Merge pull request #32800 from YHNdnzj/preserve-cred-mounts
switch-root: preserve the whole cred mount tree (/run/credentials/)
commit
b3aa88a475
|
@ -39,13 +39,12 @@ int switch_root(const char *new_root,
|
|||
unsigned long mount_flags; /* Flags to apply if SWITCH_ROOT_RECURSIVE_RUN is unset */
|
||||
unsigned long mount_flags_recursive_run; /* Flags to apply if SWITCH_ROOT_RECURSIVE_RUN is set (0 if shall be skipped) */
|
||||
} transfer_table[] = {
|
||||
{ "/dev", MS_BIND|MS_REC, MS_BIND|MS_REC }, /* Recursive, because we want to save the original /dev/shm/ + /dev/pts/ and similar */
|
||||
{ "/sys", MS_BIND|MS_REC, MS_BIND|MS_REC }, /* Similar, we want to retain various API VFS, or the cgroupv1 /sys/fs/cgroup/ tree */
|
||||
{ "/proc", MS_BIND|MS_REC, MS_BIND|MS_REC }, /* Similar */
|
||||
{ "/run", MS_BIND, MS_BIND|MS_REC }, /* Recursive except on soft reboot, see above */
|
||||
{ SYSTEM_CREDENTIALS_DIRECTORY, MS_BIND, 0 /* skip! */ }, /* Credentials passed into the system should survive */
|
||||
{ ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY, MS_BIND, 0 /* skip! */ }, /* Similar */
|
||||
{ "/run/host", MS_BIND|MS_REC, 0 /* skip! */ }, /* Host supplied hierarchy should also survive */
|
||||
{ "/dev", MS_BIND|MS_REC, MS_BIND|MS_REC }, /* Recursive, because we want to save the original /dev/shm/ + /dev/pts/ and similar */
|
||||
{ "/sys", MS_BIND|MS_REC, MS_BIND|MS_REC }, /* Similar, we want to retain various API VFS, or the cgroupv1 /sys/fs/cgroup/ tree */
|
||||
{ "/proc", MS_BIND|MS_REC, MS_BIND|MS_REC }, /* Similar */
|
||||
{ "/run", MS_BIND, MS_BIND|MS_REC }, /* Recursive except on soft reboot, see above */
|
||||
{ "/run/credentials", MS_BIND|MS_REC, 0 /* skip! */ }, /* Credential mounts should survive */
|
||||
{ "/run/host", MS_BIND|MS_REC, 0 /* skip! */ }, /* Host supplied hierarchy should also survive */
|
||||
};
|
||||
|
||||
_cleanup_close_ int old_root_fd = -EBADF, new_root_fd = -EBADF;
|
||||
|
|
|
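Review bot: The new `/run/credentials` row in `transfer_table` is bound with `MS_BIND|MS_REC`, so every mount below that directory is carried into the new root rather than only the two system credential directories the old rows named, and the comment `/* Credential mounts should survive */` does not say which mounts are meant to. Nothing visible in this hunk shows that credential mounts of units that were stopped are already unmounted by the time switch_root() reaches the table; if that is guaranteed elsewhere, the row should say so, for example `/* Recursive: per-unit credential mounts of surviving units live below this; mounts of stopped units must already be gone */`. The row also swaps the `SYSTEM_CREDENTIALS_DIRECTORY` and `ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY` constants for a path literal, so it would presumably stop covering them if either constant were ever moved outside `/run/credentials`. The body of switch_root() begins and ends outside the hunk.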
@ -44,6 +44,9 @@ if [ -f /run/TEST-82-SOFTREBOOT.touch3 ]; then
|
|||
test "$(systemctl show -P ActiveState TEST-82-SOFTREBOOT-nosurvive-sigterm.service)" != "active"
|
||||
test "$(systemctl show -P ActiveState TEST-82-SOFTREBOOT-nosurvive.service)" != "active"
|
||||
|
||||
[[ ! -e /run/credentials/TEST-82-SOFTREBOOT-nosurvive.service ]]
|
||||
assert_eq "$(cat /run/credentials/TEST-82-SOFTREBOOT-survive-argv.service/preserve)" "yay"
|
||||
|
||||
# Check journals
|
||||
journalctl -o short-monotonic --no-hostname --grep '(will soft-reboot|KILL|corrupt)'
|
||||
assert_eq "$(journalctl -q -o short-monotonic -u systemd-journald.service --grep 'corrupt')" ""
|
||||
|
@ -195,7 +198,7 @@ EOF
|
|||
# IgnoreOnIsolate=yes so that they aren't stopped via the "testsuite.target" isolation we do on next boot,
|
||||
# and will be killed by the final sigterm/sigkill spree.
|
||||
systemd-run --collect --service-type=notify -p DefaultDependencies=no -p IgnoreOnIsolate=yes --unit=TEST-82-SOFTREBOOT-nosurvive-sigterm.service "$survive_sigterm"
|
||||
systemd-run --collect --service-type=exec -p DefaultDependencies=no -p IgnoreOnIsolate=yes --unit=TEST-82-SOFTREBOOT-nosurvive.service sleep infinity
|
||||
systemd-run --collect --service-type=exec -p DefaultDependencies=no -p IgnoreOnIsolate=yes -p SetCredential=gone:hoge --unit=TEST-82-SOFTREBOOT-nosurvive.service sleep infinity
|
||||
|
||||
# Ensure that the unit doesn't get deactivated by dependencies on the source file. Given it's a verity
|
||||
# image that is already open, even if the tmpfs with the image goes away, the file will be pinned by the
|
||||
|
@ -212,6 +215,7 @@ EOF
|
|||
--property After=basic.target \
|
||||
--property "Conflicts=reboot.target kexec.target poweroff.target halt.target emergency.target rescue.target" \
|
||||
--property "Before=reboot.target kexec.target poweroff.target halt.target emergency.target rescue.target" \
|
||||
--property SetCredential=preserve:yay \
|
||||
"$survive_argv"
|
||||
systemd-run --service-type=exec --unit=TEST-82-SOFTREBOOT-survive.service \
|
||||
--property TemporaryFileSystem="/run /tmp /var" \
|
||||
|
|
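Review bot: The negative check `[[ ! -e /run/credentials/TEST-82-SOFTREBOOT-nosurvive.service ]]` in the touch3 branch covers only the one unit that was given `SetCredential=gone:hoge`; `TEST-82-SOFTREBOOT-nosurvive-sigterm.service` is still started without a credential, so a unit that (judging by `$survive_sigterm`) presumably outlasts SIGTERM and is only removed by the final kill is not checked for a leftover credential directory. Adding `-p SetCredential=gone:hoge` to that `systemd-run` line together with a matching `[[ ! -e /run/credentials/TEST-82-SOFTREBOOT-nosurvive-sigterm.service ]]` would cover it. The two new checks would also be easier to follow under a short comment such as `# Credentials of surviving units are preserved, those of stopped units are gone`.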