From 68b476a29838c73c17af7eac7866704bba3da3f0 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Wed, 15 Oct 2025 20:05:03 +0100 Subject: [PATCH] core: also enable PrivateUsers= for user services when using images via mountfsd RootDirectory= and other options already implicitly enable PrivateUsers= since 6ef721cbc7dadee4ae878ecf0076d87e57233908 if they are set in user units, so that they can work out of the box. Now with mountfsd support we can do the same for the images settings, so enable them and document them. --- man/system-or-user-ns-mountfsd.xml | 23 +++++++++++++++++++++++ man/systemd.exec.xml | 8 ++++---- src/core/exec-invoke.c | 3 +++ test/units/TEST-50-DISSECT.mountfsd.sh | 1 - 4 files changed, 30 insertions(+), 5 deletions(-) create mode 100644 man/system-or-user-ns-mountfsd.xml diff --git a/man/system-or-user-ns-mountfsd.xml b/man/system-or-user-ns-mountfsd.xml new file mode 100644 index 00000000000..192090f3962 --- /dev/null +++ b/man/system-or-user-ns-mountfsd.xml @@ -0,0 +1,23 @@ + + + + + + + + + <para id="singular">When enabled for services running in per-user instances of the service manager + this option implicitly enables <varname>PrivateUsers=</varname> (requires unprivileged user namespaces + support to be enabled in the kernel via the <literal>kernel.unprivileged_userns_clone=</literal> sysctl) + and also relies on + <citerefentry><refentrytitle>systemd-mountfsd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> + + <para id="plural">When enabled for services running in per-user instances of the service manager + these options implicitly enable <varname>PrivateUsers=</varname> (requires unprivileged user namespaces + support to be enabled in the kernel via the <literal>kernel.unprivileged_userns_clone=</literal> sysctl) + and also rely on + <citerefentry><refentrytitle>systemd-mountfsd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> + +</refsect1> 
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index c0c147045e2..6ffe3b99891 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -201,7 +201,7 @@ <xi:include href="vpick.xml" xpointer="image"/> - <xi:include href="system-only.xml" xpointer="singular"/> + <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/> <xi:include href="version-info.xml" xpointer="v233"/></listitem> </varlistentry> @@ -225,7 +225,7 @@ <constant>esp</constant>, <constant>xbootldr</constant>, <constant>tmp</constant>, <constant>var</constant>.</para> - <xi:include href="system-only.xml" xpointer="singular"/> + <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/> <xi:include href="version-info.xml" xpointer="v247"/></listitem> </varlistentry> @@ -523,7 +523,7 @@ <varname>PrivateDevices=</varname> below, as it may change the setting of <varname>DevicePolicy=</varname>.</para> - <xi:include href="system-only.xml" xpointer="singular"/> + <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/> <xi:include href="version-info.xml" xpointer="v247"/></listitem> </varlistentry> @@ -590,7 +590,7 @@ <xi:include href="vpick.xml" xpointer="image"/> - <xi:include href="system-only.xml" xpointer="singular"/> + <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/> <xi:include href="version-info.xml" xpointer="v248"/></listitem> </varlistentry> diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c index e02d2ddee69..93b5080ff68 100644 --- a/src/core/exec-invoke.c +++ b/src/core/exec-invoke.c 
@@ -4486,6 +4486,9 @@ static bool exec_needs_cap_sys_admin(const ExecContext *context, const ExecParam
                 context->n_temporary_filesystems > 0 ||
                 context->root_directory ||
                 !strv_isempty(context->extension_directories) ||
+                context->root_image ||
+                context->n_mount_images > 0 ||
+                context->n_extension_images > 0 ||
                 context->protect_system != PROTECT_SYSTEM_NO ||
                 context->protect_home != PROTECT_HOME_NO ||
                 exec_needs_pid_namespace(context, params) ||
diff --git a/test/units/TEST-50-DISSECT.mountfsd.sh b/test/units/TEST-50-DISSECT.mountfsd.sh
index 52fa94ecc5b..b6ff5012bf0 100755
--- a/test/units/TEST-50-DISSECT.mountfsd.sh
+++ b/test/units/TEST-50-DISSECT.mountfsd.sh
@@ -70,7 +70,6 @@ systemd-dissect --image-policy='root=verity+signed:=absent+unused' --mtree /var/
 # If the kernel support is present unprivileged user units should be able to use verity images too
 if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
     systemd-run -M testuser@ --user --pipe --wait \
-        --property PrivateUsers=yes \
         --property RootImage="$MINIMAL_IMAGE.gpt" \
         test -e "/dev/mapper/${MINIMAL_IMAGE_ROOTHASH}-verity"
 fi
-- 
2.47.3
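Review bot: The three new conditions in exec_needs_cap_sys_admin() carry no comment, and the predicate's name suggests only a privilege check, while per the commit message it is also what now makes user managers implicitly enable PrivateUsers= for RootImage=, MountImages= and ExtensionImages=; a reader would otherwise assume an unprivileged manager cannot mount images at all. I would put a short comment above the added lines, e.g. `/* Image mounts are delegated to systemd-mountfsd and hence usable in user managers too, but like RootDirectory= they still require the (implicit) user namespace. */`. The accompanying test only drops `--property PrivateUsers=yes` from a RootImage= case, so the implicit enablement for MountImages= and ExtensionImages= in a user unit appears to be untested by this patch. Note that exec_needs_cap_sys_admin() begins before and continues after this hunk, so the callers that turn this result into the implicit PrivateUsers= are not visible here.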