RootDirectory= and other options already implicitly enable PrivateUsers=
since commit
6ef721cbc7dadee4ae878ecf0076d87e57233908 if they are set in user
units, so that they work out of the box.
Now that mountfsd support exists we can do the same for the image settings,
so enable them and document them.
--- /dev/null
+<?xml version="1.0"?>
+<!DOCTYPE refsect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+
+<!--
+ SPDX-License-Identifier: LGPL-2.1-or-later
+-->
+
+<refsect1>
+ <title/>
+
+ <para id="singular">When enabled for services running in per-user instances of the service manager
+ this option implicitly enables <varname>PrivateUsers=</varname> (requires unprivileged user namespaces
+ support to be enabled in the kernel via the <literal>kernel.unprivileged_userns_clone=</literal> sysctl)
+ and also relies on
+ <citerefentry><refentrytitle>systemd-mountfsd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+
+ <para id="plural">When enabled for services running in per-user instances of the service manager
+ these options implicitly enable <varname>PrivateUsers=</varname> (requires unprivileged user namespaces
+ support to be enabled in the kernel via the <literal>kernel.unprivileged_userns_clone=</literal> sysctl)
+ and also rely on
+ <citerefentry><refentrytitle>systemd-mountfsd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+
+</refsect1>
<xi:include href="vpick.xml" xpointer="image"/>
- <xi:include href="system-only.xml" xpointer="singular"/>
+ <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/>
<xi:include href="version-info.xml" xpointer="v233"/></listitem>
</varlistentry>
<constant>esp</constant>, <constant>xbootldr</constant>, <constant>tmp</constant>,
<constant>var</constant>.</para>
- <xi:include href="system-only.xml" xpointer="singular"/>
+ <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/>
<xi:include href="version-info.xml" xpointer="v247"/></listitem>
</varlistentry>
<varname>PrivateDevices=</varname> below, as it may change the setting of
<varname>DevicePolicy=</varname>.</para>
- <xi:include href="system-only.xml" xpointer="singular"/>
+ <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/>
<xi:include href="version-info.xml" xpointer="v247"/></listitem>
</varlistentry>
<xi:include href="vpick.xml" xpointer="image"/>
- <xi:include href="system-only.xml" xpointer="singular"/>
+ <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
context->n_temporary_filesystems > 0 ||
context->root_directory ||
!strv_isempty(context->extension_directories) ||
+ context->root_image ||
+ context->n_mount_images > 0 ||
+ context->n_extension_images > 0 ||
context->protect_system != PROTECT_SYSTEM_NO ||
context->protect_home != PROTECT_HOME_NO ||
exec_needs_pid_namespace(context, params) ||
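Review bot: The three added terms (`context->root_image`, `context->n_mount_images > 0`, `context->n_extension_images > 0`) have no comment saying why image settings are treated differently from the neighbouring ones. According to the commit message and the new man page snippet, they only work in user units through systemd-mountfsd, so a short comment above them would help, e.g. `/* Image settings in user units are set up via systemd-mountfsd, which requires a user namespace */`. Nothing in the visible lines checks that mountfsd is reachable, so a user unit on a host without it presumably fails later during mount setup instead of being rejected here; it is worth confirming that the resulting error names the missing service. The enclosing boolean expression starts and ends outside the hunk.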
# If the kernel support is present unprivileged user units should be able to use verity images too
if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
systemd-run -M testuser@ --user --pipe --wait \
- --property PrivateUsers=yes \
--property RootImage="$MINIMAL_IMAGE.gpt" \
test -e "/dev/mapper/${MINIMAL_IMAGE_ROOTHASH}-verity"
fi
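Review bot: Dropping `--property PrivateUsers=yes` exercises the implicit path for `RootImage=` only. The same commit also adds `n_mount_images` and `n_extension_images` to the condition, and this hunk has no user-unit case for `MountImages=` or `ExtensionImages=`. An analogous `systemd-run -M testuser@ --user` invocation that sets one of those properties would keep all three additions under test. The assertion is also limited to the dm-verity device node existing; checking inside the unit that a user namespace was really established (for example by comparing `/proc/self/uid_map` with the host's) would pin the behaviour the commit message describes.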