core: dlopen() libcryptsetup in extensions refreshing

Follow-up for a08f2ea02dc4fcbd7f2f73a5a24e0af32b34fe55

This fixes extensions refreshing + verity-protected DDIs.
TEST-50-DISSECT previously passed because confext refreshing
is tested after live mount, the latter of which used to
load libcryptsetup in pid1.

diff --git a/src/core/namespace.c b/src/core/namespace.c
index a772eea7d8a9ac151252b0259c86c876461961b3..19bf2903363505023df684af758c5661b51c6e1f 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -13,6 +13,7 @@
 #include "base-filesystem.h"
 #include "bitfield.h"
 #include "chase.h"
+#include "cryptsetup-util.h"
 #include "dev-setup.h"
 #include "devnum-util.h"
 #include "dissect-image.h"
@@ -3852,6 +3853,8 @@ int refresh_extensions_in_namespace(
         if (r > 0)
                 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Target namespace is not separate, cannot reload extensions");
 
+        (void) dlopen_cryptsetup();
+
         extension_dir = path_join(p->private_namespace_dir, "unit-extensions");
         if (!extension_dir)
                 return log_oom_debug();

diff --git a/src/core/service.c b/src/core/service.c
index 36df9c17ed07bdc6ec4a276d6a6fa3b3b6bf44d0..dcc4a992ccf4ace78d618d4ecd270132f6d4a3f4 100644 (file)
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -2881,7 +2881,9 @@ static void service_enter_refresh_extensions(Service *s) {
 
         /* Given we are running from PID1, avoid doing potentially heavy I/O operations like opening images
          * directly, and instead fork a worker process. */
-        r = unit_fork_helper_process(UNIT(s), "(sd-refresh-extensions)", /* into_cgroup= */ false, &worker);
+        r = unit_fork_helper_process_full(UNIT(s), "(sd-refresh-extensions)", /* into_cgroup= */ false,
+                                          FORK_ALLOW_DLOPEN, /* permit dlopen() to avoid load of libcryptsetup in pid1 */
+                                          &worker);
         if (r < 0) {
                 log_unit_error_errno(UNIT(s), r, "Failed to fork process to refresh extensions in unit's namespace: %m");
                 goto fail;