From: Mike Yuan
Date: Sat, 13 Dec 2025 17:11:07 +0000 (+0100)
Subject: core/exec-credential: treat credentials dir as populated if it's mounted
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de65956bdb0f53a3fccb145d21358b0a53f5b0f8;p=thirdparty%2Fsystemd.git

core/exec-credential: treat credentials dir as populated if it's mounted

We should only fall back to the dir_is_empty() check if it's a plain dir, where we can't reasonably differentiate populated yet empty vs not set up. Otherwise let's stick to the existing mount if we're told to reuse it. Yes, this is a minor compat break, but with the to-be-introduced credential reloading support it should fulfill the goal of keeping the passed set of credentials stable better, while still allowing things to be refreshed when requested.
---

diff --git a/src/core/exec-credential.c b/src/core/exec-credential.c
index 1971aafee88..79ec0da49d7 100644
--- a/src/core/exec-credential.c
+++ b/src/core/exec-credential.c
@@ -1020,22 +1020,32 @@ static int setup_credentials_internal(
 assert(unit);
 assert(cred_dir);
+ r = path_is_mount_point(cred_dir);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to determine if '%s' is a mountpoint: %m", cred_dir);
+ dir_mounted = r > 0;
+
 if (!FLAGS_SET(params->flags, EXEC_SETUP_CREDENTIALS_FRESH)) {
- /* We may reuse the previous credential dir */
- r = dir_is_empty(cred_dir, /* ignore_hidden_or_backup= */ false);
- if (r < 0)
- return r;
- if (r == 0) {
+ bool populated;
+
+ /* If the cred dir is a mount, let's treat it as populated, and only look at the contents
+ * if it's a plain dir, where we can't reasonably differentiate populated yet empty vs
+ * not set up. */
+
+ if (dir_mounted)
+ populated = true;
+ else {
+ r = dir_is_empty(cred_dir, /* ignore_hidden_or_backup= */ false);
+ if (r < 0)
+ return r;
+ populated = r == 0;
+ }
+ if (populated) {
 log_debug("Credential dir for unit '%s' already set up, skipping.", unit);
 return 0;
 }
 }
- r = path_is_mount_point(cred_dir);
- if (r < 0)
- return log_debug_errno(r, "Failed to determine if '%s' is a mountpoint: %m", cred_dir);
- dir_mounted = r > 0;
-
 mfd = fsmount_credentials_fs(&fs_fd);
 if (ERRNO_IS_NEG_PRIVILEGE(mfd) && !dir_mounted) {
 log_debug_errno(mfd, "Lacking privilege to mount credentials fs, falling back to plain directory.");
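Review bot: In the `if (dir_mounted)` branch, any mount point found at `cred_dir` is now reused without its contents being inspected, so a mount left behind by an earlier setup that failed part-way, or one that is not the credentials fs at all, would be accepted as the unit's credential set and the service could start with credentials missing. Whether the failure paths always detach the mount is not visible here, since setup_credentials_internal() begins and continues outside this hunk; the assumption should be written down where it is relied on, for example `/* Invariant: a mount is only left at cred_dir once it has been fully populated. */` above `if (dir_mounted)`. The shared message "already set up, skipping." no longer tells an operator whether the directory was looked at, so a separate debug line for the mounted case would help when triaging a unit that came up without an expected credential. Moving path_is_mount_point() ahead of the reuse check also means an error from it now fails the non-FRESH path, which previously returned 0 for a non-empty plain directory without making that call.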