From: Luca Boccassi
Date: Thu, 12 Feb 2026 21:59:29 +0000 (+0000)
Subject: portable: do not apply extension image policy if not attaching image
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03f6a8b9d9ff863e8e35176aee47a1ff538c76d6;p=thirdparty%2Fsystemd.git

portable: do not apply extension image policy if not attaching image

Image policy is only for images, so skip for other types
Follow-up for d05961549277f15399a45cdf42d4d5f3e5ed8097
---
diff --git a/src/portable/portable.c b/src/portable/portable.c
index 5341fb60b67..403a05005ce 100644
--- a/src/portable/portable.c
+++ b/src/portable/portable.c
@@ -1475,7 +1475,7 @@ static int install_chroot_dropin(
 "LogExtraFields=PORTABLE_EXTENSION=", extension_base_name, "\n"))
 return -ENOMEM;
- if (pinned_ext_image_policy) {
+ if (pinned_ext_image_policy && !IN_SET(ext->type, IMAGE_DIRECTORY, IMAGE_SUBVOLUME)) {
 _cleanup_free_ char *policy_str = NULL;
 r = image_policy_to_string(pinned_ext_image_policy, /* simplify= */ true, &policy_str);
diff --git a/test/units/TEST-29-PORTABLE.image.sh b/test/units/TEST-29-PORTABLE.image.sh
index cc83ebc5d63..36d187a7528 100755
--- a/test/units/TEST-29-PORTABLE.image.sh
+++ b/test/units/TEST-29-PORTABLE.image.sh
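Review bot: The new condition in install_chroot_dropin() has no comment explaining why directory and subvolume extensions are skipped, and the consequence is easy to miss. For those two types the drop-in now carries no pinned policy, so whatever the pinned image policy requires of a disk image is presumably not enforced for them, and their trust rests on who can write to the directory. I would add above the `if`: `/* Image policies only constrain disk images; directory and subvolume extensions get no pinned policy. */`. The check is written as an exclusion list, so any other image type keeps receiving the policy line, which looks like the safer default but is worth stating in the same comment. The function starts and ends outside the hunk.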
@@ -249,3 +249,19 @@ status="$(portablectl is-attached --extension app1 minimal_0)"
 [[ "${status}" == "attached-runtime" ]]
 portablectl detach --runtime --extension /tmp/app1.raw /usr/share/minimal_0.raw app
+
+# Ensure that when mixing directory and image extensions, ExtensionImagePolicy= is only
+# applied to image extensions and not to directory extensions
+mkdir -p /tmp/app1
+mount /tmp/app1.raw /tmp/app1
+portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime --extension /tmp/app1 --extension /tmp/app0.raw /usr/share/minimal_0.raw app0
+
+systemctl is-active app0.service
+
+grep -q -F "ExtensionDirectories=/tmp/app1" /run/systemd/system.attached/app0.service.d/20-portable.conf
+grep -q -F "ExtensionImages=/tmp/app0.raw" /run/systemd/system.attached/app0.service.d/20-portable.conf
+# ExtensionImagePolicy= should appear exactly once (for the image, not the directory)
+[[ "$(grep -c -F "ExtensionImagePolicy=" /run/systemd/system.attached/app0.service.d/20-portable.conf)" == "1" ]]
+
+portablectl detach --now --runtime --extension /tmp/app1 --extension /tmp/app0.raw /usr/share/minimal_0.raw app0
+umount -l /tmp/app1
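Review bot: The added case covers only the directory half of the new `IN_SET(ext->type, IMAGE_DIRECTORY, IMAGE_SUBVOLUME)` check, because /tmp/app1 is a mount point for app1.raw and so is presumably classified as a plain directory. Nothing here attaches a subvolume extension, so that branch stays untested. If exercising it is impractical in this test environment, the comment above `mkdir -p /tmp/app1` should say so, for example `# Subvolume extensions take the same code path but are not covered here`. That stops a reader from assuming the "exactly once" assertion protects both types.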