https-github-com-bit
diff --git a/‎man/org.freedesktop.systemd1.xml‎
Lines changed: 48 additions & 0 deletions b/‎man/org.freedesktop.systemd1.xml‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎man/systemd.exec.xml‎
Lines changed: 19 additions & 2 deletions b/‎man/systemd.exec.xml‎
Lines changed: 19 additions & 2 deletions
diff --git a/‎src/core/dbus-execute.c‎
Lines changed: 7 additions & 1 deletion b/‎src/core/dbus-execute.c‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎src/core/execute.c‎
Lines changed: 25 additions & 23 deletions b/‎src/core/execute.c‎
Lines changed: 25 additions & 23 deletions
diff --git a/‎src/core/execute.h‎
Lines changed: 1 addition & 1 deletion b/‎src/core/execute.h‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/core/load-fragment-gperf.gperf.m4‎
Lines changed: 2 additions & 0 deletions b/‎src/core/load-fragment-gperf.gperf.m4‎
Lines changed: 2 additions & 0 deletions
@@ -2643,6 +2643,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly as InaccessiblePaths = ['...', ...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+      readonly as ExecPaths = ['...', ...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+      readonly as NoExecPaths = ['...', ...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly t MountFlags = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly b PrivateTmp = ...;
@@ -3154,6 +3158,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <!--property InaccessiblePaths is not documented!-->
 
+    <!--property ExecPaths is not documented!-->
+
+    <!--property NoExecPaths is not documented!-->
+
     <!--property PrivateTmp is not documented!-->
 
     <!--property PrivateDevices is not documented!-->
@@ -3722,6 +3730,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="InaccessiblePaths"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="ExecPaths"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="NoExecPaths"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="MountFlags"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="PrivateTmp"/>
@@ -4385,6 +4397,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly as InaccessiblePaths = ['...', ...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+      readonly as ExecPaths = ['...', ...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+      readonly as NoExecPaths = ['...', ...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly t MountFlags = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly b PrivateTmp = ...;
@@ -4924,6 +4940,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <!--property InaccessiblePaths is not documented!-->
 
+    <!--property ExecPaths is not documented!-->
+
+    <!--property NoExecPaths is not documented!-->
+
     <!--property PrivateTmp is not documented!-->
 
     <!--property PrivateDevices is not documented!-->
@@ -5490,6 +5510,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <variablelist class="dbus-property" generated="True" extra-ref="InaccessiblePaths"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="ExecPaths"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="NoExecPaths"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="MountFlags"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="PrivateTmp"/>
@@ -6066,6 +6090,10 @@ node /org/freedesktop/systemd1/unit/home_2emount {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly as InaccessiblePaths = ['...', ...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+      readonly as ExecPaths = ['...', ...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+      readonly as NoExecPaths = ['...', ...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly t MountFlags = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly b PrivateTmp = ...;
@@ -6533,6 +6561,10 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <!--property InaccessiblePaths is not documented!-->
 
+    <!--property ExecPaths is not documented!-->
+
+    <!--property NoExecPaths is not documented!-->
+
     <!--property PrivateTmp is not documented!-->
 
     <!--property PrivateDevices is not documented!-->
@@ -7017,6 +7049,10 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <variablelist class="dbus-property" generated="True" extra-ref="InaccessiblePaths"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="ExecPaths"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="NoExecPaths"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="MountFlags"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="PrivateTmp"/>
@@ -7714,6 +7750,10 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly as InaccessiblePaths = ['...', ...];
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+      readonly as ExecPaths = ['...', ...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
+      readonly as NoExecPaths = ['...', ...];
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly t MountFlags = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
       readonly b PrivateTmp = ...;
@@ -8167,6 +8207,10 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <!--property InaccessiblePaths is not documented!-->
 
+    <!--property ExecPaths is not documented!-->
+
+    <!--property NoExecPaths is not documented!-->
+
     <!--property PrivateTmp is not documented!-->
 
     <!--property PrivateDevices is not documented!-->
@@ -8637,6 +8681,10 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <variablelist class="dbus-property" generated="True" extra-ref="InaccessiblePaths"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="ExecPaths"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="NoExecPaths"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="MountFlags"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="PrivateTmp"/>
 
@@ -1359,6 +1359,8 @@ StateDirectory=aaa/bbb ccc</programlisting>
         <term><varname>ReadWritePaths=</varname></term>
         <term><varname>ReadOnlyPaths=</varname></term>
         <term><varname>InaccessiblePaths=</varname></term>
+        <term><varname>ExecPaths=</varname></term>
+        <term><varname>NoExecPaths=</varname></term>
 
         <listitem><para>Sets up a new file system namespace for executed processes. These options may be used
         to limit access a process has to the file system. Each setting takes a space-separated list of paths
@@ -1380,12 +1382,18 @@ StateDirectory=aaa/bbb ccc</programlisting>
         <varname>BindPaths=</varname>, or <varname>BindReadOnlyPaths=</varname> inside it. For a more flexible option,
         see <varname>TemporaryFileSystem=</varname>.</para>
 
+        <para>Content in paths listed in <varname>NoExecPaths=</varname> are not executable even if the usual
+        file access controls would permit this. Nest <varname>ExecPaths=</varname> inside of
+        <varname>NoExecPaths=</varname> in order to provide executable content within non-executable
+        directories.</para>
+
         <para>Non-directory paths may be specified as well. These options may be specified more than once,
         in which case all paths listed will have limited access from within the namespace. If the empty string is
         assigned to this option, the specific list is reset, and all prior assignments have no effect.</para>
 
-        <para>Paths in <varname>ReadWritePaths=</varname>, <varname>ReadOnlyPaths=</varname> and
-        <varname>InaccessiblePaths=</varname> may be prefixed with <literal>-</literal>, in which case they will be
+        <para>Paths in <varname>ReadWritePaths=</varname>, <varname>ReadOnlyPaths=</varname>,
+        <varname>InaccessiblePaths=</varname>, <varname>ExecPaths=</varname> and
+        <varname>NoExecPaths=</varname> may be prefixed with <literal>-</literal>, in which case they will be
         ignored when they do not exist. If prefixed with <literal>+</literal> the paths are taken relative to the root
         directory of the unit, as configured with <varname>RootDirectory=</varname>/<varname>RootImage=</varname>,
         instead of relative to the root directory of the host (see above). When combining <literal>-</literal> and
@@ -1408,6 +1416,15 @@ StateDirectory=aaa/bbb ccc</programlisting>
         <varname>CapabilityBoundingSet=~CAP_SYS_ADMIN</varname> or
         <varname>SystemCallFilter=~@mount</varname>.</para>
 
+        <para>Simple allow-list example using these directives:
+        <programlisting>[Service]
+ReadOnlyPaths=/
+ReadWritePaths=/var /run
+InaccessiblePaths=-/lost+found
+NoExecPaths=/
+ExecPaths=/usr/sbin/my_daemon /usr/lib /usr/lib64
+</programlisting></para>
+
         <xi:include href="system-only.xml" xpointer="plural"/></listitem>
       </varlistentry>
 
 
@@ -1094,6 +1094,8 @@ const sd_bus_vtable bus_exec_vtable[] = {
         SD_BUS_PROPERTY("ReadWritePaths", "as", NULL, offsetof(ExecContext, read_write_paths), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("ReadOnlyPaths", "as", NULL, offsetof(ExecContext, read_only_paths), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("InaccessiblePaths", "as", NULL, offsetof(ExecContext, inaccessible_paths), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("ExecPaths", "as", NULL, offsetof(ExecContext, exec_paths), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("NoExecPaths", "as", NULL, offsetof(ExecContext, no_exec_paths), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("MountFlags", "t", bus_property_get_ulong, offsetof(ExecContext, mount_flags), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("PrivateTmp", "b", bus_property_get_bool, offsetof(ExecContext, private_tmp), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("PrivateDevices", "b", bus_property_get_bool, offsetof(ExecContext, private_devices), SD_BUS_VTABLE_PROPERTY_CONST),
@@ -2981,7 +2983,7 @@ int bus_exec_context_set_transient_property(
                 return 1;
 
         } else if (STR_IN_SET(name, "ReadWriteDirectories", "ReadOnlyDirectories", "InaccessibleDirectories",
-                              "ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths")) {
+                              "ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths", "ExecPaths", "NoExecPaths")) {
                 _cleanup_strv_free_ char **l = NULL;
                 char ***dirs;
                 char **p;
@@ -3007,6 +3009,10 @@ int bus_exec_context_set_transient_property(
                                 dirs = &c->read_write_paths;
                         else if (STR_IN_SET(name, "ReadOnlyDirectories", "ReadOnlyPaths"))
                                 dirs = &c->read_only_paths;
+                        else if (streq(name, "ExecPaths"))
+                                dirs = &c->exec_paths;
+                        else if (streq(name, "NoExecPaths"))
+                                dirs = &c->no_exec_paths;
                         else /* "InaccessiblePaths" */
                                 dirs = &c->inaccessible_paths;
 
 
@@ -1999,7 +1999,9 @@ bool exec_needs_mount_namespace(
 
         if (!strv_isempty(context->read_write_paths) ||
             !strv_isempty(context->read_only_paths) ||
-            !strv_isempty(context->inaccessible_paths))
+            !strv_isempty(context->inaccessible_paths) ||
+            !strv_isempty(context->exec_paths) ||
+            !strv_isempty(context->no_exec_paths))
                 return true;
 
         if (context->n_bind_mounts > 0)
@@ -3206,6 +3208,8 @@ static int apply_mount_namespace(
                             &ns_info, context->read_write_paths,
                             needs_sandboxing ? context->read_only_paths : NULL,
                             needs_sandboxing ? context->inaccessible_paths : NULL,
+                            needs_sandboxing ? context->exec_paths : NULL,
+                            needs_sandboxing ? context->no_exec_paths : NULL,
                             empty_directories,
                             bind_mounts,
                             n_bind_mounts,
@@ -4815,6 +4819,8 @@ void exec_context_done(ExecContext *c) {
         c->read_only_paths = strv_free(c->read_only_paths);
         c->read_write_paths = strv_free(c->read_write_paths);
         c->inaccessible_paths = strv_free(c->inaccessible_paths);
+        c->exec_paths = strv_free(c->exec_paths);
+        c->no_exec_paths = strv_free(c->no_exec_paths);
 
         bind_mount_free_many(c->bind_mounts, c->n_bind_mounts);
         c->bind_mounts = NULL;
@@ -5162,6 +5168,18 @@ static void strv_fprintf(FILE *f, char **l) {
                 fprintf(f, " %s", *g);
 }
 
+static void strv_dump(FILE* f, const char *prefix, const char *name, char **strv) {
+        assert(f);
+        assert(prefix);
+        assert(name);
+
+        if (!strv_isempty(strv)) {
+                fprintf(f, "%s%s:", name, prefix);
+                strv_fprintf(f, strv);
+                fputs("\n", f);
+        }
+}
+
 void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
         char **e, **d, buf_clean[FORMAT_TIMESPAN_MAX];
         int r;
@@ -5474,32 +5492,16 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
 
         fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
 
-        if (!strv_isempty(c->supplementary_groups)) {
-                fprintf(f, "%sSupplementaryGroups:", prefix);
-                strv_fprintf(f, c->supplementary_groups);
-                fputs("\n", f);
-        }
+        strv_dump(f, prefix, "SupplementaryGroups", c->supplementary_groups);
 
         if (c->pam_name)
                 fprintf(f, "%sPAMName: %s\n", prefix, c->pam_name);
 
-        if (!strv_isempty(c->read_write_paths)) {
-                fprintf(f, "%sReadWritePaths:", prefix);
-                strv_fprintf(f, c->read_write_paths);
-                fputs("\n", f);
-        }
-
-        if (!strv_isempty(c->read_only_paths)) {
-                fprintf(f, "%sReadOnlyPaths:", prefix);
-                strv_fprintf(f, c->read_only_paths);
-                fputs("\n", f);
-        }
-
-        if (!strv_isempty(c->inaccessible_paths)) {
-                fprintf(f, "%sInaccessiblePaths:", prefix);
-                strv_fprintf(f, c->inaccessible_paths);
-                fputs("\n", f);
-        }
+        strv_dump(f, prefix, "ReadWritePaths", c->read_write_paths);
+        strv_dump(f, prefix, "ReadOnlyPaths", c->read_only_paths);
+        strv_dump(f, prefix, "InaccessiblePaths", c->inaccessible_paths);
+        strv_dump(f, prefix, "ExecPaths", c->exec_paths);
+        strv_dump(f, prefix, "NoExecPaths", c->no_exec_paths);
 
         for (size_t i = 0; i < c->n_bind_mounts; i++)
                 fprintf(f, "%s%s: %s%s:%s:%s\n", prefix,
 
@@ -243,7 +243,7 @@ struct ExecContext {
         char *apparmor_profile;
         char *smack_process_label;
 
-        char **read_write_paths, **read_only_paths, **inaccessible_paths;
+        char **read_write_paths, **read_only_paths, **inaccessible_paths, **exec_paths, **no_exec_paths;
         unsigned long mount_flags;
         BindMount *bind_mounts;
         size_t n_bind_mounts;
 
@@ -119,6 +119,8 @@ $1.InaccessibleDirectories,              config_parse_namespace_path_strv,
 $1.ReadWritePaths,                       config_parse_namespace_path_strv,            0,                                  offsetof($1, exec_context.read_write_paths)
 $1.ReadOnlyPaths,                        config_parse_namespace_path_strv,            0,                                  offsetof($1, exec_context.read_only_paths)
 $1.InaccessiblePaths,                    config_parse_namespace_path_strv,            0,                                  offsetof($1, exec_context.inaccessible_paths)
+$1.ExecPaths,                            config_parse_namespace_path_strv,            0,                                  offsetof($1, exec_context.exec_paths)
+$1.NoExecPaths,                          config_parse_namespace_path_strv,            0,                                  offsetof($1, exec_context.no_exec_paths)
 $1.BindPaths,                            config_parse_bind_paths,                     0,                                  offsetof($1, exec_context)
 $1.BindReadOnlyPaths,                    config_parse_bind_paths,                     0,                                  offsetof($1, exec_context)
 $1.TemporaryFileSystem,                  config_parse_temporary_filesystems,          0,                                  offsetof($1, exec_context)