From bcf982223cc5d051818dc88866a42f6a08f39a4a Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Sun, 4 Aug 2024 14:07:13 +0900
Subject: [PATCH 1/2] systemctl: refuse --capsule=foo with --system

Fixes the following assertion:
===
systemctl --capsule=hoge --system reboot
Assertion 'runtime_scope == RUNTIME_SCOPE_USER' failed at src/shared/bus-util.c:479, function bus_connect_transport(). Aborting.
Aborted (core dumped)
===

Follow-up for 56cb74c3cd1358d7d0b3f613feaf2eeab601a6bd.
---
 src/systemctl/systemctl.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
index 5bb6ccacf7..1e36455cf2 100644
--- a/src/systemctl/systemctl.c
+++ b/src/systemctl/systemctl.c
@@ -1075,6 +1075,10 @@ static int systemctl_parse_argv(int argc, char *argv[]) {
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                        "Cannot access user instance remotely.");
 
+        if (arg_transport == BUS_TRANSPORT_CAPSULE && arg_runtime_scope != RUNTIME_SCOPE_USER)
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                       "Cannot access system instance with --capsule=/-C.");
+
         if (arg_wait && arg_no_block)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                        "--wait may not be combined with --no-block.");

From 1056457d1132e78cbf914e8abfa661465b952412 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Sun, 4 Aug 2024 14:09:53 +0900
Subject: [PATCH 2/2] systemctl: gracefully adjust bus transport and runtime
 scope when --boot-loader-entry=help

This fixes the following assertion:
===
SYSTEMD_LOG_LEVEL=debug systemctl --user -H foo --boot-loader-entry=help
Assertion 'transport != BUS_TRANSPORT_REMOTE || runtime_scope == RUNTIME_SCOPE_SYSTEM' failed at src/shared/bus-util.c:284, function bus_connect_transport(). Ignoring.
Failed to connect to bus: Operation not supported
===

Fixes a bug introduced by 97af80c5a7029c3f92e982dcf9338b9e67ad9cde.
Fixes #33661.
Fixes oss-fuzz#70153.
---
 src/systemctl/systemctl-logind.c                   |   8 ++++++++
 test/fuzz/fuzz-systemctl-parse-argv/oss-fuzz-70153 | Bin 0 -> 67 bytes
 2 files changed, 8 insertions(+)
 create mode 100644 test/fuzz/fuzz-systemctl-parse-argv/oss-fuzz-70153

diff --git a/src/systemctl/systemctl-logind.c b/src/systemctl/systemctl-logind.c
index a727606eea..e4ef7cf915 100644
--- a/src/systemctl/systemctl-logind.c
+++ b/src/systemctl/systemctl-logind.c
@@ -432,6 +432,14 @@ int help_boot_loader_entry(void) {
         sd_bus *bus;
         int r;
 
+        /* This is called without checking runtime scope and bus transport like we do in parse_argv().
+         * Loading boot entries is only supported by system scope. Let's gracefully adjust them. */
+        arg_runtime_scope = RUNTIME_SCOPE_SYSTEM;
+        if (arg_transport == BUS_TRANSPORT_CAPSULE) {
+                arg_host = NULL;
+                arg_transport = BUS_TRANSPORT_LOCAL;
+        }
+
         r = acquire_bus(BUS_FULL, &bus);
         if (r < 0)
                 return r;
diff --git a/test/fuzz/fuzz-systemctl-parse-argv/oss-fuzz-70153 b/test/fuzz/fuzz-systemctl-parse-argv/oss-fuzz-70153
new file mode 100644
index 0000000000000000000000000000000000000000..cb874fa6c1f0c32c821b7fb08be0a5b974f58b85
GIT binary patch
literal 67
zcmZS3)h%TxD$UDDP0i8ujZR1aA`r+g&tuT_D9wZLKxA#LqXUDkZc=`JiEd7QVoGX}
LZYo1YYEA(F_s<r~

literal 0
HcmV?d00001