core: also enable PrivateUsers= for user services when using images via mountfsd

RootDirectory= and other options already implicitly enable PrivateUsers=
since 6ef721cbc7 if they are set in user
units, so that they can work out of the box.
Now with mountfsd support we can do the same for the images settings,
so enable them and document them.

man/system-or-user-ns-mountfsd.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0"?>
+<!DOCTYPE refsect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+
+<!--
+  SPDX-License-Identifier: LGPL-2.1-or-later
+-->
+
+<refsect1>
+  <title/>
+
+  <para id="singular">When enabled for services running in per-user instances of the service manager
+  this option implicitly enables <varname>PrivateUsers=</varname> (requires unprivileged user namespaces
+  support to be enabled in the kernel via the <literal>kernel.unprivileged_userns_clone=</literal> sysctl)
+  and also relies on
+  <citerefentry><refentrytitle>systemd-mountfsd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+
+  <para id="plural">When enabled for services running in per-user instances of the service manager
+  these options implicitly enable <varname>PrivateUsers=</varname> (requires unprivileged user namespaces
+  support to be enabled in the kernel via the <literal>kernel.unprivileged_userns_clone=</literal> sysctl)
+  and also rely on
+  <citerefentry><refentrytitle>systemd-mountfsd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+
+</refsect1>

man/systemd.exec.xml

@@ -201,7 +201,7 @@
 
         <xi:include href="vpick.xml" xpointer="image"/>
 
-        <xi:include href="system-only.xml" xpointer="singular"/>
+        <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/>
 
         <xi:include href="version-info.xml" xpointer="v233"/></listitem>
       </varlistentry>
@@ -225,7 +225,7 @@
         <constant>esp</constant>, <constant>xbootldr</constant>, <constant>tmp</constant>,
         <constant>var</constant>.</para>
 
-        <xi:include href="system-only.xml" xpointer="singular"/>
+        <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/>
 
         <xi:include href="version-info.xml" xpointer="v247"/></listitem>
       </varlistentry>
@@ -523,7 +523,7 @@
         <varname>PrivateDevices=</varname> below, as it may change the setting of
         <varname>DevicePolicy=</varname>.</para>
 
-        <xi:include href="system-only.xml" xpointer="singular"/>
+        <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/>
 
         <xi:include href="version-info.xml" xpointer="v247"/></listitem>
       </varlistentry>
@@ -590,7 +590,7 @@
 
         <xi:include href="vpick.xml" xpointer="image"/>
 
-        <xi:include href="system-only.xml" xpointer="singular"/>
+        <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/>
 
         <xi:include href="version-info.xml" xpointer="v248"/></listitem>
       </varlistentry>

src/core/exec-invoke.c

@@ -4486,6 +4486,9 @@ static bool exec_needs_cap_sys_admin(const ExecContext *context, const ExecParam
                context->n_temporary_filesystems > 0 ||
                context->root_directory ||
                !strv_isempty(context->extension_directories) ||
+               context->root_image ||
+               context->n_mount_images > 0 ||
+               context->n_extension_images > 0 ||
                context->protect_system != PROTECT_SYSTEM_NO ||
                context->protect_home != PROTECT_HOME_NO ||
                exec_needs_pid_namespace(context, params) ||

test/units/TEST-50-DISSECT.mountfsd.sh

@@ -70,7 +70,6 @@ systemd-dissect --image-policy='root=verity+signed:=absent+unused' --mtree /var/
 # If the kernel support is present unprivileged user units should be able to use verity images too
 if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
     systemd-run -M testuser@ --user --pipe --wait \
-        --property PrivateUsers=yes \
         --property RootImage="$MINIMAL_IMAGE.gpt" \
         test -e "/dev/mapper/${MINIMAL_IMAGE_ROOTHASH}-verity"
 fi