From 0ced164c48d291492e4e4dbc33fabd7e538b309d Mon Sep 17 00:00:00 2001 
From: Lars Wendler Date: Wed, 8 Nov 2023 10:18:35 +0100 Subject: [PATCH] Reintroduce split-usr and unmerged-usr support existing split-usr systems should not be required to get re-installed with merged-usr just to satisfy some systemd developers' egos. There's no need to follow every stupid trend. This reverts commit b0d3095fd6cc1791a38f57a1982116b4475244ba. --- .semaphore/semaphore-runner.sh | 2 +- README | 33 +++- catalog/meson.build | 2 +- catalog/systemd.bg.catalog.in | 2 + catalog/systemd.catalog.in | 2 + catalog/systemd.fr.catalog.in | 2 + catalog/systemd.it.catalog.in | 1 + catalog/systemd.pl.catalog.in | 2 + catalog/systemd.ru.catalog.in | 2 + docs/DISTRO_PORTING.md | 1 + hwdb.d/meson.build | 2 +- man/org.freedesktop.systemd1.xml | 11 ++ man/systemd.exec.xml | 9 +- meson.build | 143 ++++++++++++------ meson_options.txt | 16 +- mkosi.presets/base/mkosi.build | 11 +- rules.d/64-btrfs.rules.in | 2 +- rules.d/71-seat.rules.in | 4 +- rules.d/99-systemd.rules.in | 2 +- shell-completion/bash/systemctl.in | 2 +- shell-completion/zsh/_systemctl.in | 2 +- src/ask-password/meson.build | 2 +- src/basic/constants.h | 14 +- src/basic/path-lookup.c | 5 +- src/basic/path-lookup.h | 2 +- src/basic/path-util.h | 14 +- src/core/manager-serialize.c | 10 ++ src/core/manager.c | 9 +- src/core/manager.h | 2 + src/core/meson.build | 6 +- src/core/namespace.c | 19 +++ src/core/org.freedesktop.systemd1.policy.in | 2 +- src/core/systemd.pc.in | 26 ++-- src/creds/meson.build | 2 +- src/cryptsetup/cryptsetup-generator.c | 4 +- src/cryptsetup/cryptsetup-tokens/meson.build | 2 +- src/cryptsetup/meson.build | 2 +- src/delta/delta.c | 36 +++++ src/dissect/meson.build | 4 +- src/escape/meson.build | 2 +- src/firstboot/meson.build | 2 +- src/fstab-generator/meson.build | 2 +- src/hwdb/meson.build | 2 +- src/import/meson.build | 2 +- src/integritysetup/integritysetup-generator.c | 4 +- src/journal/meson.build | 2 +- src/libsystemd/libsystemd.pc.in | 2 +- src/libsystemd/sd-hwdb/hwdb-internal.h 
| 1 + src/libsystemd/sd-path/sd-path.c | 27 ++-- src/libudev/libudev.pc.in | 2 +- src/login/meson.build | 4 +- src/machine-id-setup/meson.build | 2 +- src/machine/meson.build | 2 +- src/network/meson.build | 2 +- src/notify/meson.build | 2 +- src/partition/meson.build | 2 +- src/portable/meson.build | 2 +- src/portable/portable.c | 10 +- src/resolve/meson.build | 6 +- src/rpm/macros.systemd.in | 6 +- src/rpm/meson.build | 4 +- src/rpm/triggers.systemd.in | 4 +- src/rpm/triggers.systemd.sh.in | 4 +- src/shared/install.c | 5 + src/shared/kbd-util.h | 8 + src/shared/meson.build | 2 +- src/shared/resolve-util.h | 2 +- src/shared/userdb-dropin.h | 3 +- src/shared/userdb.c | 2 +- src/sysext/meson.build | 6 +- src/systemctl/meson.build | 8 +- src/systemctl/systemctl-sysv-compat.c | 2 +- src/sysusers/meson.build | 2 +- src/test/test-manager.c | 12 +- src/tmpfiles/meson.build | 2 +- src/tty-ask-password-agent/meson.build | 2 +- src/udev/meson.build | 8 +- .../xdg-autostart-service.c | 2 +- sysctl.d/50-coredump.conf.in | 2 +- test/fuzz/fuzz-catalog/systemd.pl.catalog | 2 + test/test-fstab-generator.sh | 5 + test/test-functions | 10 +- units/emergency.service.in | 2 +- units/initrd-parse-etc.service.in | 2 +- units/rescue.service.in | 2 +- units/systemd-backlight@.service.in | 4 +- units/systemd-battery-check.service.in | 2 +- units/systemd-binfmt.service.in | 4 +- units/systemd-bless-boot.service.in | 2 +- .../systemd-boot-check-no-failures.service.in | 2 +- units/systemd-bsod.service.in | 2 +- units/systemd-coredump@.service.in | 2 +- units/systemd-fsck-root.service.in | 2 +- units/systemd-fsck@.service.in | 2 +- units/systemd-growfs-root.service.in | 2 +- units/systemd-growfs@.service.in | 2 +- units/systemd-hibernate-resume.service.in | 2 +- units/systemd-hibernate.service.in | 2 +- units/systemd-homed.service.in | 2 +- units/systemd-hostnamed.service.in | 2 +- units/systemd-hybrid-sleep.service.in | 2 +- units/systemd-importd.service.in | 2 +- 
units/systemd-initctl.service.in | 2 +- units/systemd-journal-gatewayd.service.in | 2 +- units/systemd-journal-remote.service.in | 2 +- units/systemd-journal-upload.service.in | 2 +- units/systemd-journald.service.in | 2 +- units/systemd-journald@.service.in | 2 +- units/systemd-localed.service.in | 2 +- units/systemd-logind.service.in | 2 +- units/systemd-machined.service.in | 2 +- units/systemd-modules-load.service.in | 2 +- units/systemd-network-generator.service.in | 2 +- units/systemd-networkd-wait-online.service.in | 2 +- .../systemd-networkd-wait-online@.service.in | 2 +- units/systemd-networkd.service.in | 2 +- units/systemd-oomd.service.in | 2 +- units/systemd-pcrextend@.service.in | 2 +- units/systemd-pcrfs-root.service.in | 2 +- units/systemd-pcrfs@.service.in | 2 +- units/systemd-pcrlock-file-system.service.in | 2 +- .../systemd-pcrlock-firmware-code.service.in | 2 +- ...systemd-pcrlock-firmware-config.service.in | 2 +- units/systemd-pcrlock-machine-id.service.in | 2 +- units/systemd-pcrlock-make-policy.service.in | 2 +- ...md-pcrlock-secureboot-authority.service.in | 2 +- ...stemd-pcrlock-secureboot-policy.service.in | 2 +- units/systemd-pcrmachine.service.in | 2 +- units/systemd-pcrphase-initrd.service.in | 4 +- units/systemd-pcrphase-sysinit.service.in | 4 +- units/systemd-pcrphase.service.in | 4 +- units/systemd-portabled.service.in | 2 +- units/systemd-pstore.service.in | 2 +- units/systemd-quotacheck.service.in | 2 +- units/systemd-random-seed.service.in | 4 +- units/systemd-remount-fs.service.in | 2 +- units/systemd-repart.service.in | 2 +- units/systemd-resolved.service.in | 2 +- units/systemd-rfkill.service.in | 2 +- units/systemd-storagetm.service.in | 2 +- .../systemd-suspend-then-hibernate.service.in | 2 +- units/systemd-suspend.service.in | 2 +- units/systemd-sysctl.service.in | 2 +- units/systemd-sysupdate-reboot.service.in | 2 +- units/systemd-sysupdate.service.in | 2 +- units/systemd-time-wait-sync.service.in | 2 +- 
units/systemd-timedated.service.in | 2 +- units/systemd-timesyncd.service.in | 2 +- units/systemd-tpm2-setup-early.service.in | 2 +- units/systemd-tpm2-setup.service.in | 2 +- units/systemd-udevd.service.in | 2 +- units/systemd-update-done.service.in | 2 +- units/systemd-update-utmp-runlevel.service.in | 2 +- units/systemd-update-utmp.service.in | 4 +- units/systemd-user-sessions.service.in | 4 +- units/systemd-userdbd.service.in | 2 +- units/systemd-vconsole-setup.service.in | 2 +- units/systemd-volatile-root.service.in | 2 +- units/user-runtime-dir@.service.in | 4 +- units/user@.service.in | 2 +- 160 files changed, 510 insertions(+), 261 deletions(-) diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh index 13456609ad..d51e541ea7 100755 --- a/.semaphore/semaphore-runner.sh +++ b/.semaphore/semaphore-runner.sh @@ -90,7 +90,7 @@ EOF # disable autopkgtests which are not for upstream sed -i '/# NOUPSTREAM/ q' debian/tests/control # enable more unit tests - sed -i '/^CONFFLAGS =/ s/=/= --werror -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true -Dman=true /' debian/rules + sed -i '/^CONFFLAGS =/ s/=/= --werror -Dtests=unsafe -Dsplit-usr=true -Dslow-tests=true -Dfuzz-tests=true -Dman=true /' debian/rules # no orig tarball echo '1.0' >debian/source/format diff --git a/README b/README index a273846a1a..c7476552b0 100644 --- a/README +++ b/README 
@@ -261,12 +261,11 @@ REQUIREMENTS: Note that the build prefix for systemd must be /usr/. (Moreover, packages systemd relies on — such as D-Bus — really should use the same prefix, - otherwise you are on your own.) Split-usr and unmerged-usr systems are no - longer supported, and moving everything under /usr/ is required. Systems - with a separate /usr/ partition must mount it before transitioning into it - (i.e.: from the initrd). For more information see: - https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken - https://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge + otherwise you are on your own.) -Dsplit-usr=false (which is the default + and does not need to be specified) is the recommended setting. + -Dsplit-usr=true can be used to give a semblance of support for systems + with programs installed split between / and /usr. Moving everything + under /usr is strongly encouraged. Additional packages are necessary to run some tests: - nc (used by test/TEST-12-ISSUE-3171) 
@@ -406,6 +405,28 @@ SYSV INIT.D SCRIPTS: needs to look like, and provide an implementation at the marked places. WARNINGS and TAINT FLAGS: + systemd will warn during early boot if /usr is not already mounted at + this point (that means: either located on the same file system as / or + already mounted in the initrd). While in systemd itself very little + will break if /usr is on a separate late-mounted partition, many of its + dependencies very likely will break sooner or later in one form or + another. For example, udev rules tend to refer to binaries in /usr, + binaries that link to libraries in /usr, or binaries that refer to data + files in /usr. Since these breakages are not always directly visible, + systemd will warn about this. Such setups are not really supported by + the basic set of Linux OS components. Taint flag 'split-usr' will be + set when this condition is detected. + + For more information on this issue consult + https://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken + + systemd will warn if the filesystem is not usr-merged (i.e.: /bin, /sbin + and /lib* are not symlinks to their counterparts under /usr). Taint flag + 'unmerged-usr' will be set when this condition is detected. + + For more information on this issue consult + https://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge + systemd requires that the /run mount point exists. systemd also requires that /var/run is a symlink to /run. Taint flag 'var-run-bad' will be set when this condition is detected. diff --git a/catalog/meson.build b/catalog/meson.build index 3c62749cf9..1cc977992d 100644 --- a/catalog/meson.build +++ b/catalog/meson.build @@ -35,4 +35,4 @@ foreach file : in_files endforeach meson.add_install_script(sh, '-c', - 'test -n "$DESTDIR" || @0@/journalctl --update-catalog'.format(bindir)) + 'test -n "$DESTDIR" || @0@/journalctl --update-catalog'.format(rootbindir)) 
diff --git a/catalog/systemd.bg.catalog.in b/catalog/systemd.bg.catalog.in index 319a5e3cad..34645dc41e 100644 --- a/catalog/systemd.bg.catalog.in +++ b/catalog/systemd.bg.catalog.in @@ -395,6 +395,8 @@ Defined-By: systemd Support: %SUPPORT_URL% Възможни са следните етикети: +⁃ „split-usr“ — „/usr“ е отделна файлова система, която не е била монтирана при + стартирането на systemd ⁃ „cgroups-missing“ — ядрото е компилирано без поддръжка на „cgroup“ или е ограничен достъпът до тази подсистема ⁃ „var-run-bad“ — „/var/run“ не е символна връзка към „/run“ diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in index 37b59adbdd..f91fb7acdf 100644 --- a/catalog/systemd.catalog.in +++ b/catalog/systemd.catalog.in @@ -558,6 +558,8 @@ Defined-By: systemd Support: %SUPPORT_URL% The following "tags" are possible: +- "split-usr" — /usr is a separate file system and was not mounted when systemd + was booted - "cgroups-missing" — the kernel was compiled without cgroup support or access to expected interface files is restricted - "var-run-bad" — /var/run is not a symlink to /run diff --git a/catalog/systemd.fr.catalog.in b/catalog/systemd.fr.catalog.in index 53856b3357..32156bf8a1 100644 --- a/catalog/systemd.fr.catalog.in +++ b/catalog/systemd.fr.catalog.in @@ -337,6 +337,8 @@ Defined-By: systemd Support: %SUPPORT_URL% Les étiquettes suivantes sont possibles : +- "split-usr" — /usr est un système de fichiers séparé et nétait pas + monté quand systemd a été démarré - "cgroups-missing" — le noyau a été compilé sans le support des groupes de contrôle (cgroups) ou l'accès aux fichiers d'interface est restreint - "var-run-bad" — /var/run n'est pas un lien symbolique vers /run diff --git a/catalog/systemd.it.catalog.in b/catalog/systemd.it.catalog.in index e66eccdff3..88e118fced 100644 --- a/catalog/systemd.it.catalog.in +++ b/catalog/systemd.it.catalog.in 
@@ -403,6 +403,7 @@ Defined-By: systemd Support: %SUPPORT_URL% I seguenti "tags" sono possibili: +- "split-usr" — /usr è un file system separato e non è stato montato all'avvio di systemd - "cgroups-missing" — il kernel era compilato senza supporto cgroup o l'accesso ai file attesi è ristretto. - "var-run-bad" — /var/run non è un link simbolico (symlink) a /run diff --git a/catalog/systemd.pl.catalog.in b/catalog/systemd.pl.catalog.in index b2f8ef36f2..e9540132a1 100644 --- a/catalog/systemd.pl.catalog.in +++ b/catalog/systemd.pl.catalog.in @@ -396,6 +396,8 @@ Defined-By: systemd Support: %SUPPORT_URL% Możliwe są następujące „etykiety”: +• „split-usr” — /usr jest oddzielnym systemem plików, który nie był + zamontowany w czasie uruchomienia systemd, • „cgroups-missing” — jądro zostało skompilowane bez obsługi cgroups lub dostęp do oczekiwanych plików interfejsu jest ograniczony, • „var-run-bad” — /var/run nie jest dowiązaniem symbolicznym do /run, diff --git a/catalog/systemd.ru.catalog.in b/catalog/systemd.ru.catalog.in index 826f4fbea8..728a5435cb 100644 --- a/catalog/systemd.ru.catalog.in +++ b/catalog/systemd.ru.catalog.in @@ -388,6 +388,8 @@ Defined-By: systemd Support: %SUPPORT_URL% Перечень всех возможных меток, указывающих на проблемы конфигурации: +- "split-usr" — каталог /usr расположен на отдельной файловой системе, + которая не была смонтирована на момент запуска systemd - "cgroups-missing" — ядро собрано без поддержки контрольных групп, либо отсутствуют права для доступа к интерфейсным файлам контрольных групп - "var-run-bad" — /var/run не является символьной ссылкой на /run diff --git a/docs/DISTRO_PORTING.md b/docs/DISTRO_PORTING.md index c95a8292a9..93f36d0844 100644 --- a/docs/DISTRO_PORTING.md +++ b/docs/DISTRO_PORTING.md @@ -14,6 +14,7 @@ distribution: 1. Find the right configure parameters for: + * `-Drootprefix=` * `-Dsysvinit-path=` * `-Dsysvrcnd-path=` * `-Drc-local=` 
diff --git a/hwdb.d/meson.build b/hwdb.d/meson.build index 32e6505bc6..7d340d618a 100644 --- a/hwdb.d/meson.build +++ b/hwdb.d/meson.build @@ -54,7 +54,7 @@ if conf.get('ENABLE_HWDB') == 1 install_emptydir(sysconfdir / 'udev/hwdb.d') meson.add_install_script(sh, '-c', - 'test -n "$DESTDIR" || @0@/systemd-hwdb update'.format(bindir)) + 'test -n "$DESTDIR" || @0@/systemd-hwdb update'.format(rootbindir)) endif if want_tests != 'false' diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml index 199ce4f14c..cf4b790ef8 100644 --- a/man/org.freedesktop.systemd1.xml +++ b/man/org.freedesktop.systemd1.xml @@ -1632,6 +1632,17 @@ node /org/freedesktop/systemd1 { used to lower the chance of bogus bug reports. The following taints are currently known: + + split-usr + + /usr/ was not available when systemd was first invoked. It + must either be part of the root file system, or it must be mounted before + systemd is invoked. See + + Booting Without /usr is Broken for details why this is bad. + + + unmerged-usr diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index e9cef24d18..c2d0b81163 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -3654,9 +3654,12 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX Colon-separated list of directories to use when launching executables. systemd uses a fixed value of /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin - in the system manager. In case of the user manager, a different path may be configured by the - distribution. It is recommended to not rely on the order of entries, and have only one program - with a given name in $PATH. + in the system manager. When compiled for systems with "unmerged /usr/" + (/bin is not a symlink to /usr/bin), + :/sbin:/bin is appended. In case of + the user manager, a different path may be configured by the distribution. It is recommended to + not rely on the order of entries, and have only one program with a given name in + $PATH. diff --git a/meson.build b/meson.build index 3e68f43ea6..718cc51eb5 100644 --- a/meson.build +++ b/meson.build @@ -75,6 +75,14 @@ endif ##################################################################### fs = import('fs') +if get_option('split-usr') == 'auto' + split_usr = not fs.is_symlink('/bin') +else + split_usr = get_option('split-usr') == 'true' +endif +conf.set10('HAVE_SPLIT_USR', split_usr, + description : '/usr/bin and /bin directories are separate') + if get_option('split-bin') == 'auto' split_bin = not fs.is_symlink('/usr/sbin') else @@ -83,6 +91,15 @@ endif conf.set10('HAVE_SPLIT_BIN', split_bin, description : 'bin and sbin directories are separate') +rootprefixdir = get_option('rootprefix') +# Unusual rootprefixdir values are used by some distros +# (see https://github.com/systemd/systemd/pull/7461). +rootprefix_default = split_usr ? '/' : '/usr' +if rootprefixdir == '' + rootprefixdir = rootprefix_default +endif +rootprefixdir_noslash = rootprefixdir == '/' ? '' : rootprefixdir + have_standalone_binaries = get_option('standalone-binaries') sysvinit_path = get_option('sysvinit-path') 
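Review bot: In the meson.build hunk `@@ -75,6 +75,14 @@`, `split_usr = not fs.is_symlink('/bin')` probes the build machine's `/bin` rather than the target's, so `HAVE_SPLIT_USR` and `rootprefix_default` follow whatever host, chroot or container the package is built in. The `split-usr` option restored in meson_options.txt has no `value :`, and a combo option then falls back to its first choice, `auto`, whereas the README hunk in this commit calls `-Dsplit-usr=false` the default. The systemd.exec.xml change says an unmerged build appends `:/sbin:/bin` to the system manager's `$PATH`, so a wrong probe changes the executable search path for every service. Either add `value : 'false'` to the option so that it matches the README, or correct the README and print a `message()` whenever the auto probe makes the decision.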
@@ -106,25 +123,38 @@ prefixdir = get_option('prefix') if not prefixdir.startswith('/') error('Prefix is not absolute: "@0@"'.format(prefixdir)) endif +if prefixdir != rootprefixdir and rootprefixdir != '/' and not prefixdir.strip('/').startswith(rootprefixdir.strip('/') + '/') + error('Prefix is not below root prefix (now rootprefix=@0@ prefix=@1@)'.format( + rootprefixdir, prefixdir)) +endif -prefixdir_noslash = '/' + prefixdir.strip('/') bindir = prefixdir / get_option('bindir') -sbindir = prefixdir / (split_bin ? 'sbin' : 'bin') -sbin_to_bin = split_bin ? '../bin/' : '' libdir = prefixdir / get_option('libdir') sysconfdir = prefixdir / get_option('sysconfdir') includedir = prefixdir / get_option('includedir') datadir = prefixdir / get_option('datadir') localstatedir = '/' / get_option('localstatedir') -libexecdir = prefixdir / 'lib/systemd' -pkglibdir = libdir / 'systemd' +rootbindir = rootprefixdir / 'bin' +rootsbindir = rootprefixdir / (split_bin ? 'sbin' : 'bin') +rootlibexecdir = rootprefixdir / 'lib/systemd' + +rootlibdir = get_option('rootlibdir') +if rootlibdir == '' + # This will be a relative path if libdir is in prefix. + rootlibdir = get_option('libdir') +endif +if not rootlibdir.startswith('/') + # If we have a relative path, add rootprefixdir to the front. + rootlibdir = rootprefixdir / rootlibdir +endif +rootpkglibdir = rootlibdir / 'systemd' install_sysconfdir = get_option('install-sysconfdir') != 'false' install_sysconfdir_samples = get_option('install-sysconfdir') == 'true' # Dirs of external packages pkgconfigdatadir = get_option('pkgconfigdatadir') != '' ? get_option('pkgconfigdatadir') : datadir / 'pkgconfig' -pkgconfiglibdir = get_option('pkgconfiglibdir') != '' ? get_option('pkgconfiglibdir') : libdir / 'pkgconfig' +pkgconfiglibdir = get_option('pkgconfiglibdir') != '' ? 
get_option('pkgconfiglibdir') : rootlibdir / 'pkgconfig' polkitpolicydir = datadir / 'polkit-1/actions' polkitrulesdir = datadir / 'polkit-1/rules.d' polkitpkladir = localstatedir / 'lib/polkit-1/localauthority/10-vendor.d' @@ -133,7 +163,7 @@ rpmmacrosdir = get_option('rpmmacrosdir') if rpmmacrosdir != 'no' rpmmacrosdir = prefixdir / rpmmacrosdir endif -modprobedir = prefixdir / 'lib/modprobe.d' +modprobedir = rootprefixdir / 'lib/modprobe.d' # Our own paths pkgdatadir = datadir / 'systemd' @@ -147,16 +177,16 @@ sysusersdir = prefixdir / 'lib/sysusers.d' sysctldir = prefixdir / 'lib/sysctl.d' binfmtdir = prefixdir / 'lib/binfmt.d' modulesloaddir = prefixdir / 'lib/modules-load.d' -networkdir = prefixdir / 'lib/systemd/network' -systemgeneratordir = libexecdir / 'system-generators' +networkdir = rootprefixdir / 'lib/systemd/network' +systemgeneratordir = rootlibexecdir / 'system-generators' usergeneratordir = prefixdir / 'lib/systemd/user-generators' systemenvgeneratordir = prefixdir / 'lib/systemd/system-environment-generators' userenvgeneratordir = prefixdir / 'lib/systemd/user-environment-generators' -systemshutdowndir = libexecdir / 'system-shutdown' -systemsleepdir = libexecdir / 'system-sleep' -systemunitdir = prefixdir / 'lib/systemd/system' -systempresetdir = prefixdir / 'lib/systemd/system-preset' -udevlibexecdir = prefixdir / 'lib/udev' +systemshutdowndir = rootlibexecdir / 'system-shutdown' +systemsleepdir = rootlibexecdir / 'system-sleep' +systemunitdir = rootprefixdir / 'lib/systemd/system' +systempresetdir = rootprefixdir / 'lib/systemd/system-preset' +udevlibexecdir = rootprefixdir / 'lib/udev' udevrulesdir = udevlibexecdir / 'rules.d' udevhwdbdir = udevlibexecdir / 'hwdb.d' catalogdir = prefixdir / 'lib/systemd/catalog' 
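Review bot: Nothing in the visible hunks rejects a relative `rootprefix`. The containment test added in `@@ -106,25 +123,38 @@` strips the slashes from both values before comparing, so `-Drootprefix=usr` combined with a prefix such as `/usr/local` passes it. `rootbindir`, `rootlibexecdir` and the `conf.set_quoted()` values built from them (for example `SYSTEMD_BINARY_PATH`) would then be relative paths, and the rules.d templates later in this patch put `{{ROOTBINDIR}}` straight into `RUN+=`. Add the same guard that `prefix` already has, ahead of the containment test: `if not rootprefixdir.startswith('/')`, `error('Root prefix is not absolute: "@0@"'.format(rootprefixdir))`, `endif`.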
@@ -170,9 +200,9 @@ testdata_dir = testsdir / 'testdata' systemdstatedir = localstatedir / 'lib/systemd' catalogstatedir = systemdstatedir / 'catalog' randomseeddir = localstatedir / 'lib/systemd' -profiledir = libexecdir / 'portable' / 'profile' -repartdefinitionsdir = libexecdir / 'repart/definitions' -ntpservicelistdir = prefixdir / 'lib/systemd/ntp-units.d' +profiledir = rootlibexecdir / 'portable' / 'profile' +repartdefinitionsdir = rootlibexecdir / 'repart/definitions' +ntpservicelistdir = rootprefixdir / 'lib/systemd/ntp-units.d' credstoredir = prefixdir / 'lib/credstore' pcrlockdir = prefixdir / 'lib/pcrlock.d' @@ -189,7 +219,7 @@ endif pamlibdir = get_option('pamlibdir') if pamlibdir == '' - pamlibdir = libdir / 'security' + pamlibdir = rootlibdir / 'security' endif pamconfdir = get_option('pamconfdir') @@ -199,7 +229,7 @@ endif libcryptsetup_plugins_dir = get_option('libcryptsetup-plugins-dir') if libcryptsetup_plugins_dir == '' - libcryptsetup_plugins_dir = libdir / 'cryptsetup' + libcryptsetup_plugins_dir = rootlibdir / 'cryptsetup' endif memory_accounting_default = get_option('memory-accounting-default') 
@@ -218,41 +248,44 @@ conf.set_quoted('DOCUMENT_ROOT', pkgdatadir / 'gate conf.set_quoted('ENVIRONMENT_DIR', environmentdir) conf.set_quoted('INCLUDE_DIR', includedir) conf.set_quoted('LIBDIR', libdir) -conf.set_quoted('LIBEXECDIR', libexecdir) conf.set_quoted('MODPROBE_DIR', modprobedir) conf.set_quoted('MODULESLOAD_DIR', modulesloaddir) conf.set_quoted('PKGSYSCONFDIR', pkgsysconfdir) conf.set_quoted('POLKIT_AGENT_BINARY_PATH', bindir / 'pkttyagent') conf.set_quoted('PREFIX', prefixdir) -conf.set_quoted('PREFIX_NOSLASH', prefixdir_noslash) conf.set_quoted('RANDOM_SEED', randomseeddir / 'random-seed') conf.set_quoted('RANDOM_SEED_DIR', randomseeddir) conf.set_quoted('RC_LOCAL_PATH', get_option('rc-local')) +conf.set_quoted('ROOTBINDIR', rootbindir) +conf.set_quoted('ROOTLIBDIR', rootlibdir) +conf.set_quoted('ROOTLIBEXECDIR', rootlibexecdir) +conf.set_quoted('ROOTPREFIX', rootprefixdir) +conf.set_quoted('ROOTPREFIX_NOSLASH', rootprefixdir_noslash) conf.set_quoted('SYSCONF_DIR', sysconfdir) conf.set_quoted('SYSCTL_DIR', sysctldir) -conf.set_quoted('SYSTEMCTL_BINARY_PATH', bindir / 'systemctl') -conf.set_quoted('SYSTEMD_BINARY_PATH', libexecdir / 'systemd') -conf.set_quoted('SYSTEMD_EXECUTOR_BINARY_PATH', libexecdir / 'systemd-executor') +conf.set_quoted('SYSTEMCTL_BINARY_PATH', rootbindir / 'systemctl') +conf.set_quoted('SYSTEMD_BINARY_PATH', rootlibexecdir / 'systemd') +conf.set_quoted('SYSTEMD_EXECUTOR_BINARY_PATH', rootlibexecdir / 'systemd-executor') conf.set_quoted('SYSTEMD_CATALOG_DIR', catalogdir) -conf.set_quoted('SYSTEMD_CGROUPS_AGENT_PATH', libexecdir / 'systemd-cgroups-agent') +conf.set_quoted('SYSTEMD_CGROUPS_AGENT_PATH', rootlibexecdir / 'systemd-cgroups-agent') conf.set_quoted('SYSTEMD_CRYPTSETUP_PATH', bindir / 'systemd-cryptsetup') -conf.set_quoted('SYSTEMD_EXPORT_PATH', libexecdir / 'systemd-export') -conf.set_quoted('SYSTEMD_FSCK_PATH', libexecdir / 'systemd-fsck') -conf.set_quoted('SYSTEMD_GROWFS_PATH', libexecdir / 'systemd-growfs') 
-conf.set_quoted('SYSTEMD_HOMEWORK_PATH', libexecdir / 'systemd-homework') -conf.set_quoted('SYSTEMD_IMPORT_FS_PATH', libexecdir / 'systemd-import-fs') -conf.set_quoted('SYSTEMD_IMPORT_PATH', libexecdir / 'systemd-import') -conf.set_quoted('SYSTEMD_INTEGRITYSETUP_PATH', libexecdir / 'systemd-integritysetup') +conf.set_quoted('SYSTEMD_EXPORT_PATH', rootlibexecdir / 'systemd-export') +conf.set_quoted('SYSTEMD_FSCK_PATH', rootlibexecdir / 'systemd-fsck') +conf.set_quoted('SYSTEMD_GROWFS_PATH', rootlibexecdir / 'systemd-growfs') +conf.set_quoted('SYSTEMD_HOMEWORK_PATH', rootlibexecdir / 'systemd-homework') +conf.set_quoted('SYSTEMD_IMPORT_FS_PATH', rootlibexecdir / 'systemd-import-fs') +conf.set_quoted('SYSTEMD_IMPORT_PATH', rootlibexecdir / 'systemd-import') +conf.set_quoted('SYSTEMD_INTEGRITYSETUP_PATH', rootlibexecdir / 'systemd-integritysetup') conf.set_quoted('SYSTEMD_KBD_MODEL_MAP', pkgdatadir / 'kbd-model-map') conf.set_quoted('SYSTEMD_LANGUAGE_FALLBACK_MAP', pkgdatadir / 'language-fallback-map') -conf.set_quoted('SYSTEMD_MAKEFS_PATH', libexecdir / 'systemd-makefs') -conf.set_quoted('SYSTEMD_PULL_PATH', libexecdir / 'systemd-pull') -conf.set_quoted('SYSTEMD_SHUTDOWN_BINARY_PATH', libexecdir / 'systemd-shutdown') +conf.set_quoted('SYSTEMD_MAKEFS_PATH', rootlibexecdir / 'systemd-makefs') +conf.set_quoted('SYSTEMD_PULL_PATH', rootlibexecdir / 'systemd-pull') +conf.set_quoted('SYSTEMD_SHUTDOWN_BINARY_PATH', rootlibexecdir / 'systemd-shutdown') conf.set_quoted('SYSTEMD_TEST_DATA', testdata_dir) -conf.set_quoted('SYSTEMD_TTY_ASK_PASSWORD_AGENT_BINARY_PATH', bindir / 'systemd-tty-ask-password-agent') -conf.set_quoted('SYSTEMD_UPDATE_HELPER_PATH', libexecdir / 'systemd-update-helper') -conf.set_quoted('SYSTEMD_USERWORK_PATH', libexecdir / 'systemd-userwork') -conf.set_quoted('SYSTEMD_VERITYSETUP_PATH', libexecdir / 'systemd-veritysetup') +conf.set_quoted('SYSTEMD_TTY_ASK_PASSWORD_AGENT_BINARY_PATH', rootbindir / 'systemd-tty-ask-password-agent') 
+conf.set_quoted('SYSTEMD_UPDATE_HELPER_PATH', rootlibexecdir / 'systemd-update-helper') +conf.set_quoted('SYSTEMD_USERWORK_PATH', rootlibexecdir / 'systemd-userwork') +conf.set_quoted('SYSTEMD_VERITYSETUP_PATH', rootlibexecdir / 'systemd-veritysetup') conf.set_quoted('SYSTEM_CONFIG_UNIT_DIR', pkgsysconfdir / 'system') conf.set_quoted('SYSTEM_DATA_UNIT_DIR', systemunitdir) conf.set_quoted('SYSTEM_ENV_GENERATOR_DIR', systemenvgeneratordir) @@ -274,7 +307,7 @@ conf.set_quoted('USER_ENV_GENERATOR_DIR', userenvgeneratordi conf.set_quoted('USER_GENERATOR_DIR', usergeneratordir) conf.set_quoted('USER_KEYRING_PATH', pkgsysconfdir / 'import-pubring.gpg') conf.set_quoted('USER_PRESET_DIR', userpresetdir) -conf.set_quoted('VENDOR_KEYRING_PATH', libexecdir / 'import-pubring.gpg') +conf.set_quoted('VENDOR_KEYRING_PATH', rootlibexecdir / 'import-pubring.gpg') conf.set('ANSI_OK_COLOR', 'ANSI_' + get_option('ok-color').underscorify().to_upper()) conf.set10('ENABLE_URLIFY', get_option('urlify')) @@ -1929,7 +1962,7 @@ libsystemd = shared_library( link_depends : libsystemd_sym, install : true, install_tag: 'libsystemd', - install_dir : libdir) + install_dir : rootlibdir) alias_target('libsystemd', libsystemd) @@ -1944,7 +1977,7 @@ install_libsystemd_static = static_library( build_by_default : static_libsystemd != 'false', install : static_libsystemd != 'false', install_tag: 'libsystemd', - install_dir : libdir, + install_dir : rootlibdir, pic : static_libsystemd_pic, dependencies : [libblkid, libcap, @@ -1973,7 +2006,7 @@ libudev = shared_library( link_depends : libudev_sym, install : true, install_tag: 'libudev', - install_dir : libdir) + install_dir : rootlibdir) alias_target('libudev', libudev) 
@@ -1988,7 +2021,7 @@ install_libudev_static = static_library( build_by_default : static_libudev != 'false', install : static_libudev != 'false', install_tag: 'libudev', - install_dir : libdir, + install_dir : rootlibdir, link_depends : libudev_sym, dependencies : [libmount, libshared_deps, @@ -2022,16 +2055,20 @@ endif executable_template = { 'include_directories' : includes, 'link_with' : libshared, - 'install_rpath' : pkglibdir, + 'install_rpath' : rootpkglibdir, 'install' : true, } +executable_root_template = executable_template + { + 'install_dir' : rootbindir, +} + generator_template = executable_template + { 'install_dir' : systemgeneratordir, } libexec_template = executable_template + { - 'install_dir' : libexecdir, + 'install_dir' : rootlibexecdir, } executable_additional_kwargs = { @@ -2088,7 +2125,7 @@ nss_template = { ], 'install' : true, 'install_tag' : 'nss', - 'install_dir' : libdir, + 'install_dir' : rootlibdir, } pam_template = { @@ -2446,7 +2483,7 @@ if want_ukify # symlink for backwards compatibility after rename meson.add_install_script(sh, '-c', ln_s.format(bindir / 'ukify', - libexecdir / 'ukify')) + rootlibexecdir / 'ukify')) endif ############################################################ @@ -2664,11 +2701,14 @@ alt_time_epoch = run_command('date', '-Is', '-u', '-d', '@@0@'.format(time_epoch check : true).stdout().strip() summary({ + 'split /usr' : split_usr, 'split bin-sbin' : split_bin, 'prefix directory' : prefixdir, + 'rootprefix directory' : rootprefixdir, 'sysconf directory' : sysconfdir, 'include directory' : includedir, 'lib directory' : libdir, + 'rootlib directory' : rootlibdir, 'SysV init scripts' : sysvinit_path, 'SysV rc?.d directories' : sysvrcnd_path, 'PAM modules directory' : pamlibdir, 
@@ -2898,3 +2938,10 @@ summary({ 'enabled' : ', '.join(found), 'disabled' : ', '.join(missing)}, section : 'Features') + +if rootprefixdir != rootprefix_default + warning('\n' + + 'Note that the installation prefix was changed to "@0@".\n'.format(rootprefixdir) + + 'systemd used fixed names for unit file directories and other paths, so anything\n' + + 'except the default ("@0@") is strongly discouraged.'.format(rootprefix_default)) +endif diff --git a/meson_options.txt b/meson_options.txt index abefa28458..f87bf397e9 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -9,14 +9,14 @@ option('shared-lib-tag', type : 'string', option('mode', type : 'combo', choices : ['developer', 'release'], description : 'autoenable features suitable for systemd development/release builds') -option('split-usr', type : 'combo', choices : ['auto', 'true', 'false'], deprecated: true, - description : '''This option is deprecated and will be removed in a future release''') +option('split-usr', type : 'combo', choices : ['auto', 'true', 'false'], + description : '''/bin, /sbin aren't symlinks into /usr''') option('split-bin', type : 'combo', choices : ['auto', 'true', 'false'], description : '''sbin is not a symlink to bin''') -option('rootlibdir', type : 'string', deprecated: true, - description : '''This option is deprecated and will be removed in a future release''') -option('rootprefix', type : 'string', deprecated: true, - description : '''This option is deprecated and will be removed in a future release''') +option('rootlibdir', type : 'string', + description : '''[/usr]/lib/x86_64-linux-gnu or such''') +option('rootprefix', type : 'string', + description : '''override the root prefix [default '/' if split-usr and '/usr' otherwise]''') option('link-udev-shared', type : 'boolean', description : 'link systemd-udevd and its helpers to libsystemd-shared.so') option('link-systemctl-shared', type: 'boolean', 
@@ -69,7 +69,7 @@ option('loadkeys-path', type : 'string', description : 'path to loadkeys') option('setfont-path', type : 'string', description : 'path to setfont') option('nologin-path', type : 'string', description : 'path to nologin') -option('debug-shell', type : 'string', value : '/usr/bin/sh', +option('debug-shell', type : 'string', value : '/bin/sh', description : 'path to debug shell binary') option('debug-tty', type : 'string', value : '/dev/tty9', description : 'specify the tty device for debug shell') @@ -236,7 +236,7 @@ option('time-epoch', type : 'integer', value : 0, description : 'time epoch for time clients') option('clock-valid-range-usec-max', type : 'integer', value : 473364000000000, # 15 years description : 'maximum value in microseconds for the difference between RTC and epoch, exceeding which is considered an RTC error ["0" disables]') -option('default-user-shell', type : 'string', value : '/usr/bin/bash', +option('default-user-shell', type : 'string', value : '/bin/bash', description : 'default interactive shell') option('system-alloc-uid-min', type : 'integer', value : 0, diff --git a/mkosi.presets/base/mkosi.build b/mkosi.presets/base/mkosi.build index 95402f6463..b91ace7574 100755 --- a/mkosi.presets/base/mkosi.build +++ b/mkosi.presets/base/mkosi.build @@ -53,6 +53,14 @@ fi if [ ! -f "$BUILDDIR"/build.ninja ]; then sysvinit_path=$(realpath /etc/init.d) + init_path=$(realpath /sbin/init 2>/dev/null) + if [ -z "$init_path" ]; then + rootprefix="" + else + rootprefix=${init_path%/lib/systemd/systemd} + rootprefix=/${rootprefix#/} + fi + if [ "$ID" = "centos" ] && [ "$VERSION" = "8" ]; then UKIFY="disabled" else @@ -68,6 +76,7 @@ if [ ! -f "$BUILDDIR"/build.ninja ]; then CONFIGURE_OPTS=( -D sysvinit-path="$sysvinit_path" + -D rootprefix="$rootprefix" -D man=disabled -D translations=false -D version-tag="${VERSION_TAG}" 
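Review bot: In the mkosi.build hunk `@@ -53,6 +53,14 @@`, `rootprefix=${init_path%/lib/systemd/systemd}` is a no-op whenever `/sbin/init` exists but does not resolve to a path ending in `/lib/systemd/systemd`. In that case `rootprefix` becomes the full path of the init binary and is passed to meson as `-D rootprefix=`. Only the empty case is handled, so an image with another init (or a wrapper) configures systemd with a bogus root prefix, and every `ROOT*` path derived from it is wrong. Match on the suffix explicitly and fall back to the empty value, which lets meson pick its default. The enclosing `if [ ! -f "$BUILDDIR"/build.ninja ]` block continues outside the hunk.

```shell
    init_path=$(realpath /sbin/init 2>/dev/null)
    case "$init_path" in
        */lib/systemd/systemd)
            rootprefix=${init_path%/lib/systemd/systemd}
            rootprefix=/${rootprefix#/}
            ;;
        *)
            # /sbin/init is missing or is not systemd: let meson use its default
            rootprefix=""
            ;;
    esac
    # … unchanged: UKIFY selection and CONFIGURE_OPTS …
```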
@@ -167,7 +176,7 @@ if [ ! -f "$BUILDDIR"/build.ninja ]; then # installed in the wrong directory and not be found by cryptsetup. Assume native build. if grep -q -e "ID=debian" -e "ID_LIKE=debian" /usr/lib/os-release && command -v dpkg 2>/dev/null; then CONFIGURE_OPTS+=( - -D libdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)" + -D rootlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)" -D pamlibdir="/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/security" ) fi diff --git a/rules.d/64-btrfs.rules.in b/rules.d/64-btrfs.rules.in index 039d759f62..df6e12a5dd 100644 --- a/rules.d/64-btrfs.rules.in +++ b/rules.d/64-btrfs.rules.in @@ -12,6 +12,6 @@ IMPORT{builtin}="btrfs ready $devnode" ENV{ID_BTRFS_READY}=="0", ENV{SYSTEMD_READY}="0" # reconsider pending devices in case when multidevice volume awaits -ENV{ID_BTRFS_READY}=="1", RUN+="{{BINDIR}}/udevadm trigger -s block -p ID_BTRFS_READY=0" +ENV{ID_BTRFS_READY}=="1", RUN+="{{ROOTBINDIR}}/udevadm trigger -s block -p ID_BTRFS_READY=0" LABEL="btrfs_end" diff --git a/rules.d/71-seat.rules.in b/rules.d/71-seat.rules.in index 1fd7ec23b0..25e4ee7e58 100644 --- a/rules.d/71-seat.rules.in +++ b/rules.d/71-seat.rules.in @@ -71,11 +71,11 @@ SUBSYSTEM=="usb", ATTR{idVendor}=="17e9", ATTR{idProduct}=="401a", ATTR{product} SUBSYSTEM=="usb", ATTR{idVendor}=="17e9", ATTR{idProduct}=="401a", ATTR{product}=="mimo inc", \ ATTR{../idVendor}=="058f", ATTR{../idProduct}=="6254", \ ENV{ID_AVOID_LOOP}=="", \ - RUN+="{{BINDIR}}/udevadm trigger --parent-match=%p/.." + RUN+="{{ROOTBINDIR}}/udevadm trigger --parent-match=%p/.." TAG=="seat", ENV{ID_PATH}=="", IMPORT{builtin}="path_id" TAG=="seat", ENV{ID_FOR_SEAT}=="", ENV{ID_PATH_TAG}!="", ENV{ID_FOR_SEAT}="$env{SUBSYSTEM}-$env{ID_PATH_TAG}" -SUBSYSTEM=="input", ATTR{name}=="Wiebetech LLC Wiebetech", RUN+="{{BINDIR}}/loginctl lock-sessions" +SUBSYSTEM=="input", ATTR{name}=="Wiebetech LLC Wiebetech", RUN+="{{ROOTBINDIR}}/loginctl lock-sessions" LABEL="seat_end" 
diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in index 0d68f31d36..96b84226a5 100644 --- a/rules.d/99-systemd.rules.in +++ b/rules.d/99-systemd.rules.in @@ -65,7 +65,7 @@ SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{ID_USB_INTERFACES}=="*:0701??: SUBSYSTEM=="udc", ACTION=="add", TAG+="systemd", ENV{SYSTEMD_WANTS}+="usb-gadget.target" # Apply sysctl variables to network devices (and only to those) as they appear. -ACTION=="add", SUBSYSTEM=="net", KERNEL!="lo", RUN+="{{LIBEXECDIR}}/systemd-sysctl --prefix=/net/ipv4/conf/$name --prefix=/net/ipv4/neigh/$name --prefix=/net/ipv6/conf/$name --prefix=/net/ipv6/neigh/$name" +ACTION=="add", SUBSYSTEM=="net", KERNEL!="lo", RUN+="{{ROOTLIBEXECDIR}}/systemd-sysctl --prefix=/net/ipv4/conf/$name --prefix=/net/ipv4/neigh/$name --prefix=/net/ipv6/conf/$name --prefix=/net/ipv6/neigh/$name" {% if ENABLE_BACKLIGHT %} # Pull in backlight save/restore for all backlight devices and diff --git a/shell-completion/bash/systemctl.in b/shell-completion/bash/systemctl.in index 03c3b70150..f732a0ac12 100644 --- a/shell-completion/bash/systemctl.in +++ b/shell-completion/bash/systemctl.in @@ -12,7 +12,7 @@ __systemctl() { } __systemd_properties() { - {{LIBEXECDIR}}/systemd --dump-bus-properties + {{ROOTLIBEXECDIR}}/systemd --dump-bus-properties } __contains_word () { diff --git a/shell-completion/zsh/_systemctl.in b/shell-completion/zsh/_systemctl.in index 54e34a1781..2306cbf6b0 100644 --- a/shell-completion/zsh/_systemctl.in +++ b/shell-completion/zsh/_systemctl.in @@ -472,7 +472,7 @@ done (( $+functions[_systemctl_unit_properties] )) || _systemctl_unit_properties() { - local -a _sys_all_properties=( ${(f)"$({{LIBEXECDIR}}/systemd --no-pager --dump-bus-properties 2>/dev/null)"} ) + local -a _sys_all_properties=( ${(f)"$({{ROOTLIBEXECDIR}}/systemd --no-pager --dump-bus-properties 2>/dev/null)"} ) _wanted systemd-unit-properties expl 'unit property' \ _values -s , "${_sys_all_properties[@]}" } 
diff --git a/src/ask-password/meson.build b/src/ask-password/meson.build index 3197112ebc..321e290df1 100644 --- a/src/ask-password/meson.build +++ b/src/ask-password/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: LGPL-2.1-or-later executables += [ - executable_template + { + executable_root_template + { 'name' : 'systemd-ask-password', 'public' : true, 'sources' : files('ask-password.c'), diff --git a/src/basic/constants.h b/src/basic/constants.h index 98816d183c..0bd918287a 100644 --- a/src/basic/constants.h +++ b/src/basic/constants.h @@ -59,13 +59,22 @@ #define NOTIFY_FD_MAX 768 #define NOTIFY_BUFFER_MAX PIPE_BUF +#if HAVE_SPLIT_USR +# define _CONF_PATHS_SPLIT_USR_NULSTR(n) "/lib/" n "\0" +# define _CONF_PATHS_SPLIT_USR(n) , "/lib/" n +#else +# define _CONF_PATHS_SPLIT_USR_NULSTR(n) +# define _CONF_PATHS_SPLIT_USR(n) +#endif + /* Return a nulstr for a standard cascade of configuration paths, suitable to pass to * conf_files_list_nulstr() to implement drop-in directories for extending configuration files. */ #define CONF_PATHS_NULSTR(n) \ "/etc/" n "\0" \ "/run/" n "\0" \ "/usr/local/lib/" n "\0" \ - "/usr/lib/" n "\0" + "/usr/lib/" n "\0" \ + _CONF_PATHS_SPLIT_USR_NULSTR(n) #define CONF_PATHS_USR(n) \ "/etc/" n, \ @@ -74,7 +83,8 @@ "/usr/lib/" n #define CONF_PATHS(n) \ - CONF_PATHS_USR(n) + CONF_PATHS_USR(n) \ + _CONF_PATHS_SPLIT_USR(n) #define CONF_PATHS_USR_STRV(n) \ STRV_MAKE(CONF_PATHS_USR(n)) diff --git a/src/basic/path-lookup.c b/src/basic/path-lookup.c index 4e3d59fc56..7d158a8295 100644 --- a/src/basic/path-lookup.c +++ b/src/basic/path-lookup.c @@ -530,6 +530,10 @@ int lookup_paths_init( assert(scope >= 0); assert(scope < _RUNTIME_SCOPE_MAX); +#if HAVE_SPLIT_USR + flags |= LOOKUP_PATHS_SPLIT_USR; +#endif + if (!empty_or_root(root_dir)) { if (scope == RUNTIME_SCOPE_USER) return -EINVAL; 
@@ -621,7 +625,6 @@ int lookup_paths_init( "/usr/local/lib/systemd/system", SYSTEM_DATA_UNIT_DIR, "/usr/lib/systemd/system", - /* To be used ONLY for images which might be legacy split-usr */ STRV_IFNOTNULL(flags & LOOKUP_PATHS_SPLIT_USR ? "/lib/systemd/system" : NULL), STRV_IFNOTNULL(generator_late)); break; diff --git a/src/basic/path-lookup.h b/src/basic/path-lookup.h index 1601787064..6d6163fb9d 100644 --- a/src/basic/path-lookup.h +++ b/src/basic/path-lookup.h @@ -10,7 +10,7 @@ typedef enum LookupPathsFlags { LOOKUP_PATHS_EXCLUDE_GENERATED = 1 << 0, LOOKUP_PATHS_TEMPORARY_GENERATED = 1 << 1, - LOOKUP_PATHS_SPLIT_USR = 1 << 2, /* Legacy, use ONLY for image payloads which might be old */ + LOOKUP_PATHS_SPLIT_USR = 1 << 2, } LookupPathsFlags; typedef struct LookupPaths { diff --git a/src/basic/path-util.h b/src/basic/path-util.h index 6d943e967f..8e5c18ab38 100644 --- a/src/basic/path-util.h +++ b/src/basic/path-util.h @@ -25,10 +25,20 @@ # define PATH_SBIN_BIN_NULSTR(x) PATH_NORMAL_SBIN_BIN_NULSTR(x) #endif -#define DEFAULT_PATH PATH_SBIN_BIN("/usr/local/") ":" PATH_SBIN_BIN("/usr/") -#define DEFAULT_PATH_NULSTR PATH_SBIN_BIN_NULSTR("/usr/local/") PATH_SBIN_BIN_NULSTR("/usr/") +#define DEFAULT_PATH_NORMAL PATH_SBIN_BIN("/usr/local/") ":" PATH_SBIN_BIN("/usr/") +#define DEFAULT_PATH_NORMAL_NULSTR PATH_SBIN_BIN_NULSTR("/usr/local/") PATH_SBIN_BIN_NULSTR("/usr/") +#define DEFAULT_PATH_SPLIT_USR DEFAULT_PATH_NORMAL ":" PATH_SBIN_BIN("/") +#define DEFAULT_PATH_SPLIT_USR_NULSTR DEFAULT_PATH_NORMAL_NULSTR PATH_SBIN_BIN_NULSTR("/") #define DEFAULT_PATH_COMPAT PATH_SPLIT_SBIN_BIN("/usr/local/") ":" PATH_SPLIT_SBIN_BIN("/usr/") ":" PATH_SPLIT_SBIN_BIN("/") +#if HAVE_SPLIT_USR +# define DEFAULT_PATH DEFAULT_PATH_SPLIT_USR +# define DEFAULT_PATH_NULSTR DEFAULT_PATH_SPLIT_USR_NULSTR +#else +# define DEFAULT_PATH DEFAULT_PATH_NORMAL +# define DEFAULT_PATH_NULSTR DEFAULT_PATH_NORMAL_NULSTR +#endif + #ifndef DEFAULT_USER_PATH # define DEFAULT_USER_PATH DEFAULT_PATH #endif 
diff --git a/src/core/manager-serialize.c b/src/core/manager-serialize.c index 1d7a1bed35..902b0e24de 100644 --- a/src/core/manager-serialize.c +++ b/src/core/manager-serialize.c @@ -89,6 +89,7 @@ int manager_serialize( (void) serialize_item_format(f, "current-job-id", "%" PRIu32, m->current_job_id); (void) serialize_item_format(f, "n-installed-jobs", "%u", m->n_installed_jobs); (void) serialize_item_format(f, "n-failed-jobs", "%u", m->n_failed_jobs); + (void) serialize_bool(f, "taint-usr", m->taint_usr); (void) serialize_bool(f, "ready-sent", m->ready_sent); (void) serialize_bool(f, "taint-logged", m->taint_logged); (void) serialize_bool(f, "service-watchdogs", m->service_watchdogs); @@ -357,6 +358,15 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { else m->n_failed_jobs += n; + } else if ((val = startswith(l, "taint-usr="))) { + int b; + + b = parse_boolean(val); + if (b < 0) + log_notice("Failed to parse taint /usr flag '%s', ignoring.", val); + else + m->taint_usr = m->taint_usr || b; + } else if ((val = startswith(l, "ready-sent="))) { int b; diff --git a/src/core/manager.c b/src/core/manager.c index 6b9ce2d2ec..c5730bc0fb 100644 --- a/src/core/manager.c +++ b/src/core/manager.c @@ -1088,6 +1088,10 @@ int manager_new(RuntimeScope runtime_scope, ManagerTestRunFlags test_run_flags, log_full(level, "Using systemd-executor binary from '%s'", executor_path); } + m->taint_usr = + !in_initrd() && + dir_is_empty("/usr", /* ignore_hidden_or_backup= */ false) > 0; + /* Note that we do not set up the notify fd here. We do that after deserialization, * since they might have gotten serialized across the reexec. */ 
@@ -4838,9 +4842,12 @@ char* manager_taint_string(const Manager *m) { assert(m); - const char* stage[12] = {}; + const char* stage[13] = {}; size_t n = 0; + if (m->taint_usr) + stage[n++] = "split-usr"; + _cleanup_free_ char *usrbin = NULL; if (readlink_malloc("/bin", &usrbin) < 0 || !PATH_IN_SET(usrbin, "usr/bin", "/usr/bin")) stage[n++] = "unmerged-usr"; diff --git a/src/core/manager.h b/src/core/manager.h index d96eb7b995..921bbe5b06 100644 --- a/src/core/manager.h +++ b/src/core/manager.h @@ -379,6 +379,8 @@ struct Manager { /* Flags */ bool dispatching_load_queue; + bool taint_usr; + /* Have we already sent out the READY=1 notification? */ bool ready_sent; diff --git a/src/core/meson.build b/src/core/meson.build index 7701d3de0a..cbf30f548c 100644 --- a/src/core/meson.build +++ b/src/core/meson.build @@ -135,7 +135,7 @@ libcore = shared_library( threads, userspace], install : true, - install_dir : pkglibdir) + install_dir : rootpkglibdir) core_includes = [includes, include_directories('.')] @@ -245,8 +245,8 @@ if install_sysconfdir sysconfdir / 'xdg/systemd/user')) endif -install_emptydir(sbindir) -meson.add_install_script(sh, '-c', ln_s.format(libexecdir / 'systemd', sbindir / 'init')) +install_emptydir(rootsbindir) +meson.add_install_script(sh, '-c', ln_s.format(rootlibexecdir / 'systemd', rootsbindir / 'init')) ############################################################ diff --git a/src/core/namespace.c b/src/core/namespace.c index 1a4d15a800..92ad68dea5 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -153,6 +153,9 @@ static const MountEntry protect_kernel_tunables_sys_table[] = { /* ProtectKernelModules= option */ static const MountEntry protect_kernel_modules_table[] = { +#if HAVE_SPLIT_USR + { "/lib/modules", MOUNT_INACCESSIBLE, true }, +#endif { "/usr/lib/modules", MOUNT_INACCESSIBLE, true }, }; 
@@ -194,6 +197,14 @@ static const MountEntry protect_system_yes_table[] = { { "/usr", MOUNT_READ_ONLY, false }, { "/boot", MOUNT_READ_ONLY, true }, { "/efi", MOUNT_READ_ONLY, true }, +#if HAVE_SPLIT_USR + { "/lib", MOUNT_READ_ONLY, true }, + { "/lib64", MOUNT_READ_ONLY, true }, + { "/bin", MOUNT_READ_ONLY, true }, +# if HAVE_SPLIT_BIN + { "/sbin", MOUNT_READ_ONLY, true }, +# endif +#endif }; /* ProtectSystem=full includes ProtectSystem=yes */ @@ -202,6 +213,14 @@ static const MountEntry protect_system_full_table[] = { { "/boot", MOUNT_READ_ONLY, true }, { "/efi", MOUNT_READ_ONLY, true }, { "/etc", MOUNT_READ_ONLY, false }, +#if HAVE_SPLIT_USR + { "/lib", MOUNT_READ_ONLY, true }, + { "/lib64", MOUNT_READ_ONLY, true }, + { "/bin", MOUNT_READ_ONLY, true }, +# if HAVE_SPLIT_BIN + { "/sbin", MOUNT_READ_ONLY, true }, +# endif +#endif }; /* ProtectSystem=strict table. In this strict mode, we mount everything read-only, except for /proc, /dev, diff --git a/src/core/org.freedesktop.systemd1.policy.in b/src/core/org.freedesktop.systemd1.policy.in index 0083e0b585..9e9a20f66f 100644 --- a/src/core/org.freedesktop.systemd1.policy.in +++ b/src/core/org.freedesktop.systemd1.policy.in @@ -26,7 +26,7 @@ no auth_admin_keep - {{LIBEXECDIR}}/systemd-reply-password + {{ROOTLIBEXECDIR}}/systemd-reply-password diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in index 6cca2fad9a..693433b34b 100644 --- a/src/core/systemd.pc.in +++ b/src/core/systemd.pc.in 
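Review bot: The split-usr entries added to `protect_system_yes_table` (and repeated in `protect_system_full_table` in the next hunk) cover `/lib` and `/lib64` but no other top-level library directory. On an unmerged multilib system, `/lib32` or `/libx32`, where they exist as real directories, would stay writable under ProtectSystem=yes/full. The new entries already pass `true` as the third field, which looks like the ignore-if-missing flag, so adding `{ "/lib32", MOUNT_READ_ONLY, true },` and `{ "/libx32", MOUNT_READ_ONLY, true },` inside the same `#if HAVE_SPLIT_USR` block should be harmless where they are absent. The coverage is also fixed at compile time, so a build without HAVE_SPLIT_USR presumably leaves these directories unprotected when a unit runs against an unmerged root. A comment above the tables stating that would help anyone auditing unit sandboxing.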
@@ -11,19 +11,19 @@ # considered deprecated (though there is no plan to remove them). New names # shall have underscores. -prefix={{PREFIX_NOSLASH}} -root_prefix=${prefix} -rootprefix=${prefix} +prefix=/usr +root_prefix={{ROOTPREFIX_NOSLASH}} +rootprefix=${root_prefix} sysconf_dir={{SYSCONF_DIR}} sysconfdir=${sysconf_dir} -systemd_util_dir=${prefix}/lib/systemd +systemd_util_dir=${root_prefix}/lib/systemd systemdutildir=${systemd_util_dir} -systemd_system_unit_dir=${prefix}/lib/systemd/system +systemd_system_unit_dir=${rootprefix}/lib/systemd/system systemdsystemunitdir=${systemd_system_unit_dir} -systemd_system_preset_dir=${prefix}/lib/systemd/system-preset +systemd_system_preset_dir=${rootprefix}/lib/systemd/system-preset systemdsystempresetdir=${systemd_system_preset_dir} systemd_user_unit_dir=${prefix}/lib/systemd/user @@ -44,7 +44,7 @@ systemdsystemunitpath=${systemd_system_unit_path} systemd_user_unit_path=${systemd_user_conf_dir}:/etc/systemd/user:/run/systemd/user:/usr/local/lib/systemd/user:/usr/local/share/systemd/user:${systemd_user_unit_dir}:/usr/lib/systemd/user:/usr/share/systemd/user systemduserunitpath=${systemd_user_unit_path} -systemd_system_generator_dir=${prefix}/lib/systemd/system-generators +systemd_system_generator_dir=${root_prefix}/lib/systemd/system-generators systemdsystemgeneratordir=${systemd_system_generator_dir} systemd_user_generator_dir=${prefix}/lib/systemd/user-generators 
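Review bot: `prefix=/usr` is hard-coded here, while the line it replaces used `{{PREFIX_NOSLASH}}` and libsystemd.pc.in in this same patch keeps `prefix={{PREFIX}}`. Every `${prefix}`-based variable in this file (user unit dir, user generator dir, tmpfiles dir, catalog dir) therefore ignores the configured prefix. Writing `prefix={{PREFIX_NOSLASH}}` next to the new `root_prefix={{ROOTPREFIX_NOSLASH}}` would keep both values correct. The hunks also alternate between `${root_prefix}` and `${rootprefix}` for the same value; one spelling throughout would make the file easier to audit.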
@@ -56,10 +56,10 @@ systemdsystemgeneratorpath=${systemd_system_generator_path} systemd_user_generator_path=/run/systemd/user-generators:/etc/systemd/user-generators:/usr/local/lib/systemd/user-generators:${systemd_user_generator_dir} systemdusergeneratorpath=${systemd_user_generator_path} -systemd_sleep_dir=${prefix}/lib/systemd/system-sleep +systemd_sleep_dir=${root_prefix}/lib/systemd/system-sleep systemdsleepdir=${systemd_sleep_dir} -systemd_shutdown_dir=${prefix}/lib/systemd/system-shutdown +systemd_shutdown_dir=${root_prefix}/lib/systemd/system-shutdown systemdshutdowndir=${systemd_shutdown_dir} tmpfiles_dir=${prefix}/lib/tmpfiles.d @@ -67,16 +67,16 @@ tmpfilesdir=${tmpfiles_dir} user_tmpfiles_dir=${prefix}/share/user-tmpfiles.d -sysusers_dir=${prefix}/lib/sysusers.d +sysusers_dir=${rootprefix}/lib/sysusers.d sysusersdir=${sysusers_dir} -sysctl_dir=${prefix}/lib/sysctl.d +sysctl_dir=${rootprefix}/lib/sysctl.d sysctldir=${sysctl_dir} -binfmt_dir=${prefix}/lib/binfmt.d +binfmt_dir=${rootprefix}/lib/binfmt.d binfmtdir=${binfmt_dir} -modules_load_dir=${prefix}/lib/modules-load.d +modules_load_dir=${rootprefix}/lib/modules-load.d modulesloaddir=${modules_load_dir} catalog_dir=${prefix}/lib/systemd/catalog diff --git a/src/creds/meson.build b/src/creds/meson.build index 85572568f6..69774e6798 100644 --- a/src/creds/meson.build +++ b/src/creds/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: LGPL-2.1-or-later executables += [ - executable_template + { + executable_root_template + { 'name' : 'systemd-creds', 'public' : true, 'sources' : files('creds.c'), diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c index 904e4cd3fa..7fba1603a5 100644 --- a/src/cryptsetup/cryptsetup-generator.c +++ b/src/cryptsetup/cryptsetup-generator.c 
@@ -533,13 +533,13 @@ static int create_disk( } fprintf(f, - "ExecStartPost=" LIBEXECDIR "/systemd-makefs '%s' '/dev/mapper/%s'\n", + "ExecStartPost=" ROOTLIBEXECDIR "/systemd-makefs '%s' '/dev/mapper/%s'\n", tmp_fstype_escaped ?: "ext4", name_escaped); } if (swap) fprintf(f, - "ExecStartPost=" LIBEXECDIR "/systemd-makefs swap '/dev/mapper/%s'\n", + "ExecStartPost=" ROOTLIBEXECDIR "/systemd-makefs swap '/dev/mapper/%s'\n", name_escaped); r = fflush_and_check(f); diff --git a/src/cryptsetup/cryptsetup-tokens/meson.build b/src/cryptsetup/cryptsetup-tokens/meson.build index b26940c6a3..9f9c1f20b6 100644 --- a/src/cryptsetup/cryptsetup-tokens/meson.build +++ b/src/cryptsetup/cryptsetup-tokens/meson.build @@ -30,7 +30,7 @@ template = { libshared, ], 'version-script' : meson.current_source_dir() / 'cryptsetup-token.sym', - 'install_rpath' : pkglibdir, + 'install_rpath' : rootpkglibdir, 'install' : true, 'install_dir' : libcryptsetup_plugins_dir, } diff --git a/src/cryptsetup/meson.build b/src/cryptsetup/meson.build index 90e2be7a91..9cb7dac177 100644 --- a/src/cryptsetup/meson.build +++ b/src/cryptsetup/meson.build @@ -38,5 +38,5 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1 # symlink for backwards compatibility after rename meson.add_install_script(sh, '-c', ln_s.format(bindir / 'systemd-cryptsetup', - libexecdir / 'systemd-cryptsetup')) + rootlibexecdir / 'systemd-cryptsetup')) endif diff --git a/src/delta/delta.c b/src/delta/delta.c index 3337b7f081..e46cbc9750 100644 --- a/src/delta/delta.c +++ b/src/delta/delta.c @@ -35,6 +35,9 @@ static const char prefixes[] = "/usr/local/share\0" "/usr/lib\0" "/usr/share\0" +#if HAVE_SPLIT_USR + "/lib\0" +#endif ; static const char suffixes[] = 
@@ -365,6 +368,36 @@ static int enumerate_dir( return 0; } +static int should_skip_path(const char *prefix, const char *suffix) { +#if HAVE_SPLIT_USR + _cleanup_free_ char *target = NULL, *dirname = NULL; + + dirname = path_join(prefix, suffix); + if (!dirname) + return -ENOMEM; + + if (chase(dirname, NULL, 0, &target, NULL) < 0) + return false; + + NULSTR_FOREACH(p, prefixes) { + _cleanup_free_ char *tmp = NULL; + + if (path_startswith(dirname, p)) + continue; + + tmp = path_join(p, suffix); + if (!tmp) + return -ENOMEM; + + if (path_equal(target, tmp)) { + log_debug("%s redirects to %s, skipping.", dirname, target); + return true; + } + } +#endif + return false; +} + static int process_suffix(const char *suffix, const char *onlyprefix) { char *f, *key; OrderedHashmap *top, *bottom, *drops, *h; @@ -388,6 +421,9 @@ static int process_suffix(const char *suffix, const char *onlyprefix) { NULSTR_FOREACH(p, prefixes) { _cleanup_free_ char *t = NULL; + if (should_skip_path(p, suffix) > 0) + continue; + t = path_join(p, suffix); if (!t) { r = -ENOMEM; diff --git a/src/dissect/meson.build b/src/dissect/meson.build index e422dbdd27..7eca4750a6 100644 --- a/src/dissect/meson.build +++ b/src/dissect/meson.build @@ -10,8 +10,8 @@ executables += [ ] if conf.get('HAVE_BLKID') == 1 - install_emptydir(sbindir) + install_emptydir(rootsbindir) meson.add_install_script(sh, '-c', ln_s.format(bindir / 'systemd-dissect', - sbindir / 'mount.ddi')) + rootsbindir / 'mount.ddi')) endif diff --git a/src/escape/meson.build b/src/escape/meson.build index d21b3722cc..ffcaca5488 100644 --- a/src/escape/meson.build +++ b/src/escape/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: LGPL-2.1-or-later executables += [ - executable_template + { + executable_root_template + { 'name' : 'systemd-escape', 'public' : true, 'sources' : files('escape.c'), diff --git a/src/firstboot/meson.build b/src/firstboot/meson.build index 28c1d2703a..6d8f04cdc7 100644 --- a/src/firstboot/meson.build 
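Review bot: `should_skip_path()` returns `-ENOMEM` on allocation failure, but the call added to `process_suffix()` only tests `> 0`, so that error is silently treated as "do not skip". Capture the result with `r = should_skip_path(p, suffix);` and route `r < 0` to the same error path the `path_join()` failure just below uses; that path lies outside the hunk. The helper also mixes `false`/`true` with errno values in an `int` return and maps every `chase()` failure to `false`. A short comment above it stating the contract (negative errno on OOM, > 0 when the directory resolves into another prefix, 0 otherwise) would make the intent checkable.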
+++ b/src/firstboot/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: LGPL-2.1-or-later executables += [ - executable_template + { + executable_root_template + { 'name' : 'systemd-firstboot', 'public' : true, 'conditions' : ['ENABLE_FIRSTBOOT'], diff --git a/src/fstab-generator/meson.build b/src/fstab-generator/meson.build index 7b90580e90..2146d24474 100644 --- a/src/fstab-generator/meson.build +++ b/src/fstab-generator/meson.build @@ -9,4 +9,4 @@ executables += [ meson.add_install_script(sh, '-c', ln_s.format(systemgeneratordir / 'systemd-fstab-generator', - libexecdir / 'systemd-sysroot-fstab-check')) + rootlibexecdir / 'systemd-sysroot-fstab-check')) diff --git a/src/hwdb/meson.build b/src/hwdb/meson.build index 385ed854d6..acf9f4b377 100644 --- a/src/hwdb/meson.build +++ b/src/hwdb/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: LGPL-2.1-or-later executables += [ - executable_template + { + executable_root_template + { 'name' : 'systemd-hwdb', 'public' : true, 'conditions' : ['ENABLE_HWDB'], diff --git a/src/import/meson.build b/src/import/meson.build index 3f0acf8358..37a17ed61a 100644 --- a/src/import/meson.build +++ b/src/import/meson.build @@ -120,6 +120,6 @@ if conf.get('ENABLE_IMPORTD') == 1 install_dir : polkitpolicydir) install_data('import-pubring.gpg', - install_dir : libexecdir) + install_dir : rootlibexecdir) # TODO: shouldn't this be in pkgdatadir? endif diff --git a/src/integritysetup/integritysetup-generator.c b/src/integritysetup/integritysetup-generator.c index 72b890575c..ea187e0c19 100644 --- a/src/integritysetup/integritysetup-generator.c +++ b/src/integritysetup/integritysetup-generator.c 
@@ -101,8 +101,8 @@ static int create_disk( "Type=oneshot\n" "RemainAfterExit=yes\n" "TimeoutSec=infinity\n" - "ExecStart=" LIBEXECDIR "/systemd-integritysetup attach '%s' '%s' '%s' '%s'\n" - "ExecStop=" LIBEXECDIR "/systemd-integritysetup detach '%s'\n", + "ExecStart=" ROOTLIBEXECDIR "/systemd-integritysetup attach '%s' '%s' '%s' '%s'\n" + "ExecStop=" ROOTLIBEXECDIR "/systemd-integritysetup detach '%s'\n", name_escaped, device, empty_to_dash(key_file_escaped), empty_to_dash(options), name_escaped); diff --git a/src/journal/meson.build b/src/journal/meson.build index 36600bf2c6..2c5234aa42 100644 --- a/src/journal/meson.build +++ b/src/journal/meson.build @@ -87,7 +87,7 @@ executables += [ ], 'dependencies' : threads, }, - executable_template + { + executable_root_template + { 'name' : 'journalctl', 'public' : true, 'sources' : files('journalctl.c'), diff --git a/src/libsystemd/libsystemd.pc.in b/src/libsystemd/libsystemd.pc.in index 3a43ef6071..da6e4e667e 100644 --- a/src/libsystemd/libsystemd.pc.in +++ b/src/libsystemd/libsystemd.pc.in @@ -9,7 +9,7 @@ prefix={{PREFIX}} exec_prefix={{PREFIX}} -libdir={{LIBDIR}} +libdir={{ROOTLIBDIR}} includedir={{INCLUDE_DIR}} Name: systemd diff --git a/src/libsystemd/sd-hwdb/hwdb-internal.h b/src/libsystemd/sd-hwdb/hwdb-internal.h index 9db3b31441..5302679a62 100644 --- a/src/libsystemd/sd-hwdb/hwdb-internal.h +++ b/src/libsystemd/sd-hwdb/hwdb-internal.h @@ -86,4 +86,5 @@ struct trie_value_entry2_f { "/etc/systemd/hwdb/hwdb.bin\0" \ "/etc/udev/hwdb.bin\0" \ "/usr/lib/systemd/hwdb/hwdb.bin\0" \ + _CONF_PATHS_SPLIT_USR_NULSTR("systemd/hwdb/hwdb.bin") \ UDEVLIBEXECDIR "/hwdb.bin\0" diff --git a/src/libsystemd/sd-path/sd-path.c b/src/libsystemd/sd-path/sd-path.c index 7290d1c40a..7c3808c1e8 100644 --- a/src/libsystemd/sd-path/sd-path.c +++ b/src/libsystemd/sd-path/sd-path.c 
@@ -311,7 +311,7 @@ static int get_path(uint64_t type, char **buffer, const char **ret) { return from_user_dir("XDG_DESKTOP_DIR", buffer, ret); case SD_PATH_SYSTEMD_UTIL: - *ret = PREFIX_NOSLASH "/lib/systemd"; + *ret = ROOTPREFIX_NOSLASH "/lib/systemd"; return 0; case SD_PATH_SYSTEMD_SYSTEM_UNIT: @@ -319,7 +319,7 @@ static int get_path(uint64_t type, char **buffer, const char **ret) { return 0; case SD_PATH_SYSTEMD_SYSTEM_PRESET: - *ret = PREFIX_NOSLASH "/lib/systemd/system-preset"; + *ret = ROOTPREFIX_NOSLASH "/lib/systemd/system-preset"; return 0; case SD_PATH_SYSTEMD_USER_UNIT: @@ -327,7 +327,7 @@ static int get_path(uint64_t type, char **buffer, const char **ret) { return 0; case SD_PATH_SYSTEMD_USER_PRESET: - *ret = PREFIX_NOSLASH "/lib/systemd/user-preset"; + *ret = ROOTPREFIX_NOSLASH "/lib/systemd/user-preset"; return 0; case SD_PATH_SYSTEMD_SYSTEM_CONF: @@ -347,11 +347,11 @@ static int get_path(uint64_t type, char **buffer, const char **ret) { return 0; case SD_PATH_SYSTEMD_SLEEP: - *ret = PREFIX_NOSLASH "/lib/systemd/system-sleep"; + *ret = ROOTPREFIX_NOSLASH "/lib/systemd/system-sleep"; return 0; case SD_PATH_SYSTEMD_SHUTDOWN: - *ret = PREFIX_NOSLASH "/lib/systemd/system-shutdown"; + *ret = ROOTPREFIX_NOSLASH "/lib/systemd/system-shutdown"; return 0; case SD_PATH_TMPFILES: @@ -359,19 +359,19 @@ static int get_path(uint64_t type, char **buffer, const char **ret) { return 0; case SD_PATH_SYSUSERS: - *ret = PREFIX_NOSLASH "/lib/sysusers.d"; + *ret = ROOTPREFIX_NOSLASH "/lib/sysusers.d"; return 0; case SD_PATH_SYSCTL: - *ret = PREFIX_NOSLASH "/lib/sysctl.d"; + *ret = ROOTPREFIX_NOSLASH "/lib/sysctl.d"; return 0; case SD_PATH_BINFMT: - *ret = PREFIX_NOSLASH "/lib/binfmt.d"; + *ret = ROOTPREFIX_NOSLASH "/lib/binfmt.d"; return 0; case SD_PATH_MODULES_LOAD: - *ret = PREFIX_NOSLASH "/lib/modules-load.d"; + *ret = ROOTPREFIX_NOSLASH "/lib/modules-load.d"; return 0; case SD_PATH_CATALOG: 
@@ -531,6 +531,9 @@ static int get_search(uint64_t type, char ***list) { true, ARRAY_SBIN_BIN("/usr/local/"), ARRAY_SBIN_BIN("/usr/"), +#if HAVE_SPLIT_USR + ARRAY_SBIN_BIN("/"), +#endif NULL); case SD_PATH_SEARCH_LIBRARY_PRIVATE: @@ -541,6 +544,9 @@ static int get_search(uint64_t type, char ***list) { false, "/usr/local/lib", "/usr/lib", +#if HAVE_SPLIT_USR + "/lib", +#endif NULL); case SD_PATH_SEARCH_LIBRARY_ARCH: @@ -550,6 +556,9 @@ static int get_search(uint64_t type, char ***list) { "LD_LIBRARY_PATH", true, LIBDIR, +#if HAVE_SPLIT_USR + ROOTLIBDIR, +#endif NULL); case SD_PATH_SEARCH_SHARED: diff --git a/src/libudev/libudev.pc.in b/src/libudev/libudev.pc.in index 6541bcb1ab..1d6487fa40 100644 --- a/src/libudev/libudev.pc.in +++ b/src/libudev/libudev.pc.in @@ -9,7 +9,7 @@ prefix={{PREFIX}} exec_prefix={{PREFIX}} -libdir={{LIBDIR}} +libdir={{ROOTLIBDIR}} includedir={{INCLUDE_DIR}} Name: libudev diff --git a/src/login/meson.build b/src/login/meson.build index b5bb150258..43f8c59746 100644 --- a/src/login/meson.build +++ b/src/login/meson.build @@ -59,7 +59,7 @@ executables += [ threads, ], }, - executable_template + { + executable_root_template + { 'name' : 'loginctl', 'public' : true, 'conditions' : ['ENABLE_LOGIND'], @@ -71,7 +71,7 @@ executables += [ threads, ], }, - executable_template + { + executable_root_template + { 'name' : 'systemd-inhibit', 'public' : true, 'conditions' : ['ENABLE_LOGIND'], diff --git a/src/machine-id-setup/meson.build b/src/machine-id-setup/meson.build index 316165a54e..1498976647 100644 --- a/src/machine-id-setup/meson.build +++ b/src/machine-id-setup/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: LGPL-2.1-or-later executables += [ - executable_template + { + executable_root_template + { 'name' : 'systemd-machine-id-setup', 'sources' : files('machine-id-setup-main.c'), }, diff --git a/src/machine/meson.build b/src/machine/meson.build index b3a1ffce8f..3dc42c47b3 100644 --- a/src/machine/meson.build +++ b/src/machine/meson.build 
@@ -29,7 +29,7 @@ executables += [ libshared, ], }, - executable_template + { + executable_root_template + { 'name' : 'machinectl', 'public' : true, 'conditions' : ['ENABLE_MACHINED'], diff --git a/src/network/meson.build b/src/network/meson.build index 5c05eba095..a016b8f738 100644 --- a/src/network/meson.build +++ b/src/network/meson.build @@ -193,7 +193,7 @@ executables += [ 'sources' : systemd_networkd_wait_online_sources, 'link_with' : networkd_link_with, }, - executable_template + { + executable_root_template + { 'name' : 'networkctl', 'public' : true, 'conditions' : ['ENABLE_NETWORKD'], diff --git a/src/notify/meson.build b/src/notify/meson.build index 3baa086a92..c78f17d879 100644 --- a/src/notify/meson.build +++ b/src/notify/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: LGPL-2.1-or-later executables += [ - executable_template + { + executable_root_template + { 'name' : 'systemd-notify', 'public' : true, 'sources' : files('notify.c'), diff --git a/src/partition/meson.build b/src/partition/meson.build index 78cde2ff52..5d37d8f292 100644 --- a/src/partition/meson.build +++ b/src/partition/meson.build @@ -9,7 +9,7 @@ executables += [ 'name' : 'systemd-makefs', 'sources' : files('makefs.c'), }, - executable_template + { + executable_root_template + { 'name' : 'systemd-repart', 'public' : true, 'conditions' : ['ENABLE_REPART'], diff --git a/src/portable/meson.build b/src/portable/meson.build index 210829b851..3e9a5e295a 100644 --- a/src/portable/meson.build +++ b/src/portable/meson.build @@ -30,7 +30,7 @@ executables += [ threads, ], }, - executable_template + { + executable_root_template + { 'name' : 'portablectl', 'public' : true, 'conditions' : ['ENABLE_PORTABLED'], diff --git a/src/portable/portable.c b/src/portable/portable.c index d4b448a627..3aca7f20ee 100644 --- a/src/portable/portable.c +++ b/src/portable/portable.c 
@@ -241,8 +241,8 @@ static int extract_now( } /* Then, send unit file data to the parent (or/and add it to the hashmap). For that we use our usual unit - * discovery logic. Note that we force looking inside of /lib/systemd/system/ for units too, as the - * image might have a legacy split-usr layout. */ + * discovery logic. Note that we force looking inside of /lib/systemd/system/ for units too, as we mightbe + * compiled for a split-usr system but the image might be a legacy-usr one. */ r = lookup_paths_init(&paths, RUNTIME_SCOPE_SYSTEM, LOOKUP_PATHS_SPLIT_USR, where); if (r < 0) return log_debug_errno(r, "Failed to acquire lookup paths: %m"); @@ -1508,7 +1508,7 @@ int portable_attach( strempty(extensions_joined)); } - r = lookup_paths_init(&paths, RUNTIME_SCOPE_SYSTEM, /* flags= */ 0, NULL); + r = lookup_paths_init(&paths, RUNTIME_SCOPE_SYSTEM, LOOKUP_PATHS_SPLIT_USR, NULL); if (r < 0) return r; @@ -1708,7 +1708,7 @@ int portable_detach( assert(name_or_path); - r = lookup_paths_init(&paths, RUNTIME_SCOPE_SYSTEM, /* flags= */ 0, NULL); + r = lookup_paths_init(&paths, RUNTIME_SCOPE_SYSTEM, LOOKUP_PATHS_SPLIT_USR, NULL); if (r < 0) return r; @@ -1895,7 +1895,7 @@ static int portable_get_state_internal( assert(name_or_path); assert(ret); - r = lookup_paths_init(&paths, RUNTIME_SCOPE_SYSTEM, /* flags= */ 0, NULL); + r = lookup_paths_init(&paths, RUNTIME_SCOPE_SYSTEM, LOOKUP_PATHS_SPLIT_USR, NULL); if (r < 0) return r; diff --git a/src/resolve/meson.build b/src/resolve/meson.build index e7867e2f85..f3193bb109 100644 --- a/src/resolve/meson.build +++ b/src/resolve/meson.build 
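Review bot: The rewritten comment in `extract_now()` has a typo (`mightbe`), and its "split-usr system" versus "legacy-usr" wording is hard to follow. Something like `/* ... we always look inside /lib/systemd/system/ too, since the image may use an unmerged layout regardless of how we were built */` states the reason directly. `lookup_paths_init()` in this same patch already ORs in `LOOKUP_PATHS_SPLIT_USR` whenever `HAVE_SPLIT_USR` is set. The explicit flag in `portable_attach()`, `portable_detach()` and `portable_get_state_internal()` therefore only changes behaviour on builds without it, where it adds `/lib/systemd/system` to the host lookup with a NULL root. Those three call sites lost their `/* flags= */` annotation and deserve a one-line comment saying this is intended. All four functions continue outside their hunks.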
@@ -218,12 +218,12 @@ if conf.get('ENABLE_RESOLVE') == 1 install_data('org.freedesktop.resolve1.policy', install_dir : polkitpolicydir) install_data('resolv.conf', - install_dir : libexecdir) + install_dir : rootlibexecdir) - install_emptydir(sbindir) + install_emptydir(rootsbindir) meson.add_install_script(sh, '-c', ln_s.format(bindir / 'resolvectl', - sbindir / 'resolvconf')) + rootsbindir / 'resolvconf')) # symlink for backwards compatibility after rename meson.add_install_script(sh, '-c', diff --git a/src/rpm/macros.systemd.in b/src/rpm/macros.systemd.in index 241e4b9c49..8d5895eba1 100644 --- a/src/rpm/macros.systemd.in +++ b/src/rpm/macros.systemd.in @@ -5,7 +5,7 @@ # RPM macros for packages installing systemd unit files -%_systemd_util_dir {{LIBEXECDIR}} +%_systemd_util_dir {{ROOTLIBEXECDIR}} %_unitdir {{SYSTEM_DATA_UNIT_DIR}} %_userunitdir {{USER_DATA_UNIT_DIR}} %_presetdir {{SYSTEM_PRESET_DIR}} @@ -190,10 +190,10 @@ SYSTEMD_INLINE_EOF\ %sysctl_apply() \ %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# sysctl_apply}} \ -[ -x {{LIBEXECDIR}}/systemd-sysctl ] && {{LIBEXECDIR}}/systemd-sysctl %{?*} || : \ +[ -x {{ROOTLIBEXECDIR}}/systemd-sysctl ] && {{ROOTLIBEXECDIR}}/systemd-sysctl %{?*} || : \ %{nil} %binfmt_apply() \ %{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# binfmt_apply}} \ -[ -x {{LIBEXECDIR}}/systemd-binfmt ] && {{LIBEXECDIR}}/systemd-binfmt %{?*} || : \ +[ -x {{ROOTLIBEXECDIR}}/systemd-binfmt ] && {{ROOTLIBEXECDIR}}/systemd-binfmt %{?*} || : \ %{nil} diff --git a/src/rpm/meson.build b/src/rpm/meson.build index af39ff145a..817665912a 100644 --- a/src/rpm/meson.build +++ b/src/rpm/meson.build 
@@ -3,8 +3,8 @@ in_files = [ ['macros.systemd', rpmmacrosdir != 'no', rpmmacrosdir], - # we conditionalize on rpmmacrosdir, but install into libexecdir - ['systemd-update-helper', rpmmacrosdir != 'no', libexecdir], + # we conditionalize on rpmmacrosdir, but install into rootlibexecdir + ['systemd-update-helper', rpmmacrosdir != 'no', rootlibexecdir], ['triggers.systemd', false], ['triggers.systemd.sh', false]] diff --git a/src/rpm/triggers.systemd.in b/src/rpm/triggers.systemd.in index d480ab84b6..60b963fffd 100644 --- a/src/rpm/triggers.systemd.in +++ b/src/rpm/triggers.systemd.in @@ -58,7 +58,7 @@ assert(rpm.execute("journalctl", "--update-catalog")) -- This script will automatically apply binfmt rules if files have been -- installed or updated in {{BINFMT_DIR}}. if posix.access("/run/systemd/system") then - assert(rpm.execute("{{LIBEXECDIR}}/systemd-binfmt")) + assert(rpm.execute("{{ROOTLIBEXECDIR}}/systemd-binfmt")) end %transfiletriggerin -P 1000600 -p -- {{TMPFILES_DIR}} @@ -78,5 +78,5 @@ end -- This script will automatically apply sysctl rules if files have been -- installed or updated in {{SYSCTL_DIR}}. if posix.access("/run/systemd/system") then - assert(rpm.execute("{{LIBEXECDIR}}/systemd-sysctl")) + assert(rpm.execute("{{ROOTLIBEXECDIR}}/systemd-sysctl")) end diff --git a/src/rpm/triggers.systemd.sh.in b/src/rpm/triggers.systemd.sh.in index 1b94f7d73a..8c301f5ed9 100644 --- a/src/rpm/triggers.systemd.sh.in +++ b/src/rpm/triggers.systemd.sh.in @@ -61,7 +61,7 @@ journalctl --update-catalog || : if test -d "/run/systemd/system"; then # systemd-binfmt might fail if binfmt_misc kernel module is not loaded # during install - {{LIBEXECDIR}}/systemd-binfmt || : + {{ROOTLIBEXECDIR}}/systemd-binfmt || : fi %transfiletriggerin -P 1000600 -- {{TMPFILES_DIR}} 
@@ -83,5 +83,5 @@ fi # This script will automatically apply sysctl rules if files have been # installed or updated in {{SYSCTL_DIR}}. if test -d "/run/systemd/system"; then - {{LIBEXECDIR}}/systemd-sysctl || : + {{ROOTLIBEXECDIR}}/systemd-sysctl || : fi diff --git a/src/shared/install.c b/src/shared/install.c index 0f4dab4aa2..3730d86aa0 100644 --- a/src/shared/install.c +++ b/src/shared/install.c @@ -261,6 +261,11 @@ static int path_is_vendor_or_generator(const LookupPaths *lp, const char *path) if (path_startswith(rpath, "/usr")) return true; +#if HAVE_SPLIT_USR + if (path_startswith(rpath, "/lib")) + return true; +#endif + if (path_is_generator(lp, rpath)) return true; diff --git a/src/shared/kbd-util.h b/src/shared/kbd-util.h index aca0dee4bc..a2fc2e6a3e 100644 --- a/src/shared/kbd-util.h +++ b/src/shared/kbd-util.h @@ -3,10 +3,18 @@ #include +#if HAVE_SPLIT_USR +#define KBD_KEYMAP_DIRS \ + "/usr/share/keymaps/\0" \ + "/usr/share/kbd/keymaps/\0" \ + "/usr/lib/kbd/keymaps/\0" \ + "/lib/kbd/keymaps/\0" +#else #define KBD_KEYMAP_DIRS \ "/usr/share/keymaps/\0" \ "/usr/share/kbd/keymaps/\0" \ "/usr/lib/kbd/keymaps/\0" +#endif int get_keymaps(char ***l); bool keymap_is_valid(const char *name); diff --git a/src/shared/meson.build b/src/shared/meson.build index fc5cc1c59c..f124a464b0 100644 --- a/src/shared/meson.build +++ b/src/shared/meson.build @@ -358,7 +358,7 @@ libshared = shared_library( dependencies : [libshared_deps, userspace], install : true, - install_dir : pkglibdir) + install_dir : rootpkglibdir) shared_fdisk_sources = files( 'fdisk-util.c', diff --git a/src/shared/resolve-util.h b/src/shared/resolve-util.h index 2d210f9af7..7c9008c705 100644 --- a/src/shared/resolve-util.h +++ b/src/shared/resolve-util.h 
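Review bot: The `/lib` prefix in path_is_vendor_or_generator() is accepted only when the binary was built with HAVE_SPLIT_USR, so whether a unit path counts as vendor-supplied depends on the build rather than on the tree being inspected. `rpath` appears to be relative to the lookup root, so if this function is also used with a foreign root, a merged-usr build examining a split-usr tree would not classify `/lib/...` units as vendor ones. extract_now() in this patch forces LOOKUP_PATHS_SPLIT_USR for exactly that kind of mismatch. If the compile-time guard is intended, a comment above the `#if` would record why, for example `/* On split-usr builds /lib is a real vendor directory, not a symlink into /usr */`. The function body starts and ends outside the hunk.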
@@ -96,4 +96,4 @@ DnsCacheMode dns_cache_mode_from_string(const char *s) _pure_; #define PRIVATE_STUB_RESOLV_CONF "/run/systemd/resolve/stub-resolv.conf" /* A static resolv.conf file containing no domains, but only our own DNS server address */ -#define PRIVATE_STATIC_RESOLV_CONF LIBEXECDIR "/resolv.conf" +#define PRIVATE_STATIC_RESOLV_CONF ROOTLIBEXECDIR "/resolv.conf" diff --git a/src/shared/userdb-dropin.h b/src/shared/userdb-dropin.h index 3bd1b9c845..fad3981f7c 100644 --- a/src/shared/userdb-dropin.h +++ b/src/shared/userdb-dropin.h @@ -13,7 +13,8 @@ "/run/" n "\0" \ "/run/host/" n "\0" \ "/usr/local/lib/" n "\0" \ - "/usr/lib/" n "\0" + "/usr/lib/" n "\0" \ + _CONF_PATHS_SPLIT_USR_NULSTR(n) int dropin_user_record_by_name(const char *name, const char *path, UserDBFlags flags, UserRecord **ret); int dropin_user_record_by_uid(uid_t uid, const char *path, UserDBFlags flags, UserRecord **ret); diff --git a/src/shared/userdb.c b/src/shared/userdb.c index f60d48ace4..80caf209f4 100644 --- a/src/shared/userdb.c +++ b/src/shared/userdb.c @@ -1448,7 +1448,7 @@ int userdb_block_nss_systemd(int b) { /* Note that we might be called from libnss_systemd.so.2 itself, but that should be fine, really. */ - dl = dlopen(LIBDIR "/libnss_systemd.so.2", RTLD_LAZY|RTLD_NODELETE); + dl = dlopen(ROOTLIBDIR "/libnss_systemd.so.2", RTLD_LAZY|RTLD_NODELETE); if (!dl) { /* If the file isn't installed, don't complain loudly */ log_debug("Failed to dlopen(libnss_systemd.so.2), ignoring: %s", dlerror()); diff --git a/src/sysext/meson.build b/src/sysext/meson.build index 2983970d80..b1eb906946 100644 --- a/src/sysext/meson.build +++ b/src/sysext/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: LGPL-2.1-or-later executables += [ - executable_template + { + executable_root_template + { 'name' : 'systemd-sysext', 'public' : true, 'conditions' : ['ENABLE_SYSEXT'], 
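Review bot: In userdb_block_nss_systemd() the module is now loaded from `ROOTLIBDIR "/libnss_systemd.so.2"`, but the failure message a few lines below still prints only the bare file name, and the failure is ignored at debug level. Loading by absolute path is the right choice because it keeps the dynamic loader's search path out of the decision. It also means that a build whose ROOTLIBDIR differs from where the NSS module is actually installed would silently skip the block. Logging the path that was tried makes such a mismatch visible: `log_debug("Failed to dlopen(" ROOTLIBDIR "/libnss_systemd.so.2), ignoring: %s", dlerror());`. The function continues past the end of the hunk.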
@@ -10,6 +10,6 @@ executables += [ ] if conf.get('ENABLE_SYSEXT') == 1 - meson.add_install_script(sh, '-c', ln_s.format(bindir / 'systemd-sysext', - bindir / 'systemd-confext')) + meson.add_install_script(sh, '-c', ln_s.format(rootbindir / 'systemd-sysext', + rootbindir / 'systemd-confext')) endif diff --git a/src/systemctl/meson.build b/src/systemctl/meson.build index 255c639b5f..0361c1570f 100644 --- a/src/systemctl/meson.build +++ b/src/systemctl/meson.build @@ -49,7 +49,7 @@ else endif executables += [ - executable_template + { + executable_root_template + { 'name' : 'systemctl', 'public' : true, 'sources' : systemctl_sources, @@ -75,8 +75,8 @@ executables += [ foreach alias : (['halt', 'poweroff', 'reboot', 'shutdown'] + (conf.get('HAVE_SYSV_COMPAT') == 1 ? ['runlevel', 'telinit'] : [])) - install_emptydir(sbindir) + install_emptydir(rootsbindir) meson.add_install_script(sh, '-c', - ln_s.format(bindir / 'systemctl', - sbindir / alias)) + ln_s.format(rootbindir / 'systemctl', + rootsbindir / alias)) endforeach diff --git a/src/systemctl/systemctl-sysv-compat.c b/src/systemctl/systemctl-sysv-compat.c index 2aa1ec6d83..53ec6637b6 100644 --- a/src/systemctl/systemctl-sysv-compat.c +++ b/src/systemctl/systemctl-sysv-compat.c @@ -137,7 +137,7 @@ int enable_sysv_units(const char *verb, char **args) { while (args[f]) { const char *argv[] = { - LIBEXECDIR "/systemd-sysv-install", + ROOTLIBEXECDIR "/systemd-sysv-install", NULL, /* --root= */ NULL, /* verb */ NULL, /* service */ diff --git a/src/sysusers/meson.build b/src/sysusers/meson.build index fcb291d02c..237b72bec3 100644 --- a/src/sysusers/meson.build +++ b/src/sysusers/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: LGPL-2.1-or-later executables += [ - executable_template + { + executable_root_template + { 'name' : 'systemd-sysusers', 'public' : true, 'conditions' : ['ENABLE_SYSUSERS'], diff --git a/src/test/test-manager.c b/src/test/test-manager.c index 76e094bf01..89f9277b28 100644 
--- a/src/test/test-manager.c +++ b/src/test/test-manager.c @@ -8,12 +8,22 @@ TEST(manager_taint_string) { _cleanup_free_ char *a = manager_taint_string(&m); assert_se(a); - log_debug("taint string: '%s'", a); + log_debug("taint string w/o split-usr: '%s'", a); + /* split-usr is the only one that is cached in Manager, so we know it's not present. + * The others are queried dynamically, so we'd need to duplicate the logic here + * to test for them. Let's do just one. */ + assert_se(!strstr(a, "split-usr")); if (cg_all_unified() == 0) assert_se(strstr(a, "cgroupsv1")); else assert_se(!strstr(a, "cgroupsv1")); + + m.taint_usr = true; + _cleanup_free_ char *b = manager_taint_string(&m); + assert_se(b); + log_debug("taint string w/ split-usr: '%s'", b); + assert_se(strstr(b, "split-usr")); } DEFINE_TEST_MAIN(LOG_DEBUG); diff --git a/src/tmpfiles/meson.build b/src/tmpfiles/meson.build index 8a24a21a27..7748d945bf 100644 --- a/src/tmpfiles/meson.build +++ b/src/tmpfiles/meson.build @@ -6,7 +6,7 @@ systemd_tmpfiles_sources = files( ) executables += [ - executable_template + { + executable_root_template + { 'name' : 'systemd-tmpfiles', 'public' : true, 'conditions' : ['ENABLE_TMPFILES'], diff --git a/src/tty-ask-password-agent/meson.build b/src/tty-ask-password-agent/meson.build index ad0c73bc4e..84d8e646a6 100644 --- a/src/tty-ask-password-agent/meson.build +++ b/src/tty-ask-password-agent/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: LGPL-2.1-or-later executables += [ - executable_template + { + executable_root_template + { 'name' : 'systemd-tty-ask-password-agent', 'public' : true, 'sources' : files('tty-ask-password-agent.c'), diff --git a/src/udev/meson.build b/src/udev/meson.build index 824ec47803..9e47017df4 100644 --- a/src/udev/meson.build +++ b/src/udev/meson.build 
@@ -97,7 +97,7 @@ link_config_gperf_c = custom_target( if get_option('link-udev-shared') udev_link_with = [libshared] - udev_rpath = pkglibdir + udev_rpath = rootpkglibdir else udev_link_with = [libshared_static, libsystemd_static] @@ -146,7 +146,7 @@ udev_test_template = test_template + udev_common_template udev_fuzz_template = fuzz_template + udev_common_template executables += [ - executable_template + { + executable_root_template + { 'name' : 'udevadm', 'public' : true, 'sources' : udevadm_sources, @@ -249,8 +249,8 @@ executables += [ }, ] -meson.add_install_script(sh, '-c', ln_s.format(bindir / 'udevadm', - libexecdir / 'systemd-udevd')) +meson.add_install_script(sh, '-c', ln_s.format(rootbindir / 'udevadm', + rootlibexecdir / 'systemd-udevd')) if install_sysconfdir_samples install_data('udev.conf', diff --git a/src/xdg-autostart-generator/xdg-autostart-service.c b/src/xdg-autostart-generator/xdg-autostart-service.c index 90321b892f..10e9443675 100644 --- a/src/xdg-autostart-generator/xdg-autostart-service.c +++ b/src/xdg-autostart-generator/xdg-autostart-service.c @@ -665,7 +665,7 @@ int xdg_autostart_service_generate_unit( /* Just assume the values are reasonably sane */ fprintf(f, - "ExecCondition=" LIBEXECDIR "/systemd-xdg-autostart-condition \"%s\" \"%s\"\n", + "ExecCondition=" ROOTLIBEXECDIR "/systemd-xdg-autostart-condition \"%s\" \"%s\"\n", e_only_show_in, e_not_show_in); } diff --git a/sysctl.d/50-coredump.conf.in b/sysctl.d/50-coredump.conf.in index 90c080bdfe..5fb551a8cf 100644 --- a/sysctl.d/50-coredump.conf.in +++ b/sysctl.d/50-coredump.conf.in @@ -13,7 +13,7 @@ # the core dump. # # See systemd-coredump(8) and core(5). -kernel.core_pattern=|{{LIBEXECDIR}}/systemd-coredump %P %u %g %s %t %c %h +kernel.core_pattern=|{{ROOTLIBEXECDIR}}/systemd-coredump %P %u %g %s %t %c %h # Allow 16 coredumps to be dispatched in parallel by the kernel. # We collect metadata from /proc/%P/, and thus need to make sure the crashed 
diff --git a/test/fuzz/fuzz-catalog/systemd.pl.catalog b/test/fuzz/fuzz-catalog/systemd.pl.catalog index 6e99c04d85..043627c739 100644 --- a/test/fuzz/fuzz-catalog/systemd.pl.catalog +++ b/test/fuzz/fuzz-catalog/systemd.pl.catalog @@ -376,6 +376,8 @@ Defined-By: systemd Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel Możliwe są następujące „etykiety”: +• „split-usr” — /usr jest oddzielnym systemem plików, który nie był + zamontowany w czasie uruchomienia systemd, • „cgroups-missing” — jądro zostało skompilowane bez obsługi cgroups lub dostęp do oczekiwanych plików interfejsu jest ograniczony, • „var-run-bad” — /var/run nie jest dowiązaniem symbolicznym do /run, diff --git a/test/test-fstab-generator.sh b/test/test-fstab-generator.sh index af8fa7c226..476312133e 100755 --- a/test/test-fstab-generator.sh +++ b/test/test-fstab-generator.sh @@ -59,6 +59,11 @@ test_one() ( touch "$i" done + # For split-usr system + for i in "$out"/systemd-*.service; do + sed -i -e 's:ExecStart=/lib/systemd/:ExecStart=/usr/lib/systemd/:' "$i" + done + if [[ "${input##*/}" =~ \.fstab\.input ]]; then for i in "$out"/*.{automount,mount,swap}; do sed -i -e 's:SourcePath=.*$:SourcePath=/etc/fstab:' "$i" diff --git a/test/test-functions b/test/test-functions index 8663f902d8..ec22943a10 100644 --- a/test/test-functions +++ b/test/test-functions @@ -91,7 +91,7 @@ else fi if ! ROOTLIBDIR=$(pkg-config --variable=systemdutildir systemd); then - echo "WARNING! Cannot determine libdir from pkg-config, assuming /usr/lib/systemd" >&2 + echo "WARNING! Cannot determine rootlibdir from pkg-config, assuming /usr/lib/systemd" >&2 ROOTLIBDIR=/usr/lib/systemd fi 
@@ -2242,6 +2242,14 @@ install_keymaps() { dinfo "Install console keymaps" + if command -v meson >/dev/null \ + && [[ "$(meson configure "${BUILD_DIR:?}" | grep 'split-usr' | awk '{ print $2 }')" == "true" ]] \ + || [[ ! -L /lib ]]; then + prefix+=( + "/lib" + ) + fi + if (( $# == 0 )); then for p in "${prefix[@]}"; do # The first three paths may be deprecated. diff --git a/units/emergency.service.in b/units/emergency.service.in index 8f70cbe567..2846b43ec5 100644 --- a/units/emergency.service.in +++ b/units/emergency.service.in @@ -20,7 +20,7 @@ Before=rescue.service Environment=HOME=/root WorkingDirectory=-/root ExecStartPre=-{{BINDIR}}/plymouth --wait quit -ExecStart=-{{LIBEXECDIR}}/systemd-sulogin-shell emergency +ExecStart=-{{ROOTLIBEXECDIR}}/systemd-sulogin-shell emergency Type=idle StandardInput=tty-force StandardOutput=inherit diff --git a/units/initrd-parse-etc.service.in b/units/initrd-parse-etc.service.in index 3dadab1123..b04e69f055 100644 --- a/units/initrd-parse-etc.service.in +++ b/units/initrd-parse-etc.service.in @@ -24,7 +24,7 @@ OnFailureJobMode=replace-irreversibly Type=oneshot # FIXME: once dracut is patched to install the symlink, change to: -# ExecStart={{LIBEXECDIR}}/systemd-sysroot-fstab-check +# ExecStart={{ROOTLIBEXECDIR}}/systemd-sysroot-fstab-check ExecStart=@{{SYSTEM_GENERATOR_DIR}}/systemd-fstab-generator systemd-sysroot-fstab-check # We want to enqueue initrd-cleanup.service/start after we finished the part diff --git a/units/rescue.service.in b/units/rescue.service.in index 5113408942..75122b19a5 100644 --- a/units/rescue.service.in +++ b/units/rescue.service.in @@ -19,7 +19,7 @@ Before=shutdown.target Environment=HOME=/root WorkingDirectory=-/root ExecStartPre=-{{BINDIR}}/plymouth --wait quit -ExecStart=-{{LIBEXECDIR}}/systemd-sulogin-shell rescue +ExecStart=-{{ROOTLIBEXECDIR}}/systemd-sulogin-shell rescue Type=idle StandardInput=tty-force StandardOutput=inherit 
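Review bot: The split-usr probe in install_keymaps() takes the second field of every `meson configure` line that contains the substring `split-usr`, so if more than one line matches, the result is multi-line and never equals "true". Matching the option name exactly avoids that: use `awk '$1 == "split-usr" { print $2 }'` in place of the `grep | awk` pair. The condition also mixes `&&` and `||` without grouping. It evaluates as (meson is present and the option is true) or (/lib is not a symlink), and wrapping the first two tests in `{ ...; }` would make that reading explicit. The function continues after the hunk.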
diff --git a/units/systemd-backlight@.service.in b/units/systemd-backlight@.service.in index e7e35ecf0d..981d0f278e 100644 --- a/units/systemd-backlight@.service.in +++ b/units/systemd-backlight@.service.in @@ -19,7 +19,7 @@ Before=sysinit.target shutdown.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-backlight load %i -ExecStop={{LIBEXECDIR}}/systemd-backlight save %i +ExecStart={{ROOTLIBEXECDIR}}/systemd-backlight load %i +ExecStop={{ROOTLIBEXECDIR}}/systemd-backlight save %i TimeoutSec=90s StateDirectory=systemd/backlight diff --git a/units/systemd-battery-check.service.in b/units/systemd-battery-check.service.in index a5f532da70..d41322e3ad 100644 --- a/units/systemd-battery-check.service.in +++ b/units/systemd-battery-check.service.in @@ -21,5 +21,5 @@ Before=initrd-root-device.target systemd-hibernate-resume.service [Service] Type=oneshot RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-battery-check +ExecStart={{ROOTLIBEXECDIR}}/systemd-battery-check FailureAction=poweroff-force diff --git a/units/systemd-binfmt.service.in b/units/systemd-binfmt.service.in index 6861c76674..b04412e037 100644 --- a/units/systemd-binfmt.service.in +++ b/units/systemd-binfmt.service.in @@ -28,6 +28,6 @@ ConditionDirectoryNotEmpty=|/run/binfmt.d [Service] Type=oneshot RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-binfmt -ExecStop={{LIBEXECDIR}}/systemd-binfmt --unregister +ExecStart={{ROOTLIBEXECDIR}}/systemd-binfmt +ExecStop={{ROOTLIBEXECDIR}}/systemd-binfmt --unregister TimeoutSec=90s diff --git a/units/systemd-bless-boot.service.in b/units/systemd-bless-boot.service.in index e7a4548144..557f77b16f 100644 --- a/units/systemd-bless-boot.service.in +++ b/units/systemd-bless-boot.service.in @@ -19,4 +19,4 @@ Before=shutdown.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-bless-boot good +ExecStart={{ROOTLIBEXECDIR}}/systemd-bless-boot good 
diff --git a/units/systemd-boot-check-no-failures.service.in b/units/systemd-boot-check-no-failures.service.in index eaadd0e554..47f182226b 100644 --- a/units/systemd-boot-check-no-failures.service.in +++ b/units/systemd-boot-check-no-failures.service.in @@ -18,7 +18,7 @@ Before=shutdown.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-boot-check-no-failures +ExecStart={{ROOTLIBEXECDIR}}/systemd-boot-check-no-failures [Install] RequiredBy=boot-complete.target diff --git a/units/systemd-bsod.service.in b/units/systemd-bsod.service.in index 2d2f988fbf..ffed2dba04 100644 --- a/units/systemd-bsod.service.in +++ b/units/systemd-bsod.service.in @@ -18,4 +18,4 @@ Conflicts=shutdown.target [Service] RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-bsod --continuous +ExecStart={{ROOTLIBEXECDIR}}/systemd-bsod --continuous diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in index 012c60d2f6..15bfb243b4 100644 --- a/units/systemd-coredump@.service.in +++ b/units/systemd-coredump@.service.in @@ -17,7 +17,7 @@ Requires=systemd-journald.socket Before=shutdown.target [Service] -ExecStart=-{{LIBEXECDIR}}/systemd-coredump +ExecStart=-{{ROOTLIBEXECDIR}}/systemd-coredump IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes diff --git a/units/systemd-fsck-root.service.in b/units/systemd-fsck-root.service.in index ebe8262a49..8cfbe7ce98 100644 --- a/units/systemd-fsck-root.service.in +++ b/units/systemd-fsck-root.service.in @@ -20,5 +20,5 @@ OnFailureJobMode=replace-irreversibly [Service] Type=oneshot RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-fsck +ExecStart={{ROOTLIBEXECDIR}}/systemd-fsck TimeoutSec=infinity diff --git a/units/systemd-fsck@.service.in b/units/systemd-fsck@.service.in index 65521b1087..d773229812 100644 --- a/units/systemd-fsck@.service.in +++ b/units/systemd-fsck@.service.in 
@@ -19,5 +19,5 @@ Before=systemd-quotacheck.service shutdown.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-fsck %f +ExecStart={{ROOTLIBEXECDIR}}/systemd-fsck %f TimeoutSec=infinity diff --git a/units/systemd-growfs-root.service.in b/units/systemd-growfs-root.service.in index a6568638b0..0468774cb0 100644 --- a/units/systemd-growfs-root.service.in +++ b/units/systemd-growfs-root.service.in @@ -19,5 +19,5 @@ Before=shutdown.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-growfs / +ExecStart={{ROOTLIBEXECDIR}}/systemd-growfs / TimeoutSec=infinity diff --git a/units/systemd-growfs@.service.in b/units/systemd-growfs@.service.in index 8099b1ea47..90fb0a8661 100644 --- a/units/systemd-growfs@.service.in +++ b/units/systemd-growfs@.service.in @@ -20,5 +20,5 @@ Before=shutdown.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-growfs %f +ExecStart={{ROOTLIBEXECDIR}}/systemd-growfs %f TimeoutSec=infinity diff --git a/units/systemd-hibernate-resume.service.in b/units/systemd-hibernate-resume.service.in index dce4f0ffe1..abd821ee69 100644 --- a/units/systemd-hibernate-resume.service.in +++ b/units/systemd-hibernate-resume.service.in @@ -21,4 +21,4 @@ AssertPathExists=/etc/initrd-release [Service] Type=oneshot -ExecStart={{LIBEXECDIR}}/systemd-hibernate-resume +ExecStart={{ROOTLIBEXECDIR}}/systemd-hibernate-resume diff --git a/units/systemd-hibernate.service.in b/units/systemd-hibernate.service.in index 25cd7a0ff9..9a7b3633cb 100644 --- a/units/systemd-hibernate.service.in +++ b/units/systemd-hibernate.service.in @@ -16,4 +16,4 @@ After=sleep.target [Service] Type=oneshot -ExecStart={{LIBEXECDIR}}/systemd-sleep hibernate +ExecStart={{ROOTLIBEXECDIR}}/systemd-sleep hibernate diff --git a/units/systemd-homed.service.in b/units/systemd-homed.service.in index 2ca5e063e3..52caa4e22e 100644 --- a/units/systemd-homed.service.in +++ b/units/systemd-homed.service.in 
@@ -20,7 +20,7 @@ DeviceAllow=/dev/loop-control rw DeviceAllow=/dev/mapper/control rw DeviceAllow=block-* rw DeviceAllow=char-hidraw rw -ExecStart={{LIBEXECDIR}}/systemd-homed +ExecStart={{ROOTLIBEXECDIR}}/systemd-homed KillMode=mixed LimitNOFILE={{HIGH_RLIMIT_NOFILE}} LockPersonality=yes diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in index 31b45e0fa8..9ac56baf42 100644 --- a/units/systemd-hostnamed.service.in +++ b/units/systemd-hostnamed.service.in @@ -17,7 +17,7 @@ Documentation=man:org.freedesktop.hostname1(5) [Service] BusName=org.freedesktop.hostname1 CapabilityBoundingSet=CAP_SYS_ADMIN -ExecStart={{LIBEXECDIR}}/systemd-hostnamed +ExecStart={{ROOTLIBEXECDIR}}/systemd-hostnamed IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes diff --git a/units/systemd-hybrid-sleep.service.in b/units/systemd-hybrid-sleep.service.in index fe57f57fae..cce764f30a 100644 --- a/units/systemd-hybrid-sleep.service.in +++ b/units/systemd-hybrid-sleep.service.in @@ -16,4 +16,4 @@ After=sleep.target [Service] Type=oneshot -ExecStart={{LIBEXECDIR}}/systemd-sleep hybrid-sleep +ExecStart={{ROOTLIBEXECDIR}}/systemd-sleep hybrid-sleep diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in index fc24a05098..080cc646a9 100644 --- a/units/systemd-importd.service.in +++ b/units/systemd-importd.service.in @@ -13,7 +13,7 @@ Documentation=man:systemd-importd.service(8) Documentation=man:org.freedesktop.import1(5) [Service] -ExecStart={{LIBEXECDIR}}/systemd-importd +ExecStart={{ROOTLIBEXECDIR}}/systemd-importd BusName=org.freedesktop.import1 KillMode=mixed CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE CAP_LINUX_IMMUTABLE diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in index 6a19058186..efac5c4b11 100644 --- a/units/systemd-initctl.service.in +++ b/units/systemd-initctl.service.in 
@@ -13,7 +13,7 @@ Documentation=man:systemd-initctl.service(8) DefaultDependencies=no [Service] -ExecStart={{LIBEXECDIR}}/systemd-initctl +ExecStart={{ROOTLIBEXECDIR}}/systemd-initctl NoNewPrivileges=yes NotifyAccess=all SystemCallArchitectures=native diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in index 27ae42ccce..81c53fa01f 100644 --- a/units/systemd-journal-gatewayd.service.in +++ b/units/systemd-journal-gatewayd.service.in @@ -14,7 +14,7 @@ Requires=systemd-journal-gatewayd.socket [Service] DynamicUser=yes -ExecStart={{LIBEXECDIR}}/systemd-journal-gatewayd +ExecStart={{ROOTLIBEXECDIR}}/systemd-journal-gatewayd LockPersonality=yes MemoryDenyWriteExecute=yes PrivateDevices=yes diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in index 6517410990..d8f28f252c 100644 --- a/units/systemd-journal-remote.service.in +++ b/units/systemd-journal-remote.service.in @@ -13,7 +13,7 @@ Documentation=man:systemd-journal-remote(8) man:journal-remote.conf(5) Requires=systemd-journal-remote.socket [Service] -ExecStart={{LIBEXECDIR}}/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/ +ExecStart={{ROOTLIBEXECDIR}}/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/ LockPersonality=yes LogsDirectory=journal/remote MemoryDenyWriteExecute=yes diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in index 273511e72f..7e64870e9d 100644 --- a/units/systemd-journal-upload.service.in +++ b/units/systemd-journal-upload.service.in @@ -15,7 +15,7 @@ After=network-online.target [Service] DynamicUser=yes -ExecStart={{LIBEXECDIR}}/systemd-journal-upload --save-state +ExecStart={{ROOTLIBEXECDIR}}/systemd-journal-upload --save-state LockPersonality=yes MemoryDenyWriteExecute=yes PrivateDevices=yes diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index 1c36ec8903..79ec60c937 100644 
--- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -22,7 +22,7 @@ IgnoreOnIsolate=yes [Service] DeviceAllow=char-* rw -ExecStart={{LIBEXECDIR}}/systemd-journald +ExecStart={{ROOTLIBEXECDIR}}/systemd-journald FileDescriptorStoreMax=4224 IPAddressDeny=any LockPersonality=yes diff --git a/units/systemd-journald@.service.in b/units/systemd-journald@.service.in index b705ce08ff..35c998285f 100644 --- a/units/systemd-journald@.service.in +++ b/units/systemd-journald@.service.in @@ -16,7 +16,7 @@ After=systemd-journald@%i.socket systemd-journald-varlink@%i.socket [Service] CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE DevicePolicy=closed -ExecStart={{LIBEXECDIR}}/systemd-journald %i +ExecStart={{ROOTLIBEXECDIR}}/systemd-journald %i FileDescriptorStoreMax=4224 Group=systemd-journal IPAddressDeny=any diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in index 19383ae423..f9a92fef7b 100644 --- a/units/systemd-localed.service.in +++ b/units/systemd-localed.service.in @@ -17,7 +17,7 @@ Documentation=man:org.freedesktop.locale1(5) [Service] BusName=org.freedesktop.locale1 CapabilityBoundingSet= -ExecStart={{LIBEXECDIR}}/systemd-localed +ExecStart={{ROOTLIBEXECDIR}}/systemd-localed IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in index 39dc0c2241..24f5ddaa17 100644 --- a/units/systemd-logind.service.in +++ b/units/systemd-logind.service.in @@ -30,7 +30,7 @@ DeviceAllow=char-drm rw DeviceAllow=char-input rw DeviceAllow=char-tty rw DeviceAllow=char-vcs rw -ExecStart={{LIBEXECDIR}}/systemd-logind +ExecStart={{ROOTLIBEXECDIR}}/systemd-logind FileDescriptorStoreMax=512 IPAddressDeny=any LockPersonality=yes diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in index 47aa5deeed..d3f8abd9e4 100644 
--- a/units/systemd-machined.service.in +++ b/units/systemd-machined.service.in @@ -19,7 +19,7 @@ RequiresMountsFor=/var/lib/machines [Service] BusName=org.freedesktop.machine1 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_LINUX_IMMUTABLE -ExecStart={{LIBEXECDIR}}/systemd-machined +ExecStart={{ROOTLIBEXECDIR}}/systemd-machined IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes diff --git a/units/systemd-modules-load.service.in b/units/systemd-modules-load.service.in index 0fe6740bda..604d8712a0 100644 --- a/units/systemd-modules-load.service.in +++ b/units/systemd-modules-load.service.in @@ -25,5 +25,5 @@ ConditionKernelCommandLine=|rd.modules-load [Service] Type=oneshot RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-modules-load +ExecStart={{ROOTLIBEXECDIR}}/systemd-modules-load TimeoutSec=90s diff --git a/units/systemd-network-generator.service.in b/units/systemd-network-generator.service.in index d87e1a4adc..2b79ca6b8a 100644 --- a/units/systemd-network-generator.service.in +++ b/units/systemd-network-generator.service.in @@ -20,7 +20,7 @@ Before=shutdown.target initrd-switch-root.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-network-generator +ExecStart={{ROOTLIBEXECDIR}}/systemd-network-generator [Install] WantedBy=sysinit.target diff --git a/units/systemd-networkd-wait-online.service.in b/units/systemd-networkd-wait-online.service.in index 7768121f5f..3dc5ce9265 100644 --- a/units/systemd-networkd-wait-online.service.in +++ b/units/systemd-networkd-wait-online.service.in @@ -19,7 +19,7 @@ Before=network-online.target shutdown.target [Service] Type=oneshot -ExecStart={{LIBEXECDIR}}/systemd-networkd-wait-online +ExecStart={{ROOTLIBEXECDIR}}/systemd-networkd-wait-online RemainAfterExit=yes [Install] 
diff --git a/units/systemd-networkd-wait-online@.service.in b/units/systemd-networkd-wait-online@.service.in index 60d173490b..b7a1e409f4 100644 --- a/units/systemd-networkd-wait-online@.service.in +++ b/units/systemd-networkd-wait-online@.service.in @@ -19,7 +19,7 @@ Before=network-online.target shutdown.target [Service] Type=oneshot -ExecStart={{LIBEXECDIR}}/systemd-networkd-wait-online -i %i +ExecStart={{ROOTLIBEXECDIR}}/systemd-networkd-wait-online -i %i RemainAfterExit=yes [Install] diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in index 3608458aa5..9f0af57fdc 100644 --- a/units/systemd-networkd.service.in +++ b/units/systemd-networkd.service.in @@ -24,7 +24,7 @@ AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET BusName=org.freedesktop.network1 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW DeviceAllow=char-* rw -ExecStart=!!{{LIBEXECDIR}}/systemd-networkd +ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-networkd FileDescriptorStoreMax=512 LockPersonality=yes MemoryDenyWriteExecute=yes diff --git a/units/systemd-oomd.service.in b/units/systemd-oomd.service.in index 82bd6245f8..c138f5eefa 100644 --- a/units/systemd-oomd.service.in +++ b/units/systemd-oomd.service.in @@ -26,7 +26,7 @@ After=systemd-oomd.socket AmbientCapabilities=CAP_KILL CAP_DAC_OVERRIDE BusName=org.freedesktop.oom1 CapabilityBoundingSet=CAP_KILL CAP_DAC_OVERRIDE -ExecStart={{LIBEXECDIR}}/systemd-oomd +ExecStart={{ROOTLIBEXECDIR}}/systemd-oomd IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes diff --git a/units/systemd-pcrextend@.service.in b/units/systemd-pcrextend@.service.in index 2305b1cd4c..303e24ba18 100644 --- a/units/systemd-pcrextend@.service.in +++ b/units/systemd-pcrextend@.service.in 
@@ -16,4 +16,4 @@ Before=shutdown.target initrd-switch-root.target [Service] Environment=LISTEN_FDNAMES=varlink -ExecStart=-{{LIBEXECDIR}}/systemd-pcrextend +ExecStart=-{{ROOTLIBEXECDIR}}/systemd-pcrextend diff --git a/units/systemd-pcrfs-root.service.in b/units/systemd-pcrfs-root.service.in index 11dc747194..55526e673c 100644 --- a/units/systemd-pcrfs-root.service.in +++ b/units/systemd-pcrfs-root.service.in @@ -20,4 +20,4 @@ ConditionSecurity=measured-uki [Service] Type=oneshot RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --file-system=/ +ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrextend --graceful --file-system=/ diff --git a/units/systemd-pcrfs@.service.in b/units/systemd-pcrfs@.service.in index fbaec4b999..e35111e29f 100644 --- a/units/systemd-pcrfs@.service.in +++ b/units/systemd-pcrfs@.service.in @@ -21,4 +21,4 @@ ConditionSecurity=measured-uki [Service] Type=oneshot RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --file-system=%f +ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrextend --graceful --file-system=%f diff --git a/units/systemd-pcrlock-file-system.service.in b/units/systemd-pcrlock-file-system.service.in index d68a42e09a..d02a00a5e3 100644 --- a/units/systemd-pcrlock-file-system.service.in +++ b/units/systemd-pcrlock-file-system.service.in @@ -19,7 +19,7 @@ ConditionSecurity=measured-uki [Service] Type=oneshot RemainAfterExit=yes -ExecStart={{LIBEXECDIR}}/systemd-pcrlock lock-file-system +ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrlock lock-file-system [Install] WantedBy=sysinit.target diff --git a/units/systemd-pcrlock-firmware-code.service.in b/units/systemd-pcrlock-firmware-code.service.in index a24f2ba015..0428807ba1 100644 --- a/units/systemd-pcrlock-firmware-code.service.in +++ b/units/systemd-pcrlock-firmware-code.service.in 
@@ -20,7 +20,7 @@ ConditionSecurity=measured-uki
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrlock lock-firmware-code
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrlock lock-firmware-code
 [Install]
 WantedBy=sysinit.target
diff --git a/units/systemd-pcrlock-firmware-config.service.in b/units/systemd-pcrlock-firmware-config.service.in
index 64e63f86a6..07df518175 100644
--- a/units/systemd-pcrlock-firmware-config.service.in
+++ b/units/systemd-pcrlock-firmware-config.service.in
@@ -20,7 +20,7 @@ ConditionSecurity=measured-uki
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrlock lock-firmware-config
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrlock lock-firmware-config
 [Install]
 WantedBy=sysinit.target
diff --git a/units/systemd-pcrlock-machine-id.service.in b/units/systemd-pcrlock-machine-id.service.in
index 0ff22c586e..0aff4b2b4e 100644
--- a/units/systemd-pcrlock-machine-id.service.in
+++ b/units/systemd-pcrlock-machine-id.service.in
@@ -19,7 +19,7 @@ ConditionSecurity=measured-uki
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrlock lock-machine-id
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrlock lock-machine-id
 [Install]
 WantedBy=sysinit.target
diff --git a/units/systemd-pcrlock-make-policy.service.in b/units/systemd-pcrlock-make-policy.service.in
index 4127cc7c61..494ac49d75 100644
--- a/units/systemd-pcrlock-make-policy.service.in
+++ b/units/systemd-pcrlock-make-policy.service.in
@@ -20,7 +20,7 @@ ConditionSecurity=measured-uki
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrlock make-policy --location=770
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrlock make-policy --location=770
 [Install]
 WantedBy=sysinit.target
diff --git a/units/systemd-pcrlock-secureboot-authority.service.in b/units/systemd-pcrlock-secureboot-authority.service.in
index a8d55bad3c..60788e2531 100644
--- a/units/systemd-pcrlock-secureboot-authority.service.in
+++ b/units/systemd-pcrlock-secureboot-authority.service.in
@@ -20,7 +20,7 @@ ConditionSecurity=measured-uki
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrlock lock-secureboot-authority
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrlock lock-secureboot-authority
 [Install]
 WantedBy=sysinit.target
diff --git a/units/systemd-pcrlock-secureboot-policy.service.in b/units/systemd-pcrlock-secureboot-policy.service.in
index 10e603c1b6..02b1d75af5 100644
--- a/units/systemd-pcrlock-secureboot-policy.service.in
+++ b/units/systemd-pcrlock-secureboot-policy.service.in
@@ -20,7 +20,7 @@ ConditionSecurity=measured-uki
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrlock lock-secureboot-policy
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrlock lock-secureboot-policy
 [Install]
 WantedBy=sysinit.target
diff --git a/units/systemd-pcrmachine.service.in b/units/systemd-pcrmachine.service.in
index fb7d3ce601..b9042d7e35 100644
--- a/units/systemd-pcrmachine.service.in
+++ b/units/systemd-pcrmachine.service.in
@@ -19,4 +19,4 @@ ConditionSecurity=measured-uki
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful --machine-id
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrextend --graceful --machine-id
diff --git a/units/systemd-pcrphase-initrd.service.in b/units/systemd-pcrphase-initrd.service.in
index b337d602ba..bb68443810 100644
--- a/units/systemd-pcrphase-initrd.service.in
+++ b/units/systemd-pcrphase-initrd.service.in
@@ -19,5 +19,5 @@ ConditionSecurity=measured-uki
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful enter-initrd
-ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful leave-initrd
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrextend --graceful enter-initrd
+ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrextend --graceful leave-initrd
diff --git a/units/systemd-pcrphase-sysinit.service.in b/units/systemd-pcrphase-sysinit.service.in
index 08f73973be..d2359e1d74 100644
--- a/units/systemd-pcrphase-sysinit.service.in
+++ b/units/systemd-pcrphase-sysinit.service.in
@@ -20,5 +20,5 @@ ConditionSecurity=measured-uki
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful sysinit
-ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful final
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrextend --graceful sysinit
+ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrextend --graceful final
diff --git a/units/systemd-pcrphase.service.in b/units/systemd-pcrphase.service.in
index c94ad756d4..22040a88e5 100644
--- a/units/systemd-pcrphase.service.in
+++ b/units/systemd-pcrphase.service.in
@@ -18,5 +18,5 @@ ConditionSecurity=measured-uki
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-pcrextend --graceful ready
-ExecStop={{LIBEXECDIR}}/systemd-pcrextend --graceful shutdown
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pcrextend --graceful ready
+ExecStop={{ROOTLIBEXECDIR}}/systemd-pcrextend --graceful shutdown
diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in
index b4ec252c03..ab660ce36c 100644
--- a/units/systemd-portabled.service.in
+++ b/units/systemd-portabled.service.in
@@ -14,7 +14,7 @@ Documentation=man:org.freedesktop.portable1(5)
 RequiresMountsFor=/var/lib/portables
 [Service]
-ExecStart={{LIBEXECDIR}}/systemd-portabled
+ExecStart={{ROOTLIBEXECDIR}}/systemd-portabled
 BusName=org.freedesktop.portable1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 MemoryDenyWriteExecute=yes
diff --git a/units/systemd-pstore.service.in b/units/systemd-pstore.service.in
index 0b5a20a353..02ac29caa4 100644
--- a/units/systemd-pstore.service.in
+++ b/units/systemd-pstore.service.in
@@ -20,7 +20,7 @@ Wants=modprobe@efi_pstore.service
 [Service]
 Type=oneshot
-ExecStart={{LIBEXECDIR}}/systemd-pstore
+ExecStart={{ROOTLIBEXECDIR}}/systemd-pstore
 RemainAfterExit=yes
 StateDirectory=systemd/pstore
diff --git a/units/systemd-quotacheck.service.in b/units/systemd-quotacheck.service.in
index 0f94e38286..60b56496fa 100644
--- a/units/systemd-quotacheck.service.in
+++ b/units/systemd-quotacheck.service.in
@@ -21,5 +21,5 @@ Before=shutdown.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-quotacheck
+ExecStart={{ROOTLIBEXECDIR}}/systemd-quotacheck
 TimeoutSec=infinity
diff --git a/units/systemd-random-seed.service.in b/units/systemd-random-seed.service.in
index 99b5f33ea2..820fdd8536 100644
--- a/units/systemd-random-seed.service.in
+++ b/units/systemd-random-seed.service.in
@@ -25,8 +25,8 @@ Before=shutdown.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-random-seed load
-ExecStop={{LIBEXECDIR}}/systemd-random-seed save
+ExecStart={{ROOTLIBEXECDIR}}/systemd-random-seed load
+ExecStop={{ROOTLIBEXECDIR}}/systemd-random-seed save
 # This service waits until the kernel's entropy pool is initialized, and may be
 # used as ordering barrier for service that require an initialized entropy
diff --git a/units/systemd-remount-fs.service.in b/units/systemd-remount-fs.service.in
index fe3c31b30c..be1dfd6199 100644
--- a/units/systemd-remount-fs.service.in
+++ b/units/systemd-remount-fs.service.in
@@ -22,4 +22,4 @@ Before=shutdown.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-remount-fs
+ExecStart={{ROOTLIBEXECDIR}}/systemd-remount-fs
diff --git a/units/systemd-repart.service.in b/units/systemd-repart.service.in
index 2b57b93ca8..1649d5206d 100644
--- a/units/systemd-repart.service.in
+++ b/units/systemd-repart.service.in
@@ -29,7 +29,7 @@ Before=shutdown.target initrd-switch-root.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{BINDIR}}/systemd-repart --dry-run=no
+ExecStart={{ROOTBINDIR}}/systemd-repart --dry-run=no
 # The tool returns 76 if it can't find the root block device
 SuccessExitStatus=76
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 736f36848c..a078a9dd68 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -24,7 +24,7 @@ Wants=nss-lookup.target
 AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
 BusName=org.freedesktop.resolve1
 CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
-ExecStart=!!{{LIBEXECDIR}}/systemd-resolved
+ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-resolved
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
index c6b32a18ea..4034d7a557 100644
--- a/units/systemd-rfkill.service.in
+++ b/units/systemd-rfkill.service.in
@@ -19,7 +19,7 @@ After=sys-devices-virtual-misc-rfkill.device
 Before=shutdown.target
 [Service]
-ExecStart={{LIBEXECDIR}}/systemd-rfkill
+ExecStart={{ROOTLIBEXECDIR}}/systemd-rfkill
 NoNewPrivileges=yes
 StateDirectory=systemd/rfkill
 TimeoutSec=30s
diff --git a/units/systemd-storagetm.service.in b/units/systemd-storagetm.service.in
index 0fe91eff27..28716abbc2 100644
--- a/units/systemd-storagetm.service.in
+++ b/units/systemd-storagetm.service.in
@@ -24,4 +24,4 @@ Type=notify
 RemainAfterExit=yes
 StandardInput=tty
 StandardOutput=tty
-ExecStart={{LIBEXECDIR}}/systemd-storagetm --all
+ExecStart={{ROOTLIBEXECDIR}}/systemd-storagetm --all
diff --git a/units/systemd-suspend-then-hibernate.service.in b/units/systemd-suspend-then-hibernate.service.in
index 150d8d2c23..19c30e9017 100644
--- a/units/systemd-suspend-then-hibernate.service.in
+++ b/units/systemd-suspend-then-hibernate.service.in
@@ -16,4 +16,4 @@ After=sleep.target
 [Service]
 Type=oneshot
-ExecStart={{LIBEXECDIR}}/systemd-sleep suspend-then-hibernate
+ExecStart={{ROOTLIBEXECDIR}}/systemd-sleep suspend-then-hibernate
diff --git a/units/systemd-suspend.service.in b/units/systemd-suspend.service.in
index aa264e860c..2515575e10 100644
--- a/units/systemd-suspend.service.in
+++ b/units/systemd-suspend.service.in
@@ -16,4 +16,4 @@ After=sleep.target
 [Service]
 Type=oneshot
-ExecStart={{LIBEXECDIR}}/systemd-sleep suspend
+ExecStart={{ROOTLIBEXECDIR}}/systemd-sleep suspend
diff --git a/units/systemd-sysctl.service.in b/units/systemd-sysctl.service.in
index 4179753cde..7307601a7d 100644
--- a/units/systemd-sysctl.service.in
+++ b/units/systemd-sysctl.service.in
@@ -19,6 +19,6 @@ ConditionPathIsReadWrite=/proc/sys/net/
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-sysctl
+ExecStart={{ROOTLIBEXECDIR}}/systemd-sysctl
 TimeoutSec=90s
 ImportCredential=sysctl.*
diff --git a/units/systemd-sysupdate-reboot.service.in b/units/systemd-sysupdate-reboot.service.in
index 5d4011a213..9d7b7d1657 100644
--- a/units/systemd-sysupdate-reboot.service.in
+++ b/units/systemd-sysupdate-reboot.service.in
@@ -14,7 +14,7 @@ ConditionVirtualization=!container
 [Service]
 Type=oneshot
-ExecStart={{LIBEXECDIR}}/systemd-sysupdate reboot
+ExecStart={{ROOTLIBEXECDIR}}/systemd-sysupdate reboot
 [Install]
 Also=systemd-sysupdate-reboot.timer
diff --git a/units/systemd-sysupdate.service.in b/units/systemd-sysupdate.service.in
index 1becbec5ed..085a9c4a22 100644
--- a/units/systemd-sysupdate.service.in
+++ b/units/systemd-sysupdate.service.in
@@ -17,7 +17,7 @@ ConditionVirtualization=!container
 [Service]
 Type=simple
 NotifyAccess=main
-ExecStart={{LIBEXECDIR}}/systemd-sysupdate update
+ExecStart={{ROOTLIBEXECDIR}}/systemd-sysupdate update
 CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE CAP_LINUX_IMMUTABLE
 NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
diff --git a/units/systemd-time-wait-sync.service.in b/units/systemd-time-wait-sync.service.in
index 6b99393f69..25adecc86b 100644
--- a/units/systemd-time-wait-sync.service.in
+++ b/units/systemd-time-wait-sync.service.in
@@ -28,7 +28,7 @@ Conflicts=shutdown.target
 [Service]
 Type=oneshot
-ExecStart={{LIBEXECDIR}}/systemd-time-wait-sync
+ExecStart={{ROOTLIBEXECDIR}}/systemd-time-wait-sync
 TimeoutStartSec=infinity
 RemainAfterExit=yes
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 00f6643ba7..a8da138761 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -17,7 +17,7 @@ Documentation=man:org.freedesktop.timedate1(5)
 BusName=org.freedesktop.timedate1
 CapabilityBoundingSet=CAP_SYS_TIME
 DeviceAllow=char-rtc r
-ExecStart={{LIBEXECDIR}}/systemd-timedated
+ExecStart={{ROOTLIBEXECDIR}}/systemd-timedated
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index cf233fbffd..c606461091 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -26,7 +26,7 @@ CapabilityBoundingSet=CAP_SYS_TIME
 # correct time to work, but we likely won't acquire that without NTP. Let's
 # break this chicken-and-egg cycle here.
 Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
-ExecStart=!!{{LIBEXECDIR}}/systemd-timesyncd
+ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-timesyncd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in
index c1597ea3f9..de1f66f3ef 100644
--- a/units/systemd-tpm2-setup-early.service.in
+++ b/units/systemd-tpm2-setup-early.service.in
@@ -19,4 +19,4 @@ ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --early=yes
+ExecStart={{ROOTLIBEXECDIR}}/systemd-tpm2-setup --early=yes
diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in
index 6c99f3af0a..a8728933c9 100644
--- a/units/systemd-tpm2-setup.service.in
+++ b/units/systemd-tpm2-setup.service.in
@@ -21,4 +21,4 @@ ConditionPathExists=!/etc/initrd-release
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup
+ExecStart={{ROOTLIBEXECDIR}}/systemd-tpm2-setup
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index b59fdef9b0..a0ee9e0a50 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -25,7 +25,7 @@ OOMScoreAdjust=-1000
 Sockets=systemd-udevd-control.socket systemd-udevd-kernel.socket
 Restart=always
 RestartSec=0
-ExecStart={{LIBEXECDIR}}/systemd-udevd
+ExecStart={{ROOTLIBEXECDIR}}/systemd-udevd
 KillMode=mixed
 TasksMax=infinity
 PrivateMounts=yes
diff --git a/units/systemd-update-done.service.in b/units/systemd-update-done.service.in
index 4ea43c7dca..53cc6dd621 100644
--- a/units/systemd-update-done.service.in
+++ b/units/systemd-update-done.service.in
@@ -20,4 +20,4 @@ ConditionNeedsUpdate=|/var
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-update-done
+ExecStart={{ROOTLIBEXECDIR}}/systemd-update-done
diff --git a/units/systemd-update-utmp-runlevel.service.in b/units/systemd-update-utmp-runlevel.service.in
index 17772d4576..18c92f9b5a 100644
--- a/units/systemd-update-utmp-runlevel.service.in
+++ b/units/systemd-update-utmp-runlevel.service.in
@@ -22,4 +22,4 @@ Before=shutdown.target
 [Service]
 Type=oneshot
-ExecStart={{LIBEXECDIR}}/systemd-update-utmp runlevel
+ExecStart={{ROOTLIBEXECDIR}}/systemd-update-utmp runlevel
diff --git a/units/systemd-update-utmp.service.in b/units/systemd-update-utmp.service.in
index 1a88b7b2b8..73a848390e 100644
--- a/units/systemd-update-utmp.service.in
+++ b/units/systemd-update-utmp.service.in
@@ -22,5 +22,5 @@ RequiresMountsFor=/var/log/wtmp
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-update-utmp reboot
-ExecStop={{LIBEXECDIR}}/systemd-update-utmp shutdown
+ExecStart={{ROOTLIBEXECDIR}}/systemd-update-utmp reboot
+ExecStop={{ROOTLIBEXECDIR}}/systemd-update-utmp shutdown
diff --git a/units/systemd-user-sessions.service.in b/units/systemd-user-sessions.service.in
index ae694bf21b..adca848c2a 100644
--- a/units/systemd-user-sessions.service.in
+++ b/units/systemd-user-sessions.service.in
@@ -15,5 +15,5 @@ After=remote-fs.target nss-user-lookup.target network.target home.mount
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-user-sessions start
-ExecStop={{LIBEXECDIR}}/systemd-user-sessions stop
+ExecStart={{ROOTLIBEXECDIR}}/systemd-user-sessions start
+ExecStop={{ROOTLIBEXECDIR}}/systemd-user-sessions stop
diff --git a/units/systemd-userdbd.service.in b/units/systemd-userdbd.service.in
index 1c092654b9..b57661100c 100644
--- a/units/systemd-userdbd.service.in
+++ b/units/systemd-userdbd.service.in
@@ -17,7 +17,7 @@ DefaultDependencies=no
 [Service]
 CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE
-ExecStart={{LIBEXECDIR}}/systemd-userdbd
+ExecStart={{ROOTLIBEXECDIR}}/systemd-userdbd
 IPAddressDeny=any
 LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
 LockPersonality=yes
diff --git a/units/systemd-vconsole-setup.service.in b/units/systemd-vconsole-setup.service.in
index 3475d456bc..96417e19bd 100644
--- a/units/systemd-vconsole-setup.service.in
+++ b/units/systemd-vconsole-setup.service.in
@@ -25,6 +25,6 @@ Type=oneshot
 SuccessExitStatus=SIGTERM
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-vconsole-setup
+ExecStart={{ROOTLIBEXECDIR}}/systemd-vconsole-setup
 ImportCredential=vconsole.*
diff --git a/units/systemd-volatile-root.service.in b/units/systemd-volatile-root.service.in
index 6f221dc5ec..5a0ec89fd6 100644
--- a/units/systemd-volatile-root.service.in
+++ b/units/systemd-volatile-root.service.in
@@ -19,4 +19,4 @@ AssertPathExists=/etc/initrd-release
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-volatile-root yes /sysroot
+ExecStart={{ROOTLIBEXECDIR}}/systemd-volatile-root yes /sysroot
diff --git a/units/user-runtime-dir@.service.in b/units/user-runtime-dir@.service.in
index 0641dd0b0a..7314173324 100644
--- a/units/user-runtime-dir@.service.in
+++ b/units/user-runtime-dir@.service.in
@@ -15,8 +15,8 @@ StopWhenUnneeded=yes
 IgnoreOnIsolate=yes
 [Service]
-ExecStart={{LIBEXECDIR}}/systemd-user-runtime-dir start %i
-ExecStop={{LIBEXECDIR}}/systemd-user-runtime-dir stop %i
+ExecStart={{ROOTLIBEXECDIR}}/systemd-user-runtime-dir start %i
+ExecStop={{ROOTLIBEXECDIR}}/systemd-user-runtime-dir stop %i
 Type=oneshot
 RemainAfterExit=yes
 Slice=user-%i.slice
diff --git a/units/user@.service.in b/units/user@.service.in
index da5f98c994..86ab4ffcc6 100644
--- a/units/user@.service.in
+++ b/units/user@.service.in
@@ -18,7 +18,7 @@ IgnoreOnIsolate=yes
 User=%i
 PAMName=systemd-user
 Type=notify-reload
-ExecStart={{LIBEXECDIR}}/systemd --user
+ExecStart={{ROOTLIBEXECDIR}}/systemd --user
 Slice=user-%i.slice
 KillMode=mixed
 Delegate=pids memory cpu
--
2.42.1