[systemd-commits] 9 commits - configure.ac Makefile.am man/systemd.exec.xml man/systemd.service.xml man/systemd.special.xml.in man/systemd.unit.xml src/dbus-execute.c src/dbus-execute.h src/execute.c src/load-fragment.c src/manager.c src/manager.h src/service.c src/special.h src/unit.c src/util.c TODO units/dbus.target units/graphical.target.m4 units/multi-user.target.m4 units/poweroff.target units/reboot.target units/rescue.service.m4 units/rescue.target units/suse units/syslog.target.in

Lennart Poettering lennart at kemper.freedesktop.org
Thu Mar 17 20:55:25 PDT 2011


 Makefile.am                |   12 ++++-----
 TODO                       |   17 ++++++++-----
 configure.ac               |   39 ------------------------------
 man/systemd.exec.xml       |   57 +++++++++++++++++++++++++++++++--------------
 man/systemd.service.xml    |    2 -
 man/systemd.special.xml.in |   54 ------------------------------------------
 man/systemd.unit.xml       |   50 ++++++++++++++++++++++++++-------------
 src/dbus-execute.c         |   18 ++++++++++++++
 src/dbus-execute.h         |    3 +-
 src/execute.c              |   15 +++++++++--
 src/load-fragment.c        |   21 +++++++++++++++-
 src/manager.c              |   47 +++++++++++++++++++++++++++++++++++++
 src/manager.h              |    2 +
 src/service.c              |    2 -
 src/special.h              |   48 +++++++++++++++++++++----------------
 src/unit.c                 |   14 +----------
 src/util.c                 |    2 -
 units/dbus.target          |   11 --------
 units/graphical.target.m4  |   14 -----------
 units/multi-user.target.m4 |   20 ---------------
 units/poweroff.target      |    1 
 units/reboot.target        |    1 
 units/rescue.service.m4    |    3 --
 units/rescue.target        |    1 
 units/suse/Makefile        |    1 
 units/syslog.target.in     |    6 ----
 26 files changed, 224 insertions(+), 237 deletions(-)

New commits:
commit 28cf382a0afd10d0e2a71d152f0df4909e90d159
Author: Lennart Poettering <lennart at poettering.net>
Date:   Fri Mar 18 04:49:53 2011 +0100

    man: document pidns containers

diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index ff199e4..d447c3a 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -618,6 +618,7 @@
                                 <varname>microsoft</varname>,
                                 <varname>oracle</varname>,
                                 <varname>xen</varname>,
+                                <varname>pidns</varname>,
                                 <varname>openvz</varname> to test
                                 against a specific implementation. The
                                 test may be negated by prepending an
diff --git a/src/util.c b/src/util.c
index c9c8892..1febd07 100644
--- a/src/util.c
+++ b/src/util.c
@@ -3991,7 +3991,7 @@ int detect_container(const char **id) {
                                 fclose(f);
 
                                 if (id)
-                                        *id = "ns";
+                                        *id = "pidns";
 
                                 return 1;
                         }

commit e2130f189a543c859b569985d8670132df40673e
Author: Lennart Poettering <lennart at poettering.net>
Date:   Fri Mar 18 04:49:38 2011 +0100

    units: deemphesize Names= settings, and explain why nobody whould use them

diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index 2ae986a..ff199e4 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -219,21 +219,6 @@
                 dependent on the type of unit:</para>
 
                 <variablelist>
-                        <varlistentry>
-                                <term><varname>Names=</varname></term>
-
-                                <listitem><para>Additional names for
-                                this unit. The names listed here must
-                                have the same suffix (i.e. type) as
-                                the unit file name. This option may be
-                                specified more than once, in which
-                                case all listed names are used. Note
-                                that this option is different from the
-                                <varname>Alias=</varname> option from
-                                the [Install] section mentioned
-                                below. See below for details.</para>
-                                </listitem>
-                        </varlistentry>
 
                         <varlistentry>
                                 <term><varname>Description=</varname></term>
@@ -660,6 +645,35 @@
                                 pipe symbol must be passed first, the
                                 exclamation second.</para></listitem>
                         </varlistentry>
+
+                        <varlistentry>
+                                <term><varname>Names=</varname></term>
+
+                                <listitem><para>Additional names for
+                                this unit. The names listed here must
+                                have the same suffix (i.e. type) as
+                                the unit file name. This option may be
+                                specified more than once, in which
+                                case all listed names are used. Note
+                                that this option is different from the
+                                <varname>Alias=</varname> option from
+                                the [Install] section mentioned
+                                below. See below for details. Note
+                                that in almost all cases this option
+                                is not what you want. A symlink alias
+                                in the file system is generally
+                                preferable since it can be used as
+                                lookup key. If a unit with a symlinked
+                                alias name is not loaded and needs to
+                                be it is easily found via the
+                                symlink. However, if a unit with an
+                                alias name configured with this
+                                setting is not loaded it will not be
+                                discovered. This settings' only use is
+                                in conjunction with service
+                                instances.</para>
+                                </listitem>
+                        </varlistentry>
                 </variablelist>
 
                 <para>Unit file may include a [Install] section, which

commit b1c66c44ef9e312805295395d728e47cdd08335c
Author: Lennart Poettering <lennart at poettering.net>
Date:   Fri Mar 18 04:41:47 2011 +0100

    units: on mandriva/fedora create single.service alias via symlink, not Names=

diff --git a/Makefile.am b/Makefile.am
index 93225aa..3120e78 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1411,8 +1411,9 @@ if TARGET_FEDORA
 		rm -f halt-local.service && \
 		$(LN_S) $(systemunitdir)/halt-local.service halt-local.service )
 	( cd $(DESTDIR)$(systemunitdir) && \
-		rm -f display-manager.service && \
-		$(LN_S) prefdm.service display-manager.service )
+		rm -f display-manager.service single.service && \
+		$(LN_S) prefdm.service display-manager.service && \
+                $(LN_S) rescue.service single.service )
 	( cd $(DESTDIR)$(systemunitdir)/graphical.target.wants && \
 		rm -f display-manager.service && \
 		$(LN_S) $(systemunitdir)/display-manager.service display-manager.service )
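Review bot: The added continuation line `$(LN_S) rescue.service single.service )` is indented with spaces, while every other line of this recipe uses tabs; the same applies to the identical line in the TARGET_MANDRIVA hunk that follows. It still works because the preceding line ends in a backslash, but the mixed whitespace is easy to break when the line is later moved or the continuation is dropped. Indent it with two tabs like the `$(LN_S) prefdm.service display-manager.service && \` line above it.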
@@ -1427,8 +1428,9 @@ if TARGET_MANDRIVA
 		rm -f halt-local.service && \
 		$(LN_S) $(systemunitdir)/halt-local.service halt-local.service )
 	( cd $(DESTDIR)$(systemunitdir) && \
-		rm -f display-manager.service && \
-		$(LN_S) prefdm.service display-manager.service )
+		rm -f display-manager.service single.service && \
+		$(LN_S) prefdm.service display-manager.service && \
+                $(LN_S) rescue.service single.service )
 	( cd $(DESTDIR)$(systemunitdir)/graphical.target.wants && \
 		rm -f display-manager.service && \
 		$(LN_S) $(systemunitdir)/display-manager.service display-manager.service )
diff --git a/units/rescue.service.m4 b/units/rescue.service.m4
index 8b42e9f..969ac47 100644
--- a/units/rescue.service.m4
+++ b/units/rescue.service.m4
@@ -13,9 +13,6 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 After=basic.target
 Before=shutdown.target
-m4_ifdef(`TARGET_MANDRIVA',
-`# Hide SysV script
-Names=single.service')
 
 [Service]
 Environment=HOME=/root

commit 97df13c0ac43addbf2317e438d80aa78e90c3f92
Author: Lennart Poettering <lennart at poettering.net>
Date:   Fri Mar 18 04:37:31 2011 +0100

    units: get rid of runlevel Names=, the symlinks in /lib/systemd/system are much more useful

diff --git a/units/graphical.target.m4 b/units/graphical.target.m4
index 1931d7f..f2e3034 100644
--- a/units/graphical.target.m4
+++ b/units/graphical.target.m4
@@ -12,20 +12,6 @@ Description=Graphical Interface
 Requires=multi-user.target
 After=multi-user.target
 Conflicts=rescue.target
-m4_dnl
-m4_ifdef(`TARGET_FEDORA',
-# On Fedora Runlevel 5 is graphical login
-Names=runlevel5.target
-)m4_dnl
-m4_ifdef(`TARGET_SUSE',
-Names=runlevel5.target
-)m4_dnl
-m4_ifdef(`TARGET_ALTLINUX',
-Names=runlevel5.target
-)m4_dnl
-m4_ifdef(`TARGET_MANDRIVA',
-Names=runlevel5.target
-)m4_dnl
 AllowIsolate=yes
 
 [Install]
diff --git a/units/multi-user.target.m4 b/units/multi-user.target.m4
index 51e7b66..66f1a95 100644
--- a/units/multi-user.target.m4
+++ b/units/multi-user.target.m4
@@ -12,26 +12,6 @@ Description=Multi-User
 Requires=basic.target
 Conflicts=rescue.service rescue.target
 After=basic.target rescue.service rescue.target
-m4_dnl
-m4_ifdef(`TARGET_FEDORA',
-m4_dnl On Fedora Runlevel 3 is multi-user
-Names=runlevel3.target
-)m4_dnl
-m4_ifdef(`TARGET_SUSE',
-Names=runlevel3.target
-)m4_dnl
-m4_ifdef(`TARGET_ALTLINUX',
-Names=runlevel3.target
-)m4_dnl
-m4_ifdef(`TARGET_DEBIAN',
-m4_ifdef(`TARGET_UBUNTU',
-m4_dnl On Debian/Ubuntu Runlevel 2, 3, 4 and 5 are multi-user
-Names=runlevel2.target runlevel3.target runlevel4.target runlevel5.target
-)m4_dnl
-)m4_dnl
-m4_ifdef(`TARGET_MANDRIVA',
-Names=runlevel3.target
-)m4_dnl
 AllowIsolate=yes
 
 [Install]
diff --git a/units/poweroff.target b/units/poweroff.target
index 975b088..d2ccf4b 100644
--- a/units/poweroff.target
+++ b/units/poweroff.target
@@ -10,7 +10,6 @@
 [Unit]
 Description=Power-Off
 DefaultDependencies=no
-Names=runlevel0.target
 Requires=poweroff.service
 After=poweroff.service
 AllowIsolate=yes
diff --git a/units/reboot.target b/units/reboot.target
index 2cd46a0..41e133c 100644
--- a/units/reboot.target
+++ b/units/reboot.target
@@ -10,7 +10,6 @@
 [Unit]
 Description=Reboot
 DefaultDependencies=no
-Names=runlevel6.target
 Requires=reboot.service
 After=reboot.service
 AllowIsolate=yes
diff --git a/units/rescue.target b/units/rescue.target
index ff3aef0..5bf3f8e 100644
--- a/units/rescue.target
+++ b/units/rescue.target
@@ -11,7 +11,6 @@
 Description=Rescue Mode
 Requires=basic.target rescue.service
 After=basic.target rescue.service
-Names=runlevel1.target
 AllowIsolate=yes
 
 [Install]

commit 997a624029822ebdabf834605831bf87ce0b3085
Author: Lennart Poettering <lennart at poettering.net>
Date:   Fri Mar 18 04:32:58 2011 +0100

    units: get rid of empty units/suse/ subdir

diff --git a/units/suse/Makefile b/units/suse/Makefile
deleted file mode 120000
index 50be211..0000000
--- a/units/suse/Makefile
+++ /dev/null
@@ -1 +0,0 @@
-../../src/Makefile
\ No newline at end of file

commit f1dd0c3f9b4a257e81ff9c6a08070c702a0db45a
Author: Lennart Poettering <lennart at poettering.net>
Date:   Fri Mar 18 04:31:22 2011 +0100

    syslog: rework syslog detection so that we need no compile-time option what the name of the syslog implementation is

diff --git a/Makefile.am b/Makefile.am
index a94d2a7..93225aa 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1102,7 +1102,6 @@ SED_PROCESS = \
 	$(SED)  -e 's, at rootlibexecdir\@,$(rootlibexecdir),g' \
                 -e 's, at rootbindir\@,$(rootbindir),g' \
                 -e 's, at bindir\@,$(bindir),g' \
-		-e 's, at SPECIAL_SYSLOG_SERVICE\@,$(SPECIAL_SYSLOG_SERVICE),g' \
 		-e 's, at SYSTEMCTL\@,$(rootbindir)/systemctl,g' \
 		-e 's, at SYSTEMD_NOTIFY\@,$(rootbindir)/systemd-notify,g' \
 		-e 's, at pkgsysconfdir\@,$(pkgsysconfdir),g' \
diff --git a/TODO b/TODO
index 620cdff..4191e55 100644
--- a/TODO
+++ b/TODO
@@ -29,6 +29,8 @@ F15:
 
 * pull in .service from meta .targers AND vice versa too. i.e. syslog.target ←→ rsyslog.service, rpcbind similarly
 
+* document default dependencies
+
 Features:
 
 * hide passwords on TAB
diff --git a/configure.ac b/configure.ac
index 8a28c8e..e6daf03 100644
--- a/configure.ac
+++ b/configure.ac
@@ -297,30 +297,15 @@ fi
 with_distro=`echo ${with_distro} | tr '[[:upper:]]' '[[:lower:]]' `
 AC_DEFINE_UNQUOTED(DISTRIBUTION, ["${with_distro}"], [Target Distribution])
 
-# Default generic names
-SPECIAL_SYSLOG_SERVICE=syslog.service
-
 # Location of the init scripts as mandated by LSB
 SYSTEM_SYSVINIT_PATH=/etc/init.d
+SYSTEM_SYSVRCND_PATH=/etc/rc.d
 
 M4_DISTRO_FLAG=
 
 case $with_distro in
         fedora)
                 SYSTEM_SYSVINIT_PATH=/etc/rc.d/init.d
-                SYSTEM_SYSVRCND_PATH=/etc/rc.d
-
-                # A little background why we define this special unit
-                # names here in configure.ac: SysV services currently
-                # cannot have aliases. As long as syslog is started
-                # via a SysV init script we hence define this name to
-                # the actual SysV name here. Later on when SysV init
-                # scripts are not used anymore it is advisable to use
-                # the generic name instead and use symlinks in the
-                # unit directories to point to the right native unit
-                # file.
-
-                SPECIAL_SYSLOG_SERVICE=rsyslog.service
                 AC_DEFINE(TARGET_FEDORA, [], [Target is Fedora/RHEL])
                 M4_DISTRO_FLAG=-DTARGET_FEDORA=1
 		have_plymouth=true
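Review bot: The new default `SYSTEM_SYSVRCND_PATH=/etc/rc.d` also reaches every case that used to leave the variable empty, most visibly `other)` in the following hunk. The later check `test "x${SYSTEM_SYSVINIT_PATH}" != "x" -a "x${SYSTEM_SYSVRCND_PATH}" != "x"` now sees both values set, so a `--with-distro=other` build presumably has SysV compatibility enabled against `/etc/rc.d` without asking for it. If that is not intended, keep the old behaviour with `SYSTEM_SYSVRCND_PATH=` inside `other)`. If it is intended, a comment on the default line such as `# Default rc?.d location, overridden per distro below` would make the change explicit. The `case` statement continues outside this hunk.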
@@ -333,61 +318,49 @@ case $with_distro in
                 ;;
         debian)
                 SYSTEM_SYSVRCND_PATH=/etc
-                SPECIAL_SYSLOG_SERVICE=rsyslog.service
                 AC_DEFINE(TARGET_DEBIAN, [], [Target is Debian])
                 M4_DISTRO_FLAG=-DTARGET_DEBIAN=1
                 ;;
         ubuntu)
                 SYSTEM_SYSVRCND_PATH=/etc
-                SPECIAL_SYSLOG_SERVICE=rsyslog.service
                 AC_DEFINE(TARGET_UBUNTU, [], [Target is Ubuntu])
                 M4_DISTRO_FLAG=-DTARGET_UBUNTU=1
                 ;;
         arch)
                 SYSTEM_SYSVINIT_PATH=/etc/rc.d
                 SYSTEM_SYSVRCND_PATH=/etc
-                SPECIAL_SYSLOG_SERVICE=syslog-ng.service
                 AC_DEFINE(TARGET_ARCH, [], [Target is ArchLinux])
                 M4_DISTRO_FLAG=-DTARGET_ARCH=1
                 ;;
         gentoo)
                 SYSTEM_SYSVINIT_PATH=
                 SYSTEM_SYSVRCND_PATH=
-                SPECIAL_SYSLOG_SERVICE=syslog-ng.service
                 AC_DEFINE(TARGET_GENTOO, [], [Target is Gentoo])
                 M4_DISTRO_FLAG=-DTARGET_GENTOO=1
                 ;;
         slackware)
                 SYSTEM_SYSVINIT_PATH=/etc/rc.d/init.d
-                SYSTEM_SYSVRCND_PATH=/etc/rc.d
                 AC_DEFINE(TARGET_SLACKWARE, [], [Target is Slackware])
                 M4_DISTRO_FLAG=-DTARGET_SLACKWARE=1
                 ;;
         frugalware)
                 SYSTEM_SYSVINIT_PATH=/etc/rc.d
-                SYSTEM_SYSVRCND_PATH=/etc/rc.d
                 AC_DEFINE(TARGET_FRUGALWARE, [], [Target is Frugalware])
                 M4_DISTRO_FLAG=-DTARGET_FRUGALWARE=1
                 ;;
         altlinux)
                 SYSTEM_SYSVINIT_PATH=/etc/rc.d/init.d
-                SYSTEM_SYSVRCND_PATH=/etc/rc.d
-                SPECIAL_SYSLOG_SERVICE=syslogd.service
                 AC_DEFINE(TARGET_ALTLINUX, [], [Target is ALTLinux])
                 M4_DISTRO_FLAG=-DTARGET_ALTLINUX=1
 		have_plymouth=true
                 ;;
         mandriva)
                 SYSTEM_SYSVINIT_PATH=/etc/rc.d/init.d
-                SYSTEM_SYSVRCND_PATH=/etc/rc.d
-                SPECIAL_SYSLOG_SERVICE=rsyslog.service
                 AC_DEFINE(TARGET_MANDRIVA, [], [Target is Mandriva])
                 M4_DISTRO_FLAG=-DTARGET_MANDRIVA=1
 		have_plymouth=true
                 ;;
         other)
-                AS_IF([test "x$with_syslog_service" = "x"],
-                        [AC_MSG_ERROR([With --distro=other, you must pass --with-syslog-service= to configure])])
                 ;;
         *)
                 AC_MSG_ERROR([Your distribution (${with_distro}) is not yet supported, SysV init scripts could not be found! (patches welcome); you can specify --with-distro=other to skip this check])
@@ -406,15 +379,8 @@ AC_ARG_WITH([sysvrcd-path],
         [SYSTEM_SYSVRCND_PATH="$withval"],
         [])
 
-AC_ARG_WITH([syslog-service],
-        [AS_HELP_STRING([--with-syslog-service=UNIT],
-                [Specify the name of the special syslog service @<:@default=based on distro@:>@])],
-        [SPECIAL_SYSLOG_SERVICE="$withval"],
-        [])
-
 AC_SUBST(SYSTEM_SYSVINIT_PATH)
 AC_SUBST(SYSTEM_SYSVRCND_PATH)
-AC_SUBST(SPECIAL_SYSLOG_SERVICE)
 AC_SUBST(M4_DISTRO_FLAG)
 
 if test "x${SYSTEM_SYSVINIT_PATH}" != "x" -a "x${SYSTEM_SYSVRCND_PATH}" != "x"; then
@@ -446,8 +412,6 @@ AM_CONDITIONAL(TARGET_MANDRIVA, test x"$with_distro" = xmandriva)
 
 AM_CONDITIONAL(HAVE_PLYMOUTH, test -n "$have_plymouth")
 
-AC_DEFINE_UNQUOTED(SPECIAL_SYSLOG_SERVICE, ["$SPECIAL_SYSLOG_SERVICE"], [Syslog service name])
-
 AC_ARG_WITH([dbuspolicydir],
         AS_HELP_STRING([--with-dbuspolicydir=DIR], [D-Bus policy directory]),
         [],
@@ -501,7 +465,6 @@ echo "
         SysV compatibility:      ${SYSTEM_SYSV_COMPAT}
         SysV init scripts:       ${SYSTEM_SYSVINIT_PATH}
         SysV rc?.d directories:  ${SYSTEM_SYSVRCND_PATH}
-        Syslog service:          ${SPECIAL_SYSLOG_SERVICE}
         Gtk:                     ${have_gtk}
         libcryptsetup:           ${have_libcryptsetup}
         tcpwrap:                 ${have_tcpwrap}
diff --git a/man/systemd.special.xml.in b/man/systemd.special.xml.in
index 1506f34..df62e9c 100644
--- a/man/systemd.special.xml.in
+++ b/man/systemd.special.xml.in
@@ -78,7 +78,6 @@
                 <filename>sockets.target</filename>,
                 <filename>swap.target</filename>,
                 <filename>sysinit.target</filename>,
-                <filename>@SPECIAL_SYSLOG_SERVICE@</filename>,
                 <filename>syslog.target</filename>,
                 <filename>systemd-initctl.service</filename>,
                 <filename>systemd-initctl.socket</filename>,
@@ -543,27 +542,6 @@
                                 </listitem>
                         </varlistentry>
                         <varlistentry>
-                                <term><filename>@SPECIAL_SYSLOG_SERVICE@</filename></term>
-                                <listitem>
-                                        <para>A special unit for the
-                                        syslog daemon. As soon as
-                                        this service is fully started
-                                        up systemd will connect to it
-                                        and use it for logging if it
-                                        has been configured for
-                                        that.</para>
-
-                                        <para>Units should generally
-                                        avoid depending on this unit
-                                        directly and instead refer to
-                                        the
-                                        <filename>syslog.target</filename>
-                                        unit instead, which pulls this
-                                        one in directly or indirectly
-                                        via socket-based activation.</para>
-                                </listitem>
-                        </varlistentry>
-                        <varlistentry>
                                 <term><filename>syslog.target</filename></term>
                                 <listitem>
                                         <para>systemd automatically
@@ -574,15 +552,6 @@
                                         referring to the
                                         <literal>$syslog</literal>
                                         facility.</para>
-
-                                        <para>Administrators should
-                                        ensure that this target pulls
-                                        in a service unit with the
-                                        name or alias of
-                                        <filename>@SPECIAL_SYSLOG_SERVICE@</filename>
-                                        (or a socket unit that
-                                        activates this
-                                        service).</para>
                                 </listitem>
                         </varlistentry>
                         <varlistentry>
diff --git a/src/manager.c b/src/manager.c
index 9edb8f0..a9aaee3 100644
--- a/src/manager.c
+++ b/src/manager.c
@@ -2451,6 +2451,12 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
         if (m->n_deserializing > 0)
                 return;
 
+        if (m->running_as != MANAGER_SYSTEM)
+                return;
+
+        if (u->meta.type != UNIT_SERVICE)
+                return;
+
         if (!(p = unit_name_to_prefix_and_instance(u->meta.id))) {
                 log_error("Failed to allocate unit name for audit message: %s", strerror(ENOMEM));
                 return;
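Review bot: The two early returns added to manager_send_unit_audit() silently drop audit records for non-system manager instances and for every unit that is not a service, and nothing in the function says why. Since this narrows what reaches the audit log, record the policy at the guards, for example `/* Audit records are only written by the system instance, and only for service units */`. The caller visible in the src/unit.c hunk already tests `u->meta.type == UNIT_SERVICE` before writing the record, so the second guard looks like a defensive duplicate; saying so in the comment would help. The function body starts before and continues after this hunk.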
@@ -2965,6 +2971,47 @@ int manager_set_default_controllers(Manager *m, char **controllers) {
         return 0;
 }
 
+void manager_recheck_syslog(Manager *m) {
+        Unit *u;
+
+        assert(m);
+
+        if (m->running_as != MANAGER_SYSTEM)
+                return;
+
+        if ((u = manager_get_unit(m, SPECIAL_SYSLOG_SOCKET))) {
+                SocketState state;
+
+                state = SOCKET(u)->state;
+
+                if (state != SOCKET_DEAD &&
+                    state != SOCKET_FAILED &&
+                    state != SOCKET_RUNNING) {
+
+                        /* Hmm, the socket is not set up, or is still
+                         * listening, let's better not try to use
+                         * it. Note that we have no problem if the
+                         * socket is completely down, since there
+                         * might be a foreign /dev/log socket around
+                         * and we want to make use of that.
+                         */
+
+                        log_close_syslog();
+                        return;
+                }
+        }
+
+        if ((u = manager_get_unit(m, SPECIAL_SYSLOG_TARGET)))
+                if (TARGET(u)->state != TARGET_ACTIVE) {
+                        log_close_syslog();
+                        return;
+                }
+
+        /* Hmm, OK, so the socket is either fully up, or fully down,
+         * and the target is up, then let's make use of the socket */
+        log_open();
+}
+
 static const char* const manager_running_as_table[_MANAGER_RUNNING_AS_MAX] = {
         [MANAGER_SYSTEM] = "system",
         [MANAGER_USER] = "user"
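Review bot: The closing comment in manager_recheck_syslog() says log_open() is reached when "the target is up", but the code also reaches it when manager_get_unit() returns NULL for SPECIAL_SYSLOG_TARGET, i.e. when no such unit is loaded. If opening the log in that case is intended, the comment should say so, e.g. `/* Socket fully up or fully down, and the target active or not loaded at all: use the socket */`; otherwise the NULL case needs its own log_close_syslog() path. The first block comment has a similar mismatch: it reads "not set up, or is still listening", while the condition selects every state other than dead, failed and running. The nested `if` on the target would also be safer with braces around the outer statement.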
diff --git a/src/manager.h b/src/manager.h
index efca4ff..c183e10 100644
--- a/src/manager.h
+++ b/src/manager.h
@@ -285,6 +285,8 @@ void manager_check_finished(Manager *m);
 void manager_run_generators(Manager *m);
 void manager_undo_generators(Manager *m);
 
+void manager_recheck_syslog(Manager *m);
+
 const char *manager_running_as_to_string(ManagerRunningAs i);
 ManagerRunningAs manager_running_as_from_string(const char *s);
 
diff --git a/src/special.h b/src/special.h
index ba2bc14..6a75e2c 100644
--- a/src/special.h
+++ b/src/special.h
@@ -24,21 +24,24 @@
 
 #define SPECIAL_DEFAULT_TARGET "default.target"
 
+/* Shutdown targets */
+#define SPECIAL_UMOUNT_TARGET "umount.target"
 /* This is not really intended to be started by directly. This is
  * mostly so that other targets (reboot/halt/poweroff) can depend on
  * it to bring all services down that want to be brought down on
  * system shutdown. */
 #define SPECIAL_SHUTDOWN_TARGET "shutdown.target"
-#define SPECIAL_UMOUNT_TARGET "umount.target"
 #define SPECIAL_HALT_TARGET "halt.target"
 #define SPECIAL_POWEROFF_TARGET "poweroff.target"
 #define SPECIAL_REBOOT_TARGET "reboot.target"
 #define SPECIAL_KEXEC_TARGET "kexec.target"
 #define SPECIAL_EXIT_TARGET "exit.target"
 
+/* Special boot targets */
 #define SPECIAL_RESCUE_TARGET "rescue.target"
 #define SPECIAL_EMERGENCY_TARGET "emergency.target"
 
+/* Early boot targets */
 #define SPECIAL_SYSINIT_TARGET "sysinit.target"
 #define SPECIAL_SOCKETS_TARGET "sockets.target"
 #define SPECIAL_LOCAL_FS_TARGET "local-fs.target"         /* LSB's $local_fs */
@@ -46,8 +49,8 @@
 #define SPECIAL_SWAP_TARGET "swap.target"
 #define SPECIAL_BASIC_TARGET "basic.target"
 
+/* LSB compatibility */
 #define SPECIAL_NETWORK_TARGET "network.target"           /* LSB's $network */
-
 #define SPECIAL_NSS_LOOKUP_TARGET "nss-lookup.target"     /* LSB's $named */
 #define SPECIAL_RPCBIND_TARGET "rpcbind.target"           /* LSB's $portmap */
 #define SPECIAL_SYSLOG_TARGET "syslog.target"             /* LSB's $syslog; Should pull in syslog.socket or syslog.service */
@@ -56,22 +59,22 @@
 #define SPECIAL_MAIL_TRANSFER_AGENT_TARGET "mail-transfer-agent.target" /* Debian's $mail-{transport|transfer-agent */
 #define SPECIAL_HTTP_DAEMON_TARGET "http-daemon.target"
 
+/* Magic early boot services */
 #define SPECIAL_FSCK_SERVICE "fsck at .service"
 #define SPECIAL_QUOTACHECK_SERVICE "quotacheck.service"
 #define SPECIAL_REMOUNT_ROOTFS_SERVICE "remount-rootfs.service"
 
+/* Services systemd relies on */
 #define SPECIAL_DBUS_SERVICE "dbus.service"
 #define SPECIAL_DBUS_SOCKET "dbus.socket"
 #define SPECIAL_LOGGER_SOCKET "systemd-logger.socket"
+#define SPECIAL_SYSLOG_SOCKET "syslog.socket"
 
+/* Magic init signals */
 #define SPECIAL_KBREQUEST_TARGET "kbrequest.target"
 #define SPECIAL_SIGPWR_TARGET "sigpwr.target"
 #define SPECIAL_CTRL_ALT_DEL_TARGET "ctrl-alt-del.target"
 
-#ifndef SPECIAL_SYSLOG_SERVICE
-#define SPECIAL_SYSLOG_SERVICE "syslog.service"
-#endif
-
 /* For SysV compatibility. Usually an alias for a saner target. On
  * SysV-free systems this doesn't exist. */
 #define SPECIAL_RUNLEVEL2_TARGET "runlevel2.target"
diff --git a/src/unit.c b/src/unit.c
index 10de40a..6f10f51 100644
--- a/src/unit.c
+++ b/src/unit.c
@@ -1224,12 +1224,6 @@ void unit_notify(Unit *u, UnitActiveState os, UnitActiveState ns, bool reload_su
                          * yet connected. */
                         bus_init(u->meta.manager, true);
 
-                if (unit_has_name(u, SPECIAL_SYSLOG_SERVICE))
-                        /* The syslog daemon just might have become
-                         * available, hence try to connect to it, if
-                         * we aren't yet connected. */
-                        log_open();
-
                 if (u->meta.type == UNIT_SERVICE &&
                     !UNIT_IS_ACTIVE_OR_RELOADING(os)) {
                         /* Write audit record if we have just finished starting up */
@@ -1242,12 +1236,6 @@ void unit_notify(Unit *u, UnitActiveState os, UnitActiveState ns, bool reload_su
 
         } else {
 
-                if (unit_has_name(u, SPECIAL_SYSLOG_SERVICE))
-                        /* The syslog daemon might just have
-                         * terminated, hence try to disconnect from
-                         * it. */
-                        log_close_syslog();
-
                 /* We don't care about D-Bus here, since we'll get an
                  * asynchronous notification for it anyway. */
 
@@ -1277,6 +1265,8 @@ void unit_notify(Unit *u, UnitActiveState os, UnitActiveState ns, bool reload_su
 
         unit_add_to_dbus_queue(u);
         unit_add_to_gc_queue(u);
+
+        manager_recheck_syslog(u->meta.manager);
 }
 
 int unit_watch_fd(Unit *u, int fd, uint32_t events, Watch *w) {
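Review bot: manager_recheck_syslog() is now called at the end of unit_notify() for every state change of every unit, where the removed code reacted only to the syslog service unit. Each call does two unit lookups and then log_open() or log_close_syslog(); whether those are cheap no-ops when nothing changed is not visible here. If the unconditional call is deliberate, a comment such as `/* Re-evaluate on every change: syslog use depends on both syslog.socket and syslog.target */` would record that. Otherwise gate it with `if (unit_has_name(u, SPECIAL_SYSLOG_SOCKET) || unit_has_name(u, SPECIAL_SYSLOG_TARGET))`. unit_notify() starts outside this hunk.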
diff --git a/units/syslog.target.in b/units/syslog.target.in
index 37d5de3..d5410cf 100644
--- a/units/syslog.target.in
+++ b/units/syslog.target.in
@@ -9,9 +9,3 @@
 
 [Unit]
 Description=Syslog
-
-# As soon as all syslog services have native unit files this explicit
-# dependency should be dropped, and replaced by alias symlinks in the
-# .wants/ directory, to either the .service or .socket unit of the
-# syslog service.
-After=@SPECIAL_SYSLOG_SERVICE@

commit 0732ec002ea941f32e8def518150d2b6423315e3
Author: Lennart Poettering <lennart at poettering.net>
Date:   Fri Mar 18 03:32:47 2011 +0100

    man: document .requires/ directories

diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index 54903fb..2ae986a 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -139,7 +139,10 @@
                 with the <command>enable</command> command of the
                 <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
                 tool which reads information from the [Install]
-                section of unit files. (See below.)</para>
+                section of unit files. (See below.) A similar
+                functionality exists for <varname>Requires=</varname>
+                type dependencies as well, the directory suffix is
+                <filename>.requires/</filename> in this case.</para>
 
                 <para>Note that while systemd offers a flexible
                 dependency system between units it is recommended to

commit 177b3ffedbfc1aea839324edeb1f35a1a754ef5b
Author: Lennart Poettering <lennart at poettering.net>
Date:   Fri Mar 18 03:32:33 2011 +0100

    special: get rid of dbus.target

diff --git a/Makefile.am b/Makefile.am
index 8d23430..a94d2a7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -229,7 +229,6 @@ dist_systemunit_DATA = \
 	units/sigpwr.target \
 	units/sockets.target \
 	units/swap.target \
-	units/dbus.target \
 	units/systemd-initctl.socket \
 	units/systemd-logger.socket \
 	units/systemd-shutdownd.socket \
diff --git a/man/systemd.service.xml b/man/systemd.service.xml
index 7200525..e444efe 100644
--- a/man/systemd.service.xml
+++ b/man/systemd.service.xml
@@ -180,7 +180,7 @@
                                 acquired. Service units with this
                                 option configured implicitly gain
                                 dependencies on the
-                                <filename>dbus.target</filename>
+                                <filename>dbus.socket</filename>
                                 unit.</para>
 
                                 <para>Behaviour of
diff --git a/man/systemd.special.xml.in b/man/systemd.special.xml.in
index afe882e..1506f34 100644
--- a/man/systemd.special.xml.in
+++ b/man/systemd.special.xml.in
@@ -51,7 +51,6 @@
                 <para><filename>basic.target</filename>,
                 <filename>ctrl-alt-del.target</filename>,
                 <filename>dbus.service</filename>,
-                <filename>dbus.target</filename>,
                 <filename>default.target</filename>,
                 <filename>display-manager.service</filename>,
                 <filename>emergency.target</filename>,
@@ -143,28 +142,6 @@
                                         up systemd will connect to it
                                         and register its
                                         service.</para>
-
-                                        <para>Units should generally
-                                        avoid depending on this unit
-                                        directly and instead refer to
-                                        the
-                                        <filename>dbus.target</filename>
-                                        unit instead, which pulls this
-                                        one in directly or indirectly
-                                        via socket-based activation.</para>
-                                </listitem>
-                        </varlistentry>
-                        <varlistentry>
-                                <term><filename>dbus.target</filename></term>
-                                <listitem>
-                                        <para>Administrators should
-                                        ensure that this target pulls
-                                        in a service unit with the
-                                        name or alias of
-                                        <filename>dbus.service</filename>
-                                        (or a socket unit that
-                                        activates this
-                                        service).</para>
                                 </listitem>
                         </varlistentry>
                         <varlistentry>
diff --git a/src/service.c b/src/service.c
index 0f28312..f0c72f2 100644
--- a/src/service.c
+++ b/src/service.c
@@ -1129,7 +1129,7 @@ static int service_load(Unit *u) {
                         s->notify_access = NOTIFY_MAIN;
 
                 if (s->type == SERVICE_DBUS || s->bus_name)
-                        if ((r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_REQUIRES, SPECIAL_DBUS_TARGET, NULL, true)) < 0)
+                        if ((r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_REQUIRES, SPECIAL_DBUS_SOCKET, NULL, true)) < 0)
                                 return r;
 
                 if (s->meta.default_dependencies)
diff --git a/src/special.h b/src/special.h
index 2f2d9e7..ba2bc14 100644
--- a/src/special.h
+++ b/src/special.h
@@ -30,17 +30,24 @@
  * system shutdown. */
 #define SPECIAL_SHUTDOWN_TARGET "shutdown.target"
 #define SPECIAL_UMOUNT_TARGET "umount.target"
+#define SPECIAL_HALT_TARGET "halt.target"
+#define SPECIAL_POWEROFF_TARGET "poweroff.target"
+#define SPECIAL_REBOOT_TARGET "reboot.target"
+#define SPECIAL_KEXEC_TARGET "kexec.target"
+#define SPECIAL_EXIT_TARGET "exit.target"
 
-#define SPECIAL_LOGGER_SOCKET "systemd-logger.socket"
-
-#define SPECIAL_KBREQUEST_TARGET "kbrequest.target"
-#define SPECIAL_SIGPWR_TARGET "sigpwr.target"
-#define SPECIAL_CTRL_ALT_DEL_TARGET "ctrl-alt-del.target"
+#define SPECIAL_RESCUE_TARGET "rescue.target"
+#define SPECIAL_EMERGENCY_TARGET "emergency.target"
 
+#define SPECIAL_SYSINIT_TARGET "sysinit.target"
+#define SPECIAL_SOCKETS_TARGET "sockets.target"
 #define SPECIAL_LOCAL_FS_TARGET "local-fs.target"         /* LSB's $local_fs */
 #define SPECIAL_REMOTE_FS_TARGET "remote-fs.target"       /* LSB's $remote_fs */
 #define SPECIAL_SWAP_TARGET "swap.target"
+#define SPECIAL_BASIC_TARGET "basic.target"
+
 #define SPECIAL_NETWORK_TARGET "network.target"           /* LSB's $network */
+
 #define SPECIAL_NSS_LOOKUP_TARGET "nss-lookup.target"     /* LSB's $named */
 #define SPECIAL_RPCBIND_TARGET "rpcbind.target"           /* LSB's $portmap */
 #define SPECIAL_SYSLOG_TARGET "syslog.target"             /* LSB's $syslog; Should pull in syslog.socket or syslog.service */
@@ -48,22 +55,18 @@
 #define SPECIAL_DISPLAY_MANAGER_SERVICE "display-manager.service"       /* Debian's $x-display-manager */
 #define SPECIAL_MAIL_TRANSFER_AGENT_TARGET "mail-transfer-agent.target" /* Debian's $mail-{transport|transfer-agent */
 #define SPECIAL_HTTP_DAEMON_TARGET "http-daemon.target"
-#define SPECIAL_DBUS_TARGET "dbus.target"
-#define SPECIAL_BASIC_TARGET "basic.target"
-#define SPECIAL_SOCKETS_TARGET "sockets.target"
-#define SPECIAL_SYSINIT_TARGET "sysinit.target"
+
 #define SPECIAL_FSCK_SERVICE "fsck at .service"
 #define SPECIAL_QUOTACHECK_SERVICE "quotacheck.service"
-#define SPECIAL_RESCUE_TARGET "rescue.target"
-#define SPECIAL_EXIT_TARGET "exit.target"
-#define SPECIAL_EMERGENCY_TARGET "emergency.target"
-#define SPECIAL_HALT_TARGET "halt.target"
-#define SPECIAL_POWEROFF_TARGET "poweroff.target"
-#define SPECIAL_REBOOT_TARGET "reboot.target"
-#define SPECIAL_KEXEC_TARGET "kexec.target"
+#define SPECIAL_REMOUNT_ROOTFS_SERVICE "remount-rootfs.service"
+
 #define SPECIAL_DBUS_SERVICE "dbus.service"
 #define SPECIAL_DBUS_SOCKET "dbus.socket"
-#define SPECIAL_REMOUNT_ROOTFS_SERVICE "remount-rootfs.service"
+#define SPECIAL_LOGGER_SOCKET "systemd-logger.socket"
+
+#define SPECIAL_KBREQUEST_TARGET "kbrequest.target"
+#define SPECIAL_SIGPWR_TARGET "sigpwr.target"
+#define SPECIAL_CTRL_ALT_DEL_TARGET "ctrl-alt-del.target"
 
 #ifndef SPECIAL_SYSLOG_SERVICE
 #define SPECIAL_SYSLOG_SERVICE "syslog.service"
diff --git a/units/dbus.target b/units/dbus.target
deleted file mode 100644
index 6389768..0000000
--- a/units/dbus.target
+++ /dev/null
@@ -1,11 +0,0 @@
-#  This file is part of systemd.
-#
-#  systemd is free software; you can redistribute it and/or modify it
-#  under the terms of the GNU General Public License as published by
-#  the Free Software Foundation; either version 2 of the License, or
-#  (at your option) any later version.
-
-# See systemd.special(7) for details
-
-[Unit]
-Description=D-Bus

commit 260abb780a135e4cae8c10715c7e85675efc345a
Author: Lennart Poettering <lennart at poettering.net>
Date:   Fri Mar 18 03:13:15 2011 +0100

    exec: properly apply capability bounding set, add inverted bounding sets

diff --git a/TODO b/TODO
index d2614b7..620cdff 100644
--- a/TODO
+++ b/TODO
@@ -23,23 +23,26 @@ F15:
 * 0595f9a1c182a84581749823ef47c5f292e545f9 is borked, freezes shutdown
     (path: after installing inotify watches, recheck file again to fix race)
 
-* capability_bounding_set_drop not used
-
-* rework syslog.service being up logic in PID 1
-
 * rsyslog.service should hook itself into syslog.target?
 
 * syslog.target should be pulled in by multi-user.target?
 
 * pull in .service from meta .targers AND vice versa too. i.e. syslog.target ←→ rsyslog.service, rpcbind similarly
 
-* drop Names= option? Symlinks only should be used. We don't want to need to read all service files.
-
 Features:
+
+* hide passwords on TAB
+
+* add switch to systemctl to show enabled but not running services. Or
+  another switch that shows service that have been running since
+  booting but aren't running anymore.
+
+* reuse mkdtemp namespace dirs in /tmp?
+
 * don't strip facility from kmsg log messages as soon as that is possible.
     http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9d90c8d9cde929cbc575098e825d7c29d9f45054
 
-* recreate systemd'd D-Bus private socket file on SIGUSR2
+* recreate systemd's D-Bus private socket file on SIGUSR2
 
 * be more specific what failed:
     Unmounting file systems.
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index f96d181..fb8496f 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -597,16 +597,34 @@
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>Capabilities=</varname></term>
-                                <listitem><para>Controls the
+                                <term><varname>CapabilityBoundingSet=</varname></term>
+
+                                <listitem><para>Controls which
+                                capabilities to include in the
+                                capability bounding set for the
+                                executed process. See
                                 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
-                                set for the executed process. Take a
-                                capability string as described in
-                                <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
-                                Note that this capability set is
-                                usually influenced by the capabilities
-                                attached to the executed
-                                file.</para></listitem>
+                                for details. Takes a whitespace
+                                seperated list of capability names as
+                                read by
+                                <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+                                Capabilities listed will be included
+                                in the bounding set, all others are
+                                removed. If the list of capabilities
+                                is prefixed with ~ all but the listed
+                                capabilities will be included, the
+                                effect of this assignment
+                                inverted. Note that this option does
+                                not actually set or unset any
+                                capabilities in the effective,
+                                permitted or inherited capability
+                                sets. That's what
+                                <varname>Capabilities=</varname> is
+                                for. If this option is not used the
+                                capability bounding set is not
+                                modified on process execution, hence
+                                no limits on the capabilities of the
+                                process are enforced.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
@@ -625,16 +643,21 @@
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>CapabilityBoundingSetDrop=</varname></term>
-
+                                <term><varname>Capabilities=</varname></term>
                                 <listitem><para>Controls the
-                                capability bounding set drop set for
-                                the executed process. See
                                 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
-                                for details. Takes a list of
-                                capability names as read by
-                                <citerefentry><refentrytitle>cap_from_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
-                                </para></listitem>
+                                set for the executed process. Take a
+                                capability string describing the
+                                effective, permitted and inherited
+                                capability sets as documented in
+                                <citerefentry><refentrytitle>cap_from_text</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+                                Note that these capability sets are
+                                usually influenced by the capabilities
+                                attached to the executed file. Due to
+                                that
+                                <varname>CapabilityBoundingSet=</varname>
+                                is probably the much more useful
+                                setting.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
diff --git a/src/dbus-execute.c b/src/dbus-execute.c
index 504651f..35e6d37 100644
--- a/src/dbus-execute.c
+++ b/src/dbus-execute.c
@@ -234,6 +234,24 @@ int bus_execute_append_timer_slack_nsec(Manager *m, DBusMessageIter *i, const ch
         return 0;
 }
 
+int bus_execute_append_capability_bs(Manager *m, DBusMessageIter *i, const char *property, void *data) {
+        ExecContext *c = data;
+        uint64_t normal, inverted;
+
+        assert(m);
+        assert(i);
+        assert(property);
+        assert(c);
+
+        /* We store this negated internally, to match the kernel, bu
+         * we expose it normalized. */
+
+        normal = *(uint64_t*) data;
+        inverted = ~normal;
+
+        return bus_property_append_uint64(m, i, property, &inverted);
+}
+
 int bus_execute_append_capabilities(Manager *m, DBusMessageIter *i, const char *property, void *data) {
         ExecContext *c = data;
         char *t = NULL;
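Review bot: In `bus_execute_append_capability_bs` the local `ExecContext *c = data;` has the wrong type: the property table in src/dbus-execute.h passes `&(context).capability_bounding_set_drop`, so `data` points at a `uint64_t`, which is how the function goes on to read it. Today `c` is only used in `assert(c)`, but a later `c->...` access would read beyond that field. The local names are also swapped relative to the comment, since `normal` holds the stored drop mask and `inverted` holds the normalized value that is exposed. I would write `uint64_t *drop = data;`, `assert(drop);` and `uint64_t keep = ~*drop;`, and fix the "bu" typo in the comment while there.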
diff --git a/src/dbus-execute.h b/src/dbus-execute.h
index 082456a..8bfaaaf 100644
--- a/src/dbus-execute.h
+++ b/src/dbus-execute.h
@@ -131,7 +131,7 @@
         { interface, "SyslogLevelPrefix",             bus_property_append_bool,   "b",     &(context).syslog_level_prefix          }, \
         { interface, "Capabilities",                  bus_execute_append_capabilities, "s",&(context)                              }, \
         { interface, "SecureBits",                    bus_property_append_int,    "i",     &(context).secure_bits                  }, \
-        { interface, "CapabilityBoundingSetDrop",     bus_property_append_uint64, "t",     &(context).capability_bounding_set_drop }, \
+        { interface, "CapabilityBoundingSet",         bus_execute_append_capability_bs, "t", &(context).capability_bounding_set_drop }, \
         { interface, "User",                          bus_property_append_string, "s",     (context).user                          }, \
         { interface, "Group",                         bus_property_append_string, "s",     (context).group                         }, \
         { interface, "SupplementaryGroups",           bus_property_append_strv,   "as",    (context).supplementary_groups          }, \
@@ -167,6 +167,7 @@ int bus_execute_append_cpu_sched_priority(Manager *m, DBusMessageIter *i, const
 int bus_execute_append_affinity(Manager *m, DBusMessageIter *i, const char *property, void *data);
 int bus_execute_append_timer_slack_nsec(Manager *m, DBusMessageIter *i, const char *property, void *data);
 int bus_execute_append_capabilities(Manager *m, DBusMessageIter *i, const char *property, void *data);
+int bus_execute_append_capability_bs(Manager *m, DBusMessageIter *i, const char *property, void *data);
 int bus_execute_append_rlimits(Manager *m, DBusMessageIter *i, const char *property, void *data);
 int bus_execute_append_command(Manager *m, DBusMessageIter *u, const char *property, void *data);
 int bus_execute_append_kill_mode(Manager *m, DBusMessageIter *i, const char *property, void *data);
diff --git a/src/execute.c b/src/execute.c
index c1edf61..a467411 100644
--- a/src/execute.c
+++ b/src/execute.c
@@ -1249,6 +1249,15 @@ int exec_spawn(ExecCommand *command,
                                 }
                         }
 
+                        if (context->capability_bounding_set_drop)
+                                for (i = 0; i <= CAP_LAST_CAP; i++)
+                                        if (context->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i)) {
+                                                if (prctl(PR_CAPBSET_DROP, i) < 0) {
+                                                        r = EXIT_CAPABILITIES;
+                                                        goto fail_child;
+                                                }
+                                        }
+
                         if (context->user)
                                 if (enforce_user(context, uid) < 0) {
                                         r = EXIT_USER;
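Review bot: The new drop loop is bounded by the compile-time `CAP_LAST_CAP`, so with the allow-list form of `CapabilityBoundingSet=` any capability the running kernel defines above that header value stays in the bounding set. In the other direction, on a kernel older than the build headers `prctl(PR_CAPBSET_DROP, i)` should return EINVAL for the numbers it does not know, and the spawn then aborts with `EXIT_CAPABILITIES`. I would tolerate that one case with `if (prctl(PR_CAPBSET_DROP, i) < 0 && errno != EINVAL) {`, since a capability the kernel does not know cannot be held. I would also state the limit in a comment, `/* Only capabilities 0..CAP_LAST_CAP known at build time are dropped here */`. The nested `if`/`for`/`if` would read more safely with braces on the outer levels; exec_spawn's body starts and ends outside this hunk, so the declaration of `i` is not visible.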
@@ -1664,15 +1673,15 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                         (c->secure_bits & SECURE_NOROOT_LOCKED) ? "noroot-locked" : "");
 
         if (c->capability_bounding_set_drop) {
-                fprintf(f, "%sCapabilityBoundingSetDrop:", prefix);
+                fprintf(f, "%sCapabilityBoundingSet:", prefix);
 
                 for (i = 0; i <= CAP_LAST_CAP; i++)
-                        if (c->capability_bounding_set_drop & (1 << i)) {
+                        if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i))) {
                                 char *t;
 
                                 if ((t = cap_to_name(i))) {
                                         fprintf(f, " %s", t);
-                                        free(t);
+                                        cap_free(t);
                                 }
                         }
 
diff --git a/src/load-fragment.c b/src/load-fragment.c
index 334bc71..ac22b94 100644
--- a/src/load-fragment.c
+++ b/src/load-fragment.c
@@ -852,12 +852,24 @@ static int config_parse_bounding_set(
         char *w;
         size_t l;
         char *state;
+        bool invert = false;
+        uint64_t sum = 0;
 
         assert(filename);
         assert(lvalue);
         assert(rvalue);
         assert(data);
 
+        if (rvalue[0] == '~') {
+                invert = true;
+                rvalue++;
+        }
+
+        /* Note that we store this inverted internally, since the
+         * kernel wants it like this. But we actually expose it
+         * non-inverted everywhere to have a fully normalized
+         * interface. */
+
         FOREACH_WORD_QUOTED(w, l, rvalue, state) {
                 char *t;
                 int r;
@@ -874,9 +886,14 @@ static int config_parse_bounding_set(
                         return 0;
                 }
 
-                c->capability_bounding_set_drop |= 1 << cap;
+                sum |= ((uint64_t) 1ULL) << (uint64_t) cap;
         }
 
+        if (invert)
+                c->capability_bounding_set_drop |= sum;
+        else
+                c->capability_bounding_set_drop |= ~sum;
+
         return 0;
 }
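Review bot: Because the bits are now collected in `sum` and applied only after the loop, the `return 0;` inside the loop discards the whole assignment. Its condition sits above this hunk and is presumably the unknown-capability-name branch. If so, one misspelled name leaves `capability_bounding_set_drop` untouched and the unit starts with an unrestricted bounding set. For a hardening option I would either fail the load there (for example `return -EINVAL;`, if callers of config_parse_bounding_set accept that) or say explicitly in a comment that a bad name disables the entire line. Both branches use `|=`, so repeated `CapabilityBoundingSet=` lines can only remove more capabilities, and an empty value removes all of them; a comment such as `/* Assignments accumulate: each line can only drop further capabilities, never restore one */` would make that intent clear.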
 
@@ -1772,7 +1789,7 @@ static int load_from_path(Unit *u, const char *path) {
                 { "SyslogLevelPrefix",      config_parse_bool,            &(context).syslog_level_prefix,                  section   }, \
                 { "Capabilities",           config_parse_capabilities,    &(context),                                      section   }, \
                 { "SecureBits",             config_parse_secure_bits,     &(context),                                      section   }, \
-                { "CapabilityBoundingSetDrop", config_parse_bounding_set, &(context),                                      section   }, \
+                { "CapabilityBoundingSet",  config_parse_bounding_set,    &(context),                                      section   }, \
                 { "TimerSlackNSec",         config_parse_timer_slack_nsec,&(context),                                      section   }, \
                 { "LimitCPU",               config_parse_limit,           &(context).rlimit[RLIMIT_CPU],                   section   }, \
                 { "LimitFSIZE",             config_parse_limit,           &(context).rlimit[RLIMIT_FSIZE],                 section   }, \


