
Commit a07b992

blucayuwata
authored and committed
core: add ExtensionDirectories= setting
Add a new setting that follows the same principle and implementation as ExtensionImages, but using directories as sources. It will be used to implement support for extending portable images with directories, since portable services can already use a directory as root.
1 parent 071be97 commit a07b992

17 files changed

+216
-13
lines changed

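--- a/man/org.freedesktop.systemd1.xml
+++ b/man/org.freedesktop.systemd1.xml
@@ -2682,6 +2682,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly s RootVerity = '...';
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+readonly as ExtensionDirectories = ['...', ...];
+@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly a(sba(ss)) ExtensionImages = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly a(ssba(ss)) MountImages = [...];
@@ -3827,6 +3829,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
 <variablelist class="dbus-property" generated="True" extra-ref="RootVerity"/>
 
+<variablelist class="dbus-property" generated="True" extra-ref="ExtensionDirectories"/>
+
 <variablelist class="dbus-property" generated="True" extra-ref="ExtensionImages"/>
 
 <variablelist class="dbus-property" generated="True" extra-ref="MountImages"/>
@@ -4185,6 +4189,7 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 <varname>RootHashSignature</varname>
 <varname>MountImages</varname>
 <varname>ExtensionImages</varname>
+<varname>ExtensionDirectories</varname>
 see systemd.exec(5) for their meaning.</para>
 
 <para><varname>MemoryAvailable</varname> indicates how much unused memory is available to the unit before
@@ -4559,6 +4564,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly s RootVerity = '...';
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+readonly as ExtensionDirectories = ['...', ...];
+@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly a(sba(ss)) ExtensionImages = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly a(ssba(ss)) MountImages = [...];
@@ -5722,6 +5729,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
 <variablelist class="dbus-property" generated="True" extra-ref="RootVerity"/>
 
+<variablelist class="dbus-property" generated="True" extra-ref="ExtensionDirectories"/>
+
 <variablelist class="dbus-property" generated="True" extra-ref="ExtensionImages"/>
 
 <variablelist class="dbus-property" generated="True" extra-ref="MountImages"/>
@@ -6344,6 +6353,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly s RootVerity = '...';
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+readonly as ExtensionDirectories = ['...', ...];
+@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly a(sba(ss)) ExtensionImages = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly a(ssba(ss)) MountImages = [...];
@@ -7353,6 +7364,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
 <variablelist class="dbus-property" generated="True" extra-ref="RootVerity"/>
 
+<variablelist class="dbus-property" generated="True" extra-ref="ExtensionDirectories"/>
+
 <variablelist class="dbus-property" generated="True" extra-ref="ExtensionImages"/>
 
 <variablelist class="dbus-property" generated="True" extra-ref="MountImages"/>
@@ -8102,6 +8115,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly s RootVerity = '...';
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+readonly as ExtensionDirectories = ['...', ...];
+@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly a(sba(ss)) ExtensionImages = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly a(ssba(ss)) MountImages = [...];
@@ -9083,6 +9098,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
 <variablelist class="dbus-property" generated="True" extra-ref="RootVerity"/>
 
+<variablelist class="dbus-property" generated="True" extra-ref="ExtensionDirectories"/>
+
 <variablelist class="dbus-property" generated="True" extra-ref="ExtensionImages"/>
 
 <variablelist class="dbus-property" generated="True" extra-ref="MountImages"/>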

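--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -459,6 +459,34 @@
 
 <xi:include href="system-only.xml" xpointer="singular"/></listitem>
 </varlistentry>
+
+<varlistentry>
+<term><varname>ExtensionDirectories=</varname></term>
+
+<listitem><para>This setting is similar to <varname>BindReadOnlyPaths=</varname> in that it mounts a file
+system hierarchy from a directory, but instead of providing a destination path, an overlay will be set
+up. This option expects a whitespace separated list of source directories.</para>
+
+<para>A read-only OverlayFS will be set up on top of <filename>/usr/</filename> and
+<filename>/opt/</filename> hierarchies. The order in which the directories are listed will determine
+the order in which the overlay is laid down: directories specified first to last will result in overlayfs
+layers bottom to top.</para>
+
+<para>Each directory listed in <varname>ExtensionDirectories=</varname> may be prefixed with <literal>-</literal>,
+in which case it will be ignored when its source path does not exist. Any mounts created with this option are
+specific to the unit, and are not visible in the host's mount table.</para>
+
+<para>These settings may be used more than once, each usage appends to the unit's list of directories
+paths. If the empty string is assigned, the entire list of mount paths defined prior to this is
+reset.</para>
+
+<para>Each directory must contain a <filename>/usr/lib/extension-release.d/extension-release.IMAGE</filename>
+file, with the appropriate metadata which matches <varname>RootImage=</varname>/<varname>RootDirectory=</varname>
+or the host. See:
+<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+
+<xi:include href="system-only.xml" xpointer="singular"/></listitem>
+</varlistentry>
 </variablelist>
 </refsect1>
 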
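--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -1204,6 +1204,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
 SD_BUS_PROPERTY("RootHashSignature", "ay", property_get_root_hash_sig, 0, SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("RootHashSignaturePath", "s", NULL, offsetof(ExecContext, root_hash_sig_path), SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("RootVerity", "s", NULL, offsetof(ExecContext, root_verity), SD_BUS_VTABLE_PROPERTY_CONST),
+SD_BUS_PROPERTY("ExtensionDirectories", "as", NULL, offsetof(ExecContext, extension_directories), SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("ExtensionImages", "a(sba(ss))", property_get_extension_images, 0, SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("MountImages", "a(ssba(ss))", property_get_mount_images, 0, SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("OOMScoreAdjust", "i", property_get_oom_score_adjust, 0, SD_BUS_VTABLE_PROPERTY_CONST),
@@ -3261,7 +3262,8 @@ int bus_exec_context_set_transient_property(
 return 1;
 
 } else if (STR_IN_SET(name, "ReadWriteDirectories", "ReadOnlyDirectories", "InaccessibleDirectories",
-"ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths", "ExecPaths", "NoExecPaths")) {
+"ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths", "ExecPaths", "NoExecPaths",
+"ExtensionDirectories")) {
 _cleanup_strv_free_ char **l = NULL;
 char ***dirs;
 char **p;
@@ -3291,6 +3293,8 @@ int bus_exec_context_set_transient_property(
 dirs = &c->exec_paths;
 else if (streq(name, "NoExecPaths"))
 dirs = &c->no_exec_paths;
+else if (streq(name, "ExtensionDirectories"))
+dirs = &c->extension_directories;
 else /* "InaccessiblePaths" */
 dirs = &c->inaccessible_paths;
 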
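Review bot: "ExtensionDirectories" is routed into the shared path-list branch of bus_exec_context_set_transient_property (second and third hunks), but the part of that branch that validates the entries in `l` and stores them into `*dirs` lies outside the hunk, as does the rest of the function. Unlike the other lists handled there, these entries end up as overlay sources stacked on top of /usr and /opt inside the service's mount namespace, so it should be confirmed that the absolute-path and `-`-prefix handling the branch applies to ReadWritePaths & co. is exactly what the fragment parser accepts for ExtensionDirectories=, otherwise unit files and the D-Bus API would take different syntax. A one-line comment next to the new `else if` would help the next reader: `/* ExtensionDirectories= shares the path-list parsing but is consumed as overlay sources, see apply_mount_namespace() in execute.c */`. The vtable entry in the first hunk is consistent with the other strv properties backed by offsetof.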
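--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2065,6 +2065,9 @@ bool exec_needs_mount_namespace(
 if (context->n_extension_images > 0)
 return true;
 
+if (!strv_isempty(context->extension_directories))
+return true;
+
 if (!IN_SET(context->mount_flags, 0, MS_SHARED))
 return true;
 
@@ -3566,6 +3569,7 @@ static int apply_mount_namespace(
 context->root_verity,
 context->extension_images,
 context->n_extension_images,
+context->extension_directories,
 propagate_dir,
 incoming_dir,
 root_dir || root_image ? params->notify_socket : NULL,
@@ -5244,6 +5248,7 @@ void exec_context_done(ExecContext *c) {
 c->root_hash_sig_path = mfree(c->root_hash_sig_path);
 c->root_verity = mfree(c->root_verity);
 c->extension_images = mount_image_free_many(c->extension_images, &c->n_extension_images);
+c->extension_directories = strv_free(c->extension_directories);
 c->tty_path = mfree(c->tty_path);
 c->syslog_identifier = mfree(c->syslog_identifier);
 c->user = mfree(c->user);
@@ -6120,6 +6125,8 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
 strempty(o->options));
 fprintf(f, "\n");
 }
+
+strv_dump(f, prefix, "ExtensionDirectories", c->extension_directories);
 }
 
 bool exec_context_maintains_privileges(const ExecContext *c) {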
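Review bot: The new check in exec_needs_mount_namespace (first hunk) carries no comment saying why a non-empty list forces a private mount namespace, whereas the man page text in this commit explains it (a read-only overlay over /usr and /opt that must stay invisible to the host). Proposed: `/* ExtensionDirectories= is applied as an overlay on /usr and /opt, which needs a private mount namespace */`. In the apply_mount_namespace hunk the new list is passed positionally into a long argument list directly after n_extension_images; the call and the enclosing function begin and end outside the hunk, so the callee's parameter order could not be checked here and is worth a second look. exec_context_done and exec_context_dump handle the strv consistently with the neighbouring fields.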

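--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -273,6 +273,7 @@ struct ExecContext {
 size_t n_mount_images;
 MountImage *extension_images;
 size_t n_extension_images;
+char **extension_directories;
 
 uint64_t capability_bounding_set;
 uint64_t capability_ambient_set;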
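Review bot: The new `extension_directories` field in struct ExecContext has no comment on what its entries are or who owns them; its neighbours do not either, but this plain strv could easily be mistaken for a borrowed list by code outside core. From the other hunks in this commit it is freed in exec_context_done() and holds the directory paths from ExtensionDirectories=, possibly still carrying the `-` prefix the man page documents (whether the parser strips it is not visible here). Proposed: `char **extension_directories; /* ExtensionDirectories=, owned; freed in exec_context_done() */`. The struct definition starts and ends outside the hunk.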

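--- a/src/core/load-fragment-gperf.gperf.in
+++ b/src/core/load-fragment-gperf.gperf.in
@@ -9,6 +9,7 @@
 {{type}}.RootHash, config_parse_exec_root_hash, 0, offsetof({{type}}, exec_context)
 {{type}}.RootHashSignature, config_parse_exec_root_hash_sig, 0, offsetof({{type}}, exec_context)
 {{type}}.RootVerity, config_parse_unit_path_printf, true, offsetof({{type}}, exec_context.root_verity)
+{{type}}.ExtensionDirectories, config_parse_namespace_path_strv, 0, offsetof({{type}}, exec_context.extension_directories)
 {{type}}.ExtensionImages, config_parse_extension_images, 0, offsetof({{type}}, exec_context)
 {{type}}.MountImages, config_parse_mount_images, 0, offsetof({{type}}, exec_context)
 {{type}}.User, config_parse_user_group_compat, 0, offsetof({{type}}, exec_context.user)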
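Review bot: The new entry reuses config_parse_namespace_path_strv, the parser behind the other *Paths= lists; if that parser also accepts the `+` prefix (a path taken relative to the root directory) in addition to `-`, then ExtensionDirectories= silently accepts it too while the man page added in this commit documents only `-`, and it is not obvious what a root-relative overlay source should mean. Either document `+` alongside `-` for this setting or confirm the parser rejects it here. Whether the parser strips the `-` before storing the entry is likewise not visible on this page; the consumer reached through apply_mount_namespace() in execute.c has to agree with it, since a stray prefix would otherwise be treated as part of the path.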
