diff --git a/.systemd.metadata b/.systemd.metadata
index 8ab9fd3..a883c33 100644
--- a/.systemd.metadata
+++ b/.systemd.metadata
@@ -1 +1 @@
-249634e3d6b3532f15465719f0437ce04c3eb377 SOURCES/systemd-239.tar.gz
+8803baa484cbe36680463c8c5e6febeff074b8e7 SOURCES/systemd-239.tar.gz
diff --git a/SOURCES/0792-ci-bump-the-worker-Ubuntu-version-to-Jammy.patch b/SOURCES/0792-ci-bump-the-worker-Ubuntu-version-to-Jammy.patch
new file mode 100644
index 0000000..7791008
--- /dev/null
+++ b/SOURCES/0792-ci-bump-the-worker-Ubuntu-version-to-Jammy.patch
@@ -0,0 +1,24 @@
+From 3a35fcaad4bb3831808280854eb84f68975279a1 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal <frantisek@sumsal.cz>
+Date: Tue, 19 Jul 2022 22:44:07 +0200
+Subject: [PATCH] ci: bump the worker Ubuntu version to Jammy
+
+rhel-only
+Related: #2087152
+---
+ .github/workflows/unit_tests.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
+index 87b162fa71..f397e8ed6e 100644
+--- a/.github/workflows/unit_tests.yml
++++ b/.github/workflows/unit_tests.yml
+@@ -6,7 +6,7 @@ on: [pull_request]
+
+ jobs:
+ build:
+- runs-on: ubuntu-20.04
++ runs-on: ubuntu-22.04
+ strategy:
+ fail-fast: false
+ matrix:
diff --git a/SOURCES/0793-test-make-test-execute-pass-on-Linux-5.15.patch b/SOURCES/0793-test-make-test-execute-pass-on-Linux-5.15.patch
new file mode 100644
index 0000000..9bc14ce
--- /dev/null
+++ b/SOURCES/0793-test-make-test-execute-pass-on-Linux-5.15.patch
@@ -0,0 +1,43 @@
+From 434b4b64d17e16ed23f90c99c26dbd0e4ce6cd88 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 24 Nov 2021 15:58:50 +0100
+Subject: [PATCH] test: make test-execute pass on Linux 5.15
+
+Linux 5.15 broke kernel API:
+
+https://github.com/torvalds/linux/commit/e70344c05995a190a56bbd1a23dc2218bcc8c924
+
+Previously setting IOPRIO_CLASS_NONE for a process would then report
+IOPRIO_CLASS_NONE back. But since 5.15 it reports IOPRIO_CLASS_BE
+instead. Since IOPRIO_CLASS_NONE is an alias for a special setting of
+IOPRIO_CLASS_BE this makes some sense, but it's also a kernel API
+breakage that our testsuite trips up on.
+
+(I made some minimal effort to inform the kernel people about this API
+breakage during the 5.15 rc phase, but noone was interested.)
+
+Either way let's hadle this gracefully in our test suite and accept
+"best-effort" too when "none" was set.
+
+(This is only triggable if the tests are run on 5.15 with full privs)
+
+(cherry picked from commit d9b8771108cf2955efc3852b477391017d2c599a)
+
+Related: #2087152
+---
+ test/test-execute/exec-ioschedulingclass-none.service | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/test/test-execute/exec-ioschedulingclass-none.service b/test/test-execute/exec-ioschedulingclass-none.service
+index b6af122a1e..8f917d345d 100644
+--- a/test/test-execute/exec-ioschedulingclass-none.service
++++ b/test/test-execute/exec-ioschedulingclass-none.service
+@@ -2,6 +2,7 @@
+ Description=Test for IOSchedulingClass=none
+
+ [Service]
+-ExecStart=/bin/sh -x -c 'c=$$(LC_ALL=C ionice); test "$${c%%:*}" = "none"'
++# Old kernels might report "none" here, new kernels "best-effort".
++ExecStart=/bin/sh -x -c 'c=$$(LC_ALL=C ionice); test "$${c%%:*}" = "none" -o "$${c%%:*}" = "best-effort"'
+ Type=oneshot
+ IOSchedulingClass=none
diff --git a/SOURCES/0794-ci-install-iputils.patch b/SOURCES/0794-ci-install-iputils.patch
new file mode 100644
index 0000000..97881f9
--- /dev/null
+++ b/SOURCES/0794-ci-install-iputils.patch
@@ -0,0 +1,25 @@
+From 128d784dacb456f9ea675911e88d4b47925bda0d Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal <frantisek@sumsal.cz>
+Date: Wed, 20 Jul 2022 10:24:36 +0200
+Subject: [PATCH] ci: install iputils
+
+Required by test-bpf.
+
+rhel-only
+Related: #2087152
+---
+ .github/workflows/unit_tests.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/.github/workflows/unit_tests.sh b/.github/workflows/unit_tests.sh
+index c1311310fb..3859433720 100755
+--- a/.github/workflows/unit_tests.sh
++++ b/.github/workflows/unit_tests.sh
+@@ -11,6 +11,7 @@ ADDITIONAL_DEPS=(
+ dnsmasq
+ e2fsprogs
+ hostname
++ iputils
+ libasan
+ libubsan
+ nc
diff --git a/SOURCES/0795-ci-Mergify-Add-ci-waived-logic.patch b/SOURCES/0795-ci-Mergify-Add-ci-waived-logic.patch
new file mode 100644
index 0000000..4841062
--- /dev/null
+++ b/SOURCES/0795-ci-Mergify-Add-ci-waived-logic.patch
@@ -0,0 +1,63 @@
+From 0feaf0be515c02a10ca12f726b4a8424262cf09c Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Tue, 19 Jul 2022 12:43:43 +0200
+Subject: [PATCH] ci(Mergify): Add `ci-waived` logic
+
+RHEL-only
+
+Related: #2087152
+---
+ .mergify.yml | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/.mergify.yml b/.mergify.yml
+index 6fa400effd..3afd04f18e 100644
+--- a/.mergify.yml
++++ b/.mergify.yml
+@@ -4,6 +4,7 @@
+ pull_request_rules:
+ - name: Add `needs-ci` label on CI fail
+ conditions:
++ - label!=ci-waived
+ - or:
+ # Unit tests
+ - -check-success=build (stream8, GCC)
+@@ -27,21 +28,24 @@ pull_request_rules:
+
+ - name: Remove `needs-ci` label on CI success
+ conditions:
+- # Unit tests
+- - check-success=build (stream8, GCC)
+- - check-success=build (stream8, GCC_ASAN)
+- # CentOS Stream CI
+- - check-success=CentOS CI (CentOS Stream 8)
+- # LGTM
+ - or:
+- - "check-success=LGTM analysis: JavaScript"
+- - "check-neutral=LGTM analysis: JavaScript"
+- - or:
+- - "check-success=LGTM analysis: Python"
+- - "check-neutral=LGTM analysis: Python"
+- - or:
+- - "check-success=LGTM analysis: C/C++"
+- - "check-neutral=LGTM analysis: C/C++"
++ - label=ci-waived
++ - and:
++ # Unit tests
++ - check-success=build (stream8, GCC)
++ - check-success=build (stream8, GCC_ASAN)
++ # CentOS Stream CI
++ - check-success=CentOS CI (CentOS Stream 8)
++ # LGTM
++ - or:
++ - "check-success=LGTM analysis: JavaScript"
++ - "check-neutral=LGTM analysis: JavaScript"
++ - or:
++ - "check-success=LGTM analysis: Python"
++ - "check-neutral=LGTM analysis: Python"
++ - or:
++ - "check-success=LGTM analysis: C/C++"
++ - "check-neutral=LGTM analysis: C/C++"
+ actions:
+ label:
+ remove:
diff --git a/SOURCES/0796-sd-event-don-t-invalidate-source-type-on-disconnect.patch b/SOURCES/0796-sd-event-don-t-invalidate-source-type-on-disconnect.patch
new file mode 100644
index 0000000..1c94030
--- /dev/null
+++ b/SOURCES/0796-sd-event-don-t-invalidate-source-type-on-disconnect.patch
@@ -0,0 +1,33 @@
+From e48586dcfa66731a353ecc832e43fab75559e2cf Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 30 Oct 2019 16:37:42 +0100
+Subject: [PATCH] sd-event: don't invalidate source type on disconnect
+
+This fixes fd closing if fd ownership is requested.
+
+(cherry picked from commit f59825595182d70b9ead238d1e885d0db99cc201)
+
+Resolves: #2115396
+---
+ src/libsystemd/sd-event/sd-event.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c
+index 0adfdd9e1a..09d4584bf9 100644
+--- a/src/libsystemd/sd-event/sd-event.c
++++ b/src/libsystemd/sd-event/sd-event.c
+@@ -1104,11 +1104,13 @@ static void source_disconnect(sd_event_source *s) {
+
+ event = s->event;
+
+- s->type = _SOURCE_EVENT_SOURCE_TYPE_INVALID;
+ s->event = NULL;
+ LIST_REMOVE(sources, event->sources, s);
+ event->n_sources--;
+
++ /* Note that we don't invalidate the type here, since we still need it in order to close the fd or
++ * pidfd associated with this event source, which we'll do only on source_free(). */
++
+ if (!s->floating)
+ sd_event_unref(event);
+ }
diff --git a/SOURCES/0797-tests-make-sure-we-delay-running-mount-start-jobs-wh.patch b/SOURCES/0797-tests-make-sure-we-delay-running-mount-start-jobs-wh.patch
new file mode 100644
index 0000000..eb18da9
--- /dev/null
+++ b/SOURCES/0797-tests-make-sure-we-delay-running-mount-start-jobs-wh.patch
@@ -0,0 +1,98 @@
+From e6cd875a767ba23b218cdca395307ac6fb7fd882 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Mon, 30 May 2022 14:50:05 +0200
+Subject: [PATCH] tests: make sure we delay running mount start jobs when
+ /p/s/mountinfo is rate limited
+
+(cherry picked from commit 9e15be6c8d55abd800bf33f9776dd0e307ed37bc)
+
+Related: #2095744
+---
+ test/TEST-60-MOUNT-RATELIMIT/testsuite.sh | 53 +++++++++++++++++++++++
+ test/test-functions | 2 +-
+ 2 files changed, 54 insertions(+), 1 deletion(-)
+
+diff --git a/test/TEST-60-MOUNT-RATELIMIT/testsuite.sh b/test/TEST-60-MOUNT-RATELIMIT/testsuite.sh
+index 6211050faf..84fe9640e1 100755
+--- a/test/TEST-60-MOUNT-RATELIMIT/testsuite.sh
++++ b/test/TEST-60-MOUNT-RATELIMIT/testsuite.sh
+@@ -2,6 +2,56 @@
+ set -eux
+ set -o pipefail
+
++test_issue_20329() {
++ local tmpdir unit
++ tmpdir="$(mktemp -d)"
++ unit=$(systemd-escape --suffix mount --path "$tmpdir")
++
++ # Set up test mount unit
++ cat > /run/systemd/system/"$unit" <<EOF
++[Mount]
++What=tmpfs
++Where=$tmpdir
++Type=tmpfs
++Options=defaults,nofail
++EOF
++
++ # Start the unit
++ systemctl daemon-reload
++ systemctl start "$unit"
++
++ [[ "$(systemctl show --property SubState --value "$unit")" = "mounted" ]] || {
++ echo >&2 "Test mount \"$unit\" unit isn't mounted"
++ return 1
++ }
++ mountpoint -q "$tmpdir"
++
++ trap 'systemctl stop $unit' RETURN
++
++ # Trigger the mount ratelimiting
++ cd "$(mktemp -d)"
++ mkdir foo
++ for ((i=0;i<50;++i)); do
++ mount --bind foo foo
++ umount foo
++ done
++
++ # Unmount the test mount and start it immediately again via systemd
++ umount "$tmpdir"
++ systemctl start "$unit"
++
++ # Make sure it is seen as mounted by systemd and it actually is mounted
++ [[ "$(systemctl show --property SubState --value "$unit")" = "mounted" ]] || {
++ echo >&2 "Test mount \"$unit\" unit isn't in \"mounted\" state"
++ return 1
++ }
++
++ mountpoint -q "$tmpdir" || {
++ echo >&2 "Test mount \"$unit\" is in \"mounted\" state, actually is not mounted"
++ return 1
++ }
++}
++
+ systemd-analyze log-level debug
+ systemd-analyze log-target journal
+
+@@ -85,6 +135,9 @@ if systemctl list-units -t mount tmp-meow* | grep -q tmp-meow; then
+ exit 42
+ fi
+
++# test that handling of mount start jobs is delayed when /proc/self/mouninfo monitor is rate limited
++test_issue_20329
++
+ systemd-analyze log-level info
+
+ echo OK >/testok
+diff --git a/test/test-functions b/test/test-functions
+index 4d7832b1fb..ed8ab98173 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -23,7 +23,7 @@ fi
+
+ PATH_TO_INIT=$ROOTLIBDIR/systemd
+
+-BASICTOOLS="test sh bash setsid loadkeys setfont login sulogin gzip sleep echo mount umount cryptsetup date dmsetup modprobe sed cmp tee rm true false chmod chown ln xargs env"
++BASICTOOLS="test sh bash setsid loadkeys setfont login sulogin gzip sleep echo mount umount cryptsetup date dmsetup modprobe sed cmp tee rm true false chmod chown ln xargs env mktemp mountpoint"
+ DEBUGTOOLS="df free ls stty cat ps ln ip route dmesg dhclient mkdir cp ping dhclient strace less grep id tty touch du sort hostname find"
+
+ STATEDIR="${BUILD_DIR:-.}/test/$(basename $(dirname $(realpath $0)))"
diff --git a/SOURCES/0798-core-drop-references-to-StandardOutputFileToCreate.patch b/SOURCES/0798-core-drop-references-to-StandardOutputFileToCreate.patch
new file mode 100644
index 0000000..b789e1f
--- /dev/null
+++ b/SOURCES/0798-core-drop-references-to-StandardOutputFileToCreate.patch
@@ -0,0 +1,29 @@
+From 0bf1df5c35c310c3efe49c7a3cb8c3be3e33492b Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 26 Nov 2018 21:05:37 +0100
+Subject: [PATCH] core: drop references to 'StandardOutputFileToCreate'
+
+This property never existed, let's drop any reference to it.
+
+(cherry picked from commit 922ce049d1ed37ce77e3322711e29f256d9e5959)
+
+Related: #2093479
+---
+ src/core/dbus-execute.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
+index 2e64f0baf4..05134851c5 100644
+--- a/src/core/dbus-execute.c
++++ b/src/core/dbus-execute.c
+@@ -1809,8 +1809,8 @@ int bus_exec_context_set_transient_property(
+
+ } else if (STR_IN_SET(name,
+ "StandardInputFile",
+- "StandardOutputFile", "StandardOutputFileToCreate", "StandardOutputFileToAppend",
+- "StandardErrorFile", "StandardErrorFileToCreate", "StandardErrorFileToAppend")) {
++ "StandardOutputFile", "StandardOutputFileToAppend",
++ "StandardErrorFile", "StandardErrorFileToAppend")) {
+ const char *s;
+
+ r = sd_bus_message_read(message, "s", &s);
diff --git a/SOURCES/0799-dbus-execute-fix-indentation.patch b/SOURCES/0799-dbus-execute-fix-indentation.patch
new file mode 100644
index 0000000..741b756
--- /dev/null
+++ b/SOURCES/0799-dbus-execute-fix-indentation.patch
@@ -0,0 +1,29 @@
+From 2ba82e6b7e9a7b138c985561dd7d26b9e4111fbe Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 26 Nov 2018 21:06:19 +0100
+Subject: [PATCH] dbus-execute: fix indentation
+
+(cherry picked from commit dbe6c4b657aa5c58bfc049d869b94f00b41b7d95)
+
+Related: #2093479
+---
+ src/core/dbus-execute.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
+index 05134851c5..fc433cc96f 100644
+--- a/src/core/dbus-execute.c
++++ b/src/core/dbus-execute.c
+@@ -1858,9 +1858,9 @@ int bus_exec_context_set_transient_property(
+ c->std_error = EXEC_OUTPUT_FILE;
+ unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, "StandardOutput=file:%s", s);
+ } else {
+- assert(streq(name, "StandardErrorFileToAppend"));
+- c->std_error = EXEC_OUTPUT_FILE_APPEND;
+- unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, "StandardOutput=append:%s", s);
++ assert(streq(name, "StandardErrorFileToAppend"));
++ c->std_error = EXEC_OUTPUT_FILE_APPEND;
++ unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, "StandardOutput=append:%s", s);
+ }
+ }
+ }
diff --git a/SOURCES/0800-dbus-execute-generate-the-correct-transient-unit-set.patch b/SOURCES/0800-dbus-execute-generate-the-correct-transient-unit-set.patch
new file mode 100644
index 0000000..c84dea6
--- /dev/null
+++ b/SOURCES/0800-dbus-execute-generate-the-correct-transient-unit-set.patch
@@ -0,0 +1,30 @@
+From 4fbd505c5a15f2b6078dc43e5a1ff999993e8b23 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 26 Nov 2018 21:07:06 +0100
+Subject: [PATCH] dbus-execute: generate the correct transient unit setting
+
+(cherry picked from commit 1704fba92f7b2c92238b0833943669045374daf9)
+
+Related: #2093479
+---
+ src/core/dbus-execute.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
+index fc433cc96f..00f4aeacef 100644
+--- a/src/core/dbus-execute.c
++++ b/src/core/dbus-execute.c
+@@ -1856,11 +1856,11 @@ int bus_exec_context_set_transient_property(
+
+ if (streq(name, "StandardErrorFile")) {
+ c->std_error = EXEC_OUTPUT_FILE;
+- unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, "StandardOutput=file:%s", s);
++ unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, "StandardError=file:%s", s);
+ } else {
+ assert(streq(name, "StandardErrorFileToAppend"));
+ c->std_error = EXEC_OUTPUT_FILE_APPEND;
+- unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, "StandardOutput=append:%s", s);
++ unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, "StandardError=append:%s", s);
+ }
+ }
+ }
diff --git a/SOURCES/0801-bus-unit-util-properly-accept-StandardOutput-append-.patch b/SOURCES/0801-bus-unit-util-properly-accept-StandardOutput-append-.patch
new file mode 100644
index 0000000..004b1fa
--- /dev/null
+++ b/SOURCES/0801-bus-unit-util-properly-accept-StandardOutput-append-.patch
@@ -0,0 +1,33 @@
+From b06347d1e85c98507ba386b24e6c7159edf4784f Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 26 Nov 2018 21:07:39 +0100
+Subject: [PATCH] =?UTF-8?q?bus-unit-util:=20properly=20accept=20StandardOu?=
+ =?UTF-8?q?tput=3Dappend:=E2=80=A6=20settings?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(cherry picked from commit 8d33232ef1ad051b5ed00bd7b5fffb5a19bb83ae)
+
+Resolves: #2093479
+---
+ src/shared/bus-unit-util.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
+index 9010448aaf..3910dfa812 100644
+--- a/src/shared/bus-unit-util.c
++++ b/src/shared/bus-unit-util.c
+@@ -894,9 +894,11 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
+ } else if ((n = startswith(eq, "file:"))) {
+ appended = strjoina(field, "File");
+ r = sd_bus_message_append(m, "(sv)", appended, "s", n);
++ } else if ((n = startswith(eq, "append:"))) {
++ appended = strjoina(field, "FileToAppend");
++ r = sd_bus_message_append(m, "(sv)", appended, "s", n);
+ } else
+ r = sd_bus_message_append(m, "(sv)", field, "s", eq);
+-
+ if (r < 0)
+ return bus_log_create_error(r);
+
diff --git a/SOURCES/0802-core-be-more-careful-when-inheriting-stdout-fds-to-s.patch b/SOURCES/0802-core-be-more-careful-when-inheriting-stdout-fds-to-s.patch
new file mode 100644
index 0000000..68ef399
--- /dev/null
+++ b/SOURCES/0802-core-be-more-careful-when-inheriting-stdout-fds-to-s.patch
@@ -0,0 +1,68 @@
+From d6ffd324cc933efec946a3ffbed6fccfe7077203 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 26 Nov 2018 21:07:48 +0100
+Subject: [PATCH] core: be more careful when inheriting stdout fds to stderr
+
+We need to compare the fd name/file name if we inherit an fd from stdout
+to stderr. Let's do that.
+
+Fixes: #10875
+(cherry picked from commit 41fc585a7a3b8ae857cad5fdad1bc70cdacfa8e5)
+
+Related: #2093479
+---
+ src/core/execute.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index 9cbb678ac4..b1d8dceb32 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -545,6 +545,30 @@ static int setup_input(
+ }
+ }
+
++static bool can_inherit_stderr_from_stdout(
++ const ExecContext *context,
++ ExecOutput o,
++ ExecOutput e) {
++
++ assert(context);
++
++ /* Returns true, if given the specified STDERR and STDOUT output we can directly dup() the stdout fd to the
++ * stderr fd */
++
++ if (e == EXEC_OUTPUT_INHERIT)
++ return true;
++ if (e != o)
++ return false;
++
++ if (e == EXEC_OUTPUT_NAMED_FD)
++ return streq_ptr(context->stdio_fdname[STDOUT_FILENO], context->stdio_fdname[STDERR_FILENO]);
++
++ if (IN_SET(e, EXEC_OUTPUT_FILE, EXEC_OUTPUT_FILE_APPEND))
++ return streq_ptr(context->stdio_file[STDOUT_FILENO], context->stdio_file[STDERR_FILENO]);
++
++ return true;
++}
++
+ static int setup_output(
+ const Unit *unit,
+ const ExecContext *context,
+@@ -603,7 +627,7 @@ static int setup_output(
+ return fileno;
+
+ /* Duplicate from stdout if possible */
+- if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
++ if (can_inherit_stderr_from_stdout(context, o, e))
+ return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
+
+ o = e;
+@@ -694,7 +718,6 @@ static int setup_output(
+ flags |= O_APPEND;
+
+ fd = acquire_path(context->stdio_file[fileno], flags, 0666 & ~context->umask);
+-
+ if (fd < 0)
+ return fd;
+
diff --git a/SOURCES/0803-test-add-a-test-for-StandardError-file.patch b/SOURCES/0803-test-add-a-test-for-StandardError-file.patch
new file mode 100644
index 0000000..ed9f18d
--- /dev/null
+++ b/SOURCES/0803-test-add-a-test-for-StandardError-file.patch
@@ -0,0 +1,136 @@
+From 2bbaa4b647c8a60a6c6a591f71313b0667447246 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 26 Nov 2018 21:09:07 +0100
+Subject: [PATCH] =?UTF-8?q?test:=20add=20a=20test=20for=20StandardError=3D?=
+ =?UTF-8?q?file:=E2=80=A6?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This deserves a test of its, given how broken on so many levels this
+previously was.
+
+(cherry picked from commit 196b0a11f306b8041e35316feb05ed1f00380957)
+
+Related: #2093479
+---
+ test/TEST-27-STDOUTFILE/Makefile | 1 +
+ test/TEST-27-STDOUTFILE/test.sh | 52 ++++++++++++++++++++++++++++
+ test/TEST-27-STDOUTFILE/testsuite.sh | 40 +++++++++++++++++++++
+ 3 files changed, 93 insertions(+)
+ create mode 120000 test/TEST-27-STDOUTFILE/Makefile
+ create mode 100755 test/TEST-27-STDOUTFILE/test.sh
+ create mode 100755 test/TEST-27-STDOUTFILE/testsuite.sh
+
+diff --git a/test/TEST-27-STDOUTFILE/Makefile b/test/TEST-27-STDOUTFILE/Makefile
+new file mode 120000
+index 0000000000..e9f93b1104
+--- /dev/null
++++ b/test/TEST-27-STDOUTFILE/Makefile
+@@ -0,0 +1 @@
++../TEST-01-BASIC/Makefile
+\ No newline at end of file
+diff --git a/test/TEST-27-STDOUTFILE/test.sh b/test/TEST-27-STDOUTFILE/test.sh
+new file mode 100755
+index 0000000000..724dbef231
+--- /dev/null
++++ b/test/TEST-27-STDOUTFILE/test.sh
+@@ -0,0 +1,52 @@
++#!/bin/bash
++# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
++# ex: ts=8 sw=4 sts=4 et filetype=sh
++set -e
++TEST_DESCRIPTION="test StandardOutput=file:"
++
++. $TEST_BASE_DIR/test-functions
++
++test_setup() {
++ create_empty_image
++ mkdir -p $TESTDIR/root
++ mount ${LOOPDEV}p1 $TESTDIR/root
++
++ (
++ LOG_LEVEL=5
++ eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
++
++ inst_binary cmp
++
++ setup_basic_environment
++
++ # mask some services that we do not want to run in these tests
++ ln -fs /dev/null $initdir/etc/systemd/system/systemd-hwdb-update.service
++ ln -fs /dev/null $initdir/etc/systemd/system/systemd-journal-catalog-update.service
++ ln -fs /dev/null $initdir/etc/systemd/system/systemd-networkd.service
++ ln -fs /dev/null $initdir/etc/systemd/system/systemd-networkd.socket
++ ln -fs /dev/null $initdir/etc/systemd/system/systemd-resolved.service
++ ln -fs /dev/null $initdir/etc/systemd/system/systemd-machined.service
++
++ # setup the testsuite service
++ cat >$initdir/etc/systemd/system/testsuite.service <<EOF
++[Unit]
++Description=Testsuite service
++
++[Service]
++ExecStart=/testsuite.sh
++Type=oneshot
++StandardOutput=tty
++StandardError=tty
++NotifyAccess=all
++EOF
++ cp testsuite.sh $initdir/
++
++ setup_testsuite
++ ) || return 1
++ setup_nspawn_root
++
++ ddebug "umount $TESTDIR/root"
++ umount $TESTDIR/root
++}
++
++do_test "$@"
+diff --git a/test/TEST-27-STDOUTFILE/testsuite.sh b/test/TEST-27-STDOUTFILE/testsuite.sh
+new file mode 100755
+index 0000000000..75559e03e5
+--- /dev/null
++++ b/test/TEST-27-STDOUTFILE/testsuite.sh
+@@ -0,0 +1,40 @@
++#!/bin/bash
++# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
++# ex: ts=8 sw=4 sts=4 et filetype=sh
++set -ex
++set -o pipefail
++
++systemd-analyze set-log-level debug
++systemd-analyze set-log-target console
++
++systemd-run --unit=one -p StandardOutput=file:/tmp/stdout -p StandardError=file:/tmp/stderr -p Type=exec sh -c 'echo x ; echo y >&2'
++cmp /tmp/stdout <<EOF
++x
++EOF
++cmp /tmp/stderr <<EOF
++y
++EOF
++
++systemd-run --unit=two -p StandardOutput=file:/tmp/stdout -p StandardError=file:/tmp/stderr -p Type=exec sh -c 'echo z ; echo a >&2'
++cmp /tmp/stdout <<EOF
++z
++EOF
++cmp /tmp/stderr <<EOF
++a
++EOF
++
++systemd-run --unit=three -p StandardOutput=append:/tmp/stdout -p StandardError=append:/tmp/stderr -p Type=exec sh -c 'echo b ; echo c >&2'
++cmp /tmp/stdout <<EOF
++z
++b
++EOF
++cmp /tmp/stderr <<EOF
++a
++c
++EOF
++
++systemd-analyze set-log-level info
++
++echo OK > /testok
++
++exit 0
diff --git a/SOURCES/0804-tree-wide-allow-ASCII-fallback-for-in-logs.patch b/SOURCES/0804-tree-wide-allow-ASCII-fallback-for-in-logs.patch
new file mode 100644
index 0000000..d4e5b2c
--- /dev/null
+++ b/SOURCES/0804-tree-wide-allow-ASCII-fallback-for-in-logs.patch
@@ -0,0 +1,260 @@
+From aa93c2acd6c9ed4eb0152be9002f59ecd9cc277e Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Fri, 24 Jun 2022 09:13:42 +0200
+Subject: [PATCH] =?UTF-8?q?tree-wide:=20allow=20ASCII=20fallback=20for=20?=
+ =?UTF-8?q?=E2=86=92=20in=20logs?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(cherry picked from commit e2341b6bc325932b3f9f10874956952cbdbd6361)
+
+Resolves: #2093479
+---
+ src/basic/mount-util.c | 5 +++--
+ src/core/dbus.c | 4 +++-
+ src/core/namespace.c | 7 +++++--
+ src/core/socket.c | 4 +++-
+ src/libsystemd/sd-bus/sd-bus.c | 4 +++-
+ src/login/logind-acl.c | 5 +++--
+ src/resolve/resolved-dns-query.c | 11 +++++++++--
+ src/shared/dns-domain.c | 9 ++++++---
+ src/tmpfiles/tmpfiles.c | 4 +++-
+ 9 files changed, 38 insertions(+), 15 deletions(-)
+
+diff --git a/src/basic/mount-util.c b/src/basic/mount-util.c
+index 0c709001be..e7f9e514c2 100644
+--- a/src/basic/mount-util.c
++++ b/src/basic/mount-util.c
+@@ -18,6 +18,7 @@
+ #include "fileio.h"
+ #include "fs-util.h"
+ #include "hashmap.h"
++#include "locale-util.h"
+ #include "mount-util.h"
+ #include "parse-util.h"
+ #include "path-util.h"
+@@ -844,8 +845,8 @@ int mount_verbose(
+ log_debug("Bind-mounting %s on %s (%s \"%s\")...",
+ what, where, strnull(fl), strempty(o));
+ else if (f & MS_MOVE)
+- log_debug("Moving mount %s → %s (%s \"%s\")...",
+- what, where, strnull(fl), strempty(o));
++ log_debug("Moving mount %s %s %s (%s \"%s\")...",
++ what, special_glyph(ARROW), where, strnull(fl), strempty(o));
+ else
+ log_debug("Mounting %s on %s (%s \"%s\")...",
+ strna(type), where, strnull(fl), strempty(o));
+diff --git a/src/core/dbus.c b/src/core/dbus.c
+index 584a8a1b01..66d838cdb4 100644
+--- a/src/core/dbus.c
++++ b/src/core/dbus.c
+@@ -31,6 +31,7 @@
+ #include "dbus.h"
+ #include "fd-util.h"
+ #include "fs-util.h"
++#include "locale-util.h"
+ #include "log.h"
+ #include "missing.h"
+ #include "mkdir.h"
+@@ -751,7 +752,8 @@ static int manager_dispatch_sync_bus_names(sd_event_source *es, void *userdata)
+ assert(s);
+
+ if (!streq_ptr(s->bus_name, name)) {
+- log_unit_warning(u, "Bus name has changed from %s → %s, ignoring.", s->bus_name, name);
++ log_unit_warning(u, "Bus name has changed from %s %s %s, ignoring.",
++ s->bus_name, special_glyph(ARROW), name);
+ continue;
+ }
+
+diff --git a/src/core/namespace.c b/src/core/namespace.c
+index e4930db15c..3566795d46 100644
+--- a/src/core/namespace.c
++++ b/src/core/namespace.c
+@@ -15,6 +15,7 @@
+ #include "fd-util.h"
+ #include "fs-util.h"
+ #include "label.h"
++#include "locale-util.h"
+ #include "loop-util.h"
+ #include "loopback-setup.h"
+ #include "missing.h"
+@@ -841,7 +842,8 @@ static int follow_symlink(
+ return -ELOOP;
+ }
+
+- log_debug("Followed mount entry path symlink %s → %s.", mount_entry_path(m), target);
++ log_debug("Followed mount entry path symlink %s %s %s.",
++ mount_entry_path(m), special_glyph(ARROW), target);
+
+ free_and_replace(m->path_malloc, target);
+ m->has_prefix = true;
+@@ -920,7 +922,8 @@ static int apply_mount(
+ if (r < 0)
+ return log_debug_errno(r, "Failed to follow symlinks on %s: %m", mount_entry_source(m));
+
+- log_debug("Followed source symlinks %s → %s.", mount_entry_source(m), chased);
++ log_debug("Followed source symlinks %s %s %s.",
++ mount_entry_source(m), special_glyph(ARROW), chased);
+
+ free_and_replace(m->source_malloc, chased);
+
+diff --git a/src/core/socket.c b/src/core/socket.c
+index 6f9a0f7575..bdfeb43a70 100644
+--- a/src/core/socket.c
++++ b/src/core/socket.c
+@@ -25,6 +25,7 @@
+ #include "in-addr-util.h"
+ #include "io-util.h"
+ #include "label.h"
++#include "locale-util.h"
+ #include "log.h"
+ #include "missing.h"
+ #include "mkdir.h"
+@@ -1355,7 +1356,8 @@ static int socket_symlink(Socket *s) {
+ }
+
+ if (r < 0)
+- log_unit_warning_errno(UNIT(s), r, "Failed to create symlink %s → %s, ignoring: %m", p, *i);
++ log_unit_warning_errno(UNIT(s), r, "Failed to create symlink %s %s %s, ignoring: %m",
++ p, special_glyph(ARROW), *i);
+ }
+
+ return 0;
+diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
+index 803f3f50d6..21e54591f7 100644
+--- a/src/libsystemd/sd-bus/sd-bus.c
++++ b/src/libsystemd/sd-bus/sd-bus.c
+@@ -31,6 +31,7 @@
+ #include "cgroup-util.h"
+ #include "def.h"
+ #include "fd-util.h"
++#include "locale-util.h"
+ #include "hexdecoct.h"
+ #include "hostname-util.h"
+ #include "macro.h"
+@@ -518,7 +519,8 @@ void bus_set_state(sd_bus *bus, enum bus_state state) {
+ if (state == bus->state)
+ return;
+
+- log_debug("Bus %s: changing state %s → %s", strna(bus->description), table[bus->state], table[state]);
++ log_debug("Bus %s: changing state %s %s %s", strna(bus->description),
++ table[bus->state], special_glyph(ARROW), table[state]);
+ bus->state = state;
+ }
+
+diff --git a/src/login/logind-acl.c b/src/login/logind-acl.c
+index cafeb8822f..fe17eac0e6 100644
+--- a/src/login/logind-acl.c
++++ b/src/login/logind-acl.c
+@@ -9,6 +9,7 @@
+ #include "escape.h"
+ #include "fd-util.h"
+ #include "format-util.h"
++#include "locale-util.h"
+ #include "logind-acl.h"
+ #include "set.h"
+ #include "string-util.h"
+@@ -260,8 +261,8 @@ int devnode_acl_all(struct udev *udev,
+ SET_FOREACH(n, nodes, i) {
+ int k;
+
+- log_debug("Changing ACLs at %s for seat %s (uid "UID_FMT"→"UID_FMT"%s%s)",
+- n, seat, old_uid, new_uid,
++ log_debug("Changing ACLs at %s for seat %s (uid "UID_FMT"%s"UID_FMT"%s%s)",
++ n, seat, old_uid, special_glyph(ARROW), new_uid,
+ del ? " del" : "", add ? " add" : "");
+
+ k = devnode_acl(n, flush, del, old_uid, add, new_uid);
+diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
+index c921fe841f..573e27d662 100644
+--- a/src/resolve/resolved-dns-query.c
++++ b/src/resolve/resolved-dns-query.c
+@@ -3,6 +3,7 @@
+ #include "alloc-util.h"
+ #include "dns-domain.h"
+ #include "dns-type.h"
++#include "locale-util.h"
+ #include "hostname-util.h"
+ #include "local-addresses.h"
+ #include "resolved-dns-query.h"
+@@ -942,7 +943,10 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname)
+ if (r < 0)
+ return r;
+ else if (r > 0)
+- log_debug("Following CNAME/DNAME %s → %s.", dns_question_first_name(q->question_idna), dns_question_first_name(nq_idna));
++ log_debug("Following CNAME/DNAME %s %s %s.",
++ dns_question_first_name(q->question_idna),
++ special_glyph(ARROW),
++ dns_question_first_name(nq_idna));
+
+ k = dns_question_is_equal(q->question_idna, q->question_utf8);
+ if (k < 0)
+@@ -956,7 +960,10 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname)
+ if (k < 0)
+ return k;
+ else if (k > 0)
+- log_debug("Following UTF8 CNAME/DNAME %s → %s.", dns_question_first_name(q->question_utf8), dns_question_first_name(nq_utf8));
++ log_debug("Following UTF8 CNAME/DNAME %s %s %s.",
++ dns_question_first_name(q->question_utf8),
++ special_glyph(ARROW),
++ dns_question_first_name(nq_utf8));
+ }
+
+ if (r == 0 && k == 0) /* No actual cname happened? */
+diff --git a/src/shared/dns-domain.c b/src/shared/dns-domain.c
+index de2fcca8b2..59799dec56 100644
+--- a/src/shared/dns-domain.c
++++ b/src/shared/dns-domain.c
+@@ -17,6 +17,7 @@
+
+ #include "alloc-util.h"
+ #include "dns-domain.h"
++#include "locale-util.h"
+ #include "hashmap.h"
+ #include "hexdecoct.h"
+ #include "in-addr-util.h"
+@@ -1260,7 +1261,7 @@ int dns_name_apply_idna(const char *name, char **ret) {
+
+ r = idn2_lookup_u8((uint8_t*) name, (uint8_t**) &t,
+ IDN2_NFC_INPUT | IDN2_NONTRANSITIONAL);
+- log_debug("idn2_lookup_u8: %s → %s", name, t);
++ log_debug("idn2_lookup_u8: %s %s %s", name, special_glyph(ARROW), t);
+ if (r == IDN2_OK) {
+ if (!startswith(name, "xn--")) {
+ _cleanup_free_ char *s = NULL;
+@@ -1273,8 +1274,10 @@ int dns_name_apply_idna(const char *name, char **ret) {
+ }
+
+ if (!streq_ptr(name, s)) {
+- log_debug("idn2 roundtrip failed: \"%s\" → \"%s\" → \"%s\", ignoring.",
+- name, t, s);
++ log_debug("idn2 roundtrip failed: \"%s\" %s \"%s\" %s \"%s\", ignoring.",
++ name, special_glyph(ARROW), t,
++ special_glyph(ARROW), s);
++ *ret = NULL;
+ return 0;
+ }
+ }
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 50fada99dd..b3c2aac746 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -36,6 +36,7 @@
+ #include "fs-util.h"
+ #include "glob-util.h"
+ #include "io-util.h"
++#include "locale-util.h"
+ #include "label.h"
+ #include "log.h"
+ #include "macro.h"
+@@ -2143,7 +2144,8 @@ static int patch_var_run(const char *fname, unsigned line, char **path) {
+ * there's no immediate need for action by the user. However, in the interest of making things less confusing
+ * to the user, let's still inform the user that these snippets should really be updated. */
+
+- log_notice("[%s:%u] Line references path below legacy directory /var/run/, updating %s → %s; please update the tmpfiles.d/ drop-in file accordingly.", fname, line, *path, n);
++ log_notice("[%s:%u] Line references path below legacy directory /var/run/, updating %s %s %s; please update the tmpfiles.d/ drop-in file accordingly.",
++ fname, line, *path, special_glyph(ARROW), n);
+
+ free(*path);
+ *path = n;
diff --git a/SOURCES/0805-tree-wide-allow-ASCII-fallback-for-in-logs.patch b/SOURCES/0805-tree-wide-allow-ASCII-fallback-for-in-logs.patch
new file mode 100644
index 0000000..19fb968
--- /dev/null
+++ b/SOURCES/0805-tree-wide-allow-ASCII-fallback-for-in-logs.patch
@@ -0,0 +1,129 @@
+From f27568d24a29590b34fec3a96a5b3b5d290ba3d8 Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Fri, 24 Jun 2022 09:59:44 +0200
+Subject: [PATCH] =?UTF-8?q?tree-wide:=20allow=20ASCII=20fallback=20for=20?=
+ =?UTF-8?q?=E2=80=A6=20in=20logs?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(cherry picked from commit 28e5e1e97f47067bce190ea6b3404907d63e4320)
+
+Related: #2093479
+---
+ src/core/manager.c | 5 +++--
+ src/shared/vlan-util.c | 3 ++-
+ src/sysusers/sysusers.c | 5 +++--
+ src/tmpfiles/tmpfiles.c | 6 +++---
+ 4 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 845c26f498..5873e5b6d7 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -49,6 +49,7 @@
+ #include "io-util.h"
+ #include "label.h"
+ #include "locale-setup.h"
++#include "locale-util.h"
+ #include "log.h"
+ #include "macro.h"
+ #include "manager.h"
+@@ -1404,7 +1405,7 @@ static void manager_coldplug(Manager *m) {
+
+ assert(m);
+
+- log_debug("Invoking unit coldplug() handlers…");
++ log_debug("Invoking unit coldplug() handlers%s", special_glyph(ELLIPSIS));
+
+ /* Let's place the units back into their deserialized state */
+ HASHMAP_FOREACH_KEY(u, k, m->units, i) {
+@@ -1426,7 +1427,7 @@ static void manager_catchup(Manager *m) {
+
+ assert(m);
+
+- log_debug("Invoking unit catchup() handlers…");
++ log_debug("Invoking unit catchup() handlers%s", special_glyph(ELLIPSIS));
+
+ /* Let's catch up on any state changes that happened while we were reloading/reexecing */
+ HASHMAP_FOREACH_KEY(u, k, m->units, i) {
+diff --git a/src/shared/vlan-util.c b/src/shared/vlan-util.c
+index 400994a354..9301dacbe2 100644
+--- a/src/shared/vlan-util.c
++++ b/src/shared/vlan-util.c
+@@ -1,6 +1,7 @@
+ /* SPDX-License-Identifier: LGPL-2.1+ */
+
+ #include "conf-parser.h"
++#include "locale-util.h"
+ #include "parse-util.h"
+ #include "string-util.h"
+ #include "vlan-util.h"
+@@ -67,7 +68,7 @@ int config_parse_vlanid(
+
+ r = parse_vlanid(rvalue, id);
+ if (r == -ERANGE) {
+- log_syntax(unit, LOG_ERR, filename, line, r, "VLAN identifier outside of valid range 0…4094, ignoring: %s", rvalue);
++ log_syntax(unit, LOG_ERR, filename, line, r, "VLAN identifier outside of valid range 0%s4094, ignoring: %s", special_glyph(ELLIPSIS), rvalue);
+ return 0;
+ }
+ if (r < 0) {
+diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
+index a374ebaaf4..f547388151 100644
+--- a/src/sysusers/sysusers.c
++++ b/src/sysusers/sysusers.c
+@@ -12,6 +12,7 @@
+ #include "format-util.h"
+ #include "fs-util.h"
+ #include "hashmap.h"
++#include "locale-util.h"
+ #include "pager.h"
+ #include "path-util.h"
+ #include "selinux-util.h"
+@@ -1890,13 +1891,13 @@ static int read_config_files(char **args) {
+
+ STRV_FOREACH(f, files)
+ if (p && path_equal(*f, p)) {
+- log_debug("Parsing arguments at position \"%s\"…", *f);
++ log_debug("Parsing arguments at position \"%s\"%s", *f, special_glyph(ELLIPSIS));
+
+ r = parse_arguments(args);
+ if (r < 0)
+ return r;
+ } else {
+- log_debug("Reading config file \"%s\"…", *f);
++ log_debug("Reading config file \"%s\"%s", *f, special_glyph(ELLIPSIS));
+
+ /* Just warn, ignore result otherwise */
+ (void) read_config_file(*f, true);
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index b3c2aac746..8da525120b 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -2654,7 +2654,7 @@ static int read_config_file(char **config_dirs, const char *fn, bool ignore_enoe
+ assert(fn);
+
+ if (streq(fn, "-")) {
+- log_debug("Reading config from stdin…");
++ log_debug("Reading config from stdin%s", special_glyph(ELLIPSIS));
+ fn = "<stdin>";
+ f = stdin;
+ } else {
+@@ -2667,7 +2667,7 @@ static int read_config_file(char **config_dirs, const char *fn, bool ignore_enoe
+
+ return log_error_errno(r, "Failed to open '%s': %m", fn);
+ }
+- log_debug("Reading config file \"%s\"…", fn);
++ log_debug("Reading config file \"%s\"%s", fn, special_glyph(ELLIPSIS));
+ f = _f;
+ }
+
+@@ -2765,7 +2765,7 @@ static int read_config_files(char **config_dirs, char **args, bool *invalid_conf
+
+ STRV_FOREACH(f, files)
+ if (p && path_equal(*f, p)) {
+- log_debug("Parsing arguments at position \"%s\"…", *f);
++ log_debug("Parsing arguments at position \"%s\"%s", *f, special_glyph(ELLIPSIS));
+
+ r = parse_arguments(config_dirs, args, invalid_config);
+ if (r < 0)
diff --git a/SOURCES/0806-core-allow-to-set-default-timeout-for-devices.patch b/SOURCES/0806-core-allow-to-set-default-timeout-for-devices.patch
new file mode 100644
index 0000000..a730ce9
--- /dev/null
+++ b/SOURCES/0806-core-allow-to-set-default-timeout-for-devices.patch
@@ -0,0 +1,115 @@
+From 207f51115c18c668982ef8bdb8a024fccaeb87f0 Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Sat, 16 Jul 2022 09:49:12 +0200
+Subject: [PATCH] core: allow to set default timeout for devices
+
+Fixes: #19879
+(cherry picked from commit a0fe19f9f791c05af236265954b1d73e8fcf5468)
+
+Resolves: #1967245
+---
+ src/core/dbus-manager.c | 1 +
+ src/core/device.c | 2 +-
+ src/core/main.c | 4 ++++
+ src/core/manager.c | 1 +
+ src/core/manager.h | 1 +
+ src/core/system.conf.in | 1 +
+ 6 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
+index 7488f22116..5b1ed3646e 100644
+--- a/src/core/dbus-manager.c
++++ b/src/core/dbus-manager.c
+@@ -2509,6 +2509,7 @@ const sd_bus_vtable bus_manager_vtable[] = {
+ SD_BUS_PROPERTY("DefaultTimerAccuracyUSec", "t", bus_property_get_usec, offsetof(Manager, default_timer_accuracy_usec), SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("DefaultTimeoutStartUSec", "t", bus_property_get_usec, offsetof(Manager, default_timeout_start_usec), SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("DefaultTimeoutStopUSec", "t", bus_property_get_usec, offsetof(Manager, default_timeout_stop_usec), SD_BUS_VTABLE_PROPERTY_CONST),
++ SD_BUS_PROPERTY("DefaultDeviceTimeoutUSec", "t", bus_property_get_usec, offsetof(Manager, default_device_timeout_usec), SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("DefaultRestartUSec", "t", bus_property_get_usec, offsetof(Manager, default_restart_usec), SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("DefaultStartLimitIntervalUSec", "t", bus_property_get_usec, offsetof(Manager, default_start_limit_interval), SD_BUS_VTABLE_PROPERTY_CONST),
+ /* The following two items are obsolete alias */
+diff --git a/src/core/device.c b/src/core/device.c
+index cb8b66dfc5..71b7c1ef81 100644
+--- a/src/core/device.c
++++ b/src/core/device.c
+@@ -97,7 +97,7 @@ static void device_init(Unit *u) {
+ * indefinitely for plugged in devices, something which cannot
+ * happen for the other units since their operations time out
+ * anyway. */
+- u->job_running_timeout = u->manager->default_timeout_start_usec;
++ u->job_running_timeout = u->manager->default_device_timeout_usec;
+
+ u->ignore_on_isolate = true;
+
+diff --git a/src/core/main.c b/src/core/main.c
+index 08a4df3c97..bfd4c531a7 100644
+--- a/src/core/main.c
++++ b/src/core/main.c
+@@ -109,6 +109,7 @@ static usec_t arg_default_restart_usec;
+ static usec_t arg_default_timeout_start_usec;
+ static usec_t arg_default_timeout_stop_usec;
+ static usec_t arg_default_timeout_abort_usec;
++static usec_t arg_default_device_timeout_usec;
+ static bool arg_default_timeout_abort_set;
+ static usec_t arg_default_start_limit_interval;
+ static unsigned arg_default_start_limit_burst;
+@@ -687,6 +688,7 @@ static int parse_config_file(void) {
+ { "Manager", "DefaultStandardError", config_parse_output_restricted,0, &arg_default_std_error },
+ { "Manager", "DefaultTimeoutStartSec", config_parse_sec, 0, &arg_default_timeout_start_usec },
+ { "Manager", "DefaultTimeoutStopSec", config_parse_sec, 0, &arg_default_timeout_stop_usec },
++ { "Manager", "DefaultDeviceTimeoutSec", config_parse_sec, 0, &arg_default_device_timeout_usec },
+ { "Manager", "DefaultRestartSec", config_parse_sec, 0, &arg_default_restart_usec },
+ { "Manager", "DefaultStartLimitInterval", config_parse_sec, 0, &arg_default_start_limit_interval }, /* obsolete alias */
+ { "Manager", "DefaultStartLimitIntervalSec",config_parse_sec, 0, &arg_default_start_limit_interval },
+@@ -754,6 +756,7 @@ static void set_manager_defaults(Manager *m) {
+ m->default_std_error = arg_default_std_error;
+ m->default_timeout_start_usec = arg_default_timeout_start_usec;
+ m->default_timeout_stop_usec = arg_default_timeout_stop_usec;
++ m->default_device_timeout_usec = arg_default_device_timeout_usec;
+ m->default_restart_usec = arg_default_restart_usec;
+ m->default_start_limit_interval = arg_default_start_limit_interval;
+ m->default_start_limit_burst = arg_default_start_limit_burst;
+@@ -2077,6 +2080,7 @@ static void reset_arguments(void) {
+ arg_default_timeout_stop_usec = DEFAULT_TIMEOUT_USEC;
+ arg_default_timeout_abort_usec = DEFAULT_TIMEOUT_USEC;
+ arg_default_timeout_abort_set = false;
++ arg_default_device_timeout_usec = DEFAULT_TIMEOUT_USEC;
+ arg_default_start_limit_interval = DEFAULT_START_LIMIT_INTERVAL;
+ arg_default_start_limit_burst = DEFAULT_START_LIMIT_BURST;
+ arg_runtime_watchdog = 0;
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 5873e5b6d7..f4611e6f8f 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -731,6 +731,7 @@ int manager_new(UnitFileScope scope, unsigned test_run_flags, Manager **_m) {
+ m->default_tasks_max = UINT64_MAX;
+ m->default_timeout_start_usec = DEFAULT_TIMEOUT_USEC;
+ m->default_timeout_stop_usec = DEFAULT_TIMEOUT_USEC;
++ m->default_device_timeout_usec = DEFAULT_TIMEOUT_USEC,
+ m->default_restart_usec = DEFAULT_RESTART_USEC;
+ m->original_log_level = -1;
+ m->original_log_target = _LOG_TARGET_INVALID;
+diff --git a/src/core/manager.h b/src/core/manager.h
+index 7b572c8dfd..3f2cfc5e2e 100644
+--- a/src/core/manager.h
++++ b/src/core/manager.h
+@@ -285,6 +285,7 @@ struct Manager {
+ ExecOutput default_std_output, default_std_error;
+
+ usec_t default_restart_usec, default_timeout_start_usec, default_timeout_stop_usec;
++ usec_t default_device_timeout_usec;
+
+ usec_t default_start_limit_interval;
+ unsigned default_start_limit_burst;
+diff --git a/src/core/system.conf.in b/src/core/system.conf.in
+index 84246c0e36..2f6852a89f 100644
+--- a/src/core/system.conf.in
++++ b/src/core/system.conf.in
+@@ -37,6 +37,7 @@
+ #DefaultStandardError=inherit
+ #DefaultTimeoutStartSec=90s
+ #DefaultTimeoutStopSec=90s
++#DefaultDeviceTimeoutSec=90s
+ #DefaultRestartSec=100ms
+ #DefaultStartLimitIntervalSec=10s
+ #DefaultStartLimitBurst=5
diff --git a/SOURCES/0807-man-document-DefaultDeviceTimeoutSec.patch b/SOURCES/0807-man-document-DefaultDeviceTimeoutSec.patch
new file mode 100644
index 0000000..eb248e3
--- /dev/null
+++ b/SOURCES/0807-man-document-DefaultDeviceTimeoutSec.patch
@@ -0,0 +1,34 @@
+From ba81eba0feaf5c34f52141301e2b7ca93128fed0 Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Sat, 16 Jul 2022 10:16:41 +0200
+Subject: [PATCH] man: document DefaultDeviceTimeoutSec=
+
+(cherry picked from commit 9e69bd4801588c12811c611a1c68b54cecbe1718)
+
+Related: #1967245
+---
+ man/systemd-system.conf.xml | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
+index 988c4e7665..3670f34cb5 100644
+--- a/man/systemd-system.conf.xml
++++ b/man/systemd-system.conf.xml
+@@ -305,6 +305,17 @@
+ 100ms.</para></listitem>
+ </varlistentry>
+
++ <varlistentry>
++ <term><varname>DefaultDeviceTimeoutSec=</varname></term>
++
++ <listitem><para>Configures the default timeout for waiting for devices. It can be changed per
++ device via the <varname>x-systemd.device-timeout=</varname> option in <filename>/etc/fstab</filename>
++ and <filename>/etc/crypttab</filename> (see
++ <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
++ <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
++ Defaults to 90s.</para></listitem>
++ </varlistentry>
++
+ <varlistentry>
+ <term><varname>DefaultStartLimitIntervalSec=</varname></term>
+ <term><varname>DefaultStartLimitBurst=</varname></term>
diff --git a/SOURCES/0808-Revert-core-Propagate-condition-failed-state-to-trig.patch b/SOURCES/0808-Revert-core-Propagate-condition-failed-state-to-trig.patch
new file mode 100644
index 0000000..51df34e
--- /dev/null
+++ b/SOURCES/0808-Revert-core-Propagate-condition-failed-state-to-trig.patch
@@ -0,0 +1,255 @@
+From f1a1ff976ed0787c79a0f57d773bc555ab756b8c Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Fri, 17 Dec 2021 19:39:29 +0100
+Subject: [PATCH] Revert "core: Propagate condition failed state to triggering
+ units."
+
+This reverts commit 12ab94a1e4961a39c32efb60b71866ab588d3ea2.
+
+(cherry picked from commit 40f41f34d4af15d0147b5b2525f0b87ff62eae9a)
+
+Related: #2114005
+---
+ src/core/automount.c | 14 ++++----------
+ src/core/automount.h | 1 -
+ src/core/path.c | 16 +++++-----------
+ src/core/path.h | 1 -
+ src/core/socket.c | 28 +++++++++-------------------
+ src/core/socket.h | 1 -
+ src/core/timer.c | 12 +++---------
+ src/core/timer.h | 1 -
+ src/core/unit.c | 10 ----------
+ src/core/unit.h | 2 --
+ 10 files changed, 21 insertions(+), 65 deletions(-)
+
+diff --git a/src/core/automount.c b/src/core/automount.c
+index bac3b2fab7..c1c513d4a5 100644
+--- a/src/core/automount.c
++++ b/src/core/automount.c
+@@ -776,11 +776,6 @@ static void automount_enter_running(Automount *a) {
+ goto fail;
+ }
+
+- if (unit_has_failed_condition_or_assert(trigger)) {
+- automount_enter_dead(a, AUTOMOUNT_FAILURE_MOUNT_CONDITION_FAILED);
+- return;
+- }
+-
+ r = manager_add_job(UNIT(a)->manager, JOB_START, trigger, JOB_REPLACE, NULL, &error, NULL);
+ if (r < 0) {
+ log_unit_warning(UNIT(a), "Failed to queue mount startup job: %s", bus_error_message(&error, r));
+@@ -1092,11 +1087,10 @@ static int automount_can_start(Unit *u) {
+ }
+
+ static const char* const automount_result_table[_AUTOMOUNT_RESULT_MAX] = {
+- [AUTOMOUNT_SUCCESS] = "success",
+- [AUTOMOUNT_FAILURE_RESOURCES] = "resources",
+- [AUTOMOUNT_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
+- [AUTOMOUNT_FAILURE_MOUNT_START_LIMIT_HIT] = "mount-start-limit-hit",
+- [AUTOMOUNT_FAILURE_MOUNT_CONDITION_FAILED] = "mount-condition-failed",
++ [AUTOMOUNT_SUCCESS] = "success",
++ [AUTOMOUNT_FAILURE_RESOURCES] = "resources",
++ [AUTOMOUNT_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
++ [AUTOMOUNT_FAILURE_MOUNT_START_LIMIT_HIT] = "mount-start-limit-hit",
+ };
+
+ DEFINE_STRING_TABLE_LOOKUP(automount_result, AutomountResult);
+diff --git a/src/core/automount.h b/src/core/automount.h
+index a7417d195c..21dd1c0774 100644
+--- a/src/core/automount.h
++++ b/src/core/automount.h
+@@ -10,7 +10,6 @@ typedef enum AutomountResult {
+ AUTOMOUNT_FAILURE_RESOURCES,
+ AUTOMOUNT_FAILURE_START_LIMIT_HIT,
+ AUTOMOUNT_FAILURE_MOUNT_START_LIMIT_HIT,
+- AUTOMOUNT_FAILURE_MOUNT_CONDITION_FAILED,
+ _AUTOMOUNT_RESULT_MAX,
+ _AUTOMOUNT_RESULT_INVALID = -1
+ } AutomountResult;
+diff --git a/src/core/path.c b/src/core/path.c
+index bf7e1bf3c2..c2facf0b16 100644
+--- a/src/core/path.c
++++ b/src/core/path.c
+@@ -453,7 +453,7 @@ static void path_enter_dead(Path *p, PathResult f) {
+ else
+ unit_log_failure(UNIT(p), path_result_to_string(p->result));
+
+- path_set_state(p, p->result == PATH_SUCCESS ? PATH_DEAD : PATH_FAILED);
++ path_set_state(p, p->result != PATH_SUCCESS ? PATH_FAILED : PATH_DEAD);
+ }
+
+ static void path_enter_running(Path *p) {
+@@ -711,11 +711,6 @@ static void path_trigger_notify(Unit *u, Unit *other) {
+ return;
+ }
+
+- if (unit_has_failed_condition_or_assert(other)) {
+- path_enter_dead(p, PATH_FAILURE_UNIT_CONDITION_FAILED);
+- return;
+- }
+-
+ /* Don't propagate anything if there's still a job queued */
+ if (other->job)
+ return;
+@@ -768,11 +763,10 @@ static const char* const path_type_table[_PATH_TYPE_MAX] = {
+ DEFINE_STRING_TABLE_LOOKUP(path_type, PathType);
+
+ static const char* const path_result_table[_PATH_RESULT_MAX] = {
+- [PATH_SUCCESS] = "success",
+- [PATH_FAILURE_RESOURCES] = "resources",
+- [PATH_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
+- [PATH_FAILURE_UNIT_START_LIMIT_HIT] = "unit-start-limit-hit",
+- [PATH_FAILURE_UNIT_CONDITION_FAILED] = "unit-condition-failed",
++ [PATH_SUCCESS] = "success",
++ [PATH_FAILURE_RESOURCES] = "resources",
++ [PATH_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
++ [PATH_FAILURE_UNIT_START_LIMIT_HIT] = "unit-start-limit-hit",
+ };
+
+ DEFINE_STRING_TABLE_LOOKUP(path_result, PathResult);
+diff --git a/src/core/path.h b/src/core/path.h
+index 0ad6bd12c6..8a69f06c13 100644
+--- a/src/core/path.h
++++ b/src/core/path.h
+@@ -46,7 +46,6 @@ typedef enum PathResult {
+ PATH_FAILURE_RESOURCES,
+ PATH_FAILURE_START_LIMIT_HIT,
+ PATH_FAILURE_UNIT_START_LIMIT_HIT,
+- PATH_FAILURE_UNIT_CONDITION_FAILED,
+ _PATH_RESULT_MAX,
+ _PATH_RESULT_INVALID = -1
+ } PathResult;
+diff --git a/src/core/socket.c b/src/core/socket.c
+index bdfeb43a70..9d47ca2616 100644
+--- a/src/core/socket.c
++++ b/src/core/socket.c
+@@ -2274,15 +2274,6 @@ static void socket_enter_running(Socket *s, int cfd) {
+ goto refuse;
+ }
+
+- if (UNIT_ISSET(s->service) && cfd < 0) {
+- Unit *service = UNIT_DEREF(s->service);
+-
+- if (unit_has_failed_condition_or_assert(service)) {
+- socket_enter_dead(s, SOCKET_FAILURE_SERVICE_CONDITION_FAILED);
+- return;
+- }
+- }
+-
+ if (cfd < 0) {
+ bool pending = false;
+ Unit *other;
+@@ -3298,16 +3289,15 @@ static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = {
+ DEFINE_STRING_TABLE_LOOKUP(socket_exec_command, SocketExecCommand);
+
+ static const char* const socket_result_table[_SOCKET_RESULT_MAX] = {
+- [SOCKET_SUCCESS] = "success",
+- [SOCKET_FAILURE_RESOURCES] = "resources",
+- [SOCKET_FAILURE_TIMEOUT] = "timeout",
+- [SOCKET_FAILURE_EXIT_CODE] = "exit-code",
+- [SOCKET_FAILURE_SIGNAL] = "signal",
+- [SOCKET_FAILURE_CORE_DUMP] = "core-dump",
+- [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
+- [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit",
+- [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit",
+- [SOCKET_FAILURE_SERVICE_CONDITION_FAILED] = "service-condition-failed",
++ [SOCKET_SUCCESS] = "success",
++ [SOCKET_FAILURE_RESOURCES] = "resources",
++ [SOCKET_FAILURE_TIMEOUT] = "timeout",
++ [SOCKET_FAILURE_EXIT_CODE] = "exit-code",
++ [SOCKET_FAILURE_SIGNAL] = "signal",
++ [SOCKET_FAILURE_CORE_DUMP] = "core-dump",
++ [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
++ [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit",
++ [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit"
+ };
+
+ DEFINE_STRING_TABLE_LOOKUP(socket_result, SocketResult);
+diff --git a/src/core/socket.h b/src/core/socket.h
+index b171b94316..2409dbf2a0 100644
+--- a/src/core/socket.h
++++ b/src/core/socket.h
+@@ -39,7 +39,6 @@ typedef enum SocketResult {
+ SOCKET_FAILURE_START_LIMIT_HIT,
+ SOCKET_FAILURE_TRIGGER_LIMIT_HIT,
+ SOCKET_FAILURE_SERVICE_START_LIMIT_HIT,
+- SOCKET_FAILURE_SERVICE_CONDITION_FAILED,
+ _SOCKET_RESULT_MAX,
+ _SOCKET_RESULT_INVALID = -1
+ } SocketResult;
+diff --git a/src/core/timer.c b/src/core/timer.c
+index 3c8d89771d..990f05fee4 100644
+--- a/src/core/timer.c
++++ b/src/core/timer.c
+@@ -567,11 +567,6 @@ static void timer_enter_running(Timer *t) {
+ return;
+ }
+
+- if (unit_has_failed_condition_or_assert(trigger)) {
+- timer_enter_dead(t, TIMER_FAILURE_UNIT_CONDITION_FAILED);
+- return;
+- }
+-
+ r = manager_add_job(UNIT(t)->manager, JOB_START, trigger, JOB_REPLACE, NULL, &error, NULL);
+ if (r < 0)
+ goto fail;
+@@ -855,10 +850,9 @@ static const char* const timer_base_table[_TIMER_BASE_MAX] = {
+ DEFINE_STRING_TABLE_LOOKUP(timer_base, TimerBase);
+
+ static const char* const timer_result_table[_TIMER_RESULT_MAX] = {
+- [TIMER_SUCCESS] = "success",
+- [TIMER_FAILURE_RESOURCES] = "resources",
+- [TIMER_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
+- [TIMER_FAILURE_UNIT_CONDITION_FAILED] = "unit-condition-failed",
++ [TIMER_SUCCESS] = "success",
++ [TIMER_FAILURE_RESOURCES] = "resources",
++ [TIMER_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
+ };
+
+ DEFINE_STRING_TABLE_LOOKUP(timer_result, TimerResult);
+diff --git a/src/core/timer.h b/src/core/timer.h
+index d23e19d622..833aadb0b8 100644
+--- a/src/core/timer.h
++++ b/src/core/timer.h
+@@ -32,7 +32,6 @@ typedef enum TimerResult {
+ TIMER_SUCCESS,
+ TIMER_FAILURE_RESOURCES,
+ TIMER_FAILURE_START_LIMIT_HIT,
+- TIMER_FAILURE_UNIT_CONDITION_FAILED,
+ _TIMER_RESULT_MAX,
+ _TIMER_RESULT_INVALID = -1
+ } TimerResult;
+diff --git a/src/core/unit.c b/src/core/unit.c
+index 0810bf5a58..dfe0c243ef 100644
+--- a/src/core/unit.c
++++ b/src/core/unit.c
+@@ -5661,16 +5661,6 @@ int unit_thaw_vtable_common(Unit *u) {
+ return unit_cgroup_freezer_action(u, FREEZER_THAW);
+ }
+
+-bool unit_has_failed_condition_or_assert(Unit *u) {
+- if (dual_timestamp_is_set(&u->condition_timestamp) && !u->condition_result)
+- return true;
+-
+- if (dual_timestamp_is_set(&u->assert_timestamp) && !u->assert_result)
+- return true;
+-
+- return false;
+-}
+-
+ static const char* const collect_mode_table[_COLLECT_MODE_MAX] = {
+ [COLLECT_INACTIVE] = "inactive",
+ [COLLECT_INACTIVE_OR_FAILED] = "inactive-or-failed",
+diff --git a/src/core/unit.h b/src/core/unit.h
+index a924bd2e83..b8b914711f 100644
+--- a/src/core/unit.h
++++ b/src/core/unit.h
+@@ -847,8 +847,6 @@ void unit_thawed(Unit *u);
+ int unit_freeze_vtable_common(Unit *u);
+ int unit_thaw_vtable_common(Unit *u);
+
+-bool unit_has_failed_condition_or_assert(Unit *u);
+-
+ /* Macros which append UNIT= or USER_UNIT= to the message */
+
+ #define log_unit_full(unit, level, error, ...) \
diff --git a/SOURCES/0809-core-Check-unit-start-rate-limiting-earlier.patch b/SOURCES/0809-core-Check-unit-start-rate-limiting-earlier.patch
new file mode 100644
index 0000000..45f95d4
--- /dev/null
+++ b/SOURCES/0809-core-Check-unit-start-rate-limiting-earlier.patch
@@ -0,0 +1,137 @@
+From e393372ad5ba67acb9b397f044efdb1c9a100644 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Tue, 24 Aug 2021 16:46:47 +0100
+Subject: [PATCH] core: Check unit start rate limiting earlier
+
+[dtardon: This adds the test that's been left out by commit
+471eda89a25a3ceac91a2d05e39a54aae78038ed]
+
+(cherry picked from commit 9727f2427ff6b2e1f4ab927cc57ad8e888f04e95)
+
+Related: #2114005
+---
+ test/TEST-10-ISSUE-2467/test.sh | 3 ++
+ test/TEST-63-ISSUE-17433/Makefile | 1 +
+ test/TEST-63-ISSUE-17433/test.sh | 42 ++++++++++++++++++++++
+ test/TEST-63-ISSUE-17433/test63.path | 2 ++
+ test/TEST-63-ISSUE-17433/test63.service | 5 +++
+ test/TEST-63-ISSUE-17433/testsuite.service | 17 +++++++++
+ 6 files changed, 70 insertions(+)
+ create mode 120000 test/TEST-63-ISSUE-17433/Makefile
+ create mode 100755 test/TEST-63-ISSUE-17433/test.sh
+ create mode 100644 test/TEST-63-ISSUE-17433/test63.path
+ create mode 100644 test/TEST-63-ISSUE-17433/test63.service
+ create mode 100644 test/TEST-63-ISSUE-17433/testsuite.service
+
+diff --git a/test/TEST-10-ISSUE-2467/test.sh b/test/TEST-10-ISSUE-2467/test.sh
+index 0e61236686..a839ef79de 100755
+--- a/test/TEST-10-ISSUE-2467/test.sh
++++ b/test/TEST-10-ISSUE-2467/test.sh
+@@ -42,6 +42,9 @@ EOF
+ [Unit]
+ Requires=test.socket
+ ConditionPathExistsGlob=/tmp/nonexistent
++# Make sure we hit the socket trigger limit in the test and not the service start limit.
++StartLimitInterval=1000
++StartLimitBurst=1000
+
+ [Service]
+ ExecStart=/bin/true
+diff --git a/test/TEST-63-ISSUE-17433/Makefile b/test/TEST-63-ISSUE-17433/Makefile
+new file mode 120000
+index 0000000000..e9f93b1104
+--- /dev/null
++++ b/test/TEST-63-ISSUE-17433/Makefile
+@@ -0,0 +1 @@
++../TEST-01-BASIC/Makefile
+\ No newline at end of file
+diff --git a/test/TEST-63-ISSUE-17433/test.sh b/test/TEST-63-ISSUE-17433/test.sh
+new file mode 100755
+index 0000000000..406a1e214c
+--- /dev/null
++++ b/test/TEST-63-ISSUE-17433/test.sh
+@@ -0,0 +1,42 @@
++#!/usr/bin/env bash
++set -e
++
++TEST_DESCRIPTION="https://github.com/systemd/systemd/issues/17433"
++
++# shellcheck source=test/test-functions
++. "${TEST_BASE_DIR:?}/test-functions"
++
++test_setup() {
++ create_empty_image
++ mkdir -p $TESTDIR/root
++ mount ${LOOPDEV}p1 $TESTDIR/root
++
++ # Create what will eventually be our root filesystem onto an overlay
++ (
++ LOG_LEVEL=5
++ eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
++
++ setup_basic_environment
++
++ # setup the testsuite service
++ cp testsuite.service $initdir/etc/systemd/system/testsuite.service
++
++ cp test63.path $initdir/etc/systemd/system/test63.path
++ cp test63.service $initdir/etc/systemd/system/test63.service
++
++ setup_testsuite
++ ) || return 1
++ setup_nspawn_root
++
++ # mask some services that we do not want to run in these tests
++ ln -s /dev/null $initdir/etc/systemd/system/systemd-hwdb-update.service
++ ln -s /dev/null $initdir/etc/systemd/system/systemd-journal-catalog-update.service
++ ln -s /dev/null $initdir/etc/systemd/system/systemd-networkd.service
++ ln -s /dev/null $initdir/etc/systemd/system/systemd-networkd.socket
++ ln -s /dev/null $initdir/etc/systemd/system/systemd-resolved.service
++
++ ddebug "umount $TESTDIR/root"
++ umount $TESTDIR/root
++}
++
++do_test "$@"
+diff --git a/test/TEST-63-ISSUE-17433/test63.path b/test/TEST-63-ISSUE-17433/test63.path
+new file mode 100644
+index 0000000000..a6573bda0a
+--- /dev/null
++++ b/test/TEST-63-ISSUE-17433/test63.path
+@@ -0,0 +1,2 @@
++[Path]
++PathExists=/tmp/test63
+diff --git a/test/TEST-63-ISSUE-17433/test63.service b/test/TEST-63-ISSUE-17433/test63.service
+new file mode 100644
+index 0000000000..c83801874d
+--- /dev/null
++++ b/test/TEST-63-ISSUE-17433/test63.service
+@@ -0,0 +1,5 @@
++[Unit]
++ConditionPathExists=!/tmp/nonexistent
++
++[Service]
++ExecStart=true
+diff --git a/test/TEST-63-ISSUE-17433/testsuite.service b/test/TEST-63-ISSUE-17433/testsuite.service
+new file mode 100644
+index 0000000000..d3ca5b002b
+--- /dev/null
++++ b/test/TEST-63-ISSUE-17433/testsuite.service
+@@ -0,0 +1,17 @@
++[Unit]
++Description=TEST-63-ISSUE-17433
++
++[Service]
++ExecStartPre=rm -f /failed /testok
++Type=oneshot
++ExecStart=rm -f /tmp/nonexistent
++ExecStart=systemctl start test63.path
++ExecStart=touch /tmp/test63
++# Make sure systemd has sufficient time to hit the start limit for test63.service.
++ExecStart=sleep 2
++ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p ActiveState)" = failed'
++ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p Result)" = start-limit-hit'
++# FIXME: The path remains active, which it should not
++# ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p ActiveState)" = failed'
++# ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p Result)" = unit-start-limit-hit'
++ExecStart=sh -x -c 'echo OK >/testok'
diff --git a/SOURCES/0810-core-Add-trigger-limit-for-path-units.patch b/SOURCES/0810-core-Add-trigger-limit-for-path-units.patch
new file mode 100644
index 0000000..7ddde88
--- /dev/null
+++ b/SOURCES/0810-core-Add-trigger-limit-for-path-units.patch
@@ -0,0 +1,127 @@
+From 9d3f5e5d222308d29aad9bf7b2bfc440143a8606 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Fri, 17 Dec 2021 20:01:31 +0100
+Subject: [PATCH] core: Add trigger limit for path units
+
+When conditions fail on a service unit, a path unit can cause
+PID 1 to busy loop as it keeps trying to activate the service unit.
+To avoid this from happening, add a trigger limit to the path unit,
+identical to the trigger limit we have for socket units.
+
+Initially, let's start with a high limit and not make it configurable.
+If needed, we can add properties to configure the rate limit similar
+to the ones we have for socket units.
+
+(cherry picked from commit aaae822b37aa3ca39aebb516fdc6bef36d730c25)
+
+Resolves: #2114005
+---
+ src/core/path.c | 10 ++++++++++
+ src/core/path.h | 3 +++
+ test/TEST-63-ISSUE-17433/test63.service | 2 +-
+ test/TEST-63-ISSUE-17433/testsuite.service | 21 +++++++++++++++++----
+ 4 files changed, 31 insertions(+), 5 deletions(-)
+
+diff --git a/src/core/path.c b/src/core/path.c
+index c2facf0b16..b899bde0de 100644
+--- a/src/core/path.c
++++ b/src/core/path.c
+@@ -238,6 +238,9 @@ static void path_init(Unit *u) {
+ assert(u->load_state == UNIT_STUB);
+
+ p->directory_mode = 0755;
++
++ p->trigger_limit.interval = 2 * USEC_PER_SEC;
++ p->trigger_limit.burst = 200;
+ }
+
+ void path_free_specs(Path *p) {
+@@ -467,6 +470,12 @@ static void path_enter_running(Path *p) {
+ if (unit_stop_pending(UNIT(p)))
+ return;
+
++ if (!ratelimit_below(&p->trigger_limit)) {
++ log_unit_warning(UNIT(p), "Trigger limit hit, refusing further activation.");
++ path_enter_dead(p, PATH_FAILURE_TRIGGER_LIMIT_HIT);
++ return;
++ }
++
+ trigger = UNIT_TRIGGER(UNIT(p));
+ if (!trigger) {
+ log_unit_error(UNIT(p), "Unit to trigger vanished.");
+@@ -767,6 +776,7 @@ static const char* const path_result_table[_PATH_RESULT_MAX] = {
+ [PATH_FAILURE_RESOURCES] = "resources",
+ [PATH_FAILURE_START_LIMIT_HIT] = "start-limit-hit",
+ [PATH_FAILURE_UNIT_START_LIMIT_HIT] = "unit-start-limit-hit",
++ [PATH_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit",
+ };
+
+ DEFINE_STRING_TABLE_LOOKUP(path_result, PathResult);
+diff --git a/src/core/path.h b/src/core/path.h
+index 8a69f06c13..12fd13fbe3 100644
+--- a/src/core/path.h
++++ b/src/core/path.h
+@@ -46,6 +46,7 @@ typedef enum PathResult {
+ PATH_FAILURE_RESOURCES,
+ PATH_FAILURE_START_LIMIT_HIT,
+ PATH_FAILURE_UNIT_START_LIMIT_HIT,
++ PATH_FAILURE_TRIGGER_LIMIT_HIT,
+ _PATH_RESULT_MAX,
+ _PATH_RESULT_INVALID = -1
+ } PathResult;
+@@ -63,6 +64,8 @@ struct Path {
+ mode_t directory_mode;
+
+ PathResult result;
++
++ RateLimit trigger_limit;
+ };
+
+ void path_free_specs(Path *p);
+diff --git a/test/TEST-63-ISSUE-17433/test63.service b/test/TEST-63-ISSUE-17433/test63.service
+index c83801874d..6292434c5c 100644
+--- a/test/TEST-63-ISSUE-17433/test63.service
++++ b/test/TEST-63-ISSUE-17433/test63.service
+@@ -1,5 +1,5 @@
+ [Unit]
+-ConditionPathExists=!/tmp/nonexistent
++ConditionPathExists=/tmp/nonexistent
+
+ [Service]
+ ExecStart=true
+diff --git a/test/TEST-63-ISSUE-17433/testsuite.service b/test/TEST-63-ISSUE-17433/testsuite.service
+index d3ca5b002b..39f9643890 100644
+--- a/test/TEST-63-ISSUE-17433/testsuite.service
++++ b/test/TEST-63-ISSUE-17433/testsuite.service
+@@ -4,14 +4,27 @@ Description=TEST-63-ISSUE-17433
+ [Service]
+ ExecStartPre=rm -f /failed /testok
+ Type=oneshot
++
++# Test that a path unit continuously triggering a service that fails condition checks eventually fails with
++# the trigger-limit-hit error.
+ ExecStart=rm -f /tmp/nonexistent
+ ExecStart=systemctl start test63.path
+ ExecStart=touch /tmp/test63
+-# Make sure systemd has sufficient time to hit the start limit for test63.service.
++# Make sure systemd has sufficient time to hit the trigger limit for test63.path.
+ ExecStart=sleep 2
+-ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p ActiveState)" = failed'
+-ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p Result)" = start-limit-hit'
++ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p ActiveState)" = inactive'
++ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p Result)" = success'
+ # FIXME: The path remains active, which it should not
+ # ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p ActiveState)" = failed'
+-# ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p Result)" = unit-start-limit-hit'
++# ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p Result)" = trigger-limit-hit'
++
++# Test that starting the service manually doesn't affect the path unit.
++ExecStart=rm -f /tmp/test63
++ExecStart=systemctl reset-failed
++ExecStart=systemctl start test63.path
++ExecStart=systemctl start test63.service
++ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p ActiveState)" = inactive'
++ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p Result)" = success'
++ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p ActiveState)" = active'
++ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p Result)" = success'
+ ExecStart=sh -x -c 'echo OK >/testok'
diff --git a/SOURCES/0811-meson-add-syscall-names-update-target.patch b/SOURCES/0811-meson-add-syscall-names-update-target.patch
new file mode 100644
index 0000000..84961ed
--- /dev/null
+++ b/SOURCES/0811-meson-add-syscall-names-update-target.patch
@@ -0,0 +1,680 @@
+From f20ccc0d505eccd59bb3814f59a63ea036be5bd5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 18 Aug 2020 16:27:20 +0200
+Subject: [PATCH] meson: add syscall-names-update target
+
+The calls to find_program("tools/*") are moved earlier so they can be used
+in libshared/ (and it doesn't make sense to split them).
+
+(cherry picked from commit 47354b440e90626c320d8f142cb742ff569e3a40)
+
+Related: #2040247
+---
+ meson.build | 13 +-
+ src/shared/meson.build | 6 +
+ src/shared/syscall-names.text | 597 ++++++++++++++++++++++++++++++++++
+ tools/syscall-names-update.sh | 6 +
+ 4 files changed, 617 insertions(+), 5 deletions(-)
+ create mode 100644 src/shared/syscall-names.text
+ create mode 100755 tools/syscall-names-update.sh
+
+diff --git a/meson.build b/meson.build
+index 57de947367..6729a9ea5e 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1417,6 +1417,14 @@ install_libsystemd_static = static_library(
+
+ ############################################################
+
++hwdb_update_sh = find_program('tools/meson-hwdb-update.sh')
++make_directive_index_py = find_program('tools/make-directive-index.py')
++make_man_index_py = find_program('tools/make-man-index.py')
++syscall_names_update_sh = find_program('tools/syscall-names-update.sh')
++xml_helper_py = find_program('tools/xml_helper.py')
++
++############################################################
++
+ # binaries that have --help and are intended for use by humans,
+ # usually, but not always, installed in /bin.
+ public_programs = []
+@@ -2721,11 +2729,6 @@ run_target('fuzzers',
+
+ ############################################################
+
+-make_directive_index_py = find_program('tools/make-directive-index.py')
+-make_man_index_py = find_program('tools/make-man-index.py')
+-xml_helper_py = find_program('tools/xml_helper.py')
+-hwdb_update_sh = find_program('tools/meson-hwdb-update.sh')
+-
+ subdir('units')
+ subdir('sysctl.d')
+ subdir('sysusers.d')
+diff --git a/src/shared/meson.build b/src/shared/meson.build
+index d0a1bba4c6..c9dd0a3a4e 100644
+--- a/src/shared/meson.build
++++ b/src/shared/meson.build
+@@ -165,3 +165,9 @@ libshared = shared_library(
+ dependencies : libshared_deps,
+ install : true,
+ install_dir : rootlibexecdir)
++
++############################################################
++
++run_target(
++ 'syscall-names-update',
++ command : [syscall_names_update_sh, meson.current_source_dir()])
+diff --git a/src/shared/syscall-names.text b/src/shared/syscall-names.text
+new file mode 100644
+index 0000000000..40d18a8894
+--- /dev/null
++++ b/src/shared/syscall-names.text
+@@ -0,0 +1,597 @@
++_llseek
++_newselect
++_sysctl
++accept
++accept4
++access
++acct
++add_key
++adjtimex
++alarm
++arc_gettls
++arc_settls
++arc_usr_cmpxchg
++arch_prctl
++arm_fadvise64_64
++arm_sync_file_range
++atomic_barrier
++atomic_cmpxchg_32
++bdflush
++bfin_spinlock
++bind
++bpf
++brk
++cache_sync
++cachectl
++cacheflush
++capget
++capset
++chdir
++chmod
++chown
++chown32
++chroot
++clock_adjtime
++clock_adjtime64
++clock_getres
++clock_getres_time64
++clock_gettime
++clock_gettime64
++clock_nanosleep
++clock_nanosleep_time64
++clock_settime
++clock_settime64
++clone
++clone2
++clone3
++close
++close_range
++connect
++copy_file_range
++creat
++create_module
++delete_module
++dipc
++dup
++dup2
++dup3
++epoll_create
++epoll_create1
++epoll_ctl
++epoll_ctl_old
++epoll_pwait
++epoll_wait
++epoll_wait_old
++eventfd
++eventfd2
++exec_with_loader
++execv
++execve
++execveat
++exit
++exit_group
++faccessat
++faccessat2
++fadvise64
++fadvise64_64
++fallocate
++fanotify_init
++fanotify_mark
++fchdir
++fchmod
++fchmodat
++fchown
++fchown32
++fchownat
++fcntl
++fcntl64
++fdatasync
++fgetxattr
++finit_module
++flistxattr
++flock
++fork
++fp_udfiex_crtl
++fremovexattr
++fsconfig
++fsetxattr
++fsmount
++fsopen
++fspick
++fstat
++fstat64
++fstatat64
++fstatfs
++fstatfs64
++fsync
++ftruncate
++ftruncate64
++futex
++futex_time64
++futimesat
++get_kernel_syms
++get_mempolicy
++get_robust_list
++get_thread_area
++getcpu
++getcwd
++getdents
++getdents64
++getdomainname
++getdtablesize
++getegid
++getegid32
++geteuid
++geteuid32
++getgid
++getgid32
++getgroups
++getgroups32
++gethostname
++getitimer
++getpagesize
++getpeername
++getpgid
++getpgrp
++getpid
++getpmsg
++getppid
++getpriority
++getrandom
++getresgid
++getresgid32
++getresuid
++getresuid32
++getrlimit
++getrusage
++getsid
++getsockname
++getsockopt
++gettid
++gettimeofday
++getuid
++getuid32
++getunwind
++getxattr
++getxgid
++getxpid
++getxuid
++idle
++init_module
++inotify_add_watch
++inotify_init
++inotify_init1
++inotify_rm_watch
++io_cancel
++io_destroy
++io_getevents
++io_pgetevents
++io_pgetevents_time64
++io_setup
++io_submit
++io_uring_enter
++io_uring_register
++io_uring_setup
++ioctl
++ioperm
++iopl
++ioprio_get
++ioprio_set
++ipc
++kcmp
++kern_features
++kexec_file_load
++kexec_load
++keyctl
++kill
++lchown
++lchown32
++lgetxattr
++link
++linkat
++listen
++listxattr
++llistxattr
++lookup_dcookie
++lremovexattr
++lseek
++lsetxattr
++lstat
++lstat64
++madvise
++mbind
++membarrier
++memfd_create
++memory_ordering
++migrate_pages
++mincore
++mkdir
++mkdirat
++mknod
++mknodat
++mlock
++mlock2
++mlockall
++mmap
++mmap2
++modify_ldt
++mount
++move_mount
++move_pages
++mprotect
++mq_getsetattr
++mq_notify
++mq_open
++mq_timedreceive
++mq_timedreceive_time64
++mq_timedsend
++mq_timedsend_time64
++mq_unlink
++mremap
++msgctl
++msgget
++msgrcv
++msgsnd
++msync
++multiplexer
++munlock
++munlockall
++munmap
++name_to_handle_at
++nanosleep
++newfstatat
++nfsservctl
++ni_syscall
++nice
++old_adjtimex
++old_getpagesize
++oldfstat
++oldlstat
++oldolduname
++oldstat
++oldumount
++olduname
++open
++open_by_handle_at
++open_tree
++openat
++openat2
++or1k_atomic
++osf_adjtime
++osf_afs_syscall
++osf_alt_plock
++osf_alt_setsid
++osf_alt_sigpending
++osf_asynch_daemon
++osf_audcntl
++osf_audgen
++osf_chflags
++osf_execve
++osf_exportfs
++osf_fchflags
++osf_fdatasync
++osf_fpathconf
++osf_fstat
++osf_fstatfs
++osf_fstatfs64
++osf_fuser
++osf_getaddressconf
++osf_getdirentries
++osf_getdomainname
++osf_getfh
++osf_getfsstat
++osf_gethostid
++osf_getitimer
++osf_getlogin
++osf_getmnt
++osf_getrusage
++osf_getsysinfo
++osf_gettimeofday
++osf_kloadcall
++osf_kmodcall
++osf_lstat
++osf_memcntl
++osf_mincore
++osf_mount
++osf_mremap
++osf_msfs_syscall
++osf_msleep
++osf_mvalid
++osf_mwakeup
++osf_naccept
++osf_nfssvc
++osf_ngetpeername
++osf_ngetsockname
++osf_nrecvfrom
++osf_nrecvmsg
++osf_nsendmsg
++osf_ntp_adjtime
++osf_ntp_gettime
++osf_old_creat
++osf_old_fstat
++osf_old_getpgrp
++osf_old_killpg
++osf_old_lstat
++osf_old_open
++osf_old_sigaction
++osf_old_sigblock
++osf_old_sigreturn
++osf_old_sigsetmask
++osf_old_sigvec
++osf_old_stat
++osf_old_vadvise
++osf_old_vtrace
++osf_old_wait
++osf_oldquota
++osf_pathconf
++osf_pid_block
++osf_pid_unblock
++osf_plock
++osf_priocntlset
++osf_profil
++osf_proplist_syscall
++osf_reboot
++osf_revoke
++osf_sbrk
++osf_security
++osf_select
++osf_set_program_attributes
++osf_set_speculative
++osf_sethostid
++osf_setitimer
++osf_setlogin
++osf_setsysinfo
++osf_settimeofday
++osf_shmat
++osf_signal
++osf_sigprocmask
++osf_sigsendset
++osf_sigstack
++osf_sigwaitprim
++osf_sstk
++osf_stat
++osf_statfs
++osf_statfs64
++osf_subsys_info
++osf_swapctl
++osf_swapon
++osf_syscall
++osf_sysinfo
++osf_table
++osf_uadmin
++osf_usleep_thread
++osf_uswitch
++osf_utc_adjtime
++osf_utc_gettime
++osf_utimes
++osf_utsname
++osf_wait4
++osf_waitid
++pause
++pciconfig_iobase
++pciconfig_read
++pciconfig_write
++perf_event_open
++perfctr
++perfmonctl
++personality
++pidfd_getfd
++pidfd_open
++pidfd_send_signal
++pipe
++pipe2
++pivot_root
++pkey_alloc
++pkey_free
++pkey_mprotect
++poll
++ppoll
++ppoll_time64
++prctl
++pread64
++preadv
++preadv2
++prlimit64
++process_vm_readv
++process_vm_writev
++pselect6
++pselect6_time64
++ptrace
++pwrite64
++pwritev
++pwritev2
++query_module
++quotactl
++read
++readahead
++readdir
++readlink
++readlinkat
++readv
++reboot
++recv
++recvfrom
++recvmmsg
++recvmmsg_time64
++recvmsg
++remap_file_pages
++removexattr
++rename
++renameat
++renameat2
++request_key
++restart_syscall
++riscv_flush_icache
++rmdir
++rseq
++rt_sigaction
++rt_sigpending
++rt_sigprocmask
++rt_sigqueueinfo
++rt_sigreturn
++rt_sigsuspend
++rt_sigtimedwait
++rt_sigtimedwait_time64
++rt_tgsigqueueinfo
++rtas
++s390_guarded_storage
++s390_pci_mmio_read
++s390_pci_mmio_write
++s390_runtime_instr
++s390_sthyi
++sched_get_affinity
++sched_get_priority_max
++sched_get_priority_min
++sched_getaffinity
++sched_getattr
++sched_getparam
++sched_getscheduler
++sched_rr_get_interval
++sched_rr_get_interval_time64
++sched_set_affinity
++sched_setaffinity
++sched_setattr
++sched_setparam
++sched_setscheduler
++sched_yield
++seccomp
++select
++semctl
++semget
++semop
++semtimedop
++semtimedop_time64
++send
++sendfile
++sendfile64
++sendmmsg
++sendmsg
++sendto
++set_mempolicy
++set_robust_list
++set_thread_area
++set_tid_address
++setdomainname
++setfsgid
++setfsgid32
++setfsuid
++setfsuid32
++setgid
++setgid32
++setgroups
++setgroups32
++sethae
++sethostname
++setitimer
++setns
++setpgid
++setpgrp
++setpriority
++setregid
++setregid32
++setresgid
++setresgid32
++setresuid
++setresuid32
++setreuid
++setreuid32
++setrlimit
++setsid
++setsockopt
++settimeofday
++setuid
++setuid32
++setxattr
++sgetmask
++shmat
++shmctl
++shmdt
++shmget
++shutdown
++sigaction
++sigaltstack
++signal
++signalfd
++signalfd4
++sigpending
++sigprocmask
++sigreturn
++sigsuspend
++socket
++socketcall
++socketpair
++splice
++spu_create
++spu_run
++ssetmask
++stat
++stat64
++statfs
++statfs64
++statx
++stime
++subpage_prot
++swapcontext
++swapoff
++swapon
++switch_endian
++symlink
++symlinkat
++sync
++sync_file_range
++sync_file_range2
++syncfs
++sys_debug_setcontext
++syscall
++sysfs
++sysinfo
++syslog
++sysmips
++tee
++tgkill
++time
++timer_create
++timer_delete
++timer_getoverrun
++timer_gettime
++timer_gettime64
++timer_settime
++timer_settime64
++timerfd
++timerfd_create
++timerfd_gettime
++timerfd_gettime64
++timerfd_settime
++timerfd_settime64
++times
++tkill
++truncate
++truncate64
++udftrap
++ugetrlimit
++umask
++umount
++umount2
++uname
++unlink
++unlinkat
++unshare
++uselib
++userfaultfd
++ustat
++utime
++utimensat
++utimensat_time64
++utimes
++utimesat
++utrap_install
++vfork
++vhangup
++vm86
++vm86old
++vmsplice
++wait4
++waitid
++waitpid
++write
++writev
+diff --git a/tools/syscall-names-update.sh b/tools/syscall-names-update.sh
+new file mode 100755
+index 0000000000..c884b93cda
+--- /dev/null
++++ b/tools/syscall-names-update.sh
+@@ -0,0 +1,6 @@
++#!/bin/sh
++set -eu
++
++cd "$1"
++
++curl -L -o syscall-names.text 'https://raw.githubusercontent.com/hrw/syscalls-table/master/syscall-names.text'
diff --git a/SOURCES/0812-syscall-names-add-process_madvise-which-is-planned-f.patch b/SOURCES/0812-syscall-names-add-process_madvise-which-is-planned-f.patch
new file mode 100644
index 0000000..4bd00ec
--- /dev/null
+++ b/SOURCES/0812-syscall-names-add-process_madvise-which-is-planned-f.patch
@@ -0,0 +1,27 @@
+From bcc0f8bfbc0ea220895c1d3a8bf2d3124ddcef16 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sun, 25 Oct 2020 13:54:20 +0100
+Subject: [PATCH] syscall-names: add process_madvise which is planned for 5.10
+
+It was added in v5.9-11793-gecb8ac8b1f and is still present in v5.10-rc1, so it
+seems likely that it'll be in 5.10 too.
+
+(cherry picked from commit 397cca2453465d4ad5a51b16ad71acf45a3de352)
+
+Related: #2040247
+---
+ src/shared/syscall-names.text | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/shared/syscall-names.text b/src/shared/syscall-names.text
+index 40d18a8894..f1b7e29d50 100644
+--- a/src/shared/syscall-names.text
++++ b/src/shared/syscall-names.text
+@@ -392,6 +392,7 @@ pread64
+ preadv
+ preadv2
+ prlimit64
++process_madvise
+ process_vm_readv
+ process_vm_writev
+ pselect6
diff --git a/SOURCES/0813-shared-add-known-syscall-list.patch b/SOURCES/0813-shared-add-known-syscall-list.patch
new file mode 100644
index 0000000..eb4f2f4
--- /dev/null
+++ b/SOURCES/0813-shared-add-known-syscall-list.patch
@@ -0,0 +1,157 @@
+From f3c6abebbe4718085fcf17ed3ab0690e379fbb7e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 19 Aug 2020 17:43:23 +0200
+Subject: [PATCH] shared: add @known syscall list
+
+(cherry picked from commit 95aac01259db689dac7d8e5bfafb60e8c70cd734)
+
+Related: #2040247
+---
+ man/systemd.exec.xml | 4 ++++
+ src/shared/generate-syscall-list.py | 5 +++++
+ src/shared/meson.build | 11 +++++++++++
+ src/shared/seccomp-util.c | 6 ++++++
+ src/shared/seccomp-util.h | 3 ++-
+ src/test/test-seccomp.c | 19 ++++++++++++-------
+ 6 files changed, 40 insertions(+), 8 deletions(-)
+ create mode 100755 src/shared/generate-syscall-list.py
+
+diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
+index dc88cf9781..b04b4ba552 100644
+--- a/man/systemd.exec.xml
++++ b/man/systemd.exec.xml
+@@ -1556,6 +1556,10 @@ RestrictNamespaces=~cgroup net</programlisting>
+ <entry>@timer</entry>
+ <entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
+ </row>
++ <row>
++ <entry>@known</entry>
++ <entry>All system calls defined by the kernel. This list is defined statically in systemd based on a kernel version that was available when this systmed version was released. It will become progressively more out-of-date as the kernel is updated.</entry>
++ </row>
+ </tbody>
+ </tgroup>
+ </table>
+diff --git a/src/shared/generate-syscall-list.py b/src/shared/generate-syscall-list.py
+new file mode 100755
+index 0000000000..13a6ae9241
+--- /dev/null
++++ b/src/shared/generate-syscall-list.py
+@@ -0,0 +1,5 @@
++#!/usr/bin/env python
++import sys
++
++for line in open(sys.argv[1]):
++ print('"{}\\0"'.format(line.strip()))
+diff --git a/src/shared/meson.build b/src/shared/meson.build
+index c9dd0a3a4e..fed08571d1 100644
+--- a/src/shared/meson.build
++++ b/src/shared/meson.build
+@@ -109,6 +109,16 @@ shared_sources = files('''
+ test_tables_h = files('test-tables.h')
+ shared_sources += [test_tables_h]
+
++generate_syscall_list = find_program('generate-syscall-list.py')
++fname = 'syscall-list.h'
++syscall_list_h = custom_target(
++ fname,
++ input : 'syscall-names.text',
++ output : fname,
++ command : [generate_syscall_list,
++ '@INPUT@'],
++ capture : true)
++
+ if conf.get('HAVE_ACL') == 1
+ shared_sources += files('acl-util.c')
+ endif
+@@ -119,6 +129,7 @@ endif
+
+ if conf.get('HAVE_SECCOMP') == 1
+ shared_sources += files('seccomp-util.c')
++ shared_sources += syscall_list_h
+ endif
+
+ if conf.get('HAVE_LIBIPTC') == 1
+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
+index c57c409433..c2b2f2da92 100644
+--- a/src/shared/seccomp-util.c
++++ b/src/shared/seccomp-util.c
+@@ -855,6 +855,12 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
+ "timerfd_settime\0"
+ "times\0"
+ },
++ [SYSCALL_FILTER_SET_KNOWN] = {
++ .name = "@known",
++ .help = "All known syscalls declared in the kernel",
++ .value =
++#include "syscall-list.h"
++ },
+ };
+
+ const SyscallFilterSet *syscall_filter_set_find(const char *name) {
+diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
+index 602f092255..541ba1e067 100644
+--- a/src/shared/seccomp-util.h
++++ b/src/shared/seccomp-util.h
+@@ -21,7 +21,7 @@ typedef struct SyscallFilterSet {
+ } SyscallFilterSet;
+
+ enum {
+- /* Please leave DEFAULT first, but sort the rest alphabetically */
++ /* Please leave DEFAULT first and KNOWN last, but sort the rest alphabetically */
+ SYSCALL_FILTER_SET_DEFAULT,
+ SYSCALL_FILTER_SET_AIO,
+ SYSCALL_FILTER_SET_BASIC_IO,
+@@ -49,6 +49,7 @@ enum {
+ SYSCALL_FILTER_SET_SYNC,
+ SYSCALL_FILTER_SET_SYSTEM_SERVICE,
+ SYSCALL_FILTER_SET_TIMER,
++ SYSCALL_FILTER_SET_KNOWN,
+ _SYSCALL_FILTER_SET_MAX
+ };
+
+diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
+index 6ec04c4c55..286f01b5ce 100644
+--- a/src/test/test-seccomp.c
++++ b/src/test/test-seccomp.c
+@@ -106,8 +106,10 @@ static void test_filter_sets(void) {
+ if (pid == 0) { /* Child? */
+ int fd;
+
+- /* If we look at the default set (or one that includes it), whitelist instead of blacklist */
+- if (IN_SET(i, SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_SYSTEM_SERVICE))
++ /* If we look at the default set (or one that includes it), allow-list instead of deny-list */
++ if (IN_SET(i, SYSCALL_FILTER_SET_DEFAULT,
++ SYSCALL_FILTER_SET_SYSTEM_SERVICE,
++ SYSCALL_FILTER_SET_KNOWN))
+ r = seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN), syscall_filter_sets + i, SCMP_ACT_ALLOW, true);
+ else
+ r = seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EUCLEAN), true);
+@@ -639,20 +641,23 @@ static void test_lock_personality(void) {
+ }
+
+ static void test_filter_sets_ordered(void) {
+- size_t i;
+-
+ /* Ensure "@default" always remains at the beginning of the list */
+ assert_se(SYSCALL_FILTER_SET_DEFAULT == 0);
+ assert_se(streq(syscall_filter_sets[0].name, "@default"));
+
+- for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
++ /* Ensure "@known" always remains at the end of the list */
++ assert_se(SYSCALL_FILTER_SET_KNOWN == _SYSCALL_FILTER_SET_MAX - 1);
++ assert_se(streq(syscall_filter_sets[SYSCALL_FILTER_SET_KNOWN].name, "@known"));
++
++ for (size_t i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
+ const char *k, *p = NULL;
+
+ /* Make sure each group has a description */
+ assert_se(!isempty(syscall_filter_sets[0].help));
+
+- /* Make sure the groups are ordered alphabetically, except for the first entry */
+- assert_se(i < 2 || strcmp(syscall_filter_sets[i-1].name, syscall_filter_sets[i].name) < 0);
++ /* Make sure the groups are ordered alphabetically, except for the first and last entries */
++ assert_se(i < 2 || i == _SYSCALL_FILTER_SET_MAX - 1 ||
++ strcmp(syscall_filter_sets[i-1].name, syscall_filter_sets[i].name) < 0);
+
+ NULSTR_FOREACH(k, syscall_filter_sets[i].value) {
+
diff --git a/SOURCES/0814-generate-syscall-list-require-python3.patch b/SOURCES/0814-generate-syscall-list-require-python3.patch
new file mode 100644
index 0000000..20891a6
--- /dev/null
+++ b/SOURCES/0814-generate-syscall-list-require-python3.patch
@@ -0,0 +1,24 @@
+From da722bc383c359b77fab671a0e7872fe4c0232ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sat, 22 Aug 2020 16:07:05 +0200
+Subject: [PATCH] generate-syscall-list: require python3
+
+Python3.4 works, but 2.7 returns a tuple from os.uname().
+
+(cherry picked from commit 8694114b809f92f6a882134f3635aa42bfb41e11)
+
+Related: #2040247
+---
+ src/shared/generate-syscall-list.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/generate-syscall-list.py b/src/shared/generate-syscall-list.py
+index 13a6ae9241..0b90d2d276 100755
+--- a/src/shared/generate-syscall-list.py
++++ b/src/shared/generate-syscall-list.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ import sys
+
+ for line in open(sys.argv[1]):
diff --git a/SOURCES/0815-shared-seccomp-reduce-scope-of-indexing-variables.patch b/SOURCES/0815-shared-seccomp-reduce-scope-of-indexing-variables.patch
new file mode 100644
index 0000000..afd8d57
--- /dev/null
+++ b/SOURCES/0815-shared-seccomp-reduce-scope-of-indexing-variables.patch
@@ -0,0 +1,82 @@
+From 64705366e134f06438e88f0b7fbef341d0a01431 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 19 Aug 2020 17:43:40 +0200
+Subject: [PATCH] shared/seccomp: reduce scope of indexing variables
+
+(cherry picked from commit 077e8fc0cad5a4532348d20a1eef8621295dd75a)
+
+Related: #2040247
+---
+ src/shared/seccomp-util.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
+index c2b2f2da92..4d2ba31d47 100644
+--- a/src/shared/seccomp-util.c
++++ b/src/shared/seccomp-util.c
+@@ -864,12 +864,10 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
+ };
+
+ const SyscallFilterSet *syscall_filter_set_find(const char *name) {
+- unsigned i;
+-
+ if (isempty(name) || name[0] != '@')
+ return NULL;
+
+- for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++)
++ for (unsigned i = 0; i < _SYSCALL_FILTER_SET_MAX; i++)
+ if (streq(syscall_filter_sets[i].name, name))
+ return syscall_filter_sets + i;
+
+@@ -1105,7 +1103,6 @@ int seccomp_restrict_namespaces(unsigned long retain) {
+
+ SECCOMP_FOREACH_LOCAL_ARCH(arch) {
+ _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
+- unsigned i;
+
+ log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
+
+@@ -1135,7 +1132,7 @@ int seccomp_restrict_namespaces(unsigned long retain) {
+ continue;
+ }
+
+- for (i = 0; namespace_flag_map[i].name; i++) {
++ for (unsigned i = 0; namespace_flag_map[i].name; i++) {
+ unsigned long f;
+
+ f = namespace_flag_map[i].flag;
+@@ -1288,7 +1285,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
+ return r;
+
+ if (whitelist) {
+- int af, first = 0, last = 0;
++ int first = 0, last = 0;
+ void *afp;
+
+ /* If this is a whitelist, we first block the address families that are out of range and then
+@@ -1296,7 +1293,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
+ * the set. */
+
+ SET_FOREACH(afp, address_families, i) {
+- af = PTR_TO_INT(afp);
++ int af = PTR_TO_INT(afp);
+
+ if (af <= 0 || af >= af_max())
+ continue;
+@@ -1350,7 +1347,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
+ }
+
+ /* Block everything between the first and last entry */
+- for (af = 1; af < af_max(); af++) {
++ for (int af = 1; af < af_max(); af++) {
+
+ if (set_contains(address_families, INT_TO_PTR(af)))
+ continue;
+@@ -1378,7 +1375,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
+ * checks. */
+
+ SET_FOREACH(af, address_families, i) {
+-
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(EAFNOSUPPORT),
diff --git a/SOURCES/0816-shared-syscall-list-filter-out-some-obviously-platfo.patch b/SOURCES/0816-shared-syscall-list-filter-out-some-obviously-platfo.patch
new file mode 100644
index 0000000..e061a38
--- /dev/null
+++ b/SOURCES/0816-shared-syscall-list-filter-out-some-obviously-platfo.patch
@@ -0,0 +1,32 @@
+From 2e33a4ffdd54de1f88c3cd37ca5ace94a637b1dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 19 Aug 2020 17:46:30 +0200
+Subject: [PATCH] shared/syscall-list: filter out some obviously
+ platform-specific syscalls
+
+(cherry picked from commit 752fedbea7c02c82287c7ff2a4139f528b3f7ba8)
+
+Related: #2040247
+---
+ src/shared/generate-syscall-list.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/shared/generate-syscall-list.py b/src/shared/generate-syscall-list.py
+index 0b90d2d276..030c3feec4 100755
+--- a/src/shared/generate-syscall-list.py
++++ b/src/shared/generate-syscall-list.py
+@@ -1,5 +1,14 @@
+ #!/usr/bin/env python3
+ import sys
++import os
++
++s390 = 's390' in os.uname().machine
++arm = 'arm' in os.uname().machine
+
+ for line in open(sys.argv[1]):
++ if line.startswith('s390_') and not s390:
++ continue
++ if line.startswith('arm_') and not arm:
++ continue
++
+ print('"{}\\0"'.format(line.strip()))
diff --git a/SOURCES/0817-seccomp-tighten-checking-of-seccomp-filter-creation.patch b/SOURCES/0817-seccomp-tighten-checking-of-seccomp-filter-creation.patch
new file mode 100644
index 0000000..8e297c6
--- /dev/null
+++ b/SOURCES/0817-seccomp-tighten-checking-of-seccomp-filter-creation.patch
@@ -0,0 +1,123 @@
+From 42ed3377b5817f2c1f84e1bdca301ea51ecc3299 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 20 Sep 2018 14:19:41 +0200
+Subject: [PATCH] seccomp: tighten checking of seccomp filter creation
+
+In seccomp code, the code is changed to propagate errors which are about
+anything other than unknown/unimplemented syscalls. I *think* such errors
+should not happen in normal usage, but so far we would summarilly ignore all
+errors, so that part is uncertain. If it turns out that other errors occur and
+should be ignored, this should be added later.
+
+In nspawn, we would count the number of added filters, but didn't use this for
+anything. Drop that part.
+
+The comments suggested that seccomp_add_syscall_filter_item() returned negative
+if the syscall is unknown, but this wasn't true: it returns 0.
+
+The error at this point can only be if the syscall was known but couldn't be
+added. If the error comes from our internal whitelist in nspawn, treat this as
+error, because it means that our internal table is wrong. If the error comes
+from user arguments, warn and ignore. (If some syscall is not known at current
+architecture, it is still silently ignored.)
+
+(cherry picked from commit 7e86bd73a47f2b8dd3d9a743e69fb0117f450ad8)
+
+Related: #2040247
+---
+ src/nspawn/nspawn-seccomp.c | 14 +++++---------
+ src/shared/seccomp-util.c | 26 ++++++++++++++++----------
+ 2 files changed, 21 insertions(+), 19 deletions(-)
+
+diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
+index fba22644da..17abfcec26 100644
+--- a/src/nspawn/nspawn-seccomp.c
++++ b/src/nspawn/nspawn-seccomp.c
+@@ -140,7 +140,7 @@ static int seccomp_add_default_syscall_filter(
+ */
+ };
+
+- int r, c = 0;
++ int r;
+ size_t i;
+ char **p;
+
+@@ -150,21 +150,17 @@ static int seccomp_add_default_syscall_filter(
+
+ r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist, false);
+ if (r < 0)
+- /* If the system call is not known on this architecture, then that's fine, let's ignore it */
+- log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", whitelist[i].name, seccomp_arch_to_string(arch));
+- else
+- c++;
++ return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name);
+ }
+
+ STRV_FOREACH(p, syscall_whitelist) {
+ r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false);
+ if (r < 0)
+- log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", *p, seccomp_arch_to_string(arch));
+- else
+- c++;
++ log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
++ *p, seccomp_arch_to_string(arch));
+ }
+
+- return c;
++ return 0;
+ }
+
+ int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) {
+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
+index 4d2ba31d47..710a734715 100644
+--- a/src/shared/seccomp-util.c
++++ b/src/shared/seccomp-util.c
+@@ -907,9 +907,13 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
+ r = seccomp_rule_add_exact(seccomp, action, id, 0);
+ if (r < 0) {
+ /* If the system call is not known on this architecture, then that's fine, let's ignore it */
+- if (log_missing)
+- log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m",
+- name, id);
++ bool ignore = r == -EDOM;
++
++ if (!ignore || log_missing)
++ log_debug_errno(r, "Failed to add rule for system call %s() / %d%s: %m",
++ name, id, ignore ? ", ignoring" : "");
++ if (!ignore)
++ return r;
+ }
+
+ return 0;
+@@ -957,10 +961,8 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
+ return r;
+
+ r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL, log_missing);
+- if (r < 0) {
+- log_debug_errno(r, "Failed to add filter set, ignoring: %m");
+- continue;
+- }
++ if (r < 0)
++ return log_debug_errno(r, "Failed to add filter set: %m");
+
+ r = seccomp_load(seccomp);
+ if (IN_SET(r, -EPERM, -EACCES))
+@@ -1005,11 +1007,15 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u
+ if (r < 0) {
+ /* If the system call is not known on this architecture, then that's fine, let's ignore it */
+ _cleanup_free_ char *n = NULL;
++ bool ignore;
+
+ n = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, id);
+- if (log_missing)
+- log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m",
+- strna(n), id);
++ ignore = r == -EDOM;
++ if (!ignore || log_missing)
++ log_debug_errno(r, "Failed to add rule for system call %s() / %d%s: %m",
++ strna(n), id, ignore ? ", ignoring" : "");
++ if (!ignore)
++ return r;
+ }
+ }
+
diff --git a/SOURCES/0818-shared-seccomp-util-added-functionality-to-make-list.patch b/SOURCES/0818-shared-seccomp-util-added-functionality-to-make-list.patch
new file mode 100644
index 0000000..6dcde52
--- /dev/null
+++ b/SOURCES/0818-shared-seccomp-util-added-functionality-to-make-list.patch
@@ -0,0 +1,156 @@
+From eaad892c513806801e3d2055788fa202372b3f15 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Fri, 21 Aug 2020 17:21:04 +0200
+Subject: [PATCH] shared/seccomp-util: added functionality to make list of
+ filtred syscalls
+
+While at it, start removing the "seccomp_" prefix from our
+own functions. It is used by libseccomp.
+
+(cherry picked from commit 000c05207d68658b76af9e1caf9aa3a4e3fa697b)
+
+Related: #2040247
+---
+ src/nspawn/nspawn-seccomp.c | 9 +++++++--
+ src/shared/seccomp-util.c | 39 ++++++++++++++++++++++++++++++-------
+ src/shared/seccomp-util.h | 8 +++++++-
+ 3 files changed, 46 insertions(+), 10 deletions(-)
+
+diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
+index 17abfcec26..2b4a65e875 100644
+--- a/src/nspawn/nspawn-seccomp.c
++++ b/src/nspawn/nspawn-seccomp.c
+@@ -148,13 +148,18 @@ static int seccomp_add_default_syscall_filter(
+ if (whitelist[i].capability != 0 && (cap_list_retain & (1ULL << whitelist[i].capability)) == 0)
+ continue;
+
+- r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist, false);
++ r = seccomp_add_syscall_filter_item(ctx,
++ whitelist[i].name,
++ SCMP_ACT_ALLOW,
++ syscall_blacklist,
++ false,
++ NULL);
+ if (r < 0)
+ return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name);
+ }
+
+ STRV_FOREACH(p, syscall_whitelist) {
+- r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false);
++ r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false, NULL);
+ if (r < 0)
+ log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
+ *p, seccomp_arch_to_string(arch));
+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
+index 710a734715..56075d92e0 100644
+--- a/src/shared/seccomp-util.c
++++ b/src/shared/seccomp-util.c
+@@ -874,15 +874,31 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name) {
+ return NULL;
+ }
+
+-static int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action, char **exclude, bool log_missing);
++static int add_syscall_filter_set(
++ scmp_filter_ctx seccomp,
++ const SyscallFilterSet *set,
++ uint32_t action,
++ char **exclude,
++ bool log_missing,
++ char ***added);
++
++int seccomp_add_syscall_filter_item(
++ scmp_filter_ctx *seccomp,
++ const char *name,
++ uint32_t action,
++ char **exclude,
++ bool log_missing,
++ char ***added) {
+
+-int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, uint32_t action, char **exclude, bool log_missing) {
+ assert(seccomp);
+ assert(name);
+
+ if (strv_contains(exclude, name))
+ return 0;
+
++ /* Any syscalls that are handled are added to the *added strv. The pointer
++ * must be either NULL or point to a valid pre-initialized possibly-empty strv. */
++
+ if (name[0] == '@') {
+ const SyscallFilterSet *other;
+
+@@ -892,7 +908,7 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
+ return -EINVAL;
+ }
+
+- return seccomp_add_syscall_filter_set(seccomp, other, action, exclude, log_missing);
++ return add_syscall_filter_set(seccomp, other, action, exclude, log_missing, added);
+
+ } else {
+ int id, r;
+@@ -916,25 +932,34 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
+ return r;
+ }
+
++ if (added) {
++ r = strv_extend(added, name);
++ if (r < 0)
++ return r;
++ }
++
+ return 0;
+ }
+ }
+
+-static int seccomp_add_syscall_filter_set(
++static int add_syscall_filter_set(
+ scmp_filter_ctx seccomp,
+ const SyscallFilterSet *set,
+ uint32_t action,
+ char **exclude,
+- bool log_missing) {
++ bool log_missing,
++ char ***added) {
+
+ const char *sys;
+ int r;
+
++ /* Any syscalls that are handled are added to the *added strv. It needs to be initialized. */
++
+ assert(seccomp);
+ assert(set);
+
+ NULSTR_FOREACH(sys, set->value) {
+- r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing);
++ r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing, added);
+ if (r < 0)
+ return r;
+ }
+@@ -960,7 +985,7 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
+ if (r < 0)
+ return r;
+
+- r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL, log_missing);
++ r = add_syscall_filter_set(seccomp, set, action, NULL, log_missing, NULL);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to add filter set: %m");
+
+diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
+index 541ba1e067..291b2bffe0 100644
+--- a/src/shared/seccomp-util.h
++++ b/src/shared/seccomp-util.h
+@@ -59,7 +59,13 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name);
+
+ int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);
+
+-int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint32_t action, char **exclude, bool log_missing);
++int seccomp_add_syscall_filter_item(
++ scmp_filter_ctx *ctx,
++ const char *name,
++ uint32_t action,
++ char **exclude,
++ bool log_missing,
++ char ***added);
+
+ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing);
+ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing);
diff --git a/SOURCES/0819-nspawn-return-ENOSYS-by-default-EPERM-for-known-call.patch b/SOURCES/0819-nspawn-return-ENOSYS-by-default-EPERM-for-known-call.patch
new file mode 100644
index 0000000..7b29f41
--- /dev/null
+++ b/SOURCES/0819-nspawn-return-ENOSYS-by-default-EPERM-for-known-call.patch
@@ -0,0 +1,77 @@
+From 65d64ba146c30a5f205b650381f331fd8db2eb22 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Fri, 21 Aug 2020 17:23:48 +0200
+Subject: [PATCH] nspawn: return ENOSYS by default, EPERM for "known" calls
+
+(cherry picked from commit 3573e032f26724949e86626eace058d006b8bf70)
+
+Resolves: #2040247
+---
+ src/nspawn/nspawn-seccomp.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
+index 2b4a65e875..563cda140e 100644
+--- a/src/nspawn/nspawn-seccomp.c
++++ b/src/nspawn/nspawn-seccomp.c
+@@ -20,7 +20,7 @@
+
+ #if HAVE_SECCOMP
+
+-static int seccomp_add_default_syscall_filter(
++static int add_syscall_filters(
+ scmp_filter_ctx ctx,
+ uint32_t arch,
+ uint64_t cap_list_retain,
+@@ -140,6 +140,7 @@ static int seccomp_add_default_syscall_filter(
+ */
+ };
+
++ _cleanup_strv_free_ char **added = NULL;
+ int r;
+ size_t i;
+ char **p;
+@@ -153,18 +154,25 @@ static int seccomp_add_default_syscall_filter(
+ SCMP_ACT_ALLOW,
+ syscall_blacklist,
+ false,
+- NULL);
++ &added);
+ if (r < 0)
+ return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name);
+ }
+
+ STRV_FOREACH(p, syscall_whitelist) {
+- r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false, NULL);
++ r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, true, &added);
+ if (r < 0)
+ log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
+ *p, seccomp_arch_to_string(arch));
+ }
+
++ /* The default action is ENOSYS. Respond with EPERM to all other "known" but not allow-listed
++ * syscalls. */
++ r = seccomp_add_syscall_filter_item(ctx, "@known", SCMP_ACT_ERRNO(EPERM), added, true, NULL);
++ if (r < 0)
++ log_warning_errno(r, "Failed to add rule for @known set on %s, ignoring: %m",
++ seccomp_arch_to_string(arch));
++
+ return 0;
+ }
+
+@@ -182,11 +190,13 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **sys
+
+ log_debug("Applying whitelist on architecture: %s", seccomp_arch_to_string(arch));
+
+- r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(EPERM));
++ /* We install ENOSYS as the default action, but it will only apply to syscalls which are not
++ * in the @known set, see above. */
++ r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(ENOSYS));
+ if (r < 0)
+ return log_error_errno(r, "Failed to allocate seccomp object: %m");
+
+- r = seccomp_add_default_syscall_filter(seccomp, arch, cap_list_retain, syscall_whitelist, syscall_blacklist);
++ r = add_syscall_filters(seccomp, arch, cap_list_retain, syscall_whitelist, syscall_blacklist);
+ if (r < 0)
+ return r;
+
diff --git a/SOURCES/0820-test-procfs-util-skip-test-on-certain-errors.patch b/SOURCES/0820-test-procfs-util-skip-test-on-certain-errors.patch
new file mode 100644
index 0000000..55ece1d
--- /dev/null
+++ b/SOURCES/0820-test-procfs-util-skip-test-on-certain-errors.patch
@@ -0,0 +1,75 @@
+From 33305c6801c10b741b11a3f329dc339d2e8c5514 Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn <lnykryn@redhat.com>
+Date: Thu, 18 Aug 2022 16:35:23 +0200
+Subject: [PATCH] test-procfs-util: skip test on certain errors
+
+Inspired by upstream bf47f71c1c
+
+RHEL-only
+Related: #2087152
+---
+ src/shared/tests.c | 12 ++++++++++++
+ src/shared/tests.h | 2 ++
+ src/test/test-procfs-util.c | 6 ++++--
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/tests.c b/src/shared/tests.c
+index 1da80d653f..b1c71b992f 100644
+--- a/src/shared/tests.c
++++ b/src/shared/tests.c
+@@ -78,6 +78,18 @@ void test_setup_logging(int level) {
+ log_open();
+ }
+
++int log_tests_skipped(const char *message) {
++ log_notice("%s: %s, skipping tests.",
++ program_invocation_short_name, message);
++ return EXIT_TEST_SKIP;
++}
++
++int log_tests_skipped_errno(int r, const char *message) {
++ log_notice_errno(r, "%s: %s, skipping tests: %m",
++ program_invocation_short_name, message);
++ return EXIT_TEST_SKIP;
++}
++
+ const char *ci_environment(void) {
+ /* We return a string because we might want to provide multiple bits of information later on: not
+ * just the general CI environment type, but also whether we're sanitizing or not, etc. The caller is
+diff --git a/src/shared/tests.h b/src/shared/tests.h
+index 4f8f349097..d50711338c 100644
+--- a/src/shared/tests.h
++++ b/src/shared/tests.h
+@@ -5,6 +5,8 @@ char* setup_fake_runtime_dir(void);
+ bool test_is_running_from_builddir(char **exedir);
+ const char* get_testdata_dir(void);
+ void test_setup_logging(int level);
++int log_tests_skipped(const char *message);
++int log_tests_skipped_errno(int r, const char *message);
+
+ /* Provide a convenient way to check if we're running in CI. */
+ const char *ci_environment(void);
+diff --git a/src/test/test-procfs-util.c b/src/test/test-procfs-util.c
+index d656c4df4f..aba5692e54 100644
+--- a/src/test/test-procfs-util.c
++++ b/src/test/test-procfs-util.c
+@@ -7,6 +7,7 @@
+ #include "procfs-util.h"
+ #include "process-util.h"
+ #include "util.h"
++#include "tests.h"
+
+ int main(int argc, char *argv[]) {
+ char buf[CONST_MAX(FORMAT_TIMESPAN_MAX, FORMAT_BYTES_MAX)];
+@@ -52,8 +53,9 @@ int main(int argc, char *argv[]) {
+ log_info("Reducing limit by one to %"PRIu64"…", v-1);
+
+ r = procfs_tasks_set_limit(v-1);
+- log_info_errno(r, "procfs_tasks_set_limit: %m");
+- assert_se(r >= 0 || ERRNO_IS_PRIVILEGE(r) || r == -EROFS);
++ if (IN_SET(r, -ENOENT, -EROFS) || ERRNO_IS_PRIVILEGE(r))
++ return log_tests_skipped_errno(r, "can't set tasks limit");
++ assert_se(r >= 0);
+
+ assert_se(procfs_get_threads_max(&w) >= 0);
+ assert_se(r >= 0 ? w == v - 1 : w == v);
diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec
index 61646ee..a3255fa 100644
--- a/SPECS/systemd.spec
+++ b/SPECS/systemd.spec
@@ -13,7 +13,7 @@
Name: systemd
Url: http://www.freedesktop.org/wiki/Software/systemd
Version: 239
-Release: 62%{?dist}
+Release: 65%{?dist}
# For a breakdown of the licensing, see README
License: LGPLv2+ and MIT and GPLv2+
Summary: System and Service Manager
@@ -841,7 +841,35 @@ Patch0788: 0788-test-replace-swear-words-by-hoge.patch
Patch0789: 0789-core-add-new-environment-variable-RUNTIME_DIRECTORY-.patch
Patch0790: 0790-test-execute-add-tests-for-RUNTIME_DIRECTORY-or-frie.patch
Patch0791: 0791-man-document-RUNTIME_DIRECTORY-or-friends.patch
-
+Patch0792: 0792-ci-bump-the-worker-Ubuntu-version-to-Jammy.patch
+Patch0793: 0793-test-make-test-execute-pass-on-Linux-5.15.patch
+Patch0794: 0794-ci-install-iputils.patch
+Patch0795: 0795-ci-Mergify-Add-ci-waived-logic.patch
+Patch0796: 0796-sd-event-don-t-invalidate-source-type-on-disconnect.patch
+Patch0797: 0797-tests-make-sure-we-delay-running-mount-start-jobs-wh.patch
+Patch0798: 0798-core-drop-references-to-StandardOutputFileToCreate.patch
+Patch0799: 0799-dbus-execute-fix-indentation.patch
+Patch0800: 0800-dbus-execute-generate-the-correct-transient-unit-set.patch
+Patch0801: 0801-bus-unit-util-properly-accept-StandardOutput-append-.patch
+Patch0802: 0802-core-be-more-careful-when-inheriting-stdout-fds-to-s.patch
+Patch0803: 0803-test-add-a-test-for-StandardError-file.patch
+Patch0804: 0804-tree-wide-allow-ASCII-fallback-for-in-logs.patch
+Patch0805: 0805-tree-wide-allow-ASCII-fallback-for-in-logs.patch
+Patch0806: 0806-core-allow-to-set-default-timeout-for-devices.patch
+Patch0807: 0807-man-document-DefaultDeviceTimeoutSec.patch
+Patch0808: 0808-Revert-core-Propagate-condition-failed-state-to-trig.patch
+Patch0809: 0809-core-Check-unit-start-rate-limiting-earlier.patch
+Patch0810: 0810-core-Add-trigger-limit-for-path-units.patch
+Patch0811: 0811-meson-add-syscall-names-update-target.patch
+Patch0812: 0812-syscall-names-add-process_madvise-which-is-planned-f.patch
+Patch0813: 0813-shared-add-known-syscall-list.patch
+Patch0814: 0814-generate-syscall-list-require-python3.patch
+Patch0815: 0815-shared-seccomp-reduce-scope-of-indexing-variables.patch
+Patch0816: 0816-shared-syscall-list-filter-out-some-obviously-platfo.patch
+Patch0817: 0817-seccomp-tighten-checking-of-seccomp-filter-creation.patch
+Patch0818: 0818-shared-seccomp-util-added-functionality-to-make-list.patch
+Patch0819: 0819-nspawn-return-ENOSYS-by-default-EPERM-for-known-call.patch
+Patch0820: 0820-test-procfs-util-skip-test-on-certain-errors.patch
%ifarch %{ix86} x86_64 aarch64
%global have_gnu_efi 1
@@ -1471,6 +1499,43 @@ fi
%files tests -f .file-list-tests
%changelog
+* Fri Aug 19 2022 systemd maintenance team <systemd-maint@redhat.com> - 239-65
+- test-procfs-util: skip test on certain errors (#2087152)
+
+* Thu Aug 18 2022 systemd maintenance team <systemd-maint@redhat.com> - 239-64
+- ci: bump the worker Ubuntu version to Jammy (#2087152)
+- test: make test-execute pass on Linux 5.15 (#2087152)
+- ci: install iputils (#2087152)
+- ci(Mergify): Add `ci-waived` logic (#2087152)
+- sd-event: don't invalidate source type on disconnect (#2115396)
+- tests: make sure we delay running mount start jobs when /p/s/mountinfo is rate limited (#2095744)
+- core: drop references to 'StandardOutputFileToCreate' (#2093479)
+- dbus-execute: fix indentation (#2093479)
+- dbus-execute: generate the correct transient unit setting (#2093479)
+- bus-unit-util: properly accept StandardOutput=append:… settings (#2093479)
+- core: be more careful when inheriting stdout fds to stderr (#2093479)
+- test: add a test for StandardError=file:… (#2093479)
+- tree-wide: allow ASCII fallback for → in logs (#2093479)
+- tree-wide: allow ASCII fallback for … in logs (#2093479)
+- core: allow to set default timeout for devices (#1967245)
+- man: document DefaultDeviceTimeoutSec= (#1967245)
+- Revert "core: Propagate condition failed state to triggering units." (#2114005)
+- core: Check unit start rate limiting earlier (#2114005)
+- core: Add trigger limit for path units (#2114005)
+- meson: add syscall-names-update target (#2040247)
+- syscall-names: add process_madvise which is planned for 5.10 (#2040247)
+- shared: add @known syscall list (#2040247)
+- generate-syscall-list: require python3 (#2040247)
+- shared/seccomp: reduce scope of indexing variables (#2040247)
+- shared/syscall-list: filter out some obviously platform-specific syscalls (#2040247)
+- seccomp: tighten checking of seccomp filter creation (#2040247)
+- shared/seccomp-util: added functionality to make list of filtred syscalls (#2040247)
+- nspawn: return ENOSYS by default, EPERM for "known" calls (#2040247)
+- revert: resolved: pin stream while calling callbacks for it (#2110549)
+
+* Wed Aug 03 2022 systemd maintenance team <systemd-maint@redhat.com> - 239-63
+- resolved: pin stream while calling callbacks for it (#2110549)
+
* Mon Jul 18 2022 systemd maintenance team <systemd-maint@redhat.com> - 239-62
- spec: Remove dependency on timedatex (#2066946)