unblock: systemd/231-18

Martin Pitt mpitt at debian.org
Thu Feb 16 21:12:21 GMT 2017


Package: release.debian.org
User: release.debian.org at packages.debian.org
Usertags: unblock

Hello release team,

The current systemd in unstable (232-18) fixes an RC bug on architectures that
don't support seccomp (https://bugs.debian.org/852811), some more seccomp bugs
that also affect x86, and a couple of non-RC bugs; plus some autopkgtest
improvements which increase coverage and tighten upstream CI. -18 has been in
unstable for 3 days now without regression reports, built everywhere, and I am
very confident that it doesn't break things compared to -15.

debdiff between -15 (in testing) and current -18 attached. I also put the
changelog and some annotations to it below.

| systemd (232-18) unstable; urgency=medium
| 
|   * udev autopkgtest: Adjust to script-based test /sys creation.
|     PR #5250 changes from the static sys.tar.xz to creating the test /sys
|     directory with a script. Get along with both cases until 233 gets
|     released and packaged.

Improved disto/upstream CI, no runtime effect.

|   * systemd-resolved.service.d/resolvconf.conf: Don't fail if resolvconf is
|     not installed. ReadWritePaths= fails by default if the referenced
|     directory does not exist. This happens if resolvconf is not installed, so
|     use '-' to ignore the absence. (Closes: #854814)

Fallout from the change in -17. Now it's really a no-op in Debian (as the
stricter privilege restrictions of resolved are not yet, and will not be in
stretch).

|   * Fix two more seccomp issues.
|   * Permit seeing process list of units whose unit files are missing.
|   * Fix systemctl --user enable/disable without $XDG_RUNTIME_DIR being set.
|     (Closes: #855050)

Non-RC bug fixes. The patches are relatively small and straightforward, and
people asked for them.
 
|  -- Martin Pitt <mpitt at debian.org>  Mon, 13 Feb 2017 17:36:12 +0100
| 
| systemd (232-17) unstable; urgency=medium
| 
|   * Add libcap2-bin build dependency for tests. This will make
|     test_exec_capabilityboundingset() actually run. (Closes: #854394)
|   * Add iproute2 build dependency for tests. This will make
|     test_exec_privatenetwork() actually run; it skips if "ip" is not present.
|     (Closes: #854396)
|   * autopkgtest: Run all upstream unit tests as root.
|     Ship all upstream unit tests in libsystemd-dev, and run them all as root
|     in autopkgtest. (Closes: #854392) This also fixes the FTBFS on non-seccomp
|     architectures.

Improved disto/upstream CI, no runtime effect.

|   * systemd-resolved.service.d/resolvconf.conf: Allow writing to
|     /run/resolvconf. Upstream PR #5283 will introduce permission restrictions
|     for systemd-resolved.service, including the lockdown to writing
|     /run/systemd/. This will then cause the resolvconf call in our drop-in to
|     fail as that needs to write to /run/resolvconf/. Add this to
|     ReadWritePaths=. (This is a no-op with the current unrestricted unit).

As said above, no-op in stretch (except that this first declaration had a bug,
fixed now).

|  -- Martin Pitt <mpitt at debian.org>  Fri, 10 Feb 2017 11:52:46 +0100
| 
| systemd (232-16) unstable; urgency=medium
| 
|   [ Martin Pitt ]
|   * Add autopkgtest for test-seccomp

Improved disto/upstream CI, no runtime effect.

|   * udev: Fix by-id symlinks for devices whose IDs contain whitespace
|     (Closes: #851164, LP: #1647485)

In terms of intrusiveness this is the change with the biggest regression
potential. However, it's rather academic to expect that something relies on the
broken symlinks. This change has been tested widely already though, as it
already landed in an Ubuntu stable update for all releases, and unbreaks stable
device symlinks for NVMe devices.

|   * Add lintian overrides for binary-or-shlib-defines-rpath on shipped test
|     programs. This is apparently a new lintian warning on which uploads get
|     rejected.  These are only test programs, not in $PATH, and they need to
|     link against systemd's internal library.

No runtime effect, just lintian cleanup.

| 
|   [ Michael Biebl ]
|   * Fix seccomp filtering. (Closes: #852811)

That's the RC bug which really needs to go in.

|   * Do not crash on daemon-reexec when /run is full (Closes: #850074)

The patches are a bit large-ish, but this avoids completely ruining your
system when /run is out of space.

Please let me know if you have any question.

Thanks for considering!

Martin
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index a5acc0c..2e4d6da 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,57 @@
+systemd (232-18) unstable; urgency=medium
+
+  * udev autopkgtest: Adjust to script-based test /sys creation.
+    PR #5250 changes from the static sys.tar.xz to creating the test /sys
+    directory with a script. Get along with both cases until 233 gets
+    released and packaged.
+  * systemd-resolved.service.d/resolvconf.conf: Don't fail if resolvconf is
+    not installed. ReadWritePaths= fails by default if the referenced
+    directory does not exist. This happens if resolvconf is not installed, so
+    use '-' to ignore the absence. (Closes: #854814)
+  * Fix two more seccomp issues.
+  * Permit seeing process list of units whose unit files are missing.
+  * Fix systemctl --user enable/disable without $XDG_RUNTIME_DIR being set.
+    (Closes: #855050)
+
+ -- Martin Pitt <mpitt at debian.org>  Mon, 13 Feb 2017 17:36:12 +0100
+
+systemd (232-17) unstable; urgency=medium
+
+  * Add libcap2-bin build dependency for tests. This will make
+    test_exec_capabilityboundingset() actually run. (Closes: #854394)
+  * Add iproute2 build dependency for tests. This will make
+    test_exec_privatenetwork() actually run; it skips if "ip" is not present.
+    (Closes: #854396)
+  * autopkgtest: Run all upstream unit tests as root.
+    Ship all upstream unit tests in libsystemd-dev, and run them all as root
+    in autopkgtest. (Closes: #854392) This also fixes the FTBFS on non-seccomp
+    architectures.
+  * systemd-resolved.service.d/resolvconf.conf: Allow writing to
+    /run/resolvconf. Upstream PR #5283 will introduce permission restrictions
+    for systemd-resolved.service, including the lockdown to writing
+    /run/systemd/. This will then cause the resolvconf call in our drop-in to
+    fail as that needs to write to /run/resolvconf/. Add this to
+    ReadWritePaths=. (This is a no-op with the current unrestricted unit).
+
+ -- Martin Pitt <mpitt at debian.org>  Fri, 10 Feb 2017 11:52:46 +0100
+
+systemd (232-16) unstable; urgency=medium
+
+  [ Martin Pitt ]
+  * Add autopkgtest for test-seccomp
+  * udev: Fix by-id symlinks for devices whose IDs contain whitespace
+    (Closes: #851164, LP: #1647485)
+  * Add lintian overrides for binary-or-shlib-defines-rpath on shipped test
+    programs. This is apparently a new lintian warning on which uploads get
+    rejected.  These are only test programs, not in $PATH, and they need to
+    link against systemd's internal library.
+
+  [ Michael Biebl ]
+  * Fix seccomp filtering. (Closes: #852811)
+  * Do not crash on daemon-reexec when /run is full (Closes: #850074)
+
+ -- Martin Pitt <mpitt at debian.org>  Thu, 09 Feb 2017 16:22:43 +0100
+
 systemd (232-15) unstable; urgency=medium
 
   * Add missing Build-Depends on tzdata.
diff --git a/debian/control b/debian/control
index 8b57c84..65365e9 100644
--- a/debian/control
+++ b/debian/control
@@ -53,6 +53,8 @@ Build-Depends: debhelper (>= 9.20160114),
                python3-lxml:native,
                python3-pyparsing <!nocheck>,
                tzdata <!nocheck>,
+               libcap2-bin <!nocheck>,
+               iproute2 <!nocheck>,
 
 Package: systemd
 Architecture: linux-any
diff --git a/debian/extra/units/systemd-resolved.service.d/resolvconf.conf b/debian/extra/units/systemd-resolved.service.d/resolvconf.conf
index 439dd80..98a7017 100644
--- a/debian/extra/units/systemd-resolved.service.d/resolvconf.conf
+++ b/debian/extra/units/systemd-resolved.service.d/resolvconf.conf
@@ -5,3 +5,4 @@
 # timeouts on shutdown via the resolvconf hooks (see LP: #1648068)
 [Service]
 ExecStartPost=+/bin/sh -c '[ ! -e /run/resolvconf/enable-updates ] || echo "nameserver 127.0.0.53" | /sbin/resolvconf -a systemd-resolved'
+ReadWritePaths=-/run/resolvconf
diff --git a/debian/libsystemd-dev.lintian-overrides b/debian/libsystemd-dev.lintian-overrides
new file mode 100644
index 0000000..22b917a
--- /dev/null
+++ b/debian/libsystemd-dev.lintian-overrides
@@ -0,0 +1,2 @@
+# test programs only, need to link against internal library
+libsystemd-dev: binary-or-shlib-defines-rpath usr/lib/*/systemd-tests/test-*
diff --git a/debian/patches/core-use-a-memfd-for-serialization.patch b/debian/patches/core-use-a-memfd-for-serialization.patch
new file mode 100644
index 0000000..be5e5dc
--- /dev/null
+++ b/debian/patches/core-use-a-memfd-for-serialization.patch
@@ -0,0 +1,47 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Fri, 3 Feb 2017 16:30:00 +0100
+Subject: core: use a memfd for serialization
+
+If we can, use a memfd for serializing state during a daemon reload or
+reexec. Fall back to a file in /run/systemd or /tmp only if memfds are
+not available.
+
+See: #5016
+(cherry picked from commit d53333d4b106423d4c281ad15aefe00e17a57893)
+---
+ src/core/manager.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 61d3c48..af401bd 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -2409,18 +2409,22 @@ void manager_send_unit_plymouth(Manager *m, Unit *u) {
+ }
+ 
+ int manager_open_serialization(Manager *m, FILE **_f) {
+-        const char *path;
+         int fd = -1;
+         FILE *f;
+ 
+         assert(_f);
+ 
+-        path = MANAGER_IS_SYSTEM(m) ? "/run/systemd" : "/tmp";
+-        fd = open_tmpfile_unlinkable(path, O_RDWR|O_CLOEXEC);
+-        if (fd < 0)
+-                return -errno;
++        fd = memfd_create("systemd-serialization", MFD_CLOEXEC);
++        if (fd < 0) {
++                const char *path;
+ 
+-        log_debug("Serializing state to %s", path);
++                path = MANAGER_IS_SYSTEM(m) ? "/run/systemd" : "/tmp";
++                fd = open_tmpfile_unlinkable(path, O_RDWR|O_CLOEXEC);
++                if (fd < 0)
++                        return -errno;
++                log_debug("Serializing state to %s.", path);
++        } else
++                log_debug("Serializing state to memfd.");
+ 
+         f = fdopen(fd, "w+");
+         if (!f) {
diff --git a/debian/patches/dbus-permit-seeing-process-list-of-units-whose-unit-files.patch b/debian/patches/dbus-permit-seeing-process-list-of-units-whose-unit-files.patch
new file mode 100644
index 0000000..10f2a3e
--- /dev/null
+++ b/debian/patches/dbus-permit-seeing-process-list-of-units-whose-unit-files.patch
@@ -0,0 +1,45 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Thu, 9 Feb 2017 21:01:28 +0100
+Subject: dbus: permit seeing process list of units whose unit files are
+ missing
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Previously, we'd refuse the GetUnitProcesses() bus call if the unit file
+couldn't be loaded. Which is wrong, as admins should be able to inspect
+services whose unit files was deleted. Change this logic, so that we
+permit introspecting the processes of any unit that is loaded,
+regardless if it has a unit file or not.
+
+(Note that we won't load unit files in GetUnitProcess(), but only
+operate on already loaded ones. That's because only loaded units can
+have processes ? as that's how our GC logic works ? and hence loading
+the unit just for the process tree is pointless, as it would be empty).
+
+See: #4995
+---
+ src/core/dbus-manager.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
+index 73cba4b..87bfa39 100644
+--- a/src/core/dbus-manager.c
++++ b/src/core/dbus-manager.c
+@@ -847,13 +847,9 @@ static int method_get_unit_processes(sd_bus_message *message, void *userdata, sd
+         if (r < 0)
+                 return r;
+ 
+-        r = manager_load_unit(m, name, NULL, error, &u);
+-        if (r < 0)
+-                return r;
+-
+-        r = bus_unit_check_load_state(u, error);
+-        if (r < 0)
+-                return r;
++        u = manager_get_unit(m, name);
++        if (!u)
++                return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_UNIT, "Unit %s not loaded.", name);
+ 
+         return bus_unit_method_get_processes(message, u, error);
+ }
diff --git a/debian/patches/debian/Revert-udev-network-device-renaming-immediately-give.patch b/debian/patches/debian/Revert-udev-network-device-renaming-immediately-give.patch
index 90866d0..af78c40 100644
--- a/debian/patches/debian/Revert-udev-network-device-renaming-immediately-give.patch
+++ b/debian/patches/debian/Revert-udev-network-device-renaming-immediately-give.patch
@@ -13,10 +13,10 @@ hack to make the renaming less likely to fail.
  1 file changed, 38 insertions(+), 3 deletions(-)
 
 diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c
-index 54cd741..5a5a041 100644
+index cb00850..96451d0 100644
 --- a/src/udev/udev-event.c
 +++ b/src/udev/udev-event.c
-@@ -805,18 +805,53 @@ static int rename_netif(struct udev_event *event) {
+@@ -836,18 +836,53 @@ static int rename_netif(struct udev_event *event) {
          char name[IFNAMSIZ];
          const char *oldname;
          int r;
diff --git a/debian/patches/install-never-hit-assert-when-we-can-t-figure-out-where-t.patch b/debian/patches/install-never-hit-assert-when-we-can-t-figure-out-where-t.patch
new file mode 100644
index 0000000..31ccf4e
--- /dev/null
+++ b/debian/patches/install-never-hit-assert-when-we-can-t-figure-out-where-t.patch
@@ -0,0 +1,93 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Fri, 10 Feb 2017 15:14:18 +0100
+Subject: install: never hit assert() when we can't figure out where to write
+ configuration symlinks
+
+Under specific circumstances it might happen that we can't figure out
+where to place our symlinks, for example because we are supposed to
+create them in the runtime directory but $XDG_RUNTIME_DIR is not set. In
+this case, return -ENXIO instead of hitting an assert().
+
+(Yeah, the error isn't very descriptive, but for now this should at
+least be good enough to remove the assert() being hit.)
+---
+ src/shared/install.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/src/shared/install.c b/src/shared/install.c
+index 474426d..8b330e5 100644
+--- a/src/shared/install.c
++++ b/src/shared/install.c
+@@ -1828,6 +1828,8 @@ int unit_file_mask(
+                 return r;
+ 
+         config_path = (flags & UNIT_FILE_RUNTIME) ? paths.runtime_config : paths.persistent_config;
++        if (!config_path)
++                return -ENXIO;
+ 
+         STRV_FOREACH(i, files) {
+                 _cleanup_free_ char *path = NULL;
+@@ -1876,6 +1878,9 @@ int unit_file_unmask(
+                 return r;
+ 
+         config_path = (flags & UNIT_FILE_RUNTIME) ? paths.runtime_config : paths.persistent_config;
++        if (!config_path)
++                return -ENXIO;
++
+         dry_run = !!(flags & UNIT_FILE_DRY_RUN);
+ 
+         STRV_FOREACH(i, files) {
+@@ -1961,6 +1966,8 @@ int unit_file_link(
+                 return r;
+ 
+         config_path = (flags & UNIT_FILE_RUNTIME) ? paths.runtime_config : paths.persistent_config;
++        if (!config_path)
++                return -ENXIO;
+ 
+         STRV_FOREACH(i, files) {
+                 _cleanup_free_ char *full = NULL;
+@@ -2224,6 +2231,8 @@ int unit_file_add_dependency(
+                 return r;
+ 
+         config_path = (flags & UNIT_FILE_RUNTIME) ? paths.runtime_config : paths.persistent_config;
++        if (!config_path)
++                return -ENXIO;
+ 
+         r = install_info_discover(scope, &c, &paths, target, SEARCH_FOLLOW_CONFIG_SYMLINKS,
+                                   &target_info, changes, n_changes);
+@@ -2289,6 +2298,8 @@ int unit_file_enable(
+                 return r;
+ 
+         config_path = (flags & UNIT_FILE_RUNTIME) ? paths.runtime_config : paths.persistent_config;
++        if (!config_path)
++                return -ENXIO;
+ 
+         STRV_FOREACH(f, files) {
+                 r = install_info_discover(scope, &c, &paths, *f, SEARCH_LOAD|SEARCH_FOLLOW_CONFIG_SYMLINKS,
+@@ -2333,6 +2344,8 @@ int unit_file_disable(
+                 return r;
+ 
+         config_path = (flags & UNIT_FILE_RUNTIME) ? paths.runtime_config : paths.persistent_config;
++        if (!config_path)
++                return -ENXIO;
+ 
+         STRV_FOREACH(i, files) {
+                 if (!unit_name_is_valid(*i, UNIT_NAME_ANY))
+@@ -2827,6 +2840,8 @@ int unit_file_preset(
+                 return r;
+ 
+         config_path = (flags & UNIT_FILE_RUNTIME) ? paths.runtime_config : paths.persistent_config;
++        if (!config_path)
++                return -ENXIO;
+ 
+         r = read_presets(scope, root_dir, &presets);
+         if (r < 0)
+@@ -2865,6 +2880,8 @@ int unit_file_preset_all(
+                 return r;
+ 
+         config_path = (flags & UNIT_FILE_RUNTIME) ? paths.runtime_config : paths.persistent_config;
++        if (!config_path)
++                return -ENXIO;
+ 
+         r = read_presets(scope, root_dir, &presets);
+         if (r < 0)
diff --git a/debian/patches/libudev-util-change-util_replace_whitespace-to-return-num.patch b/debian/patches/libudev-util-change-util_replace_whitespace-to-return-num.patch
new file mode 100644
index 0000000..fc2dd46
--- /dev/null
+++ b/debian/patches/libudev-util-change-util_replace_whitespace-to-return-num.patch
@@ -0,0 +1,28 @@
+From: Dan Streetman <ddstreet at ieee.org>
+Date: Tue, 3 Jan 2017 14:31:45 -0500
+Subject: libudev-util: change util_replace_whitespace to return number of
+ chars in dest
+
+Instead of returning 0, which is unhelpful, return the number of chars
+copied into the dest string.  This allows callers that care about that
+to easily use it, instead of having to calculate the strlen.
+
+No current users of the function check the return value, so this does not
+break any existing code; it is used in the following patch.
+---
+ src/libudev/libudev-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libudev/libudev-util.c b/src/libudev/libudev-util.c
+index 574cfea..a9819b9 100644
+--- a/src/libudev/libudev-util.c
++++ b/src/libudev/libudev-util.c
+@@ -186,7 +186,7 @@ int util_replace_whitespace(const char *str, char *to, size_t len)
+                 to[j++] = str[i++];
+         }
+         to[j] = '\0';
+-        return 0;
++        return j;
+ }
+ 
+ /* allow chars in whitelist, plain ascii, hex-escaping and valid utf8 */
diff --git a/debian/patches/man-Document-that-RestrictAddressFamilies-doesn-t-work-on.patch b/debian/patches/man-Document-that-RestrictAddressFamilies-doesn-t-work-on.patch
new file mode 100644
index 0000000..3589122
--- /dev/null
+++ b/debian/patches/man-Document-that-RestrictAddressFamilies-doesn-t-work-on.patch
@@ -0,0 +1,80 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Fri, 3 Feb 2017 18:33:04 +0100
+Subject: man: Document that RestrictAddressFamilies= doesn't work on
+ s390/s390x/...
+
+We already say that it doesn't work on i386, but there are more archs
+like that apparently.
+
+(cherry-picked from commit 142bd808a1a1a4a7dc4e75b7a9d1bda6c1530dfd)
+---
+ man/systemd.exec.xml | 55 +++++++++++++++++++++-------------------------------
+ 1 file changed, 22 insertions(+), 33 deletions(-)
+
+diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
+index 33bca1b..9527103 100644
+--- a/man/systemd.exec.xml
++++ b/man/systemd.exec.xml
+@@ -1420,40 +1420,29 @@
+       <varlistentry>
+         <term><varname>RestrictAddressFamilies=</varname></term>
+ 
+-        <listitem><para>Restricts the set of socket address families
+-        accessible to the processes of this unit. Takes a
+-        space-separated list of address family names to whitelist,
+-        such as
+-        <constant>AF_UNIX</constant>,
+-        <constant>AF_INET</constant> or
+-        <constant>AF_INET6</constant>. When
+-        prefixed with <constant>~</constant> the listed address
+-        families will be applied as blacklist, otherwise as whitelist.
+-        Note that this restricts access to the
+-        <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+-        system call only. Sockets passed into the process by other
+-        means (for example, by using socket activation with socket
+-        units, see
+-        <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
+-        are unaffected. Also, sockets created with
+-        <function>socketpair()</function> (which creates connected
+-        AF_UNIX sockets only) are unaffected. Note that this option
+-        has no effect on 32-bit x86 and is ignored (but works
+-        correctly on x86-64). If running in user mode, or in system
+-        mode, but without the <constant>CAP_SYS_ADMIN</constant>
+-        capability (e.g. setting <varname>User=nobody</varname>),
+-        <varname>NoNewPrivileges=yes</varname> is implied. By
+-        default, no restriction applies, all address families are
+-        accessible to processes. If assigned the empty string, any
+-        previous list changes are undone.</para>
+-
+-        <para>Use this option to limit exposure of processes to remote
+-        systems, in particular via exotic network protocols. Note that
+-        in most cases, the local <constant>AF_UNIX</constant> address
+-        family should be included in the configured whitelist as it is
+-        frequently used for local communication, including for
++        <listitem><para>Restricts the set of socket address families accessible to the processes of this unit. Takes a
++        space-separated list of address family names to whitelist, such as <constant>AF_UNIX</constant>,
++        <constant>AF_INET</constant> or <constant>AF_INET6</constant>. When prefixed with <constant>~</constant> the
++        listed address families will be applied as blacklist, otherwise as whitelist.  Note that this restricts access
++        to the <citerefentry
++        project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call
++        only. Sockets passed into the process by other means (for example, by using socket activation with socket
++        units, see <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
++        are unaffected. Also, sockets created with <function>socketpair()</function> (which creates connected AF_UNIX
++        sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x, mips, mips-le,
++        ppc, ppc-le, pcc64, ppc64-le and is ignored (but works correctly on other architectures, including x86-64). If
++        running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability
++        (e.g. setting <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is implied. By default,
++        no restrictions apply, all address families are accessible to processes. If assigned the empty string, any
++        previous address familiy restriction changes are undone. This setting does not affect commands prefixed with
++        <literal>+</literal>.</para>
++
++        <para>Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive
++        network protocols, such as <constant>AF_PACKET</constant>. Note that in most cases, the local
++        <constant>AF_UNIX</constant> address family should be included in the configured whitelist as it is frequently
++        used for local communication, including for
+         <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+-        logging. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
++        logging.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
diff --git a/debian/patches/manager-refuse-reloading-reexecing-when-run-is-overly-ful.patch b/debian/patches/manager-refuse-reloading-reexecing-when-run-is-overly-ful.patch
new file mode 100644
index 0000000..f10b42d
--- /dev/null
+++ b/debian/patches/manager-refuse-reloading-reexecing-when-run-is-overly-ful.patch
@@ -0,0 +1,198 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Fri, 3 Feb 2017 12:12:54 +0100
+Subject: manager: refuse reloading/reexecing when /run is overly full
+
+Let's add an extra safety check: before entering a reload/reexec, let's
+verify that there's enough room in /run for it.
+
+Fixes: #5016
+(cherry picked from commit ae57dad3f92d116c66c4ca0223b7e07b44041436)
+---
+ src/core/dbus-manager.c                   | 63 +++++++++++++++++++++++++++++++
+ src/core/dbus-manager.h                   |  2 +
+ src/core/manager.c                        |  8 +++-
+ src/libsystemd/sd-bus/bus-common-errors.c |  1 +
+ src/libsystemd/sd-bus/bus-common-errors.h |  1 +
+ 5 files changed, 73 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
+index d7d3d3c..73cba4b 100644
+--- a/src/core/dbus-manager.c
++++ b/src/core/dbus-manager.c
+@@ -19,6 +19,7 @@
+ 
+ #include <errno.h>
+ #include <sys/prctl.h>
++#include <sys/statvfs.h>
+ #include <unistd.h>
+ 
+ #include "alloc-util.h"
+@@ -37,6 +38,7 @@
+ #include "formats-util.h"
+ #include "install.h"
+ #include "log.h"
++#include "parse-util.h"
+ #include "path-util.h"
+ #include "selinux-access.h"
+ #include "stat-util.h"
+@@ -47,6 +49,10 @@
+ #include "virt.h"
+ #include "watchdog.h"
+ 
++/* Require 16MiB free in /run/systemd for reloading/reexecing. After all we need to serialize our state there, and if
++ * we can't we'll fail badly. */
++#define RELOAD_DISK_SPACE_MIN (UINT64_C(16) * UINT64_C(1024) * UINT64_C(1024))
++
+ static UnitFileFlags unit_file_bools_to_flags(bool runtime, bool force) {
+         return (runtime ? UNIT_FILE_RUNTIME : 0) |
+                (force   ? UNIT_FILE_FORCE   : 0);
+@@ -1311,6 +1317,40 @@ static int method_refuse_snapshot(sd_bus_message *message, void *userdata, sd_bu
+         return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Support for snapshots has been removed.");
+ }
+ 
++static int verify_run_space(const char *message, sd_bus_error *error) {
++        struct statvfs svfs;
++        uint64_t available;
++
++        if (statvfs("/run/systemd", &svfs) < 0)
++                return sd_bus_error_set_errnof(error, errno, "Failed to statvfs(/run/systemd): %m");
++
++        available = (uint64_t) svfs.f_bfree * (uint64_t) svfs.f_bsize;
++
++        if (available < RELOAD_DISK_SPACE_MIN) {
++                char fb_available[FORMAT_BYTES_MAX], fb_need[FORMAT_BYTES_MAX];
++                return sd_bus_error_setf(error,
++                                         BUS_ERROR_DISK_FULL,
++                                         "%s, not enough space available on /run/systemd. "
++                                         "Currently, %s are free, but a safety buffer of %s is enforced.",
++                                         message,
++                                         format_bytes(fb_available, sizeof(fb_available), available),
++                                         format_bytes(fb_need, sizeof(fb_need), RELOAD_DISK_SPACE_MIN));
++        }
++
++        return 0;
++}
++
++int verify_run_space_and_log(const char *message) {
++        sd_bus_error error = SD_BUS_ERROR_NULL;
++        int r;
++
++        r = verify_run_space(message, &error);
++        if (r < 0)
++                log_error_errno(r, "%s", bus_error_message(&error, r));
++
++        return r;
++}
++
+ static int method_reload(sd_bus_message *message, void *userdata, sd_bus_error *error) {
+         Manager *m = userdata;
+         int r;
+@@ -1318,6 +1358,10 @@ static int method_reload(sd_bus_message *message, void *userdata, sd_bus_error *
+         assert(message);
+         assert(m);
+ 
++        r = verify_run_space("Refusing to reload", error);
++        if (r < 0)
++                return r;
++
+         r = mac_selinux_access_check(message, "reload", error);
+         if (r < 0)
+                 return r;
+@@ -1350,6 +1394,10 @@ static int method_reexecute(sd_bus_message *message, void *userdata, sd_bus_erro
+         assert(message);
+         assert(m);
+ 
++        r = verify_run_space("Refusing to reexecute", error);
++        if (r < 0)
++                return r;
++
+         r = mac_selinux_access_check(message, "reload", error);
+         if (r < 0)
+                 return r;
+@@ -1468,11 +1516,26 @@ static int method_switch_root(sd_bus_message *message, void *userdata, sd_bus_er
+         char *ri = NULL, *rt = NULL;
+         const char *root, *init;
+         Manager *m = userdata;
++        struct statvfs svfs;
++        uint64_t available;
+         int r;
+ 
+         assert(message);
+         assert(m);
+ 
++        if (statvfs("/run/systemd", &svfs) < 0)
++                return sd_bus_error_set_errnof(error, errno, "Failed to statvfs(/run/systemd): %m");
++
++        available = (uint64_t) svfs.f_bfree * (uint64_t) svfs.f_bsize;
++
++        if (available < RELOAD_DISK_SPACE_MIN) {
++                char fb_available[FORMAT_BYTES_MAX], fb_need[FORMAT_BYTES_MAX];
++                log_warning("Dangerously low amount of free space on /run/systemd, root switching operation might not complete successfuly. "
++                            "Currently, %s are free, but %s are suggested. Proceeding anyway.",
++                            format_bytes(fb_available, sizeof(fb_available), available),
++                            format_bytes(fb_need, sizeof(fb_need), RELOAD_DISK_SPACE_MIN));
++        }
++
+         r = mac_selinux_access_check(message, "reboot", error);
+         if (r < 0)
+                 return r;
+diff --git a/src/core/dbus-manager.h b/src/core/dbus-manager.h
+index 36a2e94..9f3222d 100644
+--- a/src/core/dbus-manager.h
++++ b/src/core/dbus-manager.h
+@@ -26,3 +26,5 @@ extern const sd_bus_vtable bus_manager_vtable[];
+ void bus_manager_send_finished(Manager *m, usec_t firmware_usec, usec_t loader_usec, usec_t kernel_usec, usec_t initrd_usec, usec_t userspace_usec, usec_t total_usec);
+ void bus_manager_send_reloading(Manager *m, bool active);
+ void bus_manager_send_change_signal(Manager *m);
++
++int verify_run_space_and_log(const char *message);
+diff --git a/src/core/manager.c b/src/core/manager.c
+index af401bd..190019c 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -1964,7 +1964,9 @@ static int manager_dispatch_signal_fd(sd_event_source *source, int fd, uint32_t
+                         if (MANAGER_IS_SYSTEM(m)) {
+                                 /* This is for compatibility with the
+                                  * original sysvinit */
+-                                m->exit_code = MANAGER_REEXECUTE;
++                                r = verify_run_space_and_log("Refusing to reexecute");
++                                if (r >= 0)
++                                        m->exit_code = MANAGER_REEXECUTE;
+                                 break;
+                         }
+ 
+@@ -2041,7 +2043,9 @@ static int manager_dispatch_signal_fd(sd_event_source *source, int fd, uint32_t
+                 }
+ 
+                 case SIGHUP:
+-                        m->exit_code = MANAGER_RELOAD;
++                        r = verify_run_space_and_log("Refusing to reload");
++                        if (r >= 0)
++                                m->exit_code = MANAGER_RELOAD;
+                         break;
+ 
+                 default: {
+diff --git a/src/libsystemd/sd-bus/bus-common-errors.c b/src/libsystemd/sd-bus/bus-common-errors.c
+index d2a826b..1bba746 100644
+--- a/src/libsystemd/sd-bus/bus-common-errors.c
++++ b/src/libsystemd/sd-bus/bus-common-errors.c
+@@ -47,6 +47,7 @@ BUS_ERROR_MAP_ELF_REGISTER const sd_bus_error_map bus_common_errors[] = {
+         SD_BUS_ERROR_MAP(BUS_ERROR_SCOPE_NOT_RUNNING,            EHOSTDOWN),
+         SD_BUS_ERROR_MAP(BUS_ERROR_NO_SUCH_DYNAMIC_USER,         ESRCH),
+         SD_BUS_ERROR_MAP(BUS_ERROR_NOT_REFERENCED,               EUNATCH),
++        SD_BUS_ERROR_MAP(BUS_ERROR_DISK_FULL,                    ENOSPC),
+ 
+         SD_BUS_ERROR_MAP(BUS_ERROR_NO_SUCH_MACHINE,              ENXIO),
+         SD_BUS_ERROR_MAP(BUS_ERROR_NO_SUCH_IMAGE,                ENOENT),
+diff --git a/src/libsystemd/sd-bus/bus-common-errors.h b/src/libsystemd/sd-bus/bus-common-errors.h
+index 525b79f..4523be0 100644
+--- a/src/libsystemd/sd-bus/bus-common-errors.h
++++ b/src/libsystemd/sd-bus/bus-common-errors.h
+@@ -43,6 +43,7 @@
+ #define BUS_ERROR_SCOPE_NOT_RUNNING "org.freedesktop.systemd1.ScopeNotRunning"
+ #define BUS_ERROR_NO_SUCH_DYNAMIC_USER "org.freedesktop.systemd1.NoSuchDynamicUser"
+ #define BUS_ERROR_NOT_REFERENCED "org.freedesktop.systemd1.NotReferenced"
++#define BUS_ERROR_DISK_FULL "org.freedesktop.systemd1.DiskFull"
+ 
+ #define BUS_ERROR_NO_SUCH_MACHINE "org.freedesktop.machine1.NoSuchMachine"
+ #define BUS_ERROR_NO_SUCH_IMAGE "org.freedesktop.machine1.NoSuchImage"
diff --git a/debian/patches/path-lookup-if-HOME-can-be-determined-but-XDG_RUNTIME_DIR.patch b/debian/patches/path-lookup-if-HOME-can-be-determined-but-XDG_RUNTIME_DIR.patch
new file mode 100644
index 0000000..7591af1
--- /dev/null
+++ b/debian/patches/path-lookup-if-HOME-can-be-determined-but-XDG_RUNTIME_DIR.patch
@@ -0,0 +1,95 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Fri, 10 Feb 2017 15:18:23 +0100
+Subject: path-lookup: if $HOME can be determined but $XDG_RUNTIME_DIR can't,
+ is it
+
+So far, if either $HOME or $XDG_RUNTIME_DIR is not set we wouldn't use
+either, and fail acquire_config_dirs() and acquire_control_dirs() in
+their entireties. With this change, let's make use of the variables we
+can acquire, and don't bother with the other.
+
+Specifically this means: in both acquire_config_dirs() and
+acquire_control_dirs() handle ENXIO from user_config_dir() and
+user_runtime_dir() directly, instead of propagating it up and handling
+it in the caller.
+---
+ src/shared/path-lookup.c | 32 ++++++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/src/shared/path-lookup.c b/src/shared/path-lookup.c
+index 43c1748..baa3118 100644
+--- a/src/shared/path-lookup.c
++++ b/src/shared/path-lookup.c
+@@ -330,12 +330,18 @@ static int acquire_config_dirs(UnitFileScope scope, char **persistent, char **ru
+ 
+         case UNIT_FILE_USER:
+                 r = user_config_dir(&a, "/systemd/user");
+-                if (r < 0)
++                if (r < 0 && r != -ENXIO)
+                         return r;
+ 
+                 r = user_runtime_dir(runtime, "/systemd/user");
+-                if (r < 0)
+-                        return r;
++                if (r < 0) {
++                        if (r != -ENXIO)
++                                return r;
++
++                        /* If XDG_RUNTIME_DIR is not set, don't consider that fatal, simply initialize the runtime
++                         * directory to NULL */
++                        *runtime = NULL;
++                }
+ 
+                 *persistent = a;
+                 a = NULL;
+@@ -384,12 +390,18 @@ static int acquire_control_dirs(UnitFileScope scope, char **persistent, char **r
+ 
+         case UNIT_FILE_USER:
+                 r = user_config_dir(&a, "/systemd/system.control");
+-                if (r < 0)
++                if (r < 0 && r != -ENXIO)
+                         return r;
+ 
+                 r = user_runtime_dir(runtime, "/systemd/system.control");
+-                if (r < 0)
+-                        return r;
++                if (r < 0) {
++                        if (r != -ENXIO)
++                                return r;
++
++                        /* If XDG_RUNTIME_DIR is not set, don't consider this fatal, simply initialize the directory to
++                         * NULL */
++                        *runtime = NULL;
++                }
+ 
+                 break;
+ 
+@@ -476,22 +488,26 @@ int lookup_paths_init(
+                         return -ENOMEM;
+         }
+ 
++        /* Note: when XDG_RUNTIME_DIR is not set this will not return -ENXIO, but simply set runtime_config to NULL */
+         r = acquire_config_dirs(scope, &persistent_config, &runtime_config);
+-        if (r < 0 && r != -ENXIO)
++        if (r < 0)
+                 return r;
+ 
+         if ((flags & LOOKUP_PATHS_EXCLUDE_GENERATED) == 0) {
++                /* Note: if XDG_RUNTIME_DIR is not set, this will fail completely with ENXIO */
+                 r = acquire_generator_dirs(scope, &generator, &generator_early, &generator_late);
+                 if (r < 0 && r != -EOPNOTSUPP && r != -ENXIO)
+                         return r;
+         }
+ 
++        /* Note: if XDG_RUNTIME_DIR is not set, this will fail completely with ENXIO */
+         r = acquire_transient_dir(scope, &transient);
+         if (r < 0 && r != -EOPNOTSUPP && r != -ENXIO)
+                 return r;
+ 
++        /* Note: when XDG_RUNTIME_DIR is not set this will not return -ENXIO, but simply set runtime_control to NULL */
+         r = acquire_control_dirs(scope, &persistent_control, &runtime_control);
+-        if (r < 0 && r != -EOPNOTSUPP && r != -ENXIO)
++        if (r < 0 && r != -EOPNOTSUPP)
+                 return r;
+ 
+         /* First priority is whatever has been passed to us via env vars */
diff --git a/debian/patches/path-lookup-try-harder-acquiring-them-HOME-of-a-user.patch b/debian/patches/path-lookup-try-harder-acquiring-them-HOME-of-a-user.patch
new file mode 100644
index 0000000..55e922e
--- /dev/null
+++ b/debian/patches/path-lookup-try-harder-acquiring-them-HOME-of-a-user.patch
@@ -0,0 +1,74 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Fri, 10 Feb 2017 15:16:11 +0100
+Subject: path-lookup: try harder acquiring them $HOME of a user
+
+Let's use get_home_dir() for figuring out the home directory, so that
+there's a good chance we succeed figuring out unit locations even if
+$HOME isn't set.
+
+Fixes: #5260
+---
+ src/shared/path-lookup.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/src/shared/path-lookup.c b/src/shared/path-lookup.c
+index a23d099..43c1748 100644
+--- a/src/shared/path-lookup.c
++++ b/src/shared/path-lookup.c
+@@ -33,6 +33,7 @@
+ #include "stat-util.h"
+ #include "string-util.h"
+ #include "strv.h"
++#include "user-util.h"
+ #include "util.h"
+ 
+ static int user_runtime_dir(char **ret, const char *suffix) {
+@@ -57,6 +58,7 @@ static int user_runtime_dir(char **ret, const char *suffix) {
+ static int user_config_dir(char **ret, const char *suffix) {
+         const char *e;
+         char *j;
++        int r;
+ 
+         assert(ret);
+ 
+@@ -64,11 +66,11 @@ static int user_config_dir(char **ret, const char *suffix) {
+         if (e)
+                 j = strappend(e, suffix);
+         else {
+-                const char *home;
++                _cleanup_free_ char *home = NULL;
+ 
+-                home = getenv("HOME");
+-                if (!home)
+-                        return -ENXIO;
++                r = get_home_dir(&home);
++                if (r < 0)
++                        return r;
+ 
+                 j = strjoin(home, "/.config", suffix);
+         }
+@@ -83,6 +85,7 @@ static int user_config_dir(char **ret, const char *suffix) {
+ static int user_data_dir(char **ret, const char *suffix) {
+         const char *e;
+         char *j;
++        int r;
+ 
+         assert(ret);
+         assert(suffix);
+@@ -95,12 +98,11 @@ static int user_data_dir(char **ret, const char *suffix) {
+         if (e)
+                 j = strappend(e, suffix);
+         else {
+-                const char *home;
+-
+-                home = getenv("HOME");
+-                if (!home)
+-                        return -ENXIO;
++                _cleanup_free_ char *home = NULL;
+ 
++                r = get_home_dir(&home);
++                if (r < 0)
++                        return r;
+ 
+                 j = strjoin(home, "/.local/share", suffix);
+         }
diff --git a/debian/patches/seccomp-MemoryDenyWriteExecute-should-affect-both-mmap-an.patch b/debian/patches/seccomp-MemoryDenyWriteExecute-should-affect-both-mmap-an.patch
new file mode 100644
index 0000000..5077641
--- /dev/null
+++ b/debian/patches/seccomp-MemoryDenyWriteExecute-should-affect-both-mmap-an.patch
@@ -0,0 +1,224 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Wed, 8 Feb 2017 15:14:02 +0100
+Subject: seccomp: MemoryDenyWriteExecute= should affect both mmap() and
+ mmap2() (#5254)
+
+On i386 we block the old mmap() call entirely, since we cannot properly
+filter it. Thankfully it hasn't been used by glibc since quite some
+time.
+
+Fixes: #5240
+
+(cherry-picked from commit 8a50cf6957f12dbb1f90411659da9b959a1983ff)
+---
+ man/systemd.exec.xml      | 27 +++++++-------
+ src/shared/seccomp-util.c | 92 +++++++++++++++++++++++++++++++++++++----------
+ src/shared/seccomp-util.h |  7 ++++
+ src/test/test-seccomp.c   | 12 ++++++-
+ 4 files changed, 106 insertions(+), 32 deletions(-)
+
+diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
+index 9527103..3b42b55 100644
+--- a/man/systemd.exec.xml
++++ b/man/systemd.exec.xml
+@@ -1535,19 +1535,20 @@
+         <term><varname>MemoryDenyWriteExecute=</varname></term>
+ 
+         <listitem><para>Takes a boolean argument. If set, attempts to create memory mappings that are writable and
+-        executable at the same time, or to change existing memory mappings to become executable, or mapping shared memory
+-        segments as executable are prohibited.
+-        Specifically, a system call filter is added that rejects
+-        <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+-        system calls with both <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set,
+-        <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+-        system calls with <constant>PROT_EXEC</constant> set and
+-        <citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+-        system calls with <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs
+-        that generate program code dynamically at runtime, such as JIT execution engines, or programs compiled making
+-        use of the code "trampoline" feature of various C compilers. This option improves service security, as it makes
+-        harder for software exploits to change running code dynamically.
+-        </para></listitem>
++        executable at the same time, or to change existing memory mappings to become executable, or mapping shared
++        memory segments as executable are prohibited.  Specifically, a system call filter is added that rejects
++        <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with both
++        <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set,
++        <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
++        <constant>PROT_EXEC</constant> set and
++        <citerefentry><refentrytitle>shmat</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls with
++        <constant>SHM_EXEC</constant> set. Note that this option is incompatible with programs that generate program
++        code dynamically at runtime, such as JIT execution engines, or programs compiled making use of the code
++        "trampoline" feature of various C compilers. This option improves service security, as it makes harder for
++        software exploits to change running code dynamically. Note that this feature is fully available on x86-64, and
++        partially on x86. Specifically, the <function>shmat()</function> protection is not available on x86. If running
++        in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting
++        <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.  </para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
+index 1e6ff5b..64c21c8 100644
+--- a/src/shared/seccomp-util.c
++++ b/src/shared/seccomp-util.c
+@@ -996,27 +996,81 @@ int seccomp_restrict_realtime(void) {
+ }
+ 
+ int seccomp_memory_deny_write_execute(void) {
++
+         uint32_t arch;
+         int r;
+ 
+         SECCOMP_FOREACH_LOCAL_ARCH(arch) {
+                 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
++                int filter_syscall = 0, block_syscall = 0, shmat_syscall = 0;
+ 
+                 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
+ 
++                switch (arch) {
++
++                case SCMP_ARCH_X86:
++                        filter_syscall = SCMP_SYS(mmap2);
++                        block_syscall = SCMP_SYS(mmap);
++
++                        /* Note that shmat() isn't available on i386, where the call is multiplexed through ipc(). We
++                         * ignore that here, which means there's still a way to get writable/executable memory, if an
++                         * IPC key is mapped like this on i386. That's a pity, but no total loss. */
++                        break;
++
++                case SCMP_ARCH_X86_64:
++                case SCMP_ARCH_X32:
++                        filter_syscall = SCMP_SYS(mmap);
++                        shmat_syscall = SCMP_SYS(shmat);
++                        break;
++
++                /* Please add more definitions here, if you port systemd to other architectures! */
++
++#if !defined(__i386__) && !defined(__x86_64__)
++#warning "Consider adding the right mmap() syscall definitions here!"
++#endif
++                }
++
++                /* Can't filter mmap() on this arch, then skip it */
++                if (filter_syscall == 0)
++                        continue;
++
+                 r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
+                 if (r < 0)
+                         return r;
+ 
+-                r = seccomp_rule_add_exact(
+-                                seccomp,
+-                                SCMP_ACT_ERRNO(EPERM),
+-                                SCMP_SYS(mmap),
+-                                1,
+-                                SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
+-                if (r < 0) {
+-                        log_debug_errno(r, "Failed to add mmap() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+-                        continue;
++                if (filter_syscall != 0)  {
++                        r = seccomp_rule_add_exact(
++                                        seccomp,
++                                        SCMP_ACT_ERRNO(EPERM),
++                                        filter_syscall,
++                                        1,
++                                        SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC|PROT_WRITE, PROT_EXEC|PROT_WRITE));
++                        if (r < 0) {
++                                _cleanup_free_ char *n = NULL;
++
++                                n = seccomp_syscall_resolve_num_arch(arch, filter_syscall);
++                                log_debug_errno(r, "Failed to add %s() rule for architecture %s, skipping: %m",
++                                                strna(n),
++                                                seccomp_arch_to_string(arch));
++                                continue;
++                        }
++                }
++
++                if (block_syscall != 0) {
++                        r = seccomp_rule_add_exact(
++                                        seccomp,
++                                        SCMP_ACT_ERRNO(EPERM),
++                                        block_syscall,
++                                        0);
++                        if (r < 0) {
++                                _cleanup_free_ char *n = NULL;
++
++                                n = seccomp_syscall_resolve_num_arch(arch, block_syscall);
++                                log_debug_errno(r, "Failed to add %s() rule for architecture %s, skipping: %m",
++                                                strna(n),
++                                                seccomp_arch_to_string(arch));
++                                continue;
++                        }
+                 }
+ 
+                 r = seccomp_rule_add_exact(
+@@ -1030,15 +1084,17 @@ int seccomp_memory_deny_write_execute(void) {
+                         continue;
+                 }
+ 
+-                r = seccomp_rule_add_exact(
+-                                seccomp,
+-                                SCMP_ACT_ERRNO(EPERM),
+-                                SCMP_SYS(shmat),
+-                                1,
+-                                SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC));
+-                if (r < 0) {
+-                        log_debug_errno(r, "Failed to add shmat() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+-                        continue;
++                if (shmat_syscall != 0) {
++                        r = seccomp_rule_add_exact(
++                                        seccomp,
++                                        SCMP_ACT_ERRNO(EPERM),
++                                        SCMP_SYS(shmat),
++                                        1,
++                                        SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC));
++                        if (r < 0) {
++                                log_debug_errno(r, "Failed to add shmat() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
++                                continue;
++                        }
+                 }
+ 
+                 r = seccomp_load(seccomp);
+diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
+index ba106eb..e89e0d9 100644
+--- a/src/shared/seccomp-util.h
++++ b/src/shared/seccomp-util.h
+@@ -79,6 +79,13 @@ int seccomp_memory_deny_write_execute(void);
+ #define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
+ #endif
+ 
++/* mmap() blocking is only available on some archs for now */
++#if defined(__x86_64__) || defined(__i386__)
++#define SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN 0
++#else
++#define SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN 1
++#endif
++
+ extern const uint32_t seccomp_local_archs[];
+ 
+ #define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
+diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
+index 54e7947..3659238 100644
+--- a/src/test/test-seccomp.c
++++ b/src/test/test-seccomp.c
+@@ -384,11 +384,21 @@ static void test_memory_deny_write_execute(void) {
+                 assert_se(p != MAP_FAILED);
+                 assert_se(munmap(p, page_size()) >= 0);
+ 
+-                seccomp_memory_deny_write_execute();
++                p = mmap(NULL, page_size(), PROT_WRITE|PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
++                assert_se(p != MAP_FAILED);
++                assert_se(munmap(p, page_size()) >= 0);
+ 
++                assert_se(seccomp_memory_deny_write_execute() >= 0);
++
++#if SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN
++                p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
++                assert_se(p != MAP_FAILED);
++                assert_se(munmap(p, page_size()) >= 0);
++#else
+                 p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
+                 assert_se(p == MAP_FAILED);
+                 assert_se(errno == EPERM);
++#endif
+ 
+                 p = mmap(NULL, page_size(), PROT_WRITE|PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
+                 assert_se(p != MAP_FAILED);
diff --git a/debian/patches/seccomp-RestrictAddressFamilies-is-not-supported-on-i386-.patch b/debian/patches/seccomp-RestrictAddressFamilies-is-not-supported-on-i386-.patch
new file mode 100644
index 0000000..a72ff8a
--- /dev/null
+++ b/debian/patches/seccomp-RestrictAddressFamilies-is-not-supported-on-i386-.patch
@@ -0,0 +1,95 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Fri, 3 Feb 2017 18:31:05 +0100
+Subject: seccomp: RestrictAddressFamilies= is not supported on
+ i386/s390/s390x, make it a NOP
+
+See: #5215
+
+(cherry-picked from commit ad8f1479b46c72d103b7f4f7b8ff4f59f7455285)
+---
+ src/shared/seccomp-util.c |  3 +++
+ src/shared/seccomp-util.h |  8 ++++++++
+ src/test/test-seccomp.c   | 16 ++++++++++++++++
+ 3 files changed, 27 insertions(+)
+
+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
+index a3b59d0..1e6ff5b 100644
+--- a/src/shared/seccomp-util.c
++++ b/src/shared/seccomp-util.c
+@@ -783,6 +783,8 @@ int seccomp_protect_sysctl(void) {
+ }
+ 
+ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
++
++#if !SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
+         uint32_t arch;
+         int r;
+ 
+@@ -911,6 +913,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
+                 if (r < 0)
+                         log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+         }
++#endif
+ 
+         return 0;
+ }
+diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
+index 50e4f43..ba106eb 100644
+--- a/src/shared/seccomp-util.h
++++ b/src/shared/seccomp-util.h
+@@ -71,6 +71,14 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist);
+ int seccomp_restrict_realtime(void);
+ int seccomp_memory_deny_write_execute(void);
+ 
++#if defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__powerpc__) || defined (__mips__)
++/* On these archs, socket() is implemented via the socketcall() syscall multiplexer, and we can't restrict it hence via
++ * seccomp */
++#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
++#else
++#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
++#endif
++
+ extern const uint32_t seccomp_local_archs[];
+ 
+ #define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
+diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
+index 6f15879..54e7947 100644
+--- a/src/test/test-seccomp.c
++++ b/src/test/test-seccomp.c
+@@ -283,8 +283,14 @@ static void test_restrict_address_families(void) {
+                 assert_se(fd >= 0);
+                 safe_close(fd);
+ 
++#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
++                fd = socket(AF_UNIX, SOCK_DGRAM, 0);
++                assert_se(fd >= 0);
++                safe_close(fd);
++#else
+                 assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0);
+                 assert_se(errno == EAFNOSUPPORT);
++#endif
+ 
+                 fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
+                 assert_se(fd >= 0);
+@@ -300,11 +306,21 @@ static void test_restrict_address_families(void) {
+                 assert_se(fd >= 0);
+                 safe_close(fd);
+ 
++#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
++                fd = socket(AF_UNIX, SOCK_DGRAM, 0);
++                assert_se(fd >= 0);
++                safe_close(fd);
++
++                fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
++                assert_se(fd >= 0);
++                safe_close(fd);
++#else
+                 assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0);
+                 assert_se(errno == EAFNOSUPPORT);
+ 
+                 assert_se(socket(AF_NETLINK, SOCK_DGRAM, 0) < 0);
+                 assert_se(errno == EAFNOSUPPORT);
++#endif
+ 
+                 _exit(EXIT_SUCCESS);
+         }
diff --git a/debian/patches/seccomp-disable-RestrictAddressFamilies-for-the-ABI-we-sh.patch b/debian/patches/seccomp-disable-RestrictAddressFamilies-for-the-ABI-we-sh.patch
new file mode 100644
index 0000000..aeb6177
--- /dev/null
+++ b/debian/patches/seccomp-disable-RestrictAddressFamilies-for-the-ABI-we-sh.patch
@@ -0,0 +1,67 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Sun, 12 Feb 2017 21:25:40 +0100
+Subject: seccomp: disable RestrictAddressFamilies= for the ABI we shall block,
+ not the one we are compiled for (#5272)
+
+It's a difference. Not a big one, but let's be correct here.
+---
+ src/shared/seccomp-util.c | 30 +++++++++++++++++++++++++++---
+ 1 file changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
+index aa3fe7a..bb68ae5 100644
+--- a/src/shared/seccomp-util.c
++++ b/src/shared/seccomp-util.c
+@@ -816,17 +816,42 @@ int seccomp_protect_sysctl(void) {
+ }
+ 
+ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
+-
+-#if !SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
+         uint32_t arch;
+         int r;
+ 
+         SECCOMP_FOREACH_LOCAL_ARCH(arch) {
+                 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
++                bool supported;
+                 Iterator i;
+ 
+                 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
+ 
++                switch (arch) {
++
++                case SCMP_ARCH_X86_64:
++                case SCMP_ARCH_X32:
++                case SCMP_ARCH_ARM:
++                case SCMP_ARCH_AARCH64:
++                        /* These we know we support (i.e. are the ones that do not use socketcall()) */
++                        supported = true;
++                        break;
++
++                case SCMP_ARCH_X86:
++                case SCMP_ARCH_S390:
++                case SCMP_ARCH_S390X:
++                case SCMP_ARCH_PPC:
++                case SCMP_ARCH_PPC64:
++                case SCMP_ARCH_PPC64LE:
++                default:
++                        /* These we either know we don't support (i.e. are the ones that do use socketcall()), or we
++                         * don't know */
++                        supported = false;
++                        break;
++                }
++
++                if (!supported)
++                        continue;
++
+                 r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
+                 if (r < 0)
+                         return r;
+@@ -946,7 +971,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
+                 if (r < 0)
+                         log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+         }
+-#endif
+ 
+         return 0;
+ }
diff --git a/debian/patches/seccomp-don-t-ever-try-to-add-an-ABI-before-removing-the-.patch b/debian/patches/seccomp-don-t-ever-try-to-add-an-ABI-before-removing-the-.patch
new file mode 100644
index 0000000..c42909c
--- /dev/null
+++ b/debian/patches/seccomp-don-t-ever-try-to-add-an-ABI-before-removing-the-.patch
@@ -0,0 +1,42 @@
+From: Evgeny Vereshchagin <evvers at ya.ru>
+Date: Sun, 5 Feb 2017 19:58:19 +0300
+Subject: seccomp: don't ever try to add an ABI before removing the default
+ native ABI (#5230)
+
+https://github.com/systemd/systemd/issues/5215#issuecomment-277156262
+
+libseccomp does not allow you to add architectures to a filter that
+doesn't match the byte ordering of the architectures already added to
+the filter (it would be a mess, not to mention largely pointless) and
+since systemd attempts to add an ABI before removing the default native
+ABI, you will always fail on Power (either due to ppc or ppc64le). The
+fix is to remove the native ABI before adding a new ABI so you don't run
+into problems with byte ordering.
+
+You would likely see the same failure on a MIPS system.
+
+Thanks @pcmoore!
+
+(cherry-picked from commit 1b52793d5d597e62c8e35009baca165f1408687e)
+---
+ src/shared/seccomp-util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
+index aa37e12..a3b59d0 100644
+--- a/src/shared/seccomp-util.c
++++ b/src/shared/seccomp-util.c
+@@ -171,11 +171,11 @@ int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_
+         if (arch != SCMP_ARCH_NATIVE &&
+             arch != seccomp_arch_native()) {
+ 
+-                r = seccomp_arch_add(seccomp, arch);
++                r = seccomp_arch_remove(seccomp, seccomp_arch_native());
+                 if (r < 0)
+                         goto finish;
+ 
+-                r = seccomp_arch_remove(seccomp, seccomp_arch_native());
++                r = seccomp_arch_add(seccomp, arch);
+                 if (r < 0)
+                         goto finish;
+ 
diff --git a/debian/patches/seccomp-on-s390-the-clone-parameters-are-reversed.patch b/debian/patches/seccomp-on-s390-the-clone-parameters-are-reversed.patch
new file mode 100644
index 0000000..7a5e0b0
--- /dev/null
+++ b/debian/patches/seccomp-on-s390-the-clone-parameters-are-reversed.patch
@@ -0,0 +1,163 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Wed, 8 Feb 2017 16:21:11 +0100
+Subject: seccomp: on s390 the clone() parameters are reversed
+
+Add a bit of code that tries to get the right parameter order in place
+for some of the better known architectures, and skips
+restrict_namespaces for other archs.
+
+This also bypasses the test on archs where we don't know the right
+order.
+
+In this case I didn't bother with testing the case where no filter is
+applied, since that is hopefully just an issue for now, as there's
+nothing stopping us from supporting more archs, we just need to know
+which order is right.
+
+Fixes: #5241
+(cherry picked from commit ae9d60ce4eb116eefb7c4102074ae1cc13fd3216)
+---
+ man/systemd.exec.xml      |  5 ++++-
+ src/basic/raw-clone.h     |  4 ++--
+ src/shared/seccomp-util.c | 45 +++++++++++++++++++++++++++++++++++++++------
+ src/shared/seccomp-util.h |  7 +++++++
+ src/test/test-seccomp.c   |  3 +++
+ 5 files changed, 55 insertions(+), 9 deletions(-)
+
+diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
+index 3b42b55..ea219ce 100644
+--- a/man/systemd.exec.xml
++++ b/man/systemd.exec.xml
+@@ -1466,7 +1466,10 @@
+         <citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking
+         the specified flags parameters into account. Note that ? if this option is used ? in addition to restricting
+         creation and switching of the specified types of namespaces (or all of them, if true) access to the
+-        <function>setns()</function> system call with a zero flags parameter is prohibited.</para></listitem>
++        <function>setns()</function> system call with a zero flags parameter is prohibited.  This setting is only
++        supported on x86, x86-64, s390 and s390x, and enforces no restrictions on other architectures. If running in user
++        mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting
++        <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.  </para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+diff --git a/src/basic/raw-clone.h b/src/basic/raw-clone.h
+index d473828..c6e531a 100644
+--- a/src/basic/raw-clone.h
++++ b/src/basic/raw-clone.h
+@@ -47,8 +47,8 @@
+ static inline int raw_clone(unsigned long flags) {
+         assert((flags & (CLONE_VM|CLONE_PARENT_SETTID|CLONE_CHILD_SETTID|
+                          CLONE_CHILD_CLEARTID|CLONE_SETTLS)) == 0);
+-#if defined(__s390__) || defined(__CRIS__)
+-        /* On s390 and cris the order of the first and second arguments
++#if defined(__s390x__) || defined(__s390__) || defined(__CRIS__)
++        /* On s390/s390x and cris the order of the first and second arguments
+          * of the raw clone() system call is reversed. */
+         return (int) syscall(__NR_clone, NULL, flags);
+ #elif defined(__sparc__) && defined(__arch64__)
+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
+index 64c21c8..aa3fe7a 100644
+--- a/src/shared/seccomp-util.c
++++ b/src/shared/seccomp-util.c
+@@ -660,10 +660,35 @@ int seccomp_restrict_namespaces(unsigned long retain) {
+ 
+         SECCOMP_FOREACH_LOCAL_ARCH(arch) {
+                 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
++                int clone_reversed_order = -1;
+                 unsigned i;
+ 
+                 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
+ 
++                switch (arch) {
++
++                case SCMP_ARCH_X86_64:
++                case SCMP_ARCH_X86:
++                case SCMP_ARCH_X32:
++                        clone_reversed_order = 0;
++                        break;
++
++                case SCMP_ARCH_S390:
++                case SCMP_ARCH_S390X:
++                        /* On s390/s390x the first two parameters to clone are switched */
++                        clone_reversed_order = 1;
++                        break;
++
++                /* Please add more definitions here, if you port systemd to other architectures! */
++
++#if !defined(__i386__) && !defined(__x86_64__) && !defined(__s390__) && !defined(__s390x__)
++#warning "Consider adding the right clone() syscall definitions here!"
++#endif
++                }
++
++                if (clone_reversed_order < 0) /* we don't know the right order, let's ignore this arch... */
++                        continue;
++
+                 r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
+                 if (r < 0)
+                         return r;
+@@ -712,12 +737,20 @@ int seccomp_restrict_namespaces(unsigned long retain) {
+                                 break;
+                         }
+ 
+-                        r = seccomp_rule_add_exact(
+-                                        seccomp,
+-                                        SCMP_ACT_ERRNO(EPERM),
+-                                        SCMP_SYS(clone),
+-                                        1,
+-                                        SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
++                        if (clone_reversed_order == 0)
++                                r = seccomp_rule_add_exact(
++                                                seccomp,
++                                                SCMP_ACT_ERRNO(EPERM),
++                                                SCMP_SYS(clone),
++                                                1,
++                                                SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
++                        else
++                                r = seccomp_rule_add_exact(
++                                                seccomp,
++                                                SCMP_ACT_ERRNO(EPERM),
++                                                SCMP_SYS(clone),
++                                                1,
++                                                SCMP_A1(SCMP_CMP_MASKED_EQ, f, f));
+                         if (r < 0) {
+                                 log_debug_errno(r, "Failed to add clone() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+                                 break;
+diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
+index e89e0d9..0a4ab9d 100644
+--- a/src/shared/seccomp-util.h
++++ b/src/shared/seccomp-util.h
+@@ -86,6 +86,13 @@ int seccomp_memory_deny_write_execute(void);
+ #define SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN 1
+ #endif
+ 
++/* we don't know the right order of the clone() parameters except for these archs, for now */
++#if defined(__x86_64__) || defined(__i386__) || defined(__s390x__) || defined(__s390__)
++#define SECCOMP_RESTRICT_NAMESPACES_BROKEN 0
++#else
++#define SECCOMP_RESTRICT_NAMESPACES_BROKEN 1
++#endif
++
+ extern const uint32_t seccomp_local_archs[];
+ 
+ #define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
+diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
+index 3659238..34a1275 100644
+--- a/src/test/test-seccomp.c
++++ b/src/test/test-seccomp.c
+@@ -158,6 +158,8 @@ static void test_restrict_namespace(void) {
+         assert_se(streq(s, "cgroup ipc net mnt pid user uts"));
+         assert_se(namespace_flag_from_string_many(s, &ul) == 0 && ul == NAMESPACE_FLAGS_ALL);
+ 
++#if SECCOMP_RESTRICT_NAMESPACES_BROKEN == 0
++
+         if (!is_seccomp_available())
+                 return;
+         if (geteuid() != 0)
+@@ -216,6 +218,7 @@ static void test_restrict_namespace(void) {
+         }
+ 
+         assert_se(wait_for_terminate_and_warn("nsseccomp", pid, true) == EXIT_SUCCESS);
++#endif
+ }
+ 
+ static void test_protect_sysctl(void) {
diff --git a/debian/patches/seccomp-order-seccomp-ABI-list-so-that-our-native-ABI-com.patch b/debian/patches/seccomp-order-seccomp-ABI-list-so-that-our-native-ABI-com.patch
new file mode 100644
index 0000000..faab3d1
--- /dev/null
+++ b/debian/patches/seccomp-order-seccomp-ABI-list-so-that-our-native-ABI-com.patch
@@ -0,0 +1,103 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Fri, 10 Feb 2017 23:47:50 +0100
+Subject: seccomp: order seccomp ABI list,
+ so that our native ABI comes last (#5306)
+
+this way, we can still call seccomp ourselves, even if seccomp() is
+blocked by the filter we are installing.
+
+Fixes: #5300
+---
+ src/shared/seccomp-util.c | 67 ++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 54 insertions(+), 13 deletions(-)
+
+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
+index bb68ae5..aa43a7a 100644
+--- a/src/shared/seccomp-util.c
++++ b/src/shared/seccomp-util.c
+@@ -36,31 +36,72 @@
+ 
+ const uint32_t seccomp_local_archs[] = {
+ 
+-#if defined(__i386__) || defined(__x86_64__)
++        /* Note: always list the native arch we are compiled as last, so that users can blacklist seccomp(), but our own calls to it still succeed */
++
++#if defined(__x86_64__) && defined(__ILP32__)
+                 SCMP_ARCH_X86,
+                 SCMP_ARCH_X86_64,
++                SCMP_ARCH_X32,         /* native */
++#elif defined(__x86_64__) && !defined(__ILP32__)
++                SCMP_ARCH_X86,
+                 SCMP_ARCH_X32,
+-
+-#elif defined(__arm__) || defined(__aarch64__)
++                SCMP_ARCH_X86_64,      /* native */
++#elif defined(__i386__)
++                SCMP_ARCH_X86,
++#elif defined(__aarch64__)
+                 SCMP_ARCH_ARM,
+-                SCMP_ARCH_AARCH64,
+-
+-#elif defined(__mips__) || defined(__mips64__)
++                SCMP_ARCH_AARCH64,     /* native */
++#elif defined(__arm__)
++                SCMP_ARCH_ARM,
++#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
++                SCMP_ARCH_MIPSEL,
++                SCMP_ARCH_MIPS,        /* native */
++#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
+                 SCMP_ARCH_MIPS,
+-                SCMP_ARCH_MIPS64,
++                SCMP_ARCH_MIPSEL,      /* native */
++#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
++                SCMP_ARCH_MIPSEL,
++                SCMP_ARCH_MIPS,
++                SCMP_ARCH_MIPSEL64N32,
+                 SCMP_ARCH_MIPS64N32,
++                SCMP_ARCH_MIPSEL64,
++                SCMP_ARCH_MIPS64,      /* native */
++#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
++                SCMP_ARCH_MIPS,
+                 SCMP_ARCH_MIPSEL,
++                SCMP_ARCH_MIPS64N32,
++                SCMP_ARCH_MIPSEL64N32,
++                SCMP_ARCH_MIPS64,
++                SCMP_ARCH_MIPSEL64,    /* native */
++#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
++                SCMP_ARCH_MIPSEL,
++                SCMP_ARCH_MIPS,
+                 SCMP_ARCH_MIPSEL64,
++                SCMP_ARCH_MIPS64,
+                 SCMP_ARCH_MIPSEL64N32,
+-
+-#elif defined(__powerpc__) || defined(__powerpc64__)
++                SCMP_ARCH_MIPS64N32,   /* native */
++#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
++                SCMP_ARCH_MIPS,
++                SCMP_ARCH_MIPSEL,
++                SCMP_ARCH_MIPS64,
++                SCMP_ARCH_MIPSEL64,
++                SCMP_ARCH_MIPS64N32,
++                SCMP_ARCH_MIPSEL64N32, /* native */
++#elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN
+                 SCMP_ARCH_PPC,
+-                SCMP_ARCH_PPC64,
+                 SCMP_ARCH_PPC64LE,
+-
+-#elif defined(__s390__) || defined(__s390x__)
++                SCMP_ARCH_PPC64,       /* native */
++#elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN
++                SCMP_ARCH_PPC,
++                SCMP_ARCH_PPC64,
++                SCMP_ARCH_PPC64LE,     /* native */
++#elif defined(__powerpc__)
++                SCMP_ARCH_PPC,
++#elif defined(__s390x__)
++                SCMP_ARCH_S390,
++                SCMP_ARCH_S390X,      /* native */
++#elif defined(__s390__)
+                 SCMP_ARCH_S390,
+-                SCMP_ARCH_S390X,
+ #endif
+                 (uint32_t) -1
+         };
diff --git a/debian/patches/series b/debian/patches/series
index 7697835..561c282 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,6 +28,22 @@ device-Avoid-calling-unit_free-NULL-in-device-setup-logic.patch
 core-make-unit_free-accept-NULL-pointers.patch
 journal-make-sure-to-initially-populate-the-space-info-ca.patch
 journald-don-t-flush-to-var-log-journal-before-we-get-ask.patch
+seccomp-don-t-ever-try-to-add-an-ABI-before-removing-the-.patch
+seccomp-RestrictAddressFamilies-is-not-supported-on-i386-.patch
+man-Document-that-RestrictAddressFamilies-doesn-t-work-on.patch
+seccomp-MemoryDenyWriteExecute-should-affect-both-mmap-an.patch
+seccomp-on-s390-the-clone-parameters-are-reversed.patch
+seccomp-disable-RestrictAddressFamilies-for-the-ABI-we-sh.patch
+seccomp-order-seccomp-ABI-list-so-that-our-native-ABI-com.patch
+libudev-util-change-util_replace_whitespace-to-return-num.patch
+udev-event-add-replace_whitespace-param-to-udev_event_app.patch
+udev-rules-perform-whitespace-replacement-for-symlink-sub.patch
+core-use-a-memfd-for-serialization.patch
+manager-refuse-reloading-reexecing-when-run-is-overly-ful.patch
+dbus-permit-seeing-process-list-of-units-whose-unit-files.patch
+install-never-hit-assert-when-we-can-t-figure-out-where-t.patch
+path-lookup-try-harder-acquiring-them-HOME-of-a-user.patch
+path-lookup-if-HOME-can-be-determined-but-XDG_RUNTIME_DIR.patch
 debian/Use-Debian-specific-config-files.patch
 debian/don-t-try-to-start-autovt-units-when-not-running-wit.patch
 debian/Make-logind-hostnamed-localed-timedated-D-Bus-activa.patch
diff --git a/debian/patches/udev-event-add-replace_whitespace-param-to-udev_event_app.patch b/debian/patches/udev-event-add-replace_whitespace-param-to-udev_event_app.patch
new file mode 100644
index 0000000..9bc47b1
--- /dev/null
+++ b/debian/patches/udev-event-add-replace_whitespace-param-to-udev_event_app.patch
@@ -0,0 +1,304 @@
+From: Dan Streetman <ddstreet at ieee.org>
+Date: Tue, 3 Jan 2017 14:37:59 -0500
+Subject: udev-event: add replace_whitespace param to udev_event_apply_format
+
+If replace_whitespace is true, each substitution value has all its
+whitespace removed/replaced by util_replace_whitespace (except the
+SUBST_RESULT substitution - $result{} or %c{} - which handles spaces
+itself as field separators).  All existing callers are updated to
+pass false, so no functional change is made by this patch.
+
+This is needed so the SYMLINK assignment can replace any spaces
+introduced through variable substitution, becuase the SYMLINK value is
+a space-separated list of symlinks to create.  Any variables that
+contain spaces will thus unexpectedly change the symlink value from
+a single symlink to multiple incorrectly-named symlinks.
+
+This is used in the next patch, which enables the whitespace
+replacement for SYMLINK variable substitution.
+---
+ src/udev/udev-event.c   | 39 +++++++++++++++++++++++++++++++++++----
+ src/udev/udev-rules.c   | 40 ++++++++++++++++++++--------------------
+ src/udev/udev.h         |  4 +++-
+ src/udev/udevadm-test.c |  2 +-
+ 4 files changed, 59 insertions(+), 26 deletions(-)
+
+diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c
+index 54cd741..cb00850 100644
+--- a/src/udev/udev-event.c
++++ b/src/udev/udev-event.c
+@@ -73,7 +73,9 @@ void udev_event_unref(struct udev_event *event) {
+         free(event);
+ }
+ 
+-size_t udev_event_apply_format(struct udev_event *event, const char *src, char *dest, size_t size) {
++size_t udev_event_apply_format(struct udev_event *event,
++                               const char *src, char *dest, size_t size,
++                               bool replace_whitespace) {
+         struct udev_device *dev = event->dev;
+         enum subst_type {
+                 SUBST_UNKNOWN,
+@@ -130,8 +132,10 @@ size_t udev_event_apply_format(struct udev_event *event, const char *src, char *
+ 
+         for (;;) {
+                 enum subst_type type = SUBST_UNKNOWN;
+-                char attrbuf[UTIL_PATH_SIZE];
+-                char *attr = NULL;
++                char attrbuf[UTIL_PATH_SIZE], sbuf[UTIL_PATH_SIZE];
++                char *attr = NULL, *_s;
++                size_t _l;
++                bool replws = replace_whitespace;
+ 
+                 while (from[0] != '\0') {
+                         if (from[0] == '$') {
+@@ -200,6 +204,19 @@ subst:
+                         attr = NULL;
+                 }
+ 
++                /* result subst handles space as field separator */
++                if (type == SUBST_RESULT)
++                        replws = false;
++
++                if (replws) {
++                        /* store dest string ptr and remaining len */
++                        _s = s;
++                        _l = l;
++                        /* temporarily use sbuf */
++                        s = &sbuf;
++                        l = UTIL_PATH_SIZE;
++                }
++
+                 switch (type) {
+                 case SUBST_DEVPATH:
+                         l = strpcpy(&s, l, udev_device_get_devpath(dev));
+@@ -380,6 +397,20 @@ subst:
+                         log_error("unknown substitution type=%i", type);
+                         break;
+                 }
++
++                /* replace whitespace in sbuf and copy to dest */
++                if (replws) {
++                        size_t tmplen = UTIL_PATH_SIZE - l;
++
++                        /* restore s and l to dest string values */
++                        s = _s;
++                        l = _l;
++
++                        /* copy ws-replaced value to s */
++                        tmplen = util_replace_whitespace(sbuf, s, MIN(tmplen, l));
++                        l -= tmplen;
++                        s += tmplen;
++                }
+         }
+ 
+ out:
+@@ -927,7 +958,7 @@ void udev_event_execute_run(struct udev_event *event, usec_t timeout_usec, usec_
+                 const char *cmd = udev_list_entry_get_name(list_entry);
+                 enum udev_builtin_cmd builtin_cmd = udev_list_entry_get_num(list_entry);
+ 
+-                udev_event_apply_format(event, cmd, command, sizeof(command));
++                udev_event_apply_format(event, cmd, command, sizeof(command), false);
+ 
+                 if (builtin_cmd < UDEV_BUILTIN_MAX)
+                         udev_builtin_run(event->dev, builtin_cmd, command, false);
+diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
+index f6c416b..f48b71d 100644
+--- a/src/udev/udev-rules.c
++++ b/src/udev/udev-rules.c
+@@ -1676,7 +1676,7 @@ static int match_attr(struct udev_rules *rules, struct udev_device *dev, struct
+         name = rules_str(rules, cur->key.attr_off);
+         switch (cur->key.attrsubst) {
+         case SB_FORMAT:
+-                udev_event_apply_format(event, name, nbuf, sizeof(nbuf));
++                udev_event_apply_format(event, name, nbuf, sizeof(nbuf), false);
+                 name = nbuf;
+                 /* fall through */
+         case SB_NONE:
+@@ -1838,7 +1838,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                         _cleanup_free_ char *value = NULL;
+                         size_t len;
+ 
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.attr_off), filename, sizeof(filename));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.attr_off), filename, sizeof(filename), false);
+                         sysctl_normalize(filename);
+                         if (sysctl_read(filename, &value) < 0)
+                                 goto nomatch;
+@@ -1916,7 +1916,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                         struct stat statbuf;
+                         int match;
+ 
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), filename, sizeof(filename));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), filename, sizeof(filename), false);
+                         if (util_resolve_subsys_kernel(event->udev, filename, filename, sizeof(filename), 0) != 0) {
+                                 if (filename[0] != '/') {
+                                         char tmp[UTIL_PATH_SIZE];
+@@ -1942,7 +1942,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                         char result[UTIL_LINE_SIZE];
+ 
+                         event->program_result = mfree(event->program_result);
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), program, sizeof(program));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), program, sizeof(program), false);
+                         log_debug("PROGRAM '%s' %s:%u",
+                                   program,
+                                   rules_str(rules, rule->rule.filename_off),
+@@ -1969,7 +1969,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                 case TK_M_IMPORT_FILE: {
+                         char import[UTIL_PATH_SIZE];
+ 
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), import, sizeof(import));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), import, sizeof(import), false);
+                         if (import_file_into_properties(event->dev, import) != 0)
+                                 if (cur->key.op != OP_NOMATCH)
+                                         goto nomatch;
+@@ -1978,7 +1978,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                 case TK_M_IMPORT_PROG: {
+                         char import[UTIL_PATH_SIZE];
+ 
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), import, sizeof(import));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), import, sizeof(import), false);
+                         log_debug("IMPORT '%s' %s:%u",
+                                   import,
+                                   rules_str(rules, rule->rule.filename_off),
+@@ -2009,7 +2009,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                                 event->builtin_run |= (1 << cur->key.builtin_cmd);
+                         }
+ 
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), command, sizeof(command));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), command, sizeof(command), false);
+                         log_debug("IMPORT builtin '%s' %s:%u",
+                                   udev_builtin_name(cur->key.builtin_cmd),
+                                   rules_str(rules, rule->rule.filename_off),
+@@ -2077,7 +2077,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                 case TK_M_IMPORT_PARENT: {
+                         char import[UTIL_PATH_SIZE];
+ 
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), import, sizeof(import));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), import, sizeof(import), false);
+                         if (import_parent_into_properties(event->dev, import) != 0)
+                                 if (cur->key.op != OP_NOMATCH)
+                                         goto nomatch;
+@@ -2115,7 +2115,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                                 break;
+                         if (cur->key.op == OP_ASSIGN_FINAL)
+                                 event->owner_final = true;
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), owner, sizeof(owner));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), owner, sizeof(owner), false);
+                         event->owner_set = true;
+                         r = get_user_creds(&ow, &event->uid, NULL, NULL, NULL);
+                         if (r < 0) {
+@@ -2141,7 +2141,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                                 break;
+                         if (cur->key.op == OP_ASSIGN_FINAL)
+                                 event->group_final = true;
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), group, sizeof(group));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), group, sizeof(group), false);
+                         event->group_set = true;
+                         r = get_group_creds(&gr, &event->gid);
+                         if (r < 0) {
+@@ -2165,7 +2165,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+ 
+                         if (event->mode_final)
+                                 break;
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), mode_str, sizeof(mode_str));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), mode_str, sizeof(mode_str), false);
+                         mode = strtol(mode_str, &endptr, 8);
+                         if (endptr[0] != '\0') {
+                                 log_error("ignoring invalid mode '%s'", mode_str);
+@@ -2222,7 +2222,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                         const char *name, *label;
+ 
+                         name = rules_str(rules, cur->key.attr_off);
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), label_str, sizeof(label_str));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), label_str, sizeof(label_str), false);
+                         if (label_str[0] != '\0')
+                                 label = label_str;
+                         else
+@@ -2256,10 +2256,10 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                                 char temp[UTIL_NAME_SIZE];
+ 
+                                 /* append value separated by space */
+-                                udev_event_apply_format(event, value, temp, sizeof(temp));
++                                udev_event_apply_format(event, value, temp, sizeof(temp), false);
+                                 strscpyl(value_new, sizeof(value_new), value_old, " ", temp, NULL);
+                         } else
+-                                udev_event_apply_format(event, value, value_new, sizeof(value_new));
++                                udev_event_apply_format(event, value, value_new, sizeof(value_new), false);
+ 
+                         udev_device_add_property(event->dev, name, value_new);
+                         break;
+@@ -2268,7 +2268,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                         char tag[UTIL_PATH_SIZE];
+                         const char *p;
+ 
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), tag, sizeof(tag));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), tag, sizeof(tag), false);
+                         if (cur->key.op == OP_ASSIGN || cur->key.op == OP_ASSIGN_FINAL)
+                                 udev_device_cleanup_tags_list(event->dev);
+                         for (p = tag; *p != '\0'; p++) {
+@@ -2296,7 +2296,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                                 break;
+                         if (cur->key.op == OP_ASSIGN_FINAL)
+                                 event->name_final = true;
+-                        udev_event_apply_format(event, name, name_str, sizeof(name_str));
++                        udev_event_apply_format(event, name, name_str, sizeof(name_str), false);
+                         if (esc == ESCAPE_UNSET || esc == ESCAPE_REPLACE) {
+                                 count = util_replace_chars(name_str, "/");
+                                 if (count > 0)
+@@ -2336,7 +2336,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                                 udev_device_cleanup_devlinks_list(event->dev);
+ 
+                         /* allow  multiple symlinks separated by spaces */
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), temp, sizeof(temp));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), temp, sizeof(temp), false);
+                         if (esc == ESCAPE_UNSET)
+                                 count = util_replace_chars(temp, "/ ");
+                         else if (esc == ESCAPE_REPLACE)
+@@ -2376,7 +2376,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                                 strscpyl(attr, sizeof(attr), udev_device_get_syspath(event->dev), "/", key_name, NULL);
+                         attr_subst_subdir(attr, sizeof(attr));
+ 
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), value, sizeof(value));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), value, sizeof(value), false);
+                         log_debug("ATTR '%s' writing '%s' %s:%u", attr, value,
+                                   rules_str(rules, rule->rule.filename_off),
+                                   rule->rule.filename_line);
+@@ -2392,9 +2392,9 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                         char value[UTIL_NAME_SIZE];
+                         int r;
+ 
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.attr_off), filename, sizeof(filename));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.attr_off), filename, sizeof(filename), false);
+                         sysctl_normalize(filename);
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), value, sizeof(value));
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), value, sizeof(value), false);
+                         log_debug("SYSCTL '%s' writing '%s' %s:%u", filename, value,
+                                   rules_str(rules, rule->rule.filename_off), rule->rule.filename_line);
+                         r = sysctl_write(filename, value);
+diff --git a/src/udev/udev.h b/src/udev/udev.h
+index 8433e8d..c0cb7ea 100644
+--- a/src/udev/udev.h
++++ b/src/udev/udev.h
+@@ -80,7 +80,9 @@ int udev_rules_apply_static_dev_perms(struct udev_rules *rules);
+ /* udev-event.c */
+ struct udev_event *udev_event_new(struct udev_device *dev);
+ void udev_event_unref(struct udev_event *event);
+-size_t udev_event_apply_format(struct udev_event *event, const char *src, char *dest, size_t size);
++size_t udev_event_apply_format(struct udev_event *event,
++                               const char *src, char *dest, size_t size,
++                               bool replace_whitespace);
+ int udev_event_apply_subsys_kernel(struct udev_event *event, const char *string,
+                                    char *result, size_t maxsize, int read_value);
+ int udev_event_spawn(struct udev_event *event,
+diff --git a/src/udev/udevadm-test.c b/src/udev/udevadm-test.c
+index 702dbe5..07b667f 100644
+--- a/src/udev/udevadm-test.c
++++ b/src/udev/udevadm-test.c
+@@ -144,7 +144,7 @@ static int adm_test(struct udev *udev, int argc, char *argv[]) {
+         udev_list_entry_foreach(entry, udev_list_get_entry(&event->run_list)) {
+                 char program[UTIL_PATH_SIZE];
+ 
+-                udev_event_apply_format(event, udev_list_entry_get_name(entry), program, sizeof(program));
++                udev_event_apply_format(event, udev_list_entry_get_name(entry), program, sizeof(program), false);
+                 printf("run: '%s'\n", program);
+         }
+ out:
diff --git a/debian/patches/udev-rules-perform-whitespace-replacement-for-symlink-sub.patch b/debian/patches/udev-rules-perform-whitespace-replacement-for-symlink-sub.patch
new file mode 100644
index 0000000..36416b3
--- /dev/null
+++ b/debian/patches/udev-rules-perform-whitespace-replacement-for-symlink-sub.patch
@@ -0,0 +1,30 @@
+From: Dan Streetman <ddstreet at ieee.org>
+Date: Tue, 3 Jan 2017 14:39:50 -0500
+Subject: udev-rules: perform whitespace replacement for symlink subst values
+
+If the string_escape option is either unset or 'replace' (i.e. if it is
+not 'none'), then enable whitespace replacement in SYMLINK variable
+substitution values, as added in the last patch.
+
+This will keep any whitespace that is directly contained in a SYMLINK
+value, but will replace any whitespace that is added to the SYMLINK
+value as a result of variable substitution (except $result/%c).
+
+This fixes bug 4833.
+---
+ src/udev/udev-rules.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
+index f48b71d..0b8363a 100644
+--- a/src/udev/udev-rules.c
++++ b/src/udev/udev-rules.c
+@@ -2336,7 +2336,7 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
+                                 udev_device_cleanup_devlinks_list(event->dev);
+ 
+                         /* allow  multiple symlinks separated by spaces */
+-                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), temp, sizeof(temp), false);
++                        udev_event_apply_format(event, rules_str(rules, cur->key.value_off), temp, sizeof(temp), esc != ESCAPE_NONE);
+                         if (esc == ESCAPE_UNSET)
+                                 count = util_replace_chars(temp, "/ ");
+                         else if (esc == ESCAPE_REPLACE)
diff --git a/debian/rules b/debian/rules
index 582b1f8..21108ae 100755
--- a/debian/rules
+++ b/debian/rules
@@ -305,8 +305,12 @@ endif
 		(cd debian/$$pkg; find -mindepth 1 -type d) | (cd debian/systemd; xargs rmdir --ignore-fail-on-non-empty --verbose || true); \
 	done
 
-	# ship test-udev, so that we have it for autopkgtests
-	install -D build-deb/.libs/test-udev debian/libudev-dev/usr/lib/$(DEB_HOST_MULTIARCH)/udev/test-udev
+	# ship unit tests for autopkgtests and manual tests
+	install -d debian/libsystemd-dev/usr/lib/$(DEB_HOST_MULTIARCH)/systemd-tests
+	install build-deb/.libs/test-* build-deb/test-copy build-deb/test-bus-error debian/libsystemd-dev/usr/lib/$(DEB_HOST_MULTIARCH)/systemd-tests/
+	# put a list of automatic tests into our package for the autopkgtest
+	printf 'print-tests:\n\t at echo $$(TESTS)\n' | make -f build-deb/Makefile -f - print-tests | xargs -n1 | grep ^test- > debian/libsystemd-dev/usr/lib/$(DEB_HOST_MULTIARCH)/systemd-tests/unittests.txt
+
 
 	# Ubuntu specific files
 ifeq ($(DEB_VENDOR),Ubuntu)
diff --git a/debian/tests/control b/debian/tests/control
index ddf45ec..fede694 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -83,17 +83,32 @@ Depends: systemd-sysv,
 Restrictions: needs-root, isolation-machine, needs-recommends, breaks-testbed
 
 Tests: udev
-Depends: tree,
-  libudev-dev,
+Depends: libsystemd-dev,
+  tree,
   perl,
   xz-utils,
 Restrictions: needs-root, allow-stderr, isolation-machine
 
+Tests: root-unittests
+Depends: libsystemd-dev,
+  tree,
+  perl,
+  xz-utils,
+  libcap2-bin,
+  iproute2,
+  liblz4-tool,
+  acl,
+Restrictions: needs-root, allow-stderr, isolation-container
+
 Tests: upstream
-Depends: tree,
-  libudev-dev,
+Depends: libsystemd-dev,
+  tree,
   perl,
   xz-utils,
+  libcap2-bin,
+  iproute2,
+  liblz4-tool,
+  acl,
   kbd,
   cryptsetup-bin,
   net-tools,
@@ -111,15 +126,14 @@ Depends: tree,
 Restrictions: needs-root, allow-stderr, isolation-machine
 
 Tests: boot-smoke
-Depends: systemd-sysv,
-  network-manager,
-  policykit-1,
-  lightdm,
-  xserver-xorg-video-dummy,
+Depends: libsystemd-dev,
   tree,
-  libudev-dev,
   perl,
   xz-utils,
+  libcap2-bin,
+  iproute2,
+  liblz4-tool,
+  acl,
   kbd,
   cryptsetup-bin,
   net-tools,
@@ -134,6 +148,11 @@ Depends: systemd-sysv,
   make,
   systemd-journal-remote,
   systemd-container,
+  systemd-sysv,
+  network-manager,
+  policykit-1,
+  lightdm,
+  xserver-xorg-video-dummy,
 Restrictions: needs-recommends, needs-root, isolation-machine, allow-stderr, breaks-testbed
 
 # NOUPSTREAM: Do not run these tests for upstream builds
diff --git a/debian/tests/root-unittests b/debian/tests/root-unittests
new file mode 100644
index 0000000..11d7a31
--- /dev/null
+++ b/debian/tests/root-unittests
@@ -0,0 +1,36 @@
+#!/bin/sh
+set -eu
+
+# these tests fail because of the hardcoded TESTS_DIR; make overridable with env var
+EXFAIL="test-dns-packet
+test-cgroup-mask
+test-engine
+test-execute
+test-path
+test-sched-prio
+"
+
+# No items in catalog.
+# Assertion 'r >= 0' failed at ../src/journal/test-catalog.c:252, function main(). Aborting.
+EXFAIL="$EXFAIL
+test-catalog
+"
+
+res=0
+for t in $(cat /usr/lib/*/systemd-tests/unittests.txt); do
+    echo "====== $t ======="
+    # exit code 77 means "skip"
+    rc=0
+    /usr/lib/*/systemd-tests/$t || rc=$?
+    if [ "$rc" = 0 ]; then
+        echo "PASS: $t"
+    elif [ "$rc" = 77 ]; then
+        echo "SKIP: $t"
+    elif [ "${EXFAIL%$t*}" != "$EXFAIL" ]; then
+        echo "EXFAIL: $t"
+    else
+        echo "FAIL: $t (code: $rc)"
+        res=$rc
+    fi
+done
+exit $res
diff --git a/debian/tests/udev b/debian/tests/udev
index 29a4b32..a480ff6 100755
--- a/debian/tests/udev
+++ b/debian/tests/udev
@@ -6,8 +6,12 @@ set -euC
 
 TEST_DIR=${ADTTMP:=$(mktemp -d)}
 mkdir -p $TEST_DIR/test
-tar -C $TEST_DIR/test -xf test/sys.tar.xz
+if [ -x test/sys-script.py ]; then
+    test/sys-script.py $TEST_DIR/test
+else
+    tar -C $TEST_DIR/test -xf test/sys.tar.xz
+fi
 cp test/udev-test.pl $TEST_DIR
-cp /usr/lib/*/udev/test-udev $TEST_DIR
+cp /usr/lib/*/systemd-tests/test-udev $TEST_DIR
 cd $TEST_DIR
 ./udev-test.pl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-systemd-maintainers/attachments/20170216/d1c05fbd/attachment-0001.sig>


More information about the Pkg-systemd-maintainers mailing list