nspawn: fix --link-journal=host with --private-users=pick and friends

author Yu Watanabe <watanabe.yu+github@gmail.com>

Mon, 18 Aug 2025 15:13:48 +0000 (00:13 +0900)

committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Wed, 3 Sep 2025 10:10:48 +0000 (12:10 +0200)
author Yu Watanabe <watanabe.yu+github@gmail.com>
Mon, 18 Aug 2025 15:13:48 +0000 (00:13 +0900)
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 3 Sep 2025 10:10:48 +0000 (12:10 +0200)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c

index 6f90f2f418d2954ce784ab9de213275631260a50..05facd4d37b2d1ed5ec4441bd6d6ab2dfe761d27 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2659,7 +2659,7 @@ static int setup_hostname(void) {
          return 0;
  }
  
-static int setup_journal(const char *directory) {
+static int setup_journal(const char *directory, uid_t uid_shift, uid_t uid_range) {
          _cleanup_free_ char *d = NULL;
          const char *p, *q;
          sd_id128_t this_id;
@@ -2782,11 +2782,19 @@ static int setup_journal(const char *directory) {
          if (r < 0)
                  return log_error_errno(r, "Failed to create %s: %m", q);
  
-        r = mount_nofollow_verbose(LOG_DEBUG, p, q, NULL, MS_BIND, NULL);
-        if (r < 0)
-                return log_error_errno(r, "Failed to bind mount journal from host into guest: %m");
-
-        return 0;
+        return mount_custom(
+                        directory,
+                        &(CustomMount) {
+                                .type = CUSTOM_MOUNT_BIND,
+                                .options = (char*) (uid_is_valid(uid_shift) ? "rootidmap" : NULL),
+                                .source = (char *)p,
+                                .destination = (char *)p,
+                        },
+                        /* n = */ 1,
+                        uid_shift,
+                        uid_range,
+                        arg_selinux_apifs_context,
+                        MOUNT_NON_ROOT_ONLY);
  }
  
  static int drop_capabilities(uid_t uid) {
@@ -4292,7 +4300,7 @@ static int outer_child(
          if (r < 0)
                  return r;
  
-        r = setup_journal(directory);
+        r = setup_journal(directory, arg_uid_shift, arg_uid_range);
          if (r < 0)
                  return r;
  
diff --git a/test/units/TEST-13-NSPAWN.nspawn.sh b/test/units/TEST-13-NSPAWN.nspawn.sh

index a0e72dd1d0dbc97584cd8ad1037ff3d7ecd91471..aa13e3b4bad73da80e1c214c6890056cf047461a 100755 (executable)
--- a/test/units/TEST-13-NSPAWN.nspawn.sh
+++ b/test/units/TEST-13-NSPAWN.nspawn.sh
@@ -1269,4 +1269,28 @@ testcase_dev_net_tun() {
      rm -fr "$root"
  }
  
+testcase_link_journa_hostl() {
+    local root hoge i
+
+    root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.link-journal.XXX)"
+    create_dummy_container "$root"
+
+    systemd-id128 new > "$root"/etc/machine-id
+
+    mkdir -p /var/log/journal
+
+    hoge="/var/log/journal/$(cat "$root"/etc/machine-id)/hoge"
+
+    for i in no yes pick; do
+        systemd-nspawn \
+            --directory="$root" --private-users="$i" --link-journal=host \
+            bash -xec 'p="/var/log/journal/$(cat /etc/machine-id)"; mountpoint "$p"; [[ "$(stat "$p" --format=%u)" == 0 ]]; touch "$p/hoge"'
+
+        [[ "$(stat "$hoge" --format=%u)" == 0 ]]
+        rm "$hoge"
+    done
+
+    rm -fr "$root"
+}
+
  run_testcases
author	Yu Watanabe <watanabe.yu+github@gmail.com>
	Mon, 18 Aug 2025 15:13:48 +0000 (00:13 +0900)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Wed, 3 Sep 2025 10:10:48 +0000 (12:10 +0200)
src/nspawn/nspawn.c		patch \| blob \| blame \| history
test/units/TEST-13-NSPAWN.nspawn.sh		patch \| blob \| blame \| history