From eea5745f9e8617c806f7451f61b3b43422b242a1 Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date: Thu, 17 Jul 2025 05:03:54 -0400
Subject: [PATCH 1/3] sysext: introduce global config file

Introduce systemd/{sysext/confext}.conf and systemd/{sysext/confext}.conf.d to provide an
alternative way of setting the cmdline options in systemd-sysext.

The config file has to have a [Sysext] or [Confext] option respectively,
which will be overridden by the cmdline.

As an example of supported config, add Mutable= option.
---
 src/sysext/sysext.c | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c
index 005ea6d977..a4512d48e5 100644
--- a/src/sysext/sysext.c
+++ b/src/sysext/sysext.c
@@ -17,6 +17,7 @@
 #include "bus-util.h"
 #include "capability-util.h"
 #include "chase.h"
+#include "conf-parser.h"
 #include "devnum-util.h"
 #include "discover-image.h"
 #include "dissect-image.h"
@@ -148,6 +149,36 @@ static int parse_mutable_mode(const char *p) {
         return mutable_mode_from_string(p);
 }
 
+static DEFINE_CONFIG_PARSE_ENUM(config_parse_mutable_mode, mutable_mode, MutableMode);
+
+static int parse_config_file(ImageClass image_class) {
+        const char *section = image_class == IMAGE_SYSEXT ? "SysExt" : "ConfExt";
+        const ConfigTableItem items[] = {
+                { section, "Mutable",           config_parse_mutable_mode,      0,      &arg_mutable            },
+                {}
+        };
+        _cleanup_free_ char *config_file = NULL;
+        int r;
+
+        config_file = strjoin("systemd/", image_class_info[image_class].short_identifier, ".conf");
+        if (!config_file)
+                return log_oom();
+
+        r = config_parse_standard_file_with_dropins_full(
+                        arg_root,
+                        config_file,
+                        image_class == IMAGE_SYSEXT ? "SysExt\0" : "ConfExt\0",
+                        config_item_table_lookup, items,
+                        CONFIG_PARSE_WARN,
+                        /* userdata = */ NULL,
+                        /* ret_stats_by_path = */ NULL,
+                        /* ret_dropin_files = */ NULL);
+        if (r < 0)
+                return r;
+
+        return 0;
+}
+
 static int is_our_mount_point(
                 ImageClass image_class,
                 const char *p) {
@@ -2593,6 +2624,7 @@ static int run(int argc, char *argv[]) {
 
         arg_image_class = invoked_as(argv, "systemd-confext") ? IMAGE_CONFEXT : IMAGE_SYSEXT;
 
+        /* Parse environment variable first */
         env_var = getenv(image_class_info[arg_image_class].mode_env);
         if (env_var) {
                 r = parse_mutable_mode(env_var);
@@ -2603,6 +2635,12 @@ static int run(int argc, char *argv[]) {
                         arg_mutable = r;
         }
 
+        /* Parse configuration file */
+        r = parse_config_file(arg_image_class);
+        if (r < 0)
+                log_warning_errno(r, "Failed to parse global config file, ignoring: %m");
+
+        /* Parse command line */
         r = parse_argv(argc, argv);
         if (r <= 0)
                 return r;

From afbf09350b404148a960df62d6c5e922c9a21211 Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date: Thu, 17 Jul 2025 05:28:21 -0400
Subject: [PATCH 2/3] man/sysext.conf: add systemd-sysext config files

Add sysext.conf, which similar to other configs like coredump, will be
searched in:
/{etc run usr/lib}/systemd/{sysext/confext}.conf
but also
/{etc run usr/lib}/systemd/{sysext/confext}.conf.d/*

This config is an alternative to command line options, especially useful
if we want to extend the service units without modifying them.
---
 man/rules/meson.build  |  1 +
 man/sysext.conf.xml    | 89 ++++++++++++++++++++++++++++++++++++++++++
 man/systemd-sysext.xml |  8 +++-
 3 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 man/sysext.conf.xml

diff --git a/man/rules/meson.build b/man/rules/meson.build
index fdec807cb2..b8b8360ac3 100644
--- a/man/rules/meson.build
+++ b/man/rules/meson.build
@@ -1137,6 +1137,7 @@ manpages = [
    'systemd-sysext-initrd.service',
    'systemd-sysext.service'],
   'ENABLE_SYSEXT'],
+ ['sysext.conf', '5', ['confext.conf'], 'ENABLE_SYSEXT'],
  ['systemd-system-update-generator', '8', [], ''],
  ['systemd-system.conf',
   '5',
diff --git a/man/sysext.conf.xml b/man/sysext.conf.xml
new file mode 100644
index 0000000000..cdd88f2447
--- /dev/null
+++ b/man/sysext.conf.xml
@@ -0,0 +1,89 @@
+<?xml version='1.0'?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+
+<refentry id="sysext.conf" conditional='ENABLE_SYSEXT'
+    xmlns:xi="http://www.w3.org/2001/XInclude">
+
+  <refentryinfo>
+    <title>sysext.conf</title>
+    <productname>systemd</productname>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>sysext.conf</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>sysext.conf</refname>
+    <refname>confext.conf</refname>
+    <refname>sysext.conf.d</refname>
+    <refname>confext.conf.d</refname>
+    <refpurpose>Configuration files for systemd-sysext</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <para><filename>/etc/systemd/sysext.conf</filename></para>
+    <para><filename>/etc/systemd/sysext.conf.d/*.conf</filename></para>
+    <para><filename>/run/systemd/sysext.conf</filename></para>
+    <para><filename>/run/systemd/sysext.conf.d/*.conf</filename></para>
+    <para><filename>/usr/lib/systemd/sysext.conf</filename></para>
+    <para><filename>/usr/lib/systemd/sysext.conf.d/*.conf</filename></para>
+    <para><filename>/etc/systemd/confext.conf</filename></para>
+    <para><filename>/etc/systemd/confext.conf.d/*.conf</filename></para>
+    <para><filename>/run/systemd/confext.conf</filename></para>
+    <para><filename>/run/systemd/confext.conf.d/*.conf</filename></para>
+    <para><filename>/usr/lib/systemd/confext.conf</filename></para>
+    <para><filename>/usr/lib/systemd/confext.conf.d/*.conf</filename></para>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>These configuration files control the behavior of
+    <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry> and
+    <citerefentry><refentrytitle>systemd-confext</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+    They are especially useful when needing to customize the behavior of the
+    respective extension service units.</para>
+  </refsect1>
+
+  <xi:include href="standard-conf.xml" xpointer="main-conf" />
+
+  <refsect1>
+    <title>Options</title>
+
+    <para>The following options are understood in both the <literal>[Sysext]</literal> and
+    <literal>[Confext]</literal> sections:</para>
+
+    <refsect2>
+      <title>Section Options</title>
+
+      <variablelist class='config-directives'>
+        <varlistentry>
+          <term><varname>Mutable=</varname></term>
+          <listitem><para>Set the mutable mode for system extensions. Takes one of <literal>no</literal>,
+          <literal>yes</literal>, <literal>auto</literal>, <literal>import</literal>,
+          <literal>ephemeral</literal>, or <literal>ephemeral-import</literal>. For details about the modes,
+          see the <option>--mutable=</option> option in
+          <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+          Defaults to <literal>no</literal>.</para>
+
+          <xi:include href="version-info.xml" xpointer="v259"/>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </refsect2>
+  </refsect1>
+
+  <refsect1>
+    <title>See Also</title>
+    <para><simplelist type="inline">
+      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
+    </simplelist></para>
+  </refsect1>
+
+</refentry>
diff --git a/man/systemd-sysext.xml b/man/systemd-sysext.xml
index 07e97071a5..8705fa7275 100644
--- a/man/systemd-sysext.xml
+++ b/man/systemd-sysext.xml
@@ -74,7 +74,12 @@
     <para>System extension images are strictly read-only by default. On mutable host file systems,
     <filename>/usr/</filename> and <filename>/opt/</filename> hierarchies become read-only while extensions
     are merged, unless mutability is enabled. Mutability may be enabled via the <option>--mutable=</option>
-    option; see "Mutability" below for more information.</para>
+    option and the <varname>Mutable=</varname> option in the configuration file;
+    see "Mutability" below for more information.</para>
+
+    <para>Various command options can be configured globally via configuration files. See
+    <citerefentry><refentrytitle>sysext.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    for details.</para>
 
     <para>System extensions are supposed to be purely additive, i.e. they are supposed to include only files
     that do not exist in the underlying basic OS image. However, the underlying mechanism (overlayfs) also
@@ -477,6 +482,7 @@
     <title>See Also</title>
     <para><simplelist type="inline">
       <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+      <member><citerefentry><refentrytitle>sysext.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
       <member><citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
       <member><citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
       <member><citerefentry><refentrytitle>importctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>

From 887d0f8e9358b7009e58c90b6af82379d16246de Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date: Thu, 17 Jul 2025 10:16:24 -0400
Subject: [PATCH 3/3] sysext: support ImagePolicy global config option

Just as Mutable=, support ImagePolicy in systemd/{sysext/confext}.conf and
dropins in systemd/{sysext.confext}.conf.d/* configs.
---
 man/sysext.conf.xml | 12 ++++++++++++
 src/sysext/sysext.c |  1 +
 2 files changed, 13 insertions(+)

diff --git a/man/sysext.conf.xml b/man/sysext.conf.xml
index cdd88f2447..f717b74426 100644
--- a/man/sysext.conf.xml
+++ b/man/sysext.conf.xml
@@ -73,6 +73,18 @@
           <xi:include href="version-info.xml" xpointer="v259"/>
           </listitem>
         </varlistentry>
+
+        <varlistentry>
+          <term><varname>ImagePolicy=</varname></term>
+          <listitem><para>Set the image policy. Takes an image policy string as argument, as per
+          <citerefentry><refentrytitle>systemd.image-policy</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
+          For details, see the <option>--image-policy=</option> option in
+          <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+          </para>
+
+          <xi:include href="version-info.xml" xpointer="v259"/>
+          </listitem>
+        </varlistentry>
       </variablelist>
     </refsect2>
   </refsect1>
diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c
index a4512d48e5..15a00237e4 100644
--- a/src/sysext/sysext.c
+++ b/src/sysext/sysext.c
@@ -155,6 +155,7 @@ static int parse_config_file(ImageClass image_class) {
         const char *section = image_class == IMAGE_SYSEXT ? "SysExt" : "ConfExt";
         const ConfigTableItem items[] = {
                 { section, "Mutable",           config_parse_mutable_mode,      0,      &arg_mutable            },
+                { section, "ImagePolicy",       config_parse_image_policy,      0,      &arg_image_policy       },
                 {}
         };
         _cleanup_free_ char *config_file = NULL;