core: make NotifyAccess= in combination with RootDirectory=/RootImage= work
authorLennart Poettering <lennart@poettering.net>
Wed, 20 Jan 2021 20:57:21 +0000 (21:57 +0100)
committerLennart Poettering <lennart@poettering.net>
Wed, 20 Jan 2021 21:39:07 +0000 (22:39 +0100)
Previously, if people enabled RootDirectory=/RootImage= and NotifyAccess=
together, things wouldn't work: they had to explicitly add
BindReadOnlyPaths=/run/systemd/notify too.

Let's make this implicit. Since both options are opt-in, if people use
them together it would be pointless not also defining the
BindReadOnlyPaths= entry, in which case we can just do it automatically.

See: #18051

src/core/execute.c
src/core/execute.h
src/core/namespace.c
src/core/namespace.h
src/core/service.c
src/test/test-namespace.c
src/test/test-ns.c

index 38235ec77edf4a97954762a2ee6156537cb5e69d..c56a4ef03b59486fb444afd41fc93ee94a30ba8f 100644 (file)
@@ -3223,6 +3223,7 @@ static int apply_mount_namespace(
                             context->root_verity,
                             propagate_dir,
                             incoming_dir,
+                            root_dir || root_image ? params->notify_socket : NULL,
                             DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK,
                             error_path);
 
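Review bot: The new argument `root_dir || root_image ? params->notify_socket : NULL` depends on `||` binding tighter than `?:`, which is correct C but easy to misread in the middle of a long argument list; parenthesizing it as `(root_dir || root_image) ? params->notify_socket : NULL` makes the intent obvious at a glance. A one-line comment would also spare the next reader a trip to the commit message, e.g. `/* Only bind-mount the notify socket when the service runs under its own root; otherwise the host path is already visible */`. Note that when NotifyAccess= is off the field is NULL anyway (see the service.c hunk), so the expression only gates the RootDirectory=/RootImage= case. apply_mount_namespace begins and ends outside this hunk.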
index 2da4699df1869616b0d9054c576de0aab21f3363..f8231ba773618eb6c0be4d213713683e410076da 100644 (file)
@@ -384,6 +384,8 @@ struct ExecParameters {
 
         /* An fd that is closed by the execve(), and thus will result in EOF when the execve() is done */
         int exec_fd;
+
+        const char *notify_socket;
 };
 
 #include "unit.h"
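Review bot: The new `notify_socket` field is the only member in the visible part of ExecParameters without a comment, while `exec_fd` directly above documents its purpose. Since the pointer is consumed by setup_namespace() to create a read-only bind mount, a comment should state that and the ownership, e.g. `/* If non-NULL, the path of the manager's notify socket; bind-mounted read-only into the service's mount namespace when RootDirectory=/RootImage= is used. Not owned by this struct. */` — the "not owned" part is inferred from service.c assigning `UNIT(s)->manager->notify_socket` directly, so confirm it before committing to it.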
index 4b5519e11b295de5b23a0d36def764e7d7ea1d29..12d9e4c867b0a7e57e7eeaabc95d0bb2e534d7c9 100644 (file)
@@ -1302,7 +1302,8 @@ static size_t namespace_calculate_mounts(
                 const char* var_tmp_dir,
                 const char *creds_path,
                 const char* log_namespace,
-                bool setup_propagate) {
+                bool setup_propagate,
+                const char* notify_socket) {
 
         size_t protect_home_cnt;
         size_t protect_system_cnt =
@@ -1329,7 +1330,6 @@ static size_t namespace_calculate_mounts(
                 n_bind_mounts +
                 n_mount_images +
                 n_temporary_filesystems +
-                (setup_propagate ? 1 : 0) + /* /run/systemd/incoming */
                 ns_info->private_dev +
                 (ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
                 (ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
@@ -1339,7 +1339,9 @@ static size_t namespace_calculate_mounts(
                 (ns_info->protect_hostname ? 2 : 0) +
                 (namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0) +
                 (creds_path ? 2 : 1) +
-                !!log_namespace;
+                !!log_namespace +
+                setup_propagate + /* /run/systemd/incoming */
+                !!notify_socket;
 }
 
 static void normalize_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) {
@@ -1491,6 +1493,7 @@ int setup_namespace(
                 const char *verity_data_path,
                 const char *propagate_dir,
                 const char *incoming_dir,
+                const char *notify_socket,
                 DissectImageFlags dissect_image_flags,
                 char **error_path) {
 
@@ -1593,7 +1596,8 @@ int setup_namespace(
                         tmp_dir, var_tmp_dir,
                         creds_path,
                         log_namespace,
-                        setup_propagate);
+                        setup_propagate,
+                        notify_socket);
 
         if (n_mounts > 0) {
                 m = mounts = new0(MountEntry, n_mounts);
@@ -1771,6 +1775,14 @@ int setup_namespace(
                                 .read_only = true,
                         };
 
+                if (notify_socket)
+                        *(m++) = (MountEntry) {
+                                .path_const = notify_socket,
+                                .source_const = notify_socket,
+                                .mode = BIND_MOUNT,
+                                .read_only = true,
+                        };
+
                 assert(mounts + n_mounts == m);
 
                 /* Prepend the root directory where that's necessary */
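Review bot: The notify-socket MountEntry added before the `assert(mounts + n_mounts == m)` marks the bind mount `.read_only = true`, and nothing explains why a socket the service must write to can live on a read-only mount; a reader is likely to "fix" it to writable. The kernel's MS_RDONLY permission check only rejects MAY_WRITE on regular files, directories and symlinks, so connect()/sendmsg() on the socket inode is unaffected, which is presumably why the old BindReadOnlyPaths= workaround in the commit message worked; a comment such as `/* Read-only suffices: MS_RDONLY does not block connect() on a socket inode, and it keeps the service from unlinking or replacing the socket */` would pin that down. I would also confirm that the mount-point creation path for BIND_MOUNT handles a socket target that does not yet exist inside the root directory or image, since that code is not in the hunk. setup_namespace begins and ends outside this hunk, and the same `!!notify_socket` count was added in the namespace_calculate_mounts hunk above, so the two stay in sync.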
index 91ee44cd517d6e36034a06b4b310c02a85cacdbd..8e07dd37bcd2cd1ec49dc0169e2dcf3964c4d80c 100644 (file)
@@ -129,6 +129,7 @@ int setup_namespace(
                 const char *root_verity,
                 const char *propagate_dir,
                 const char *incoming_dir,
+                const char *notify_socket,
                 DissectImageFlags dissected_image_flags,
                 char **error_path);
 
index b1a4d0bf181da42bf65c8c8ac53dc2aee4e7ee29..dbb50a924071e8c1c690960a8e2441d82bd92262 100644 (file)
@@ -1474,10 +1474,13 @@ static int service_spawn(
         if (!our_env)
                 return -ENOMEM;
 
-        if (service_exec_needs_notify_socket(s, flags))
+        if (service_exec_needs_notify_socket(s, flags)) {
                 if (asprintf(our_env + n_env++, "NOTIFY_SOCKET=%s", UNIT(s)->manager->notify_socket) < 0)
                         return -ENOMEM;
 
+                exec_params.notify_socket = UNIT(s)->manager->notify_socket;
+        }
+
         if (s->main_pid > 0)
                 if (asprintf(our_env + n_env++, "MAINPID="PID_FMT, s->main_pid) < 0)
                         return -ENOMEM;
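Review bot: `exec_params.notify_socket` is assigned only inside the `if (service_exec_needs_notify_socket(s, flags))` branch, so the `NULL` that apply_mount_namespace() relies on in the other case must come from how `exec_params` is initialized earlier in service_spawn, which is outside this hunk; please confirm it is zero-initialized or brace-initialized there, otherwise the field is indeterminate and a garbage pointer would reach setup_namespace(). The stored pointer aliases `UNIT(s)->manager->notify_socket` rather than the `NOTIFY_SOCKET=` string built on the line above, which is fine as long as the manager outlives the spawn; a short comment, `/* Same path as NOTIFY_SOCKET= above; consumed by apply_mount_namespace() */`, would make the relationship explicit. service_spawn begins and ends outside this hunk.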
index d92bcacfad304a9c604a87662bc2b40e113a58a7..461dde5fa9c3e9e89f55827db76950bd39a38e67 100644 (file)
@@ -174,6 +174,7 @@ static void test_protect_kernel_logs(void) {
                                     NULL,
                                     NULL,
                                     NULL,
+                                    NULL,
                                     0,
                                     NULL);
                 assert_se(r == 0);
index 88bdb437debc1dfbe5be2202949d4a4772b6a999..3b5836e980ff5794bb652ecfe984f877e64a7004 100644 (file)
@@ -89,6 +89,7 @@ int main(int argc, char *argv[]) {
                             NULL,
                             NULL,
                             NULL,
+                            NULL,
                             0,
                             NULL);
         if (r < 0) {