From: Lennart Poettering Date: Thu, 23 Mar 2023 11:35:38 +0000 (+0100) Subject: unit: add ordering dep relative to credentials dir X-Git-Tag: v254-rc1~385^2~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce18c396231cb9090fec0c44707211c64685688e;p=thirdparty%2Fsystemd.git unit: add ordering dep relative to credentials dir See: #25527
---
diff --git a/src/core/execute.c b/src/core/execute.c
index ca89e3b0035..6595931809e 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1539,7 +1539,7 @@ static bool context_has_no_new_privileges(const ExecContext *c) {
 context_has_syscall_logs(c);
 }
-static bool exec_context_has_credentials(const ExecContext *context) {
+bool exec_context_has_credentials(const ExecContext *context) {
 assert(context);
diff --git a/src/core/execute.h b/src/core/execute.h
index c2c983d0c30..e46f31037e3 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -476,6 +476,7 @@ const char* exec_context_fdname(const ExecContext *c, int fd_index);
 bool exec_context_may_touch_console(const ExecContext *c);
 bool exec_context_maintains_privileges(const ExecContext *c);
 bool exec_context_has_encrypted_credentials(ExecContext *c);
+bool exec_context_has_credentials(const ExecContext *context);
 int exec_context_get_effective_ioprio(const ExecContext *c);
 bool exec_context_get_effective_mount_apivfs(const ExecContext *c);
diff --git a/src/core/unit.c b/src/core/unit.c
index 3393138bac1..fa1474db8d8 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
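Review bot: The new prototype in execute.h names its parameter `context` while every neighbouring declaration in the hunk uses `c`; for consistency with the header's convention I would declare it as `bool exec_context_has_credentials(const ExecContext *c);` (the definition in execute.c may keep its own parameter name, since names in prototypes need not match the definition). The export itself looks complete, as the execute.c hunk drops `static` from the matching definition; that function's body continues outside its hunk.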
@@ -1411,6 +1411,26 @@ int unit_add_exec_dependencies(Unit *u, ExecContext *c) {
 if (r < 0)
 return r;
+ if (exec_context_has_credentials(c) && u->manager->prefix[EXEC_DIRECTORY_RUNTIME]) {
+ _cleanup_free_ char *p = NULL, *m = NULL;
+
+ /* Let's make sure the credentials directory of this service is unmounted *after* the service
+ * itself shuts down. This only matters if mount namespacing is not used for the service, and
+ * hence the credentials mount appears on the host. */
+
+ p = path_join(u->manager->prefix[EXEC_DIRECTORY_RUNTIME], "credentials", u->id);
+ if (!p)
+ return -ENOMEM;
+
+ r = unit_name_from_path(p, ".mount", &m);
+ if (r < 0)
+ return r;
+
+ r = unit_add_dependency_by_name(u, UNIT_AFTER, m, /* add_reference= */ true, UNIT_DEPENDENCY_FILE);
+ if (r < 0)
+ return r;
+ }
+
 return 0;
 }
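Review bot: The ordering dependency on the derived `.mount` unit is registered with `add_reference= true` for every service that has credentials, while the comment directly above says the ordering only matters when mount namespacing is not used; for namespaced services this appears to create and pin a mount unit object for a path that never shows up in the host mount table. If that is intentional, the comment should say so, e.g. append `* For services that do use mount namespacing the referenced mount unit simply stays inactive. */` to it; if not, the condition needs narrowing, though I do not see the namespace decision available at load time in this hunk. Separately, any error from `unit_name_from_path()` — presumably including an over-long escaped name when `u->id` is close to the unit-name length limit — now fails loading the whole unit via `return r;`, so consider whether this best-effort ordering hint should instead log a warning and continue. The enclosing function `unit_add_exec_dependencies()` starts before the hunk.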