filename>, swap devices, sockets, timers,
+          path units and other basic initialization necessary for general
+          purpose daemons. The mentioned mount points are special cased
+          to allow them to be remote.
+          </para>
+
+          <para>This target usually does not pull in any non-target units
+          directly, but rather does so indirectly via other early boot targets.
+          It is instead meant as a synchronization point for late boot
+          services. Refer to
+          <citerefentry><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+          for details on the targets involved.
+          </para>
+
         </listitem>
       </varlistentry>
       <varlistentry>
@@ -503,8 +516,14 @@
       <varlistentry>
         <term><filename>sysinit.target</filename></term>
         <listitem>
-          <para>A special target unit covering early boot-up
+          <para>This target pulls in the services required for system
-          scripts.</para>
+          initialization. System services pulled in by this target should
+          declare <varname>DefaultDependencies=no</varname> and specify
+          all their dependencies manually, including access to anything
+          more than a read only root filesystem. For details on the
+          dependencies of this target, refer to
+          <citerefentry><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
+          </para>
         </listitem>
       </varlistentry>
       <varlistentry>
@@ -833,7 +852,7 @@
       <varlistentry>
         <term><filename>system.slice</filename></term>
         <listitem>
-          <para>By default, all services services started by
+          <para>By default, all system services started by
           <command>systemd</command> are found in this slice.</para>
         </listitem>
       </varlistentry>

man/systemd.xml

@@ -367,6 +367,8 @@
     group information is maintained in the kernel, and is accessible
     via the file system hierarchy (beneath
     <filename>/sys/fs/cgroup/systemd/</filename>), or in tools such as
+    <citerefentry project='man-pages'><refentrytitle>systemd-cgls</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+    or
     <citerefentry project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>
     (<command>ps xawf -eo pid,user,cgroup,args</command> is
     particularly useful to list all processes and the systemd units

man/timedatectl.xml

@@ -166,12 +166,27 @@
         <term><command>set-ntp [BOOL]</command></term>
 
         <listitem><para>Takes a boolean argument. Controls whether
-        network time synchronization is enabled (if available). This
+        network time synchronization is active and enabled (if
-        enables or disables the
+        available). This enables and starts, or disables and stops the
-        <filename>systemd-timesyncd.service</filename> unit. Note that
+        <filename>systemd-timesyncd.service</filename> unit. It does
-        even if this command turns time synchronization off a
+        not affect the state of any other, unrelated network time
-        different system service might still synchronize the clock
+        synchronization services that might be installed on the
-        with the network.</para></listitem>
+        system. This command is hence mostly equivalent to:
+        <command>systemctl enable --now
+        systemd-timesyncd.service</command> and <command>systemctl
+        disable --now systemd-timesyncd.service</command>, but is
+        protected by a different access policy.</para>
+
+        <para>Note that even if time synchronization is turned off
+        with this command another, unrelated system service might
+        still synchronize the clock with the network. Also note that
+        strictly speaking
+        <filename>systemd-timesyncd.service</filename> does more than
+        just network time synchronization as it ensures a monotonic
+        clock on systems without RTC even if no network is
+        available. See
+        <citerefentry><refentrytitle>systemd-timesyncd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+        for details about this.</para></listitem>
       </varlistentry>
 
     </variablelist>

rules/60-persistent-storage.rules

@@ -6,7 +6,7 @@
 ACTION=="remove", GOTO="persistent_storage_end"
 
 SUBSYSTEM!="block", GOTO="persistent_storage_end"
-KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|nvme*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*", GOTO="persistent_storage_end"
+KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|nvme*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*|ubd*", GOTO="persistent_storage_end"
 
 # ignore partitions that span the entire disk
 TEST=="whole_disk", GOTO="persistent_storage_end"

shell-completion/bash/machinectl

@@ -26,7 +26,8 @@ __contains_word() {
 
 __get_machines() {
         local a b
-        machinectl list --no-legend --no-pager | { while read a b; do echo " $a"; done; };
+        (machinectl list-images --no-legend --no-pager; machinectl list --no-legend --no-pager) | \
+		{ while read a b; do echo " $a"; done; } | sort -u;
 }
 
 _machinectl() {
@@ -39,8 +40,8 @@ _machinectl() {
         )
 
         local -A VERBS=(
-               [STANDALONE]='list'
+               [STANDALONE]='list list-images pull-tar pull-raw pull-dkr import-tar import-raw export-tar export-raw list-transfers cancel-transfer'
-                 [MACHINES]='status show terminate kill reboot login'
+                 [MACHINES]='status show start login enable disable poweroff reboot terminate kill copy-to copy-from image-status show-image clone rename read-only remove set-limit'
         )
 
         _init_completion || return

shell-completion/bash/systemctl.in

@@ -108,7 +108,7 @@ _systemctl () {
                                 comps=$(compgen -A signal)
                         ;;
                         --type|-t)
-                                comps='automount busname device mount path service snapshot socket swap target timer'
+                                comps=$(__systemctl $mode -t help)
                         ;;
                         --state)
                                 comps='loaded not-found stub

shell-completion/zsh/_busctl

@@ -24,7 +24,14 @@
     local -a _busctl_cmds
     _busctl_cmds=(
         "list:List bus names"
+        "status:Show bus service, process or bus owner credentials"
         "monitor:Show bus traffic"
+        "capture:Capture bus traffix as pcap"
+        "tree:Show object tree of service"
+        "introspect:Introspect object"
+        "call:Call a method"
+        "get-property:Get property value"
+        "set-property:Set property value"
     )
     if (( CURRENT == 1 )); then
         _describe -t commands 'busctl command' _busctl_cmds || compadd "$@"
@@ -54,4 +61,12 @@ _arguments \
     '--acquired[Only show acquired names]' \
     '--activatable[Only show activatable names]' \
     '--match=[Only show matching messages]:match' \
+    '--list[Do not show tree, but simple object path list]' \
+    '--quiet[Do not show method call reply]'\
+    '--verbose[Show result values in long format]' \
+    '--expect-reply=[Expect a method call reply]:boolean:(1 0)' \
+    '--auto-start=[Auto-start destination service]:boolean:(1 0)' \
+    '--allow-interactive-authorization=[Allow interactive authorization for operation]:boolean:(1 0)' \
+    '--timeout=[Maximum time to wait for method call completion]:timeout (seconds)' \
+    '--augment-creds=[Extend credential data with data read from /proc/$PID]:boolean:(1 0)' \
     '*::busctl command:_busctl_command'

src/basic/bitmap.c

@@ -145,7 +145,10 @@ bool bitmap_isclear(Bitmap *b) {
 void bitmap_clear(Bitmap *b) {
         assert(b);
 
+        free(b->bitmaps);
+        b->bitmaps = NULL;
         b->n_bitmaps = 0;
+        b->bitmaps_allocated = 0;
 }
 
 bool bitmap_iterate(Bitmap *b, Iterator *i, unsigned *n) {
@@ -184,6 +187,9 @@ bool bitmap_iterate(Bitmap *b, Iterator *i, unsigned *n) {
 }
 
 bool bitmap_equal(Bitmap *a, Bitmap *b) {
+        size_t common_n_bitmaps;
+        Bitmap *c;
+        unsigned i;
 
         if (!a ^ !b)
                 return false;
@@ -191,8 +197,14 @@ bool bitmap_equal(Bitmap *a, Bitmap *b) {
         if (!a)
                 return true;
 
-        if (a->n_bitmaps != b->n_bitmaps)
+        common_n_bitmaps = MIN(a->n_bitmaps, b->n_bitmaps);
+        if (memcmp(a->bitmaps, b->bitmaps, sizeof(uint64_t) * common_n_bitmaps) != 0)
                 return false;
 
-        return memcmp(a->bitmaps, b->bitmaps, sizeof(uint64_t) * a->n_bitmaps) == 0;
+        c = a->n_bitmaps > b->n_bitmaps ? a : b;
+        for (i = common_n_bitmaps; i < c->n_bitmaps; i++)
+                if (c->bitmaps[i] != 0)
+                        return false;
+
+        return true;
 }

src/basic/cgroup-util.c

@@ -826,14 +826,12 @@ int cg_install_release_agent(const char *controller, const char *agent) {
         } else if (!streq(sc, agent))
                 return -EEXIST;
 
-        free(fs);
+        fs = mfree(fs);
-        fs = NULL;
         r = cg_get_path(controller, NULL, "notify_on_release", &fs);
         if (r < 0)
                 return r;
 
-        free(contents);
+        contents = mfree(contents);
-        contents = NULL;
         r = read_one_line_file(fs, &contents);
         if (r < 0)
                 return r;
@@ -865,8 +863,7 @@ int cg_uninstall_release_agent(const char *controller) {
         if (r < 0)
                 return r;
 
-        free(fs);
+        fs = mfree(fs);
-        fs = NULL;
 
         r = cg_get_path(controller, NULL, "release_agent", &fs);
         if (r < 0)

src/basic/copy.c

@@ -467,8 +467,7 @@ int copy_xattr(int fdf, int fdt) {
 
                 sza *= 2;
 
-                free(bufa);
+                bufa = mfree(bufa);
-                bufa = NULL;
         }
 
         p = bufa;
@@ -491,8 +490,7 @@ int copy_xattr(int fdf, int fdt) {
                         if (m < 0) {
                                 if (errno == ERANGE) {
                                         szb *= 2;
-                                        free(bufb);
+                                        bufb = mfree(bufb);
-                                        bufb = NULL;
                                         continue;
                                 }
 

src/basic/env-util.c

@@ -550,7 +550,7 @@ char **replace_env_argv(char **argv, char **env) {
                         if (e) {
                                 int r;
 
-                                r = strv_split_quoted(&m, e, UNQUOTE_RELAX);
+                                r = strv_split_extract(&m, e, WHITESPACE, EXTRACT_RELAX|EXTRACT_QUOTES);
                                 if (r < 0) {
                                         ret[k] = NULL;
                                         strv_free(ret);

src/basic/hostname-util.c

@@ -61,14 +61,25 @@ static bool hostname_valid_char(char c) {
                 c == '.';
 }
 
-bool hostname_is_valid(const char *s) {
+/**
+ * Check if s looks like a valid host name or FQDN. This does not do
+ * full DNS validation, but only checks if the name is composed of
+ * allowed characters and the length is not above the maximum allowed
+ * by Linux (c.f. dns_name_is_valid()). Trailing dot is allowed if
+ * allow_trailing_dot is true and at least two components are present
+ * in the name. Note that due to the restricted charset and length
+ * this call is substantially more conservative than
+ * dns_domain_is_valid().
+ */
+bool hostname_is_valid(const char *s, bool allow_trailing_dot) {
+        unsigned n_dots = 0;
         const char *p;
         bool dot;
 
         if (isempty(s))
                 return false;
 
-        /* Doesn't accept empty hostnames, hostnames with trailing or
+        /* Doesn't accept empty hostnames, hostnames with
          * leading dots, and hostnames with multiple dots in a
          * sequence. Also ensures that the length stays below
          * HOST_NAME_MAX. */
@@ -79,6 +90,7 @@ bool hostname_is_valid(const char *s) {
                                 return false;
 
                         dot = true;
+                        n_dots ++;
                 } else {
                         if (!hostname_valid_char(*p))
                                 return false;
@@ -87,16 +99,18 @@ bool hostname_is_valid(const char *s) {
                 }
         }
 
-        if (dot)
+        if (dot && (n_dots < 2 || !allow_trailing_dot))
                 return false;
 
-        if (p-s > HOST_NAME_MAX)
+        if (p-s > HOST_NAME_MAX) /* Note that HOST_NAME_MAX is 64 on
+                                  * Linux, but DNS allows domain names
+                                  * up to 255 characters */
                 return false;
 
         return true;
 }
 
-char* hostname_cleanup(char *s, bool lowercase) {
+char* hostname_cleanup(char *s) {
         char *p, *d;
         bool dot;
 
@@ -110,7 +124,7 @@ char* hostname_cleanup(char *s, bool lowercase) {
                         *(d++) = '.';
                         dot = true;
                 } else if (hostname_valid_char(*p)) {
-                        *(d++) = lowercase ? tolower(*p) : *p;
+                        *(d++) = *p;
                         dot = false;
                 }
 
@@ -132,14 +146,25 @@ bool is_localhost(const char *hostname) {
         /* This tries to identify local host and domain names
          * described in RFC6761 plus the redhatism of .localdomain */
 
-        return streq(hostname, "localhost") ||
+        return strcaseeq(hostname, "localhost") ||
-               streq(hostname, "localhost.") ||
+               strcaseeq(hostname, "localhost.") ||
-               streq(hostname, "localdomain.") ||
+               strcaseeq(hostname, "localdomain.") ||
-               streq(hostname, "localdomain") ||
+               strcaseeq(hostname, "localdomain") ||
-               endswith(hostname, ".localhost") ||
+               endswith_no_case(hostname, ".localhost") ||
-               endswith(hostname, ".localhost.") ||
+               endswith_no_case(hostname, ".localhost.") ||
-               endswith(hostname, ".localdomain") ||
+               endswith_no_case(hostname, ".localdomain") ||
-               endswith(hostname, ".localdomain.");
+               endswith_no_case(hostname, ".localdomain.");
+}
+
+bool is_gateway_hostname(const char *hostname) {
+        assert(hostname);
+
+        /* This tries to identify the valid syntaxes for the our
+         * synthetic "gateway" host. */
+
+        return
+                strcaseeq(hostname, "gateway") ||
+                strcaseeq(hostname, "gateway.");
 }
 
 int sethostname_idempotent(const char *s) {
@@ -176,7 +201,7 @@ int read_hostname_config(const char *path, char **hostname) {
                 truncate_nl(l);
                 if (l[0] != '\0' && l[0] != '#') {
                         /* found line with value */
-                        name = hostname_cleanup(l, false);
+                        name = hostname_cleanup(l);
                         name = strdup(name);
                         if (!name)
                                 return -ENOMEM;

src/basic/hostname-util.h

@@ -29,10 +29,13 @@ bool hostname_is_set(void);
 
 char* gethostname_malloc(void);
 
-bool hostname_is_valid(const char *s) _pure_;
+bool hostname_is_valid(const char *s, bool allow_trailing_dot) _pure_;
-char* hostname_cleanup(char *s, bool lowercase);
+char* hostname_cleanup(char *s);
+
+#define machine_name_is_valid(s) hostname_is_valid(s, false)
 
 bool is_localhost(const char *hostname);
+bool is_gateway_hostname(const char *hostname);
 
 int sethostname_idempotent(const char *s);
 

src/basic/list.h

@@ -123,6 +123,32 @@
                 }                                                       \
         } while(false)
 
+/* Insert an item before another one (a = where, b = what) */
+#define LIST_INSERT_BEFORE(name,head,a,b)                               \
+        do {                                                            \
+                typeof(*(head)) **_head = &(head), *_a = (a), *_b = (b); \
+                assert(_b);                                             \
+                if (!_a) {                                              \
+                        if (!*_head) {                                  \
+                                _b->name##_next = NULL;                 \
+                                _b->name##_prev = NULL;                 \
+                                *_head = _b;                            \
+                        } else {                                        \
+                                typeof(*(head)) *_tail = (head);        \
+                                while (_tail->name##_next)              \
+                                        _tail = _tail->name##_next;     \
+                                _b->name##_next = NULL;                 \
+                                _b->name##_prev = _tail;                \
+                                _tail->name##_next = _b;                \
+                        }                                               \
+                } else {                                                \
+                        if ((_b->name##_prev = _a->name##_prev))        \
+                                _b->name##_prev->name##_next = _b;      \
+                        _b->name##_next = _a;                           \
+                        _a->name##_prev = _b;                           \
+                }                                                       \
+        } while(false)
+
 #define LIST_JUST_US(name,item)                                         \
         (!(item)->name##_prev && !(item)->name##_next)                  \
 

src/basic/missing.h

@@ -977,7 +977,11 @@ static inline int raw_clone(unsigned long flags, void *child_stack) {
 }
 
 static inline pid_t raw_getpid(void) {
+#if defined(__alpha__)
+        return (pid_t) syscall(__NR_getxpid);
+#else
         return (pid_t) syscall(__NR_getpid);
+#endif
 }
 
 #if !HAVE_DECL_RENAMEAT2

src/basic/smack-util.c

@@ -32,109 +32,93 @@
 #define SMACK_FLOOR_LABEL "_"
 #define SMACK_STAR_LABEL  "*"
 
-bool mac_smack_use(void) {
 #ifdef HAVE_SMACK
+bool mac_smack_use(void) {
         static int cached_use = -1;
 
         if (cached_use < 0)
                 cached_use = access("/sys/fs/smackfs/", F_OK) >= 0;
 
         return cached_use;
-#else
-        return false;
-#endif
 }
 
-int mac_smack_apply(const char *path, const char *label) {
+static const char* const smack_attr_table[_SMACK_ATTR_MAX] = {
-        int r = 0;
+        [SMACK_ATTR_ACCESS]     = "security.SMACK64",
+        [SMACK_ATTR_EXEC]       = "security.SMACK64EXEC",
+        [SMACK_ATTR_MMAP]       = "security.SMACK64MMAP",
+        [SMACK_ATTR_TRANSMUTE]  = "security.SMACK64TRANSMUTE",
+        [SMACK_ATTR_IPIN]       = "security.SMACK64IPIN",
+        [SMACK_ATTR_IPOUT]      = "security.SMACK64IPOUT",
+};
+
+DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr);
+
+int mac_smack_read(const char *path, SmackAttr attr, char **label) {
+        assert(path);
+        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
+        assert(label);
+
+        if (!mac_smack_use())
+                return 0;
+
+        return getxattr_malloc(path, smack_attr_to_string(attr), label, true);
+}
+
+int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
+        assert(fd >= 0);
+        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
+        assert(label);
+
+        if (!mac_smack_use())
+                return 0;
+
+        return fgetxattr_malloc(fd, smack_attr_to_string(attr), label);
+}
+
+int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
+        int r;
 
         assert(path);
+        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
 
-#ifdef HAVE_SMACK
         if (!mac_smack_use())
                 return 0;
 
         if (label)
-                r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
+                r = lsetxattr(path, smack_attr_to_string(attr), label, strlen(label), 0);
         else
-                r = lremovexattr(path, "security.SMACK64");
+                r = lremovexattr(path, smack_attr_to_string(attr));
         if (r < 0)
                 return -errno;
-#endif
 
-        return r;
+        return 0;
 }
 
-int mac_smack_apply_fd(int fd, const char *label) {
+int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
-        int r = 0;
+        int r;
 
         assert(fd >= 0);
+        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
 
-#ifdef HAVE_SMACK
         if (!mac_smack_use())
                 return 0;
 
         if (label)
-                r = fsetxattr(fd, "security.SMACK64", label, strlen(label), 0);
+                r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0);
         else
-                r = fremovexattr(fd, "security.SMACK64");
+                r = fremovexattr(fd, smack_attr_to_string(attr));
         if (r < 0)
                 return -errno;
-#endif
 
-        return r;
+        return 0;
-}
-
-int mac_smack_apply_ip_out_fd(int fd, const char *label) {
-        int r = 0;
-
-        assert(fd >= 0);
-
-#ifdef HAVE_SMACK
-        if (!mac_smack_use())
-                return 0;
-
-        if (label)
-                r = fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0);
-        else
-                r = fremovexattr(fd, "security.SMACK64IPOUT");
-        if (r < 0)
-                return -errno;
-#endif
-
-        return r;
-}
-
-int mac_smack_apply_ip_in_fd(int fd, const char *label) {
-        int r = 0;
-
-        assert(fd >= 0);
-
-#ifdef HAVE_SMACK
-        if (!mac_smack_use())
-                return 0;
-
-        if (label)
-                r = fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0);
-        else
-                r = fremovexattr(fd, "security.SMACK64IPIN");
-        if (r < 0)
-                return -errno;
-#endif
-
-        return r;
 }
 
 int mac_smack_apply_pid(pid_t pid, const char *label) {
-
-#ifdef HAVE_SMACK
         const char *p;
-#endif
         int r = 0;
 
         assert(label);
 
-#ifdef HAVE_SMACK
         if (!mac_smack_use())
                 return 0;
 
@@ -142,21 +126,16 @@ int mac_smack_apply_pid(pid_t pid, const char *label) {
         r = write_string_file(p, label, 0);
         if (r < 0)
                 return r;
-#endif
 
         return r;
 }
 
 int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
-
-#ifdef HAVE_SMACK
         struct stat st;
-#endif
         int r = 0;
 
         assert(path);
 
-#ifdef HAVE_SMACK
         if (!mac_smack_use())
                 return 0;
 
@@ -202,7 +181,37 @@ int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
 
                 r = log_debug_errno(errno, "Unable to fix SMACK label of %s: %m", path);
         }
-#endif
 
         return r;
 }
+
+
+#else
+bool mac_smack_use(void) {
+        return false;
+}
+
+int mac_smack_read(const char *path, SmackAttr attr, char **label) {
+        return -EOPNOTSUPP;
+}
+
+int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
+        return -EOPNOTSUPP;
+}
+
+int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
+        return 0;
+}
+
+int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
+        return 0;
+}
+
+int mac_smack_apply_pid(pid_t pid, const char *label) {
+        return 0;
+}
+
+int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
+        return 0;
+}
+#endif

src/basic/smack-util.h

@@ -25,12 +25,28 @@
 
 #include <stdbool.h>
 
+#include "macro.h"
+
+typedef enum SmackAttr {
+        SMACK_ATTR_ACCESS = 0,
+        SMACK_ATTR_EXEC = 1,
+        SMACK_ATTR_MMAP = 2,
+        SMACK_ATTR_TRANSMUTE = 3,
+        SMACK_ATTR_IPIN = 4,
+        SMACK_ATTR_IPOUT = 5,
+        _SMACK_ATTR_MAX,
+        _SMACK_ATTR_INVALID = -1,
+} SmackAttr;
+
 bool mac_smack_use(void);
 
 int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs);
 
-int mac_smack_apply(const char *path, const char *label);
+const char* smack_attr_to_string(SmackAttr i) _const_;
-int mac_smack_apply_fd(int fd, const char *label);
+SmackAttr smack_attr_from_string(const char *s) _pure_;
+int mac_smack_read(const char *path, SmackAttr attr, char **label);
+int mac_smack_read_fd(int fd, SmackAttr attr, char **label);
+int mac_smack_apply(const char *path, SmackAttr attr, const char *label);
+int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label);
+
 int mac_smack_apply_pid(pid_t pid, const char *label);
-int mac_smack_apply_ip_in_fd(int fd, const char *label);
-int mac_smack_apply_ip_out_fd(int fd, const char *label);

src/basic/strv.c

@@ -278,7 +278,7 @@ char **strv_split_newlines(const char *s) {
         return l;
 }
 
-int strv_split_quoted(char ***t, const char *s, UnquoteFlags flags) {
+int strv_split_extract(char ***t, const char *s, const char *separators, ExtractFlags flags) {
         size_t n = 0, allocated = 0;
         _cleanup_strv_free_ char **l = NULL;
         int r;
@@ -289,11 +289,12 @@ int strv_split_quoted(char ***t, const char *s, UnquoteFlags flags) {
         for (;;) {
                 _cleanup_free_ char *word = NULL;
 
-                r = unquote_first_word(&s, &word, flags);
+                r = extract_first_word(&s, &word, separators, flags);
                 if (r < 0)
                         return r;
-                if (r == 0)
+                if (r == 0) {
                         break;
+                }
 
                 if (!GREEDY_REALLOC(l, allocated, n + 2))
                         return -ENOMEM;
@@ -693,6 +694,26 @@ char **strv_reverse(char **l) {
         return l;
 }
 
+char **strv_shell_escape(char **l, const char *bad) {
+        char **s;
+
+        /* Escapes every character in every string in l that is in bad,
+         * edits in-place, does not roll-back on error. */
+
+        STRV_FOREACH(s, l) {
+                char *v;
+
+                v = shell_escape(*s, bad);
+                if (!v)
+                        return NULL;
+
+                free(*s);
+                *s = v;
+        }
+
+        return l;
+}
+
 bool strv_fnmatch(char* const* patterns, const char *s, int flags) {
         char* const* p;
 

src/basic/strv.h

@@ -73,7 +73,7 @@ static inline bool strv_isempty(char * const *l) {
 char **strv_split(const char *s, const char *separator);
 char **strv_split_newlines(const char *s);
 
-int strv_split_quoted(char ***t, const char *s, UnquoteFlags flags);
+int strv_split_extract(char ***t, const char *s, const char *separators, ExtractFlags flags);
 
 char *strv_join(char **l, const char *separator);
 char *strv_join_quoted(char **l);
@@ -145,6 +145,7 @@ void strv_print(char **l);
         }))
 
 char **strv_reverse(char **l);
+char **strv_shell_escape(char **l, const char *bad);
 
 bool strv_fnmatch(char* const* patterns, const char *s, int flags);
 

src/basic/terminal-util.c

@@ -44,7 +44,7 @@ static volatile unsigned cached_lines = 0;
 int chvt(int vt) {
         _cleanup_close_ int fd;
 
-        fd = open_terminal("/dev/tty0", O_RDWR|O_NOCTTY|O_CLOEXEC);
+        fd = open_terminal("/dev/tty0", O_RDWR|O_NOCTTY|O_CLOEXEC|O_NONBLOCK);
         if (fd < 0)
                 return -errno;
 
@@ -230,14 +230,14 @@ int reset_terminal_fd(int fd, bool switch_to_text) {
          * interfere with that. */
 
         /* Disable exclusive mode, just in case */
-        ioctl(fd, TIOCNXCL);
+        (void) ioctl(fd, TIOCNXCL);
 
         /* Switch to text mode */
         if (switch_to_text)
-                ioctl(fd, KDSETMODE, KD_TEXT);
+                (void) ioctl(fd, KDSETMODE, KD_TEXT);
 
         /* Enable console unicode mode */
-        ioctl(fd, KDSKBMODE, K_UNICODE);
+        (void) ioctl(fd, KDSKBMODE, K_UNICODE);
 
         if (tcgetattr(fd, &termios) < 0) {
                 r = -errno;
@@ -276,7 +276,7 @@ int reset_terminal_fd(int fd, bool switch_to_text) {
 
 finish:
         /* Just in case, flush all crap out */
-        tcflush(fd, TCIOFLUSH);
+        (void) tcflush(fd, TCIOFLUSH);
 
         return r;
 }
@@ -284,7 +284,11 @@ finish:
 int reset_terminal(const char *name) {
         _cleanup_close_ int fd = -1;
 
-        fd = open_terminal(name, O_RDWR|O_NOCTTY|O_CLOEXEC);
+        /* We open the terminal with O_NONBLOCK here, to ensure we
+         * don't block on carrier if this is a terminal with carrier
+         * configured. */
+
+        fd = open_terminal(name, O_RDWR|O_NOCTTY|O_CLOEXEC|O_NONBLOCK);
         if (fd < 0)
                 return fd;
 
@@ -304,7 +308,8 @@ int open_terminal(const char *name, int mode) {
          * https://bugs.launchpad.net/ubuntu/+source/linux/+bug/554172/comments/245
          */
 
-        assert(!(mode & O_CREAT));
+        if (mode & O_CREAT)
+                return -EINVAL;
 
         for (;;) {
                 fd = open(name, mode, 0);
@@ -413,9 +418,8 @@ int acquire_terminal(
                 if (r < 0 && r == -EPERM && ignore_tiocstty_eperm)
                         r = 0;
 
-                if (r < 0 && (force || fail || r != -EPERM)) {
+                if (r < 0 && (force || fail || r != -EPERM))
                         goto fail;
-                }
 
                 if (r >= 0)
                         break;
@@ -499,7 +503,7 @@ int release_terminal(void) {
         struct sigaction sa_old;
         int r = 0;
 
-        fd = open("/dev/tty", O_RDWR|O_NOCTTY|O_NDELAY|O_CLOEXEC);
+        fd = open("/dev/tty", O_RDWR|O_NOCTTY|O_CLOEXEC|O_NONBLOCK);
         if (fd < 0)
                 return -errno;
 
@@ -527,7 +531,7 @@ int terminal_vhangup_fd(int fd) {
 int terminal_vhangup(const char *name) {
         _cleanup_close_ int fd;
 
-        fd = open_terminal(name, O_RDWR|O_NOCTTY|O_CLOEXEC);
+        fd = open_terminal(name, O_RDWR|O_NOCTTY|O_CLOEXEC|O_NONBLOCK);
         if (fd < 0)
                 return fd;
 
@@ -574,7 +578,7 @@ int vt_disallocate(const char *name) {
                 return -EINVAL;
 
         /* Try to deallocate */
-        fd = open_terminal("/dev/tty0", O_RDWR|O_NOCTTY|O_CLOEXEC);
+        fd = open_terminal("/dev/tty0", O_RDWR|O_NOCTTY|O_CLOEXEC|O_NONBLOCK);
         if (fd < 0)
                 return fd;
 
@@ -612,16 +616,16 @@ void warn_melody(void) {
 
         /* Yeah, this is synchronous. Kinda sucks. But well... */
 
-        ioctl(fd, KIOCSOUND, (int)(1193180/440));
+        (void) ioctl(fd, KIOCSOUND, (int)(1193180/440));
         usleep(125*USEC_PER_MSEC);
 
-        ioctl(fd, KIOCSOUND, (int)(1193180/220));
+        (void) ioctl(fd, KIOCSOUND, (int)(1193180/220));
         usleep(125*USEC_PER_MSEC);
 
-        ioctl(fd, KIOCSOUND, (int)(1193180/220));
+        (void) ioctl(fd, KIOCSOUND, (int)(1193180/220));
         usleep(125*USEC_PER_MSEC);
 
-        ioctl(fd, KIOCSOUND, 0);
+        (void) ioctl(fd, KIOCSOUND, 0);
 }
 
 int make_console_stdio(void) {

src/basic/time-util.c

@@ -88,6 +88,32 @@ dual_timestamp* dual_timestamp_from_monotonic(dual_timestamp *ts, usec_t u) {
         return ts;
 }
 
+dual_timestamp* dual_timestamp_from_boottime_or_monotonic(dual_timestamp *ts, usec_t u) {
+        int64_t delta;
+
+        if (u == USEC_INFINITY) {
+                ts->realtime = ts->monotonic = USEC_INFINITY;
+                return ts;
+        }
+        ts->realtime = now(CLOCK_REALTIME);
+        ts->monotonic = now(CLOCK_MONOTONIC);
+
+        delta = (int64_t) now(clock_boottime_or_monotonic()) - (int64_t) u;
+
+        if ((int64_t) ts->realtime > delta)
+                ts->realtime -= delta;
+        else
+                ts->realtime = 0;
+
+        if ((int64_t) ts->monotonic > delta)
+                ts->monotonic -= delta;
+        else
+                ts->monotonic = 0;
+
+        return ts;
+}
+
+
 usec_t timespec_load(const struct timespec *ts) {
         assert(ts);
 

src/basic/time-util.h

@@ -74,6 +74,7 @@ usec_t now(clockid_t clock);
 dual_timestamp* dual_timestamp_get(dual_timestamp *ts);
 dual_timestamp* dual_timestamp_from_realtime(dual_timestamp *ts, usec_t u);
 dual_timestamp* dual_timestamp_from_monotonic(dual_timestamp *ts, usec_t u);
+dual_timestamp* dual_timestamp_from_boottime_or_monotonic(dual_timestamp *ts, usec_t u);
 
 static inline bool dual_timestamp_is_set(dual_timestamp *ts) {
         return ((ts->realtime > 0 && ts->realtime != USEC_INFINITY) ||

src/basic/util.c

@@ -115,17 +115,23 @@ size_t page_size(void) {
         return pgsz;
 }
 
-bool streq_ptr(const char *a, const char *b) {
+int strcmp_ptr(const char *a, const char *b) {
-
-        /* Like streq(), but tries to make sense of NULL pointers */
 
+        /* Like strcmp(), but tries to make sense of NULL pointers */
         if (a && b)
-                return streq(a, b);
+                return strcmp(a, b);
 
-        if (!a && !b)
+        if (!a && b)
-                return true;
+                return -1;
 
-        return false;
+        if (a && !b)
+                return 1;
+
+        return 0;
+}
+
+bool streq_ptr(const char *a, const char *b) {
+        return strcmp_ptr(a, b) == 0;
 }
 
 char* endswith(const char *s, const char *postfix) {
@@ -3000,21 +3006,6 @@ char* strshorten(char *s, size_t l) {
         return s;
 }
 
-bool machine_name_is_valid(const char *s) {
-
-        if (!hostname_is_valid(s))
-                return false;
-
-        /* Machine names should be useful hostnames, but also be
-         * useful in unit names, hence we enforce a stricter length
-         * limitation. */
-
-        if (strlen(s) > 64)
-                return false;
-
-        return true;
-}
-
 int pipe_eof(int fd) {
         struct pollfd pollfd = {
                 .fd = fd,
@@ -4837,7 +4828,7 @@ int parse_proc_cmdline(int (*parse_item)(const char *key, const char *value)) {
                 _cleanup_free_ char *word = NULL;
                 char *value = NULL;
 
-                r = unquote_first_word(&p, &word, UNQUOTE_RELAX);
+                r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES|EXTRACT_RELAX);
                 if (r < 0)
                         return r;
                 if (r == 0)
@@ -4877,7 +4868,7 @@ int get_proc_cmdline_key(const char *key, char **value) {
                 _cleanup_free_ char *word = NULL;
                 const char *e;
 
-                r = unquote_first_word(&p, &word, UNQUOTE_RELAX);
+                r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES|EXTRACT_RELAX);
                 if (r < 0)
                         return r;
                 if (r == 0)
@@ -4922,6 +4913,9 @@ int container_get_leader(const char *machine, pid_t *pid) {
         assert(machine);
         assert(pid);
 
+        if (!machine_name_is_valid(machine))
+                return -EINVAL;
+
         p = strjoina("/run/systemd/machines/", machine);
         r = parse_env_file(p, NEWLINE, "LEADER", &s, "CLASS", &class, NULL);
         if (r == -ENOENT)
@@ -4944,8 +4938,8 @@ int container_get_leader(const char *machine, pid_t *pid) {
         return 0;
 }
 
-int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *netns_fd, int *root_fd) {
+int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *netns_fd, int *userns_fd, int *root_fd) {
-        _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, netnsfd = -1;
+        _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, netnsfd = -1, usernsfd = -1;
         int rfd = -1;
 
         assert(pid >= 0);
@@ -4977,6 +4971,15 @@ int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *netns_fd, int *
                         return -errno;
         }
 
+        if (userns_fd) {
+                const char *userns;
+
+                userns = procfs_file_alloca(pid, "ns/user");
+                usernsfd = open(userns, O_RDONLY|O_NOCTTY|O_CLOEXEC);
+                if (usernsfd < 0 && errno != ENOENT)
+                        return -errno;
+        }
+
         if (root_fd) {
                 const char *root;
 
@@ -4995,15 +4998,33 @@ int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *netns_fd, int *
         if (netns_fd)
                 *netns_fd = netnsfd;
 
+        if (userns_fd)
+                *userns_fd = usernsfd;
+
         if (root_fd)
                 *root_fd = rfd;
 
-        pidnsfd = mntnsfd = netnsfd = -1;
+        pidnsfd = mntnsfd = netnsfd = usernsfd = -1;
 
         return 0;
 }
 
-int namespace_enter(int pidns_fd, int mntns_fd, int netns_fd, int root_fd) {
+int namespace_enter(int pidns_fd, int mntns_fd, int netns_fd, int userns_fd, int root_fd) {
+        if (userns_fd >= 0) {
+                /* Can't setns to your own userns, since then you could
+                 * escalate from non-root to root in your own namespace, so
+                 * check if namespaces equal before attempting to enter. */
+                _cleanup_free_ char *userns_fd_path = NULL;
+                int r;
+                if (asprintf(&userns_fd_path, "/proc/self/fd/%d", userns_fd) < 0)
+                        return -ENOMEM;
+
+                r = files_same(userns_fd_path, "/proc/self/ns/user");
+                if (r < 0)
+                        return r;
+                if (r)
+                        userns_fd = -1;
+        }
 
         if (pidns_fd >= 0)
                 if (setns(pidns_fd, CLONE_NEWPID) < 0)
@@ -5017,6 +5038,10 @@ int namespace_enter(int pidns_fd, int mntns_fd, int netns_fd, int root_fd) {
                 if (setns(netns_fd, CLONE_NEWNET) < 0)
                         return -errno;
 
+        if (userns_fd >= 0)
+                if (setns(userns_fd, CLONE_NEWUSER) < 0)
+                        return -errno;
+
         if (root_fd >= 0) {
                 if (fchdir(root_fd) < 0)
                         return -errno;
@@ -5692,7 +5717,7 @@ int is_device_node(const char *path) {
         return !!(S_ISBLK(info.st_mode) || S_ISCHR(info.st_mode));
 }
 
-int unquote_first_word(const char **p, char **ret, UnquoteFlags flags) {
+int extract_first_word(const char **p, char **ret, const char *separators, ExtractFlags flags) {
         _cleanup_free_ char *s = NULL;
         size_t allocated = 0, sz = 0;
         int r;
@@ -5705,13 +5730,19 @@ int unquote_first_word(const char **p, char **ret, UnquoteFlags flags) {
                 SINGLE_QUOTE_ESCAPE,
                 DOUBLE_QUOTE,
                 DOUBLE_QUOTE_ESCAPE,
-                SPACE,
+                SEPARATOR,
         } state = START;
 
         assert(p);
-        assert(*p);
         assert(ret);
 
+        if (!separators)
+                separators = WHITESPACE;
+
+        /* Bail early if called after last value or with no input */
+        if (!*p)
+                goto finish_force_terminate;
+
         /* Parses the first word of a string, and returns it in
          * *ret. Removes all quotes in the process. When parsing fails
          * (because of an uneven number of quotes or similar), leaves
@@ -5723,32 +5754,46 @@ int unquote_first_word(const char **p, char **ret, UnquoteFlags flags) {
                 switch (state) {
 
                 case START:
-                        if (c == 0)
+                        if (c == 0) {
-                                goto finish;
+                                if (flags & EXTRACT_DONT_COALESCE_SEPARATORS)
-                        else if (strchr(WHITESPACE, c))
+                                        if (!GREEDY_REALLOC(s, allocated, sz+1))
+                                                return -ENOMEM;
+                                goto finish_force_terminate;
+                        } else if (strchr(separators, c)) {
+                                if (flags & EXTRACT_DONT_COALESCE_SEPARATORS) {
+                                        if (!GREEDY_REALLOC(s, allocated, sz+1))
+                                                return -ENOMEM;
+                                        (*p) ++;
+                                        goto finish_force_next;
+                                }
                                 break;
+                        }
 
                         state = VALUE;
                         /* fallthrough */
 
                 case VALUE:
                         if (c == 0)
-                                goto finish;
+                                goto finish_force_terminate;
-                        else if (c == '\'') {
+                        else if (c == '\'' && (flags & EXTRACT_QUOTES)) {
                                 if (!GREEDY_REALLOC(s, allocated, sz+1))
                                         return -ENOMEM;
 
                                 state = SINGLE_QUOTE;
                         } else if (c == '\\')
                                 state = VALUE_ESCAPE;
-                        else if (c == '\"') {
+                        else if (c == '\"' && (flags & EXTRACT_QUOTES)) {
                                 if (!GREEDY_REALLOC(s, allocated, sz+1))
                                         return -ENOMEM;
 
                                 state = DOUBLE_QUOTE;
-                        } else if (strchr(WHITESPACE, c))
+                        } else if (strchr(separators, c)) {
-                                state = SPACE;
+                                if (flags & EXTRACT_DONT_COALESCE_SEPARATORS) {
-                        else {
+                                        (*p) ++;
+                                        goto finish_force_next;
+                                }
+                                state = SEPARATOR;
+                        } else {
                                 if (!GREEDY_REALLOC(s, allocated, sz+2))
                                         return -ENOMEM;
 
@@ -5759,8 +5804,8 @@ int unquote_first_word(const char **p, char **ret, UnquoteFlags flags) {
 
                 case SINGLE_QUOTE:
                         if (c == 0) {
-                                if (flags & UNQUOTE_RELAX)
+                                if (flags & EXTRACT_RELAX)
-                                        goto finish;
+                                        goto finish_force_terminate;
                                 return -EINVAL;
                         } else if (c == '\'')
                                 state = VALUE;
@@ -5798,29 +5843,29 @@ int unquote_first_word(const char **p, char **ret, UnquoteFlags flags) {
                                 return -ENOMEM;
 
                         if (c == 0) {
-                                if ((flags & UNQUOTE_CUNESCAPE_RELAX) &&
+                                if ((flags & EXTRACT_CUNESCAPE_RELAX) &&
-                                    (state == VALUE_ESCAPE || flags & UNQUOTE_RELAX)) {
+                                    (state == VALUE_ESCAPE || flags & EXTRACT_RELAX)) {
                                         /* If we find an unquoted trailing backslash and we're in
-                                         * UNQUOTE_CUNESCAPE_RELAX mode, keep it verbatim in the
+                                         * EXTRACT_CUNESCAPE_RELAX mode, keep it verbatim in the
                                          * output.
                                          *
-                                         * Unbalanced quotes will only be allowed in UNQUOTE_RELAX
+                                         * Unbalanced quotes will only be allowed in EXTRACT_RELAX
-                                         * mode, UNQUOTE_CUNESCAP_RELAX mode does not allow them.
+                                         * mode, EXTRACT_CUNESCAPE_RELAX mode does not allow them.
                                          */
                                         s[sz++] = '\\';
-                                        goto finish;
+                                        goto finish_force_terminate;
                                 }
-                                if (flags & UNQUOTE_RELAX)
+                                if (flags & EXTRACT_RELAX)
-                                        goto finish;
+                                        goto finish_force_terminate;
                                 return -EINVAL;
                         }
 
-                        if (flags & UNQUOTE_CUNESCAPE) {
+                        if (flags & EXTRACT_CUNESCAPE) {
                                 uint32_t u;
 
                                 r = cunescape_one(*p, (size_t) -1, &c, &u);
                                 if (r < 0) {
-                                        if (flags & UNQUOTE_CUNESCAPE_RELAX) {
+                                        if (flags & EXTRACT_CUNESCAPE_RELAX) {
                                                 s[sz++] = '\\';
                                                 s[sz++] = c;
                                                 goto end_escape;
@@ -5843,24 +5888,29 @@ end_escape:
                                 VALUE;
                         break;
 
-                case SPACE:
+                case SEPARATOR:
                         if (c == 0)
+                                goto finish_force_terminate;
+                        if (flags & EXTRACT_DONT_COALESCE_SEPARATORS)
+                                goto finish_force_next;
+                        if (!strchr(separators, c))
                                 goto finish;
-                        if (!strchr(WHITESPACE, c))
-                                goto finish;
-
                         break;
                 }
 
                 (*p) ++;
         }
 
+finish_force_terminate:
+        *p = NULL;
 finish:
         if (!s) {
+                *p = NULL;
                 *ret = NULL;
                 return 0;
         }
 
+finish_force_next:
         s[sz] = 0;
         *ret = s;
         s = NULL;
@@ -5868,26 +5918,27 @@ finish:
         return 1;
 }
 
-int unquote_first_word_and_warn(
+int extract_first_word_and_warn(
                 const char **p,
                 char **ret,
-                UnquoteFlags flags,
+                const char *separators,
+                ExtractFlags flags,
                 const char *unit,
                 const char *filename,
                 unsigned line,
                 const char *rvalue) {
         /* Try to unquote it, if it fails, warn about it and try again but this
-         * time using UNQUOTE_CUNESCAPE_RELAX to keep the backslashes verbatim
+         * time using EXTRACT_CUNESCAPE_RELAX to keep the backslashes verbatim
          * in invalid escape sequences. */
         const char *save;
         int r;
 
         save = *p;
-        r = unquote_first_word(p, ret, flags);
+        r = extract_first_word(p, ret, separators, flags);
-        if (r < 0 && !(flags&UNQUOTE_CUNESCAPE_RELAX)) {
+        if (r < 0 && !(flags&EXTRACT_CUNESCAPE_RELAX)) {
-                /* Retry it with UNQUOTE_CUNESCAPE_RELAX. */
+                /* Retry it with EXTRACT_CUNESCAPE_RELAX. */
                 *p = save;
-                r = unquote_first_word(p, ret, flags|UNQUOTE_CUNESCAPE_RELAX);
+                r = extract_first_word(p, ret, separators, flags|EXTRACT_CUNESCAPE_RELAX);
                 if (r < 0)
                         log_syntax(unit, LOG_ERR, filename, line, EINVAL,
                                    "Unbalanced quoting in command line, ignoring: \"%s\"", rvalue);
@@ -5898,7 +5949,7 @@ int unquote_first_word_and_warn(
         return r;
 }
 
-int unquote_many_words(const char **p, UnquoteFlags flags, ...) {
+int extract_many_words(const char **p, const char *separators, ExtractFlags flags, ...) {
         va_list ap;
         char **l;
         int n = 0, i, c, r;
@@ -5924,7 +5975,7 @@ int unquote_many_words(const char **p, UnquoteFlags flags, ...) {
         l = newa0(char*, n);
         for (c = 0; c < n; c++) {
 
-                r = unquote_first_word(p, &l[c], flags);
+                r = extract_first_word(p, &l[c], separators, flags);
                 if (r < 0) {
                         int j;
 
@@ -6006,7 +6057,7 @@ int ptsname_malloc(int fd, char **ret) {
 }
 
 int openpt_in_namespace(pid_t pid, int flags) {
-        _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1;
+        _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, usernsfd = -1, rootfd = -1;
         _cleanup_close_pair_ int pair[2] = { -1, -1 };
         union {
                 struct cmsghdr cmsghdr;
@@ -6023,7 +6074,7 @@ int openpt_in_namespace(pid_t pid, int flags) {
 
         assert(pid > 0);
 
-        r = namespace_open(pid, &pidnsfd, &mntnsfd, NULL, &rootfd);
+        r = namespace_open(pid, &pidnsfd, &mntnsfd, NULL, &usernsfd, &rootfd);
         if (r < 0)
                 return r;
 
@@ -6039,7 +6090,7 @@ int openpt_in_namespace(pid_t pid, int flags) {
 
                 pair[0] = safe_close(pair[0]);
 
-                r = namespace_enter(pidnsfd, mntnsfd, -1, rootfd);
+                r = namespace_enter(pidnsfd, mntnsfd, -1, usernsfd, rootfd);
                 if (r < 0)
                         _exit(EXIT_FAILURE);
 
@@ -6505,6 +6556,32 @@ int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char
         return 0;
 }
 
+static char *strcpy_backslash_escaped(char *t, const char *s, const char *bad) {
+        assert(bad);
+
+        for (; *s; s++) {
+                if (*s == '\\' || strchr(bad, *s))
+                        *(t++) = '\\';
+
+                *(t++) = *s;
+        }
+
+        return t;
+}
+
+char *shell_escape(const char *s, const char *bad) {
+        char *r, *t;
+
+        r = new(char, strlen(s)*2+1);
+        if (!r)
+                return NULL;
+
+        t = strcpy_backslash_escaped(r, s, bad);
+        *t = 0;
+
+        return r;
+}
+
 char *shell_maybe_quote(const char *s) {
         const char *p;
         char *r, *t;
@@ -6531,13 +6608,7 @@ char *shell_maybe_quote(const char *s) {
         *(t++) = '"';
         t = mempcpy(t, s, p - s);
 
-        for (; *p; p++) {
+        t = strcpy_backslash_escaped(t, p, SHELL_NEED_ESCAPE);
-
-                if (strchr(SHELL_NEED_ESCAPE, *p))
-                        *(t++) = '\\';
-
-                *(t++) = *p;
-        }
 
         *(t++)= '"';
         *t = 0;
@@ -6597,3 +6668,73 @@ int reset_uid_gid(void) {
 
         return 0;
 }
+
+int getxattr_malloc(const char *path, const char *name, char **value, bool allow_symlink) {
+        char *v;
+        size_t l;
+        ssize_t n;
+
+        assert(path);
+        assert(name);
+        assert(value);
+
+        for (l = 100; ; l = (size_t) n + 1) {
+                v = new0(char, l);
+                if (!v)
+                        return -ENOMEM;
+
+                if (allow_symlink)
+                        n = lgetxattr(path, name, v, l);
+                else
+                        n = getxattr(path, name, v, l);
+
+                if (n >= 0 && (size_t) n < l) {
+                        *value = v;
+                        return n;
+                }
+
+                free(v);
+
+                if (n < 0 && errno != ERANGE)
+                        return -errno;
+
+                if (allow_symlink)
+                        n = lgetxattr(path, name, NULL, 0);
+                else
+                        n = getxattr(path, name, NULL, 0);
+                if (n < 0)
+                        return -errno;
+        }
+}
+
+int fgetxattr_malloc(int fd, const char *name, char **value) {
+        char *v;
+        size_t l;
+        ssize_t n;
+
+        assert(fd >= 0);
+        assert(name);
+        assert(value);
+
+        for (l = 100; ; l = (size_t) n + 1) {
+                v = new0(char, l);
+                if (!v)
+                        return -ENOMEM;
+
+                n = fgetxattr(fd, name, v, l);
+
+                if (n >= 0 && (size_t) n < l) {
+                        *value = v;
+                        return n;
+                }
+
+                free(v);
+
+                if (n < 0 && errno != ERANGE)
+                        return -errno;
+
+                n = fgetxattr(fd, name, NULL, 0);
+                if (n < 0)
+                        return -errno;
+        }
+}

src/basic/util.h

@@ -71,6 +71,7 @@ size_t page_size(void) _pure_;
 #define strncaseeq(a, b, n) (strncasecmp((a), (b), (n)) == 0)
 
 bool streq_ptr(const char *a, const char *b) _pure_;
+int strcmp_ptr(const char *a, const char *b) _pure_;
 
 #define new(t, n) ((t*) malloc_multiply(sizeof(t), (n)))
 
@@ -84,6 +85,11 @@ bool streq_ptr(const char *a, const char *b) _pure_;
 
 #define malloc0(n) (calloc((n), 1))
 
+static inline void *mfree(void *memory) {
+        free(memory);
+        return NULL;
+}
+
 static inline const char* yes_no(bool b) {
         return b ? "yes" : "no";
 }
@@ -388,8 +394,6 @@ bool nulstr_contains(const char*nulstr, const char *needle);
 
 bool plymouth_running(void);
 
-bool machine_name_is_valid(const char *s) _pure_;
-
 char* strshorten(char *s, size_t l);
 
 int symlink_idempotent(const char *from, const char *to);
@@ -797,8 +801,8 @@ int get_proc_cmdline_key(const char *parameter, char **value);
 
 int container_get_leader(const char *machine, pid_t *pid);
 
-int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *netns_fd, int *root_fd);
+int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *netns_fd, int *userns_fd, int *root_fd);
-int namespace_enter(int pidns_fd, int mntns_fd, int netns_fd, int root_fd);
+int namespace_enter(int pidns_fd, int mntns_fd, int netns_fd, int userns_fd, int root_fd);
 
 int getpeercred(int fd, struct ucred *ucred);
 int getpeersec(int fd, char **ret);
@@ -848,15 +852,22 @@ int is_symlink(const char *path);
 int is_dir(const char *path, bool follow);
 int is_device_node(const char *path);
 
-typedef enum UnquoteFlags {
+typedef enum ExtractFlags {
-        UNQUOTE_RELAX           = 1,
+        EXTRACT_RELAX           = 1,
-        UNQUOTE_CUNESCAPE       = 2,
+        EXTRACT_CUNESCAPE       = 2,
-        UNQUOTE_CUNESCAPE_RELAX = 4,
+        EXTRACT_CUNESCAPE_RELAX = 4,
-} UnquoteFlags;
+        EXTRACT_QUOTES          = 8,
+        EXTRACT_DONT_COALESCE_SEPARATORS = 16,
+} ExtractFlags;
 
-int unquote_first_word(const char **p, char **ret, UnquoteFlags flags);
+int extract_first_word(const char **p, char **ret, const char *separators, ExtractFlags flags);
-int unquote_first_word_and_warn(const char **p, char **ret, UnquoteFlags flags, const char *unit, const char *filename, unsigned line, const char *rvalue);
+int extract_first_word_and_warn(const char **p, char **ret, const char *separators, ExtractFlags flags, const char *unit, const char *filename, unsigned line, const char *rvalue);
-int unquote_many_words(const char **p, UnquoteFlags flags, ...) _sentinel_;
+int extract_many_words(const char **p, const char *separators, ExtractFlags flags, ...) _sentinel_;
+
+static inline void free_and_replace(char **s, char *v) {
+        free(*s);
+        *s = v;
+}
 
 int free_and_strdup(char **p, const char *s);
 
@@ -906,6 +917,7 @@ void cmsg_close_all(struct msghdr *mh);
 
 int rename_noreplace(int olddirfd, const char *oldpath, int newdirfd, const char *newpath);
 
+char *shell_escape(const char *s, const char *bad);
 char *shell_maybe_quote(const char *s);
 
 int parse_mode(const char *s, mode_t *ret);
@@ -913,3 +925,6 @@ int parse_mode(const char *s, mode_t *ret);
 int mount_move_root(const char *path);
 
 int reset_uid_gid(void);
+
+int getxattr_malloc(const char *path, const char *name, char **value, bool allow_symlink);
+int fgetxattr_malloc(int fd, const char *name, char **value);

src/boot/bootctl.c

@@ -818,7 +818,7 @@ static int remove_boot_efi(const char *esp_path) {
                         if (r < 0)
                                 return log_error_errno(errno, "Failed to remove \"%s/%s\": %m", p, de->d_name);
 
-                        log_info("Removed \"%s/\%s\".", p, de->d_name);
+                        log_info("Removed \"%s/%s\".", p, de->d_name);
                 }
 
                 c++;

src/bootchart/bootchart.c

@@ -367,7 +367,7 @@ int main(int argc, char *argv[]) {
                 struct timespec n;
                 double uptime;
 
-                clock_gettime(CLOCK_BOOTTIME, &n);
+                clock_gettime(clock_boottime_or_monotonic(), &n);
                 uptime = (n.tv_sec + (n.tv_nsec / (double) NSEC_PER_SEC));
 
                 log_start = gettime_ns();

src/bus-proxyd/bus-xml-policy.c

@@ -586,10 +586,8 @@ static int file_load(Policy *p, const char *path) {
                                 case POLICY_ITEM_SEND:
                                 case POLICY_ITEM_RECV:
 
-                                        if (streq(name, "*")) {
+                                        if (streq(name, "*"))
-                                                free(name);
+                                                name = mfree(name);
-                                                name = NULL;
-                                        }
                                         break;
 
 

src/bus-proxyd/driver.c

@@ -35,6 +35,7 @@
 #include "driver.h"
 #include "proxy.h"
 #include "synthesize.h"
+#include "env-util.h"
 
 static int get_creds_by_name(sd_bus *bus, const char *name, uint64_t mask, sd_bus_creds **_creds, sd_bus_error *error) {
         _cleanup_bus_creds_unref_ sd_bus_creds *c = NULL;
@@ -694,9 +695,13 @@ int bus_proxy_process_driver(Proxy *p, sd_bus *a, sd_bus *b, sd_bus_message *m,
                         if (!s)
                                 return synthetic_reply_method_errno(m, -ENOMEM, NULL);
 
-                        r  = strv_extend(&args, s);
+                        if (!env_assignment_is_valid(s)) {
-                        if (r < 0)
+                                log_warning("UpdateActivationEnvironment() called with invalid assignment, discarding: %s", s);
-                                return synthetic_reply_method_errno(m, r, NULL);
+                        } else {
+                                r = strv_extend(&args, s);
+                                if (r < 0)
+                                        return synthetic_reply_method_errno(m, r, NULL);
+                        }
 
                         r = sd_bus_message_exit_container(m);
                         if (r < 0)

src/bus-proxyd/proxy.c

@@ -770,19 +770,21 @@ static int proxy_process_destination_to_local(Proxy *p) {
                         return r;
 
                 /* If the peer tries to send a reply and it is
-                 * rejected with EPERM by the kernel, we ignore the
+                 * rejected with EBADSLT by the kernel, we ignore the
                  * error. This catches cases where the original
                  * method-call didn't had EXPECT_REPLY set, but the
                  * proxy-peer still sends a reply. This is allowed in
                  * dbus1, but not in kdbus. We don't want to track
                  * reply-windows in the proxy, so we simply ignore
-                 * EPERM for all replies. The only downside is, that
+                 * EBADSLT for all replies. The only downside is, that
                  * callers are no longer notified if their replies are
                  * dropped. However, this is equivalent to the
                  * caller's timeout to expire, so this should be
                  * acceptable. Nobody sane sends replies without a
                  * matching method-call, so nobody should care. */
-                if (r == -EPERM && m->reply_cookie > 0)
+
+                /* FIXME: remove -EPERM when kdbus is updated */
+                if ((r == -EPERM || r == -EBADSLT) && m->reply_cookie > 0)
                         return 1;
 
                 /* Return the error to the client, if we can */
@@ -863,8 +865,8 @@ static int proxy_process_local_to_destination(Proxy *p) {
                         if (r == -EREMCHG)
                                 continue;
 
-                        /* see above why EPERM is ignored for replies */
+                        /* see above why EBADSLT is ignored for replies */
-                        if (r == -EPERM && m->reply_cookie > 0)
+                        if ((r == -EPERM || r == -EBADSLT) && m->reply_cookie > 0)
                                 return 1;
 
                         synthetic_reply_method_errnof(m, r, "Failed to forward message we got from local: %m");

src/core/dbus-cgroup.c

@@ -433,9 +433,9 @@ int bus_cgroup_set_property(
                         if (!f)
                                 return -ENOMEM;
 
-                         if (read) {
+                        if (read) {
                                 fputs("BlockIOReadBandwidth=\n", f);
-                                 LIST_FOREACH(device_bandwidths, a, c->blockio_device_bandwidths)
+                                LIST_FOREACH(device_bandwidths, a, c->blockio_device_bandwidths)
                                         if (a->read)
                                                 fprintf(f, "BlockIOReadBandwidth=%s %" PRIu64 "\n", a->path, a->bandwidth);
                         } else {

src/core/dbus-execute.c

@@ -46,6 +46,8 @@ BUS_DEFINE_PROPERTY_GET_ENUM(bus_property_get_exec_output, exec_output, ExecOutp
 
 static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_input, exec_input, ExecInput);
 
+static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_utmp_mode, exec_utmp_mode, ExecUtmpMode);
+
 static BUS_DEFINE_PROPERTY_GET_ENUM(bus_property_get_protect_home, protect_home, ProtectHome);
 static BUS_DEFINE_PROPERTY_GET_ENUM(bus_property_get_protect_system, protect_system, ProtectSystem);
 
@@ -653,6 +655,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
         SD_BUS_PROPERTY("ProtectSystem", "s", bus_property_get_protect_system, offsetof(ExecContext, protect_system), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("SameProcessGroup", "b", bus_property_get_bool, offsetof(ExecContext, same_pgrp), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("UtmpIdentifier", "s", NULL, offsetof(ExecContext, utmp_id), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("UtmpMode", "s", property_get_exec_utmp_mode, offsetof(ExecContext, utmp_mode), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("SELinuxContext", "(bs)", property_get_selinux_context, 0, SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("AppArmorProfile", "(bs)", property_get_apparmor_profile, 0, SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("SmackProcessLabel", "(bs)", property_get_smack_process_label, 0, SD_BUS_VTABLE_PROPERTY_CONST),
@@ -932,6 +935,107 @@ int bus_exec_context_set_transient_property(
 
                 return 1;
 
+        } else if (streq(name, "IgnoreSIGPIPE")) {
+                int b;
+
+                r = sd_bus_message_read(message, "b", &b);
+                if (r < 0)
+                        return r;
+
+                if (mode != UNIT_CHECK) {
+                        c->ignore_sigpipe = b;
+
+                        unit_write_drop_in_private_format(u, mode, name, "IgnoreSIGPIPE=%s\n", yes_no(b));
+                }
+
+                return 1;
+
+        } else if (streq(name, "TTYVHangup")) {
+                int b;
+
+                r = sd_bus_message_read(message, "b", &b);
+                if (r < 0)
+                        return r;
+
+                if (mode != UNIT_CHECK) {
+                        c->tty_vhangup = b;
+
+                        unit_write_drop_in_private_format(u, mode, name, "TTYVHangup=%s\n", yes_no(b));
+                }
+
+                return 1;
+
+        } else if (streq(name, "TTYReset")) {
+                int b;
+
+                r = sd_bus_message_read(message, "b", &b);
+                if (r < 0)
+                        return r;
+
+                if (mode != UNIT_CHECK) {
+                        c->tty_reset = b;
+
+                        unit_write_drop_in_private_format(u, mode, name, "TTYReset=%s\n", yes_no(b));
+                }
+
+                return 1;
+
+        } else if (streq(name, "UtmpIdentifier")) {
+                const char *id;
+
+                r = sd_bus_message_read(message, "s", &id);
+                if (r < 0)
+                        return r;
+
+                if (mode != UNIT_CHECK) {
+                        if (isempty(id))
+                                c->utmp_id = mfree(c->utmp_id);
+                        else if (free_and_strdup(&c->utmp_id, id) < 0)
+                                return -ENOMEM;
+
+                        unit_write_drop_in_private_format(u, mode, name, "UtmpIdentifier=%s\n", strempty(id));
+                }
+
+                return 1;
+
+        } else if (streq(name, "UtmpMode")) {
+                const char *s;
+                ExecUtmpMode m;
+
+                r = sd_bus_message_read(message, "s", &s);
+                if (r < 0)
+                        return r;
+
+                m = exec_utmp_mode_from_string(s);
+                if (m < 0)
+                        return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid utmp mode");
+
+                if (mode != UNIT_CHECK) {
+                        c->utmp_mode = m;
+
+                        unit_write_drop_in_private_format(u, mode, name, "UtmpMode=%s\n", exec_utmp_mode_to_string(m));
+                }
+
+                return 1;
+
+        } else if (streq(name, "PAMName")) {
+                const char *n;
+
+                r = sd_bus_message_read(message, "s", &n);
+                if (r < 0)
+                        return r;
+
+                if (mode != UNIT_CHECK) {
+                        if (isempty(n))
+                                c->pam_name = mfree(c->pam_name);
+                        else if (free_and_strdup(&c->pam_name, n) < 0)
+                                return -ENOMEM;
+
+                        unit_write_drop_in_private_format(u, mode, name, "PAMName=%s\n", strempty(n));
+                }
+
+                return 1;
+
         } else if (streq(name, "Environment")) {
 
                 _cleanup_strv_free_ char **l = NULL;

src/core/dbus-manager.c

@@ -1650,10 +1650,6 @@ static int method_enable_unit_files_generic(
         if (r < 0)
                 return r;
 
-        r = mac_selinux_unit_access_check_strv(l, message, m, verb, error);
-        if (r < 0)
-                return r;
-
         r = bus_verify_manage_unit_files_async(m, message, error);
         if (r < 0)
                 return r;
@@ -1723,10 +1719,6 @@ static int method_preset_unit_files_with_mode(sd_bus_message *message, void *use
                         return -EINVAL;
         }
 
-        r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
-        if (r < 0)
-                return r;
-
         r = bus_verify_manage_unit_files_async(m, message, error);
         if (r < 0)
                 return r;
@@ -1766,10 +1758,6 @@ static int method_disable_unit_files_generic(
         if (r < 0)
                 return r;
 
-        r = mac_selinux_unit_access_check_strv(l, message, m, verb, error);
-        if (r < 0)
-                return r;
-
         scope = m->running_as == MANAGER_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
 
         r = bus_verify_manage_unit_files_async(m, message, error);
@@ -1902,10 +1890,6 @@ static int method_add_dependency_unit_files(sd_bus_message *message, void *userd
         if (dep < 0)
                 return -EINVAL;
 
-        r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
-        if (r < 0)
-                return r;
-
         scope = m->running_as == MANAGER_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
 
         r = unit_file_add_dependency(scope, runtime, NULL, l, target, dep, force, &changes, &n_changes);

src/core/dbus-timer.c

@@ -252,8 +252,7 @@ static int bus_timer_set_transient_property(
 
                         v = new0(TimerValue, 1);
                         if (!v) {
-                                if (c)
+                                calendar_spec_free(c);
-                                        calendar_spec_free(c);
                                 return -ENOMEM;
                         }
 

src/core/dbus-unit.c

@@ -697,10 +697,40 @@ static int property_get_cpu_usage(
         return sd_bus_message_append(reply, "t", ns);
 }
 
+static int property_get_cgroup(
+                sd_bus *bus,
+                const char *path,
+                const char *interface,
+                const char *property,
+                sd_bus_message *reply,
+                void *userdata,
+                sd_bus_error *error) {
+
+        Unit *u = userdata;
+        const char *t;
+
+        assert(bus);
+        assert(reply);
+        assert(u);
+
+        /* Three cases: a) u->cgroup_path is NULL, in which case the
+         * unit has no control group, which we report as the empty
+         * string. b) u->cgroup_path is the empty string, which
+         * indicates the root cgroup, which we report as "/". c) all
+         * other cases we report as-is. */
+
+        if (u->cgroup_path)
+                t = isempty(u->cgroup_path) ? "/" : u->cgroup_path;
+        else
+                t = "";
+
+        return sd_bus_message_append(reply, "s", t);
+}
+
 const sd_bus_vtable bus_unit_cgroup_vtable[] = {
         SD_BUS_VTABLE_START(0),
         SD_BUS_PROPERTY("Slice", "s", property_get_slice, 0, 0),
-        SD_BUS_PROPERTY("ControlGroup", "s", NULL, offsetof(Unit, cgroup_path), 0),
+        SD_BUS_PROPERTY("ControlGroup", "s", property_get_cgroup, 0, 0),
         SD_BUS_PROPERTY("MemoryCurrent", "t", property_get_current_memory, 0, 0),
         SD_BUS_PROPERTY("CPUUsageNSec", "t", property_get_cpu_usage, 0, 0),
         SD_BUS_VTABLE_END

src/core/dbus.c

@@ -140,28 +140,6 @@ static int signal_disconnected(sd_bus_message *message, void *userdata, sd_bus_e
         return 0;
 }
 
-static int signal_name_owner_changed(sd_bus_message *message, void *userdata, sd_bus_error *error) {
-        const char *name, *old_owner, *new_owner;
-        Manager *m = userdata;
-        int r;
-
-        assert(message);
-        assert(m);
-
-        r = sd_bus_message_read(message, "sss", &name, &old_owner, &new_owner);
-        if (r < 0) {
-                bus_log_parse_error(r);
-                return 0;
-        }
-
-        manager_dispatch_bus_name_owner_changed(
-                        m, name,
-                        isempty(old_owner) ? NULL : old_owner,
-                        isempty(new_owner) ? NULL : new_owner);
-
-        return 0;
-}
-
 static int signal_activation_request(sd_bus_message *message, void *userdata, sd_bus_error *ret_error) {
         _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
         _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
@@ -762,13 +740,21 @@ static int bus_list_names(Manager *m, sd_bus *bus) {
         /* This is a bit hacky, we say the owner of the name is the
          * name itself, because we don't want the extra traffic to
          * figure out the real owner. */
-        STRV_FOREACH(i, names)
+        STRV_FOREACH(i, names) {
-                manager_dispatch_bus_name_owner_changed(m, *i, NULL, *i);
+                Unit *u;
+
+                u = hashmap_get(m->watch_bus, *i);
+                if (u)
+                        UNIT_VTABLE(u)->bus_name_owner_change(u, *i, NULL, *i);
+        }
 
         return 0;
 }
 
 static int bus_setup_api(Manager *m, sd_bus *bus) {
+        Iterator i;
+        char *name;
+        Unit *u;
         int r;
 
         assert(m);
@@ -786,17 +772,11 @@ static int bus_setup_api(Manager *m, sd_bus *bus) {
         if (r < 0)
                 return r;
 
-        r = sd_bus_add_match(
+        HASHMAP_FOREACH_KEY(u, name, m->watch_bus, i) {
-                        bus,
+                r = unit_install_bus_match(bus, u, name);
-                        NULL,
+                if (r < 0)
-                        "type='signal',"
+                        log_error_errno(r, "Failed to subscribe to NameOwnerChanged signal: %m");
-                        "sender='org.freedesktop.DBus',"
+        }
-                        "path='/org/freedesktop/DBus',"
-                        "interface='org.freedesktop.DBus',"
-                        "member='NameOwnerChanged'",
-                        signal_name_owner_changed, m);
-        if (r < 0)
-                log_warning_errno(r, "Failed to subscribe to NameOwnerChanged signal: %m");
 
         r = sd_bus_add_match(
                         bus,

src/core/execute.c

@@ -31,6 +31,7 @@
 #include <grp.h>
 #include <poll.h>
 #include <glob.h>
+#include <utmpx.h>
 #include <sys/personality.h>
 
 #ifdef HAVE_PAM
@@ -1504,7 +1505,11 @@ static int exec_child(
                 }
 
         if (context->utmp_id)
-                utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path);
+                utmp_put_init_process(context->utmp_id, getpid(), getsid(0), context->tty_path,
+                                      context->utmp_mode == EXEC_UTMP_INIT  ? INIT_PROCESS :
+                                      context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS :
+                                      USER_PROCESS,
+                                      username ? "root" : context->user);
 
         if (context->user && is_terminal_input(context->std_input)) {
                 r = chown_terminal(STDIN_FILENO, uid);
@@ -1554,7 +1559,13 @@ static int exec_child(
                                 return -ENOMEM;
                         }
 
-                        r = mkdir_safe_label(p, context->runtime_directory_mode, uid, gid);
+                        r = mkdir_p_label(p, context->runtime_directory_mode);
+                        if (r < 0) {
+                                *exit_status = EXIT_RUNTIME_DIRECTORY;
+                                return r;
+                        }
+
+                        r = chmod_and_chown(p, context->runtime_directory_mode, uid, gid);
                         if (r < 0) {
                                 *exit_status = EXIT_RUNTIME_DIRECTORY;
                                 return r;
@@ -1719,7 +1730,15 @@ static int exec_child(
                 }
 #ifdef SMACK_DEFAULT_PROCESS_LABEL
                 else {
-                        r = mac_smack_apply_pid(0, SMACK_DEFAULT_PROCESS_LABEL);
+                        _cleanup_free_ char *exec_label = NULL;
+
+                        r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
+                        if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
+                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
+                                return r;
+                        }
+
+                        r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
                         if (r < 0) {
                                 *exit_status = EXIT_SMACK_PROCESS_LABEL;
                                 return r;
@@ -2203,7 +2222,7 @@ int exec_context_load_environment(Unit *unit, const ExecContext *c, char ***l) {
 
 static bool tty_may_match_dev_console(const char *tty) {
         _cleanup_free_ char *active = NULL;
-       char *console;
+        char *console;
 
         if (startswith(tty, "/dev/"))
                 tty += 5;
@@ -2954,3 +2973,11 @@ static const char* const exec_output_table[_EXEC_OUTPUT_MAX] = {
 };
 
 DEFINE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
+
+static const char* const exec_utmp_mode_table[_EXEC_UTMP_MODE_MAX] = {
+        [EXEC_UTMP_INIT] = "init",
+        [EXEC_UTMP_LOGIN] = "login",
+        [EXEC_UTMP_USER] = "user",
+};
+
+DEFINE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);

src/core/execute.h

@@ -38,6 +38,14 @@ typedef struct ExecParameters ExecParameters;
 #include "namespace.h"
 #include "bus-endpoint.h"
 
+typedef enum ExecUtmpMode {
+        EXEC_UTMP_INIT,
+        EXEC_UTMP_LOGIN,
+        EXEC_UTMP_USER,
+        _EXEC_UTMP_MODE_MAX,
+        _EXEC_UTMP_MODE_INVALID = -1
+} ExecUtmpMode;
+
 typedef enum ExecInput {
         EXEC_INPUT_NULL,
         EXEC_INPUT_TTY,
@@ -131,6 +139,7 @@ struct ExecContext {
         char *pam_name;
 
         char *utmp_id;
+        ExecUtmpMode utmp_mode;
 
         bool selinux_context_ignore;
         char *selinux_context;
@@ -265,3 +274,6 @@ ExecOutput exec_output_from_string(const char *s) _pure_;
 
 const char* exec_input_to_string(ExecInput i) _const_;
 ExecInput exec_input_from_string(const char *s) _pure_;
+
+const char* exec_utmp_mode_to_string(ExecUtmpMode i) _const_;
+ExecUtmpMode exec_utmp_mode_from_string(const char *s) _pure_;

src/core/kmod-setup.c

@@ -112,7 +112,7 @@ int kmod_setup(void) {
 
                 r = kmod_module_probe_insert_module(mod, KMOD_PROBE_APPLY_BLACKLIST, NULL, NULL, NULL, NULL);
                 if (r == 0)
-                        log_info("Inserted module '%s'", kmod_module_get_name(mod));
+                        log_debug("Inserted module '%s'", kmod_module_get_name(mod));
                 else if (r == KMOD_PROBE_APPLY_BLACKLIST)
                         log_info("Module '%s' is blacklisted", kmod_module_get_name(mod));
                 else {

src/core/load-fragment-gperf.gperf.m4

@@ -91,6 +91,7 @@ m4_ifdef(`HAVE_PAM',
 `$1.PAMName,                     config_parse_warn_compat,           DISABLED_CONFIGURATION,        0')
 $1.IgnoreSIGPIPE,                config_parse_bool,                  0,                             offsetof($1, exec_context.ignore_sigpipe)
 $1.UtmpIdentifier,               config_parse_unit_string_printf,    0,                             offsetof($1, exec_context.utmp_id)
+$1.UtmpMode,                     config_parse_exec_utmp_mode,        0,                             offsetof($1, exec_context.utmp_mode)
 m4_ifdef(`HAVE_SELINUX',
 `$1.SELinuxContext,              config_parse_exec_selinux_context,  0,                             offsetof($1, exec_context)',
 `$1.SELinuxContext,              config_parse_warn_compat,           DISABLED_CONFIGURATION,        0')

src/core/load-fragment.c

@@ -552,7 +552,7 @@ int config_parse_exec(
 
                 semicolon = false;
 
-                r = unquote_first_word_and_warn(&p, &firstword, UNQUOTE_CUNESCAPE, unit, filename, line, rvalue);
+                r = extract_first_word_and_warn(&p, &firstword, WHITESPACE, EXTRACT_QUOTES|EXTRACT_CUNESCAPE, unit, filename, line, rvalue);
                 if (r <= 0)
                         return 0;
 
@@ -614,7 +614,7 @@ int config_parse_exec(
 
                 path_kill_slashes(path);
 
-                for (;;) {
+                while (!isempty(p)) {
                         _cleanup_free_ char *word = NULL;
 
                         /* Check explicitly for an unquoted semicolon as
@@ -627,7 +627,7 @@ int config_parse_exec(
                         }
 
                         /* Check for \; explicitly, to not confuse it with \\;
-                         * or "\;" or "\\;" etc.  unquote_first_word would
+                         * or "\;" or "\\;" etc.  extract_first_word would
                          * return the same for all of those.  */
                         if (p[0] == '\\' && p[1] == ';' && (!p[2] || strchr(WHITESPACE, p[2]))) {
                                 p += 2;
@@ -642,7 +642,7 @@ int config_parse_exec(
                                 continue;
                         }
 
-                        r = unquote_first_word_and_warn(&p, &word, UNQUOTE_CUNESCAPE, unit, filename, line, rvalue);
+                        r = extract_first_word_and_warn(&p, &word, WHITESPACE, EXTRACT_QUOTES|EXTRACT_CUNESCAPE, unit, filename, line, rvalue);
                         if (r == 0)
                                 break;
                         else if (r < 0)
@@ -1142,6 +1142,8 @@ int config_parse_sysv_priority(const char *unit,
 }
 #endif
 
+DEFINE_CONFIG_PARSE_ENUM(config_parse_exec_utmp_mode, exec_utmp_mode, ExecUtmpMode, "Failed to parse utmp mode");
+
 DEFINE_CONFIG_PARSE_ENUM(config_parse_kill_mode, kill_mode, KillMode, "Failed to parse kill mode");
 
 int config_parse_kill_signal(const char *unit,
@@ -1986,7 +1988,7 @@ int config_parse_environ(const char *unit,
                 return log_oom();
 
         FOREACH_WORD_QUOTED(word, l, k, state) {
-                _cleanup_free_ char *n;
+                _cleanup_free_ char *n = NULL;
                 char **x;
 
                 r = cunescape_length(word, l, 0, &n);
@@ -3508,9 +3510,7 @@ static int load_from_path(Unit *u, const char *path) {
 
                 r = open_follow(&filename, &f, symlink_names, &id);
                 if (r < 0) {
-                        free(filename);
+                        filename = mfree(filename);
-                        filename = NULL;
-
                         if (r != -ENOENT)
                                 return r;
                 }
@@ -3534,9 +3534,7 @@ static int load_from_path(Unit *u, const char *path) {
                                 r = open_follow(&filename, &f, symlink_names, &id);
 
                         if (r < 0) {
-                                free(filename);
+                                filename = mfree(filename);
-                                filename = NULL;
-
                                 if (r != -ENOENT)
                                         return r;
 

src/core/load-fragment.h

@@ -104,6 +104,7 @@ int config_parse_cpu_quota(const char *unit, const char *filename, unsigned line
 int config_parse_protect_home(const char* unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
 int config_parse_protect_system(const char* unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
 int config_parse_bus_name(const char* unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
+int config_parse_exec_utmp_mode(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
 
 /* gperf prototypes */
 const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, unsigned length);

src/core/machine-id-setup.c

@@ -325,7 +325,7 @@ int machine_id_commit(const char *root) {
         fd = safe_close(fd);
 
         /* Store current mount namespace */
-        r = namespace_open(0, NULL, &initial_mntns_fd, NULL, NULL);
+        r = namespace_open(0, NULL, &initial_mntns_fd, NULL, NULL, NULL);
         if (r < 0)
                 return log_error_errno(r, "Can't fetch current mount namespace: %m");
 
@@ -351,7 +351,7 @@ int machine_id_commit(const char *root) {
         fd = safe_close(fd);
 
         /* Return to initial namespace and proceed a lazy tmpfs unmount */
-        r = namespace_enter(-1, initial_mntns_fd, -1, -1);
+        r = namespace_enter(-1, initial_mntns_fd, -1, -1, -1);
         if (r < 0)
                 return log_warning_errno(r, "Failed to switch back to initial mount namespace: %m.\nWe'll keep transient %s file until next reboot.", etc_machine_id);
 

src/core/main.c

@@ -1785,7 +1785,7 @@ int main(int argc, char *argv[]) {
                 case MANAGER_REEXECUTE:
 
                         if (prepare_reexecute(m, &arg_serialization, &fds, false) < 0) {
-                                error_message = "Failed to prepare for reexection";
+                                error_message = "Failed to prepare for reexecution";
                                 goto finish;
                         }
 
@@ -1801,7 +1801,7 @@ int main(int argc, char *argv[]) {
 
                         if (!switch_root_init)
                                 if (prepare_reexecute(m, &arg_serialization, &fds, true) < 0) {
-                                        error_message = "Failed to prepare for reexection";
+                                        error_message = "Failed to prepare for reexecution";
                                         goto finish;
                                 }
 
@@ -1844,13 +1844,11 @@ finish:
                 arg_default_rlimit[j] = NULL;
         }
 
-        free(arg_default_unit);
+        arg_default_unit = mfree(arg_default_unit);
-        arg_default_unit = NULL;
 
         free_join_controllers();
 
-        strv_free(arg_default_environment);
+        arg_default_environment = strv_free(arg_default_environment);
-        arg_default_environment = NULL;
 
         set_free(arg_syscall_archs);
         arg_syscall_archs = NULL;

src/core/manager.c

@@ -2187,24 +2187,6 @@ void manager_send_unit_plymouth(Manager *m, Unit *u) {
                         log_error_errno(errno, "Failed to write Plymouth message: %m");
 }
 
-void manager_dispatch_bus_name_owner_changed(
-                Manager *m,
-                const char *name,
-                const char* old_owner,
-                const char *new_owner) {
-
-        Unit *u;
-
-        assert(m);
-        assert(name);
-
-        u = hashmap_get(m->watch_bus, name);
-        if (!u)
-                return;
-
-        UNIT_VTABLE(u)->bus_name_owner_change(u, name, old_owner, new_owner);
-}
-
 int manager_open_serialization(Manager *m, FILE **_f) {
         const char *path;
         int fd = -1;

src/core/manager.h

@@ -329,8 +329,6 @@ int manager_set_default_rlimits(Manager *m, struct rlimit **default_rlimit);
 
 int manager_loop(Manager *m);
 
-void manager_dispatch_bus_name_owner_changed(Manager *m, const char *name, const char* old_owner, const char *new_owner);
-
 int manager_open_serialization(Manager *m, FILE **_f);
 
 int manager_serialize(Manager *m, FILE *f, FDSet *fds, bool switching_root);

src/core/selinux-access.c

@@ -38,6 +38,7 @@
 #include "selinux-util.h"
 #include "audit-fd.h"
 #include "strv.h"
+#include "path-util.h"
 
 static bool initialized = false;
 
@@ -288,27 +289,3 @@ finish:
         return 0;
 #endif
 }
-
-int mac_selinux_unit_access_check_strv(
-                char **units,
-                sd_bus_message *message,
-                Manager *m,
-                const char *permission,
-                sd_bus_error *error) {
-
-#ifdef HAVE_SELINUX
-        char **i;
-        Unit *u;
-        int r;
-
-        STRV_FOREACH(i, units) {
-                r = manager_load_unit(m, *i, NULL, error, &u);
-                if (r < 0)
-                        return r;
-                r = mac_selinux_unit_access_check(u, message, permission, error);
-                if (r < 0)
-                        return r;
-        }
-#endif
-        return 0;
-}

src/core/selinux-access.h

@@ -29,8 +29,6 @@ void mac_selinux_access_free(void);
 
 int mac_selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error);
 
-int mac_selinux_unit_access_check_strv(char **units, sd_bus_message *message, Manager *m, const char *permission, sd_bus_error *error);
-
 #ifdef HAVE_SELINUX
 
 #define mac_selinux_access_check(message, permission, error) \

src/core/snapshot.c

@@ -217,8 +217,7 @@ int snapshot_create(Manager *m, const char *name, bool cleanup, sd_bus_error *e,
                                 break;
                         }
 
-                        free(n);
+                        n = mfree(n);
-                        n = NULL;
                 }
         }
 

src/core/socket.c

@@ -923,13 +923,13 @@ static void socket_apply_socket_options(Socket *s, int fd) {
                         log_unit_warning_errno(UNIT(s), errno, "TCP_CONGESTION failed: %m");
 
         if (s->smack_ip_in) {
-                r = mac_smack_apply_ip_in_fd(fd, s->smack_ip_in);
+                r = mac_smack_apply_fd(fd, SMACK_ATTR_IPIN, s->smack_ip_in);
                 if (r < 0)
                         log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");
         }
 
         if (s->smack_ip_out) {
-                r = mac_smack_apply_ip_out_fd(fd, s->smack_ip_out);
+                r = mac_smack_apply_fd(fd, SMACK_ATTR_IPOUT, s->smack_ip_out);
                 if (r < 0)
                         log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");
         }
@@ -946,7 +946,7 @@ static void socket_apply_fifo_options(Socket *s, int fd) {
                         log_unit_warning_errno(UNIT(s), errno, "F_SETPIPE_SZ: %m");
 
         if (s->smack) {
-                r = mac_smack_apply_fd(fd, s->smack);
+                r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, s->smack);
                 if (r < 0)
                         log_unit_error_errno(UNIT(s), r, "mac_smack_apply_fd: %m");
         }

src/core/timer.c

@@ -57,10 +57,7 @@ void timer_free_values(Timer *t) {
 
         while ((v = t->values)) {
                 LIST_REMOVE(value, t->values, v);
-
+                calendar_spec_free(v->calendar_spec);
-                if (v->calendar_spec)
-                        calendar_spec_free(v->calendar_spec);
-
                 free(v);
         }
 }

src/core/unit.c

@@ -48,6 +48,7 @@
 #include "dropin.h"
 #include "formats-util.h"
 #include "process-util.h"
+#include "bus-util.h"
 
 const UnitVTable * const unit_vtable[_UNIT_TYPE_MAX] = {
         [UNIT_SERVICE] = &service_vtable,
@@ -481,6 +482,8 @@ void unit_free(Unit *u) {
 
         unit_done(u);
 
+        sd_bus_slot_unref(u->match_bus_slot);
+
         unit_free_requires_mounts_for(u);
 
         SET_FOREACH(t, u->names, i)
@@ -2500,14 +2503,74 @@ int unit_load_related_unit(Unit *u, const char *type, Unit **_found) {
         return r;
 }
 
+static int signal_name_owner_changed(sd_bus_message *message, void *userdata, sd_bus_error *error) {
+        const char *name, *old_owner, *new_owner;
+        Unit *u = userdata;
+        int r;
+
+        assert(message);
+        assert(u);
+
+        r = sd_bus_message_read(message, "sss", &name, &old_owner, &new_owner);
+        if (r < 0) {
+                bus_log_parse_error(r);
+                return 0;
+        }
+
+        if (UNIT_VTABLE(u)->bus_name_owner_change)
+                UNIT_VTABLE(u)->bus_name_owner_change(u, name, old_owner, new_owner);
+
+        return 0;
+}
+
+int unit_install_bus_match(sd_bus *bus, Unit *u, const char *name) {
+        _cleanup_free_ char *match = NULL;
+        Manager *m = u->manager;
+
+        assert(m);
+
+        if (u->match_bus_slot)
+                return -EBUSY;
+
+        match = strjoin("type='signal',"
+                        "sender='org.freedesktop.DBus',"
+                        "path='/org/freedesktop/DBus',"
+                        "interface='org.freedesktop.DBus',"
+                        "member='NameOwnerChanged',"
+                        "arg0='",
+                        name,
+                        "'",
+                        NULL);
+        if (!match)
+                return -ENOMEM;
+
+        return sd_bus_add_match(bus, &u->match_bus_slot, match, signal_name_owner_changed, u);
+}
+
 int unit_watch_bus_name(Unit *u, const char *name) {
+        int r;
+
         assert(u);
         assert(name);
 
         /* Watch a specific name on the bus. We only support one unit
          * watching each name for now. */
 
-        return hashmap_put(u->manager->watch_bus, name, u);
+        if (u->manager->api_bus) {
+                /* If the bus is already available, install the match directly.
+                 * Otherwise, just put the name in the list. bus_setup_api() will take care later. */
+                r = unit_install_bus_match(u->manager->api_bus, u, name);
+                if (r < 0)
+                        return log_warning_errno(r, "Failed to subscribe to NameOwnerChanged signal: %m");
+        }
+
+        r = hashmap_put(u->manager->watch_bus, name, u);
+        if (r < 0) {
+                u->match_bus_slot = sd_bus_slot_unref(u->match_bus_slot);
+                return log_warning_errno(r, "Failed to put bus name to hashmap: %m");
+        }
+
+        return 0;
 }
 
 void unit_unwatch_bus_name(Unit *u, const char *name) {
@@ -2515,6 +2578,7 @@ void unit_unwatch_bus_name(Unit *u, const char *name) {
         assert(name);
 
         hashmap_remove_value(u->manager->watch_bus, name, u);
+        u->match_bus_slot = sd_bus_slot_unref(u->match_bus_slot);
 }
 
 bool unit_can_serialize(Unit *u) {

src/core/unit.h

@@ -115,6 +115,9 @@ struct Unit {
         /* JOB_NOP jobs are special and can be installed without disturbing the real job. */
         Job *nop_job;
 
+        /* The slot used for watching NameOwnerChanged signals */
+        sd_bus_slot *match_bus_slot;
+
         /* Job timeout and action to take */
         usec_t job_timeout;
         FailureAction job_timeout_action;
@@ -522,6 +525,7 @@ void unit_unwatch_all_pids(Unit *u);
 
 void unit_tidy_watch_pids(Unit *u, pid_t except1, pid_t except2);
 
+int unit_install_bus_match(sd_bus *bus, Unit *u, const char *name);
 int unit_watch_bus_name(Unit *u, const char *name);
 void unit_unwatch_bus_name(Unit *u, const char *name);
 

src/cryptsetup/cryptsetup.c

@@ -333,8 +333,7 @@ static int get_password(const char *vol, const char *src, usec_t until, bool acc
                 /* If the description string is simply the
                  * volume name, then let's not show this
                  * twice */
-                free(description);
+                description = mfree(description);
-                description = NULL;
         }
 
         if (mount_point && description)

src/firstboot/firstboot.c

@@ -386,12 +386,13 @@ static int prompt_hostname(void) {
                         break;
                 }
 
-                if (!hostname_is_valid(h)) {
+                if (!hostname_is_valid(h, true)) {
                         log_error("Specified hostname invalid.");
                         continue;
                 }
 
-                arg_hostname = h;
+                /* Get rid of the trailing dot that we allow, but don't want to see */
+                arg_hostname = hostname_cleanup(h);
                 h = NULL;
                 break;
         }
@@ -715,10 +716,8 @@ static int parse_argv(int argc, char *argv[]) {
 
                         path_kill_slashes(arg_root);
 
-                        if (path_equal(arg_root, "/")) {
+                        if (path_equal(arg_root, "/"))
-                                free(arg_root);
+                                arg_root = mfree(arg_root);
-                                arg_root = NULL;
-                        }
 
                         break;
 
@@ -765,8 +764,7 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case ARG_ROOT_PASSWORD_FILE:
-                        free(arg_root_password);
+                        arg_root_password = mfree(arg_root_password);
-                        arg_root_password  = NULL;
 
                         r = read_one_line_file(optarg, &arg_root_password);
                         if (r < 0)
@@ -775,11 +773,12 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case ARG_HOSTNAME:
-                        if (!hostname_is_valid(optarg)) {
+                        if (!hostname_is_valid(optarg, true)) {
                                 log_error("Host name %s is not valid.", optarg);
                                 return -EINVAL;
                         }
 
+                        hostname_cleanup(optarg);
                         r = free_and_strdup(&arg_hostname, optarg);
                         if (r < 0)
                                 return log_oom();

src/gpt-auto-generator/gpt-auto-generator.c

@@ -240,82 +240,6 @@ static int add_mount(
         return 0;
 }
 
-static int add_automount(
-                const char *id,
-                const char *what,
-                const char *where,
-                const char *fstype,
-                bool rw,
-                const char *options,
-                const char *description,
-                usec_t timeout) {
-
-        _cleanup_free_ char *unit = NULL, *lnk = NULL, *crypto_what = NULL;
-        _cleanup_free_ char *opt, *p = NULL;
-        _cleanup_fclose_ FILE *f = NULL;
-        int r;
-
-        assert(id);
-        assert(where);
-        assert(description);
-
-        if (options)
-                opt = strjoin(options, ",noauto", NULL);
-        else
-                opt = strdup("noauto");
-        if (!opt)
-                return log_oom();
-
-        r = add_mount(id,
-                      what,
-                      where,
-                      fstype,
-                      rw,
-                      opt,
-                      description,
-                      NULL);
-        if (r < 0)
-                return r;
-
-        r = unit_name_from_path(where, ".automount", &unit);
-        if (r < 0)
-                return log_error_errno(r, "Failed to generate unit name: %m");
-
-        p = strjoin(arg_dest, "/", unit, NULL);
-        if (!p)
-                return log_oom();
-
-        f = fopen(p, "wxe");
-        if (!f)
-                return log_error_errno(errno, "Failed to create unit file %s: %m", unit);
-
-        fprintf(f,
-                "# Automatically generated by systemd-gpt-auto-generator\n\n"
-                "[Unit]\n"
-                "Description=%s\n"
-                "Documentation=man:systemd-gpt-auto-generator(8)\n"
-                "[Automount]\n"
-                "Where=%s\n"
-                "TimeoutIdleSec=%lld\n",
-                description,
-                where,
-                (unsigned long long)timeout / USEC_PER_SEC);
-
-        r = fflush_and_check(f);
-        if (r < 0)
-                return log_error_errno(r, "Failed to write unit file %s: %m", p);
-
-        lnk = strjoin(arg_dest, "/" SPECIAL_LOCAL_FS_TARGET ".wants/", unit, NULL);
-        if (!lnk)
-                return log_oom();
-        mkdir_parents_label(lnk, 0755);
-
-        if (symlink(p, lnk) < 0)
-                return log_error_errno(errno, "Failed to create symlink %s: %m", lnk);
-
-        return 0;
-}
-
 static bool path_is_busy(const char *where) {
         int r;
 
@@ -441,8 +365,84 @@ static int add_swap(const char *path) {
         return 0;
 }
 
-static int add_boot(const char *what) {
 #ifdef ENABLE_EFI
+static int add_automount(
+                const char *id,
+                const char *what,
+                const char *where,
+                const char *fstype,
+                bool rw,
+                const char *options,
+                const char *description,
+                usec_t timeout) {
+
+        _cleanup_free_ char *unit = NULL, *lnk = NULL;
+        _cleanup_free_ char *opt, *p = NULL;
+        _cleanup_fclose_ FILE *f = NULL;
+        int r;
+
+        assert(id);
+        assert(where);
+        assert(description);
+
+        if (options)
+                opt = strjoin(options, ",noauto", NULL);
+        else
+                opt = strdup("noauto");
+        if (!opt)
+                return log_oom();
+
+        r = add_mount(id,
+                      what,
+                      where,
+                      fstype,
+                      rw,
+                      opt,
+                      description,
+                      NULL);
+        if (r < 0)
+                return r;
+
+        r = unit_name_from_path(where, ".automount", &unit);
+        if (r < 0)
+                return log_error_errno(r, "Failed to generate unit name: %m");
+
+        p = strjoin(arg_dest, "/", unit, NULL);
+        if (!p)
+                return log_oom();
+
+        f = fopen(p, "wxe");
+        if (!f)
+                return log_error_errno(errno, "Failed to create unit file %s: %m", unit);
+
+        fprintf(f,
+                "# Automatically generated by systemd-gpt-auto-generator\n\n"
+                "[Unit]\n"
+                "Description=%s\n"
+                "Documentation=man:systemd-gpt-auto-generator(8)\n"
+                "[Automount]\n"
+                "Where=%s\n"
+                "TimeoutIdleSec=%lld\n",
+                description,
+                where,
+                (unsigned long long)timeout / USEC_PER_SEC);
+
+        r = fflush_and_check(f);
+        if (r < 0)
+                return log_error_errno(r, "Failed to write unit file %s: %m", p);
+
+        lnk = strjoin(arg_dest, "/" SPECIAL_LOCAL_FS_TARGET ".wants/", unit, NULL);
+        if (!lnk)
+                return log_oom();
+        mkdir_parents_label(lnk, 0755);
+
+        if (symlink(p, lnk) < 0)
+                return log_error_errno(errno, "Failed to create symlink %s: %m", lnk);
+
+        return 0;
+}
+
+static int add_boot(const char *what) {
         _cleanup_blkid_free_probe_ blkid_probe b = NULL;
         const char *fstype = NULL, *uuid = NULL;
         sd_id128_t id, type_id;
@@ -532,10 +532,12 @@ static int add_boot(const char *what) {
                        120 * USEC_PER_SEC);
 
         return r;
-#else
-        return 0;
-#endif
 }
+#else
+static int add_boot(const char *what) {
+        return 0;
+}
+#endif
 
 static int enumerate_partitions(dev_t devnum) {
 
@@ -616,9 +618,12 @@ static int enumerate_partitions(dev_t devnum) {
 
         errno = 0;
         r = blkid_do_safeprobe(b);
-        if (r == -2 || r == 1) /* no result or uncertain */
+        if (r == 1)
+                return 0; /* no results */
+        else if (r == -2) {
+                log_warning("%s: probe gave ambiguous results, ignoring", node);
                 return 0;
-        else if (r != 0)
+        } else if (r != 0)
                 return log_error_errno(errno ?: EIO, "%s: failed to probe: %m", node);
 
         errno = 0;
@@ -666,7 +671,6 @@ static int enumerate_partitions(dev_t devnum) {
                 blkid_partition pp;
                 dev_t qn;
                 int nr;
-                unsigned long long flags;
 
                 q = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
                 if (!q)
@@ -690,13 +694,6 @@ static int enumerate_partitions(dev_t devnum) {
                 if (!pp)
                         continue;
 
-                flags = blkid_partition_get_flags(pp);
-
-                /* Ignore partitions that are not marked for automatic
-                 * mounting on discovery */
-                if (flags & GPT_FLAG_NO_AUTO)
-                        continue;
-
                 nr = blkid_partition_get_partno(pp);
                 if (nr < 0)
                         continue;
@@ -709,6 +706,11 @@ static int enumerate_partitions(dev_t devnum) {
                         continue;
 
                 if (sd_id128_equal(type_id, GPT_SWAP)) {
+                        unsigned long long flags;
+
+                        flags = blkid_partition_get_flags(pp);
+                        if (flags & GPT_FLAG_NO_AUTO)
+                                continue;
 
                         if (flags & GPT_FLAG_READ_ONLY) {
                                 log_debug("%s marked as read-only swap partition, which is bogus. Ignoring.", subnode);
@@ -732,6 +734,11 @@ static int enumerate_partitions(dev_t devnum) {
                                 return log_oom();
 
                 } else if (sd_id128_equal(type_id, GPT_HOME)) {
+                        unsigned long long flags;
+
+                        flags = blkid_partition_get_flags(pp);
+                        if (flags & GPT_FLAG_NO_AUTO)
+                                continue;
 
                         /* We only care for the first /home partition */
                         if (home && nr >= home_nr)
@@ -745,6 +752,11 @@ static int enumerate_partitions(dev_t devnum) {
                                 return log_oom();
 
                 } else if (sd_id128_equal(type_id, GPT_SRV)) {
+                        unsigned long long flags;
+
+                        flags = blkid_partition_get_flags(pp);
+                        if (flags & GPT_FLAG_NO_AUTO)
+                                continue;
 
                         /* We only care for the first /srv partition */
                         if (srv && nr >= srv_nr)

src/hostname/hostnamectl.c

@@ -252,7 +252,7 @@ static int set_simple_string(sd_bus *bus, const char *method, const char *value)
 
 static int set_hostname(sd_bus *bus, char **args, unsigned n) {
         _cleanup_free_ char *h = NULL;
-        const char *hostname = args[1];
+        char *hostname = args[1];
         int r;
 
         assert(args);
@@ -270,17 +270,16 @@ static int set_hostname(sd_bus *bus, char **args, unsigned n) {
                  * just set the passed hostname as static/dynamic
                  * hostname. */
 
-                h = strdup(hostname);
+                if (arg_static && hostname_is_valid(hostname, true)) {
-                if (!h)
-                        return log_oom();
-
-                hostname_cleanup(h, true);
-
-                if (arg_static && streq(h, hostname))
                         p = "";
-                else {
+                        /* maybe get rid of trailing dot */
-                        p = hostname;
+                        hostname = hostname_cleanup(hostname);
-                        hostname = h;
+                } else {
+                        p = h = strdup(hostname);
+                        if (!p)
+                                return log_oom();
+
+                        hostname_cleanup(hostname);
                 }
 
                 r = set_simple_string(bus, "SetPrettyHostname", p);

src/hostname/hostnamed.c

@@ -424,7 +424,7 @@ static int method_set_hostname(sd_bus_message *m, void *userdata, sd_bus_error *
         if (isempty(name))
                 name = "localhost";
 
-        if (!hostname_is_valid(name))
+        if (!hostname_is_valid(name, false))
                 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid hostname '%s'", name);
 
         if (streq_ptr(name, c->data[PROP_HOSTNAME]))
@@ -501,7 +501,7 @@ static int method_set_static_hostname(sd_bus_message *m, void *userdata, sd_bus_
         } else {
                 char *h;
 
-                if (!hostname_is_valid(name))
+                if (!hostname_is_valid(name, false))
                         return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid static hostname '%s'", name);
 
                 h = strdup(name);

src/import/export.c

@@ -24,6 +24,7 @@
 #include "sd-event.h"
 #include "event-util.h"
 #include "signal-util.h"
+#include "hostname-util.h"
 #include "verbs.h"
 #include "build.h"
 #include "machine-image.h"

src/import/import-common.c

@@ -210,7 +210,7 @@ int import_fork_tar_c(const char *path, pid_t *ret) {
                 if (r < 0)
                         log_error_errno(r, "Failed to drop capabilities, ignoring: %m");
 
-                execlp("tar", "tar", "--sparse", "-C", path, "-c", ".", NULL);
+                execlp("tar", "tar", "-C", path, "-c", ".", NULL);
                 log_error_errno(errno, "Failed to execute tar: %m");
                 _exit(EXIT_FAILURE);
         }

src/import/import-raw.c

@@ -26,6 +26,7 @@
 #include "util.h"
 #include "path-util.h"
 #include "btrfs-util.h"
+#include "hostname-util.h"
 #include "copy.h"
 #include "mkdir.h"
 #include "rm-rf.h"

src/import/import-tar.c

@@ -26,6 +26,7 @@
 #include "util.h"
 #include "path-util.h"
 #include "btrfs-util.h"
+#include "hostname-util.h"
 #include "copy.h"
 #include "mkdir.h"
 #include "rm-rf.h"

src/import/import.c

@@ -26,6 +26,7 @@
 #include "verbs.h"
 #include "build.h"
 #include "signal-util.h"
+#include "hostname-util.h"
 #include "machine-image.h"
 #include "import-util.h"
 #include "import-tar.h"

src/import/importd.c

@@ -35,6 +35,7 @@
 #include "import-util.h"
 #include "process-util.h"
 #include "signal-util.h"
+#include "hostname-util.h"
 
 typedef struct Transfer Transfer;
 typedef struct Manager Manager;

src/import/pull-dkr.c

@@ -592,8 +592,7 @@ static int dkr_pull_pull_layer_v2(DkrPull *i) {
 
                 i->current_ancestry++;
 
-                free(path);
+                path = mfree(path);
-                path = NULL;
         }
 
         log_info("Pulling layer %s...", layer);
@@ -652,8 +651,7 @@ static int dkr_pull_pull_layer(DkrPull *i) {
 
                 i->current_ancestry++;
 
-                free(path);
+                path = mfree(path);
-                path = NULL;
         }
 
         log_info("Pulling layer %s...", layer);
@@ -721,7 +719,7 @@ static int dkr_pull_job_on_header(PullJob *j, const char *header, size_t sz)  {
                         return log_oom();
 
                 STRV_FOREACH(k, l) {
-                        if (!hostname_is_valid(*k)) {
+                        if (!hostname_is_valid(*k, false)) {
                                 log_error("Registry hostname is not valid.");
                                 strv_free(l);
                                 return -EBADMSG;

src/import/pull-raw.c

@@ -33,6 +33,7 @@
 #include "mkdir.h"
 #include "rm-rf.h"
 #include "path-util.h"
+#include "hostname-util.h"
 #include "import-util.h"
 #include "import-common.h"
 #include "curl-util.h"

src/import/pull-tar.c

@@ -32,13 +32,14 @@
 #include "mkdir.h"
 #include "rm-rf.h"
 #include "path-util.h"
+#include "process-util.h"
+#include "hostname-util.h"
 #include "import-util.h"
 #include "import-common.h"
 #include "curl-util.h"
 #include "pull-job.h"
 #include "pull-common.h"
 #include "pull-tar.h"
-#include "process-util.h"
 
 typedef enum TarProgress {
         TAR_DOWNLOADING,
@@ -127,13 +128,7 @@ int tar_pull_new(
 
         i->grow_machine_directory = path_startswith(i->image_root, "/var/lib/machines");
 
-        if (event)
+        i->event = sd_event_ref(event);
-                i->event = sd_event_ref(event);
-        else {
-                r = sd_event_default(&i->event);
-                if (r < 0)
-                        return r;
-        }
 
         r = curl_glue_new(&i->glue, i->event);
         if (r < 0)

src/import/pull.c

@@ -26,6 +26,7 @@
 #include "verbs.h"
 #include "build.h"
 #include "signal-util.h"
+#include "hostname-util.h"
 #include "machine-image.h"
 #include "import-util.h"
 #include "pull-tar.h"

src/journal-remote/journal-gatewayd.c

@@ -103,8 +103,7 @@ static void request_meta_free(
         if (!m)
                 return;
 
-        if (m->journal)
+        sd_journal_close(m->journal);
-                sd_journal_close(m->journal);
 
         if (m->tmp)
                 fclose(m->tmp);
@@ -797,7 +796,7 @@ static int request_handler_machine(
                      "\"cutoff_to_realtime\" : \"%"PRIu64"\" }\n",
                      SD_ID128_FORMAT_VAL(mid),
                      SD_ID128_FORMAT_VAL(bid),
-                     hostname_cleanup(hostname, false),
+                     hostname_cleanup(hostname),
                      os_name ? os_name : "Linux",
                      v ? v : "bare",
                      usage,