diff --git a/man/system-or-user-ns-mountfsd.xml b/man/system-or-user-ns-mountfsd.xml
new file mode 100644
index 0000000000..192090f396
--- /dev/null
+++ b/man/system-or-user-ns-mountfsd.xml
@@ -0,0 +1,23 @@
+
+
+
+
+
+
+
+
+ <para id="singular">When enabled for services running in per-user instances of the service manager
+ this option implicitly enables <varname>PrivateUsers=</varname> (requires unprivileged user namespaces
+ support to be enabled in the kernel via the <literal>kernel.unprivileged_userns_clone=</literal> sysctl)
+ and also relies on
+ <citerefentry><refentrytitle>systemd-mountfsd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+
+ <para id="plural">When enabled for services running in per-user instances of the service manager
+ these options implicitly enable <varname>PrivateUsers=</varname> (requires unprivileged user namespaces
+ support to be enabled in the kernel via the <literal>kernel.unprivileged_userns_clone=</literal> sysctl)
+ and also rely on
+ <citerefentry><refentrytitle>systemd-mountfsd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+
+</refsect1>
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index c0c147045e..6ffe3b9989 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -201,7 +201,7 @@
 <xi:include href="vpick.xml" xpointer="image"/>
- <xi:include href="system-only.xml" xpointer="singular"/>
+ <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/>
 <xi:include href="version-info.xml" xpointer="v233"/></listitem>
 </varlistentry>
@@ -225,7 +225,7 @@
 <constant>esp</constant>, <constant>xbootldr</constant>, <constant>tmp</constant>, <constant>var</constant>.</para>
- <xi:include href="system-only.xml" xpointer="singular"/>
+ <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/>
 <xi:include href="version-info.xml" xpointer="v247"/></listitem>
 </varlistentry>
@@ -523,7 +523,7 @@
 <varname>PrivateDevices=</varname> below, as it may change the setting of <varname>DevicePolicy=</varname>.</para>
- <xi:include href="system-only.xml" xpointer="singular"/>
+ <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/>
 <xi:include href="version-info.xml" xpointer="v247"/></listitem>
 </varlistentry>
@@ -590,7 +590,7 @@
 <xi:include href="vpick.xml" xpointer="image"/>
- <xi:include href="system-only.xml" xpointer="singular"/>
+ <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/>
 <xi:include href="version-info.xml" xpointer="v248"/></listitem>
 </varlistentry>
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index e02d2ddee6..93b5080ff6 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -4486,6 +4486,9 @@ static bool exec_needs_cap_sys_admin(const ExecContext *context, const ExecParam
 context->n_temporary_filesystems > 0 ||
 context->root_directory ||
 !strv_isempty(context->extension_directories) ||
+ context->root_image ||
+ context->n_mount_images > 0 ||
+ context->n_extension_images > 0 ||
 context->protect_system != PROTECT_SYSTEM_NO ||
 context->protect_home != PROTECT_HOME_NO ||
 exec_needs_pid_namespace(context, params) ||
diff --git a/test/units/TEST-50-DISSECT.mountfsd.sh b/test/units/TEST-50-DISSECT.mountfsd.sh
index 52fa94ecc5..b6ff5012bf 100755
--- a/test/units/TEST-50-DISSECT.mountfsd.sh
+++ b/test/units/TEST-50-DISSECT.mountfsd.sh
@@ -70,7 +70,6 @@ systemd-dissect --image-policy='root=verity+signed:=absent+unused' --mtree /var/
 # If the kernel support is present unprivileged user units should be able to use verity images too
 if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
 systemd-run -M testuser@ --user --pipe --wait \
- --property PrivateUsers=yes \
 --property RootImage="$MINIMAL_IMAGE.gpt" \
 test -e "/dev/mapper/${MINIMAL_IMAGE_ROOTHASH}-verity"
 fi
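Review bot: The three operands added to `exec_needs_cap_sys_admin` (`root_image`, `n_mount_images`, `n_extension_images`) carry no comment tying them to the new man-page text, so a later reader cannot tell why image-backed settings now force this predicate when the neighbouring `extension_directories` check was already there. A one-line comment above `context->root_image ||`, e.g. `/* RootImage=, MountImages= and ExtensionImages= rely on systemd-mountfsd and need a user namespace in per-user managers, see system-or-user-ns-mountfsd.xml */`, would keep this list in sync with the documentation when further image options are added. The function's head and the rest of the `||` chain lie outside the hunk, so I cannot see how the result is consumed; presumably it is what implicitly enables PrivateUsers= for per-user managers, as the man-page hunks in this commit state.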
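Review bot: With `--property PrivateUsers=yes` dropped, this invocation becomes the only check that `RootImage=` now implies a user namespace for a `--user` unit, but the exec-invoke.c hunk also adds `n_mount_images` and `n_extension_images` to the same predicate and neither `MountImages=` nor `ExtensionImages=` is exercised here. A sibling `systemd-run -M testuser@ --user --pipe --wait` call under the same `if`, one with `--property MountImages=` and one with `--property ExtensionImages=` pointing at the same image, would cover the other two new branches. The whole `if … fi` block is inside the hunk, so the coverage gap is not hidden by context outside the view.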