https-github-com-bit
diff --git a/‎NEWS‎
Lines changed: 10 additions & 0 deletions b/‎NEWS‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎man/org.freedesktop.systemd1.xml‎
Lines changed: 27 additions & 0 deletions b/‎man/org.freedesktop.systemd1.xml‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎man/systemctl.xml‎
Lines changed: 32 additions & 0 deletions b/‎man/systemctl.xml‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎man/systemd.exec.xml‎
Lines changed: 9 additions & 4 deletions b/‎man/systemd.exec.xml‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎meson.build‎
Lines changed: 2 additions & 0 deletions b/‎meson.build‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎shell-completion/bash/systemctl.in‎
Lines changed: 1 addition & 1 deletion b/‎shell-completion/bash/systemctl.in‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎shell-completion/zsh/_systemctl.in‎
Lines changed: 5 additions & 0 deletions b/‎shell-completion/zsh/_systemctl.in‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎src/core/dbus-manager.c‎
Lines changed: 16 additions & 0 deletions b/‎src/core/dbus-manager.c‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎src/core/dbus-service.c‎
Lines changed: 87 additions & 0 deletions b/‎src/core/dbus-service.c‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎src/core/dbus-service.h‎
Lines changed: 1 addition & 0 deletions b/‎src/core/dbus-service.h‎
Lines changed: 1 addition & 0 deletions
@@ -1,5 +1,15 @@
 systemd System and Service Manager
 
+CHANGES WITH 248:
+
+        * The MountAPIVFS= service file setting now additionally mounts a tmpfs
+          on /run/ if it is not already a mount point. A writable /run/ has always
+          been a requirement for a functioning system, but this was not
+          guaranteed when using a read-only image.
+          Users can always specify BindPaths= or InaccessiblePaths= as overrides,
+          and they will take precedence. If the host's root mount point is used,
+          there is no change in behaviour.
+
 CHANGES WITH 247:
 
         * KERNEL API INCOMPATIBILITY: Linux 4.14 introduced two new uevents
 
@@ -116,6 +116,11 @@ node /org/freedesktop/systemd1 {
       SetUnitProperties(in  s name,
                         in  b runtime,
                         in  a(sv) properties);
+      BindMountUnit(in  s name,
+                    in  s source,
+                    in  s destination,
+                    in  b read_only,
+                    in  b mkdir);
       RefUnit(in  s name);
       UnrefUnit(in  s name);
       StartTransientUnit(in  s name,
@@ -767,6 +772,8 @@ node /org/freedesktop/systemd1 {
 
     <variablelist class="dbus-method" generated="True" extra-ref="SetUnitProperties()"/>
 
+    <variablelist class="dbus-method" generated="True" extra-ref="BindMountUnit()"/>
+
     <variablelist class="dbus-method" generated="True" extra-ref="RefUnit()"/>
 
     <variablelist class="dbus-method" generated="True" extra-ref="UnrefUnit()"/>
@@ -1156,6 +1163,9 @@ node /org/freedesktop/systemd1 {
       the "Try" flavor is used in which case a service that isn't running is not affected by the restart. The
       "ReloadOrRestart" flavors attempt a reload if the unit supports it and use a restart otherwise.</para>
 
+      <para><function>BindMountUnit()</function> can be used to bind mount new files or directories into
+      a running service mount namespace.</para>
+
       <para><function>KillUnit()</function> may be used to kill (i.e. send a signal to) all processes of a
       unit. It takes the unit <varname>name</varname>, an enum <varname>who</varname> and a UNIX
       <varname>signal</varname> number to send. The <varname>who</varname> enum is one of
@@ -2193,6 +2203,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
   interface org.freedesktop.systemd1.Service {
     methods:
+      BindMount(in  s source,
+                in  s destination,
+                in  b read_only,
+                in  b mkdir);
       GetProcesses(out a(sus) processes);
       AttachProcesses(in  s subcgroup,
                       in  au pids);
@@ -3252,6 +3266,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <variablelist class="dbus-interface" generated="True" extra-ref="org.freedesktop.systemd1.Service"/>
 
+    <variablelist class="dbus-method" generated="True" extra-ref="BindMount()"/>
+
     <variablelist class="dbus-method" generated="True" extra-ref="GetProcesses()"/>
 
     <variablelist class="dbus-method" generated="True" extra-ref="AttachProcesses()"/>
@@ -3810,6 +3826,17 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <!--End of Autogenerated section-->
 
+    <refsect2>
+      <title>Methods</title>
+
+      <para><function>BindMount()</function> implements the same operation as the respective method on the
+      <interfacename>Manager</interfacename> object (see above). However, this method operates on the service
+      object and hence does not take a unit name parameter. Invoking the methods directly on the Manager
+      object has the advantage of not requiring a <function>GetUnit()</function> call to get the unit object
+      for a specific unit name. Calling the methods on the Manager object is hence a round trip
+      optimization.</para>
+    </refsect2>
+
     <refsect2>
       <title>Properties</title>
 
 
@@ -550,6 +550,23 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
           </listitem>
         </varlistentry>
 
+        <varlistentry>
+          <term><command>bind</command> <replaceable>UNIT</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term>
+
+          <listitem><para>Bind mounts a file or directory from the host into the specified unit's view. The first path
+          argument is the source file or directory on the host, the second path argument is the destination file or
+          directory in the unit's view. When the latter is omitted, the destination path in the unit's view is the same as
+          the source path on the host. When combined with the <option>--read-only</option> switch, a ready-only bind
+          mount is created. When combined with the <option>--mkdir</option> switch, the destination path is first created
+          before the mount is applied. Note that this option is currently only supported for units that run within a mount
+          namespace (e.g.: with <option>RootImage=</option>, <option>PrivateMounts=</option>, etc.). This command supports bind
+          mounting directories, regular files, device nodes, <constant>AF_UNIX</constant> socket nodes, as well as FIFOs.
+          The bind mount is ephemeral, and it is undone as soon as the current unit process exists.
+          Note that the namespace mentioned here, where the bind mount will be added to, is the one where the main service
+          process runs, as other processes run in distinct namespaces (e.g.: <option>ExecReload=</option>,
+          <option>ExecStartPre=</option>, etc.) </para></listitem>
+        </varlistentry>
+
         <varlistentry>
           <term><command>service-log-level</command> <replaceable>SERVICE</replaceable> [<replaceable>LEVEL</replaceable>]</term>
 
@@ -2246,6 +2263,21 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--mkdir</option></term>
+
+        <listitem><para>When used with <command>bind</command>, creates the destination file or directory before
+        applying the bind mount. Note that even though the name of this option suggests that it is suitable only for
+        directories, this option also creates the destination file node to mount over if the object to mount is not
+        a directory, but a regular file, device node, socket or FIFO.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--read-only</option></term>
+
+        <listitem><para>When used with <command>bind</command>, creates a read-only bind mount.</para></listitem>
+      </varlistentry>
+
       <xi:include href="user-system-options.xml" xpointer="host" />
       <xi:include href="user-system-options.xml" xpointer="machine" />
 
 
@@ -275,15 +275,20 @@
         <term><varname>MountAPIVFS=</varname></term>
 
         <listitem><para>Takes a boolean argument. If on, a private mount namespace for the unit's processes is created
-        and the API file systems <filename>/proc/</filename>, <filename>/sys/</filename>, and <filename>/dev/</filename>
-        are mounted inside of it, unless they are already mounted. Note that this option has no effect unless used in
-        conjunction with <varname>RootDirectory=</varname>/<varname>RootImage=</varname> as these three mounts are
+        and the API file systems <filename>/proc/</filename>, <filename>/sys/</filename>, <filename>/dev/</filename> and
+        <filename>/run/</filename> (as an empty <literal>tmpfs</literal>) are mounted inside of it, unless they are
+        already mounted. Note that this option has no effect unless used in conjunction with
+        <varname>RootDirectory=</varname>/<varname>RootImage=</varname> as these four mounts are
         generally mounted in the host anyway, and unless the root directory is changed, the private mount namespace
-        will be a 1:1 copy of the host's, and include these three mounts. Note that the <filename>/dev/</filename> file
+        will be a 1:1 copy of the host's, and include these four mounts. Note that the <filename>/dev/</filename> file
         system of the host is bind mounted if this option is used without <varname>PrivateDevices=</varname>. To run
         the service with a private, minimal version of <filename>/dev/</filename>, combine this option with
         <varname>PrivateDevices=</varname>.</para>
 
+        <para>In order to allow propagating mounts at runtime in a safe manner, <filename>/run/systemd/propagate</filename>
+        on the host will be used to set up new mounts, and <filename>/run/host/incoming/</filename> in the private namespace
+        will be used as an intermediate step to store them before being moved to the final mount point.</para>
+
         <xi:include href="system-only.xml" xpointer="singular"/></listitem>
       </varlistentry>
 
 
@@ -2198,6 +2198,8 @@ public_programs += executable(
         'src/systemctl/systemctl-log-setting.h',
         'src/systemctl/systemctl-logind.c',
         'src/systemctl/systemctl-logind.h',
+        'src/systemctl/systemctl-mount.c',
+        'src/systemctl/systemctl-mount.h',
         'src/systemctl/systemctl-preset-all.c',
         'src/systemctl/systemctl-preset-all.h',
         'src/systemctl/systemctl-reset-failed.c',
 
@@ -214,7 +214,7 @@ _systemctl () {
                              list-timers list-units list-unit-files poweroff
                              reboot rescue show-environment suspend get-default
                              is-system-running preset-all'
-        [FILE]='link switch-root'
+        [FILE]='link switch-root bind'
         [TARGETS]='set-default'
         [MACHINES]='list-machines'
         [LOG_LEVEL]='log-level'
 
@@ -31,6 +31,7 @@
         "reset-failed:Reset failed state for all, one, or more units"
         "list-dependencies:Show unit dependency tree"
         "clean:Remove configuration, state, cache, logs or runtime data of units"
+        "bind:Bind mount a path from the host into a unit's namespace"
     )
 
     local -a machine_commands=(
@@ -378,6 +379,10 @@ done
         _files
     }
 
+(( $+functions[_systemctl_bind] )) || _systemctl_bind() {
+        _files
+    }
+
 # no systemctl completion for:
 #    [STANDALONE]='daemon-reexec daemon-reload default
 #                  emergency exit halt kexec list-jobs list-units
 
@@ -16,6 +16,7 @@
 #include "dbus-job.h"
 #include "dbus-manager.h"
 #include "dbus-scope.h"
+#include "dbus-service.h"
 #include "dbus-unit.h"
 #include "dbus.h"
 #include "env-util.h"
@@ -725,6 +726,11 @@ static int method_set_unit_properties(sd_bus_message *message, void *userdata, s
         return method_generic_unit_operation(message, userdata, error, bus_unit_method_set_properties, GENERIC_UNIT_LOAD|GENERIC_UNIT_VALIDATE_LOADED);
 }
 
+static int method_bind_mount_unit(sd_bus_message *message, void *userdata, sd_bus_error *error) {
+        /* Only add mounts on fully loaded units */
+        return method_generic_unit_operation(message, userdata, error, bus_service_method_bind_mount, GENERIC_UNIT_VALIDATE_LOADED);
+}
+
 static int method_ref_unit(sd_bus_message *message, void *userdata, sd_bus_error *error) {
         /* Only allow reffing of fully loaded units, and make sure reffing a unit loads it. */
         return method_generic_unit_operation(message, userdata, error, bus_unit_method_ref, GENERIC_UNIT_LOAD|GENERIC_UNIT_VALIDATE_LOADED);
@@ -2760,6 +2766,16 @@ const sd_bus_vtable bus_manager_vtable[] = {
                                  NULL,,
                                  method_set_unit_properties,
                                  SD_BUS_VTABLE_UNPRIVILEGED),
+        SD_BUS_METHOD_WITH_NAMES("BindMountUnit",
+                                 "sssbb",
+                                 SD_BUS_PARAM(name)
+                                 SD_BUS_PARAM(source)
+                                 SD_BUS_PARAM(destination)
+                                 SD_BUS_PARAM(read_only)
+                                 SD_BUS_PARAM(mkdir),
+                                 NULL,,
+                                 method_bind_mount_unit,
+                                 SD_BUS_VTABLE_UNPRIVILEGED),
         SD_BUS_METHOD_WITH_NAMES("RefUnit",
                                  "s",
                                  SD_BUS_PARAM(name),
 
@@ -11,11 +11,15 @@
 #include "dbus-manager.h"
 #include "dbus-service.h"
 #include "dbus-util.h"
+#include "execute.h"
 #include "exit-status.h"
 #include "fd-util.h"
 #include "fileio.h"
+#include "locale-util.h"
+#include "mount-util.h"
 #include "parse-util.h"
 #include "path-util.h"
+#include "selinux-access.h"
 #include "service.h"
 #include "signal-util.h"
 #include "string-util.h"
@@ -91,6 +95,79 @@ static int property_get_exit_status_set(
         return sd_bus_message_close_container(reply);
 }
 
+int bus_service_method_bind_mount(sd_bus_message *message, void *userdata, sd_bus_error *error) {
+        int read_only, make_file_or_directory;
+        const char *dest, *src, *propagate_directory;
+        Unit *u = userdata;
+        ExecContext *c;
+        pid_t unit_pid;
+        int r;
+
+        assert(message);
+        assert(u);
+
+        if (!MANAGER_IS_SYSTEM(u->manager))
+                return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Adding bind mounts at runtime is only supported for system managers.");
+
+        r = mac_selinux_unit_access_check(u, message, "start", error);
+        if (r < 0)
+                return r;
+
+        r = sd_bus_message_read(message, "ssbb", &src, &dest, &read_only, &make_file_or_directory);
+        if (r < 0)
+                return r;
+
+        if (!path_is_absolute(src) || !path_is_normalized(src))
+                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Source path must be absolute and normalized.");
+
+        if (isempty(dest))
+                dest = src;
+        else if (!path_is_absolute(dest) || !path_is_normalized(dest))
+                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Destination path must be absolute and normalized.");
+
+        r = bus_verify_manage_units_async_full(
+                        u,
+                        "bind-mount",
+                        CAP_SYS_ADMIN,
+                        N_("Authentication is required to bind mount on '$(unit)'."),
+                        true,
+                        message,
+                        error);
+        if (r < 0)
+                return r;
+        if (r == 0)
+                return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
+
+        if (u->type != UNIT_SERVICE)
+                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Unit is not of type .service");
+
+        /* If it would be dropped at startup time, return an error. The context should always be available, but
+         * there's an assert in exec_needs_mount_namespace, so double-check just in case. */
+        c = unit_get_exec_context(u);
+        if (!c)
+                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Cannot access unit execution context");
+        if (path_startswith_strv(dest, c->inaccessible_paths))
+                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "%s is not accessible to this unit", dest);
+
+        /* Ensure that the unit was started in a private mount namespace */
+        if (!exec_needs_mount_namespace(c, NULL, unit_get_exec_runtime(u)))
+                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Unit not running in private mount namespace, cannot activate bind mount");
+
+        unit_pid = unit_main_pid(u);
+        if (unit_pid == 0 || !UNIT_IS_ACTIVE_OR_RELOADING(unit_active_state(u)))
+                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Unit is not running");
+
+        propagate_directory = strjoina("/run/systemd/propagate/", u->id);
+        r = bind_mount_in_namespace(unit_pid,
+                                    propagate_directory,
+                                    "/run/systemd/incoming/",
+                                    src, dest, read_only, make_file_or_directory);
+        if (r < 0)
+                return sd_bus_error_set_errnof(error, r, "Failed to mount %s on %s in unit's namespace: %m", src, dest);
+
+        return sd_bus_reply_method_return(message, NULL);
+}
+
 const sd_bus_vtable bus_service_vtable[] = {
         SD_BUS_VTABLE_START(0),
         SD_BUS_PROPERTY("Type", "s", property_get_type, offsetof(Service, type), SD_BUS_VTABLE_PROPERTY_CONST),
@@ -146,6 +223,16 @@ const sd_bus_vtable bus_service_vtable[] = {
         BUS_EXEC_COMMAND_LIST_VTABLE("ExecStopPost", offsetof(Service, exec_command[SERVICE_EXEC_STOP_POST]), SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION),
         BUS_EXEC_EX_COMMAND_LIST_VTABLE("ExecStopPostEx", offsetof(Service, exec_command[SERVICE_EXEC_STOP_POST]), SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION),
 
+        SD_BUS_METHOD_WITH_NAMES("BindMount",
+                                 "ssbb",
+                                 SD_BUS_PARAM(source)
+                                 SD_BUS_PARAM(destination)
+                                 SD_BUS_PARAM(read_only)
+                                 SD_BUS_PARAM(mkdir),
+                                 NULL,,
+                                 bus_service_method_bind_mount,
+                                 SD_BUS_VTABLE_UNPRIVILEGED),
+
         /* The following four are obsolete, and thus marked hidden here. They moved into the Unit interface */
         SD_BUS_PROPERTY("StartLimitInterval", "t", bus_property_get_usec, offsetof(Unit, start_ratelimit.interval), SD_BUS_VTABLE_PROPERTY_CONST|SD_BUS_VTABLE_HIDDEN),
         SD_BUS_PROPERTY("StartLimitBurst", "u", bus_property_get_unsigned, offsetof(Unit, start_ratelimit.burst), SD_BUS_VTABLE_PROPERTY_CONST|SD_BUS_VTABLE_HIDDEN),
 
@@ -9,4 +9,5 @@
 extern const sd_bus_vtable bus_service_vtable[];
 
 int bus_service_set_property(Unit *u, const char *name, sd_bus_message *i, UnitWriteFlags flags, sd_bus_error *error);
+int bus_service_method_bind_mount(sd_bus_message *message, void *userdata, sd_bus_error *error);
 int bus_service_commit_properties(Unit *u);