From: Mike Yuan
Date: Tue, 16 Dec 2025 20:09:15 +0000 (+0100)
Subject: core: dlopen() libcryptsetup in extensions refreshing
X-Git-Tag: v259~7^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d136f14626b269fa829f0c9f6860a93894f4a7d;p=thirdparty%2Fsystemd.git
core: dlopen() libcryptsetup in extensions refreshing
Follow-up for a08f2ea02dc4fcbd7f2f73a5a24e0af32b34fe55
This fixes extensions refreshing + verity-protected DDIs. TEST-50-DISSECT previously passed because confext refreshing is tested after live mount, the latter of which used to load libcryptsetup in pid1.
---
diff --git a/src/core/namespace.c b/src/core/namespace.c
index a772eea7d8a..19bf2903363 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -13,6 +13,7 @@
 #include "base-filesystem.h"
 #include "bitfield.h"
 #include "chase.h"
+#include "cryptsetup-util.h"
 #include "dev-setup.h"
 #include "devnum-util.h"
 #include "dissect-image.h"
@@ -3852,6 +3853,8 @@ int refresh_extensions_in_namespace(
 if (r > 0)
 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Target namespace is not separate, cannot reload extensions");
+ (void) dlopen_cryptsetup();
+
 extension_dir = path_join(p->private_namespace_dir, "unit-extensions");
 if (!extension_dir)
 return log_oom_debug();
diff --git a/src/core/service.c b/src/core/service.c
index 36df9c17ed0..dcc4a992ccf 100644
--- a/src/core/service.c
+++ b/src/core/service.c
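Review bot: In src/core/namespace.c, `(void) dlopen_cryptsetup();` in refresh_extensions_in_namespace() discards the result with no comment on why a load failure is tolerable or why the call sits at this exact point. Two properties are worth recording, since the commit message ties this library to verity-protected DDIs: that a missing libcryptsetup makes the later verity setup fail instead of letting an image through unverified, and that the load happens before the worker (presumably) switches into the unit's mount namespace, so the library is resolved from the host filesystem and not from the unit's. Neither is visible in this hunk, as the function body continues outside it, so please confirm both. If they hold, a comment such as `/* Load libcryptsetup while still in the host mount namespace; if this fails, verity setup errors out later. */` above the call would keep a later reordering from quietly breaking them.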
@@ -2881,7 +2881,9 @@ static void service_enter_refresh_extensions(Service *s) {
 /* Given we are running from PID1, avoid doing potentially heavy I/O operations like opening images
 * directly, and instead fork a worker process. */
- r = unit_fork_helper_process(UNIT(s), "(sd-refresh-extensions)", /* into_cgroup= */ false, &worker);
+ r = unit_fork_helper_process_full(UNIT(s), "(sd-refresh-extensions)", /* into_cgroup= */ false,
+ FORK_ALLOW_DLOPEN, /* permit dlopen() to avoid load of libcryptsetup in pid1 */
+ &worker);
 if (r < 0) {
 log_unit_error_errno(UNIT(s), r, "Failed to fork process to refresh extensions in unit's namespace: %m");
 goto fail;
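Review bot: The rationale for `FORK_ALLOW_DLOPEN` is squeezed into a trailing comment inside the argument list, right after `/* into_cgroup= */`, which is an argument-name annotation, so the two read as the same kind of comment. Moving the reason into the block comment that already explains the fork keeps the call readable: add a sentence such as `The worker may dlopen() so that libcryptsetup is loaded there and not in PID1.` and leave the argument as plain `FORK_ALLOW_DLOPEN,`. The commit message says TEST-50-DISSECT passed only because confext refreshing ran after a live mount, and no test change is visible in this diff, so a case that refreshes a verity-protected extension before any live mount would pin the fix. service_enter_refresh_extensions() continues past the end of the hunk.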