From efaf5a763d6a06645dba8e88ebc15e887d59cbef Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 24 Nov 2025 09:55:03 +0100
Subject: [PATCH] execute: load a bunch of libs before we disable dlopen()
---
 src/core/exec-invoke.c | 8 ++++++++
 src/core/meson.build | 3 +++
 2 files changed, 11 insertions(+)
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index b8c4a92402f..6aa01dceaf9 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -32,6 +32,7 @@
 #include "constants.h"
 #include "copy.h"
 #include "coredump-util.h"
+#include "cryptsetup-util.h"
 #include "dissect-image.h"
 #include "dynamic-user.h"
 #include "env-util.h"
@@ -48,6 +49,7 @@
 #include "io-util.h"
 #include "iovec-util.h"
 #include "journal-send.h"
+#include "libmount-util.h"
 #include "manager.h"
 #include "memfd-util.h"
 #include "mkdir-label.h"
@@ -5818,6 +5820,12 @@ int exec_invoke(
 }
 }
+ /* Load a bunch of libraries we'll possibly need later, before we turn off dlopen() */
+ (void) dlopen_bpf();
+ (void) dlopen_cryptsetup();
+ (void) dlopen_libmount();
+ (void) dlopen_libseccomp();
+
 /* Let's now disable further dlopen()ing of libraries, since we are about to do namespace
 * shenanigans, and do not want to mix resources from host and namespace */
 block_dlopen();
diff --git a/src/core/meson.build b/src/core/meson.build
index fbadd0f6a6f..10a7ae2f8cd 100644
--- a/src/core/meson.build
+++ b/src/core/meson.build
@@ -212,6 +212,9 @@ executables += [
 'link_with' : executor_libs,
 'dependencies' : [
 libapparmor_cflags,
+ libbpf_cflags,
+ libcryptsetup_cflags,
+ libmount_cflags,
 libpam_cflags,
 libseccomp_cflags,
 libselinux_cflags,
--
2.47.3
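Review bot: In the exec_invoke() hunk of src/core/exec-invoke.c, the four preload calls ahead of `block_dlopen()` discard their results with `(void)`, so a library that is missing or fails to load is only noticed later, once dlopen() is blocked, and the later error will presumably not point back here. If ignoring the failure is intended because these libraries are optional, the comment should say so, for example `/* Best effort: a failed load here only surfaces later, when a feature needs the library */`, and a `log_debug_errno()` on a negative return would keep such cases traceable. The preload is also unconditional, so every invocation maps all four libraries whether or not the unit's settings need them; it may be worth checking whether it can be tied to what the exec context actually requests. exec_invoke() starts and ends outside the hunk, so how later code copes with a library that did not load is not visible here.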