execute: load a bunch of libs before we disable dlopen()

2026-04-14 00:14:32 +09:00 · 2025-11-24 09:55:03 +01:00
parent 800d11c36c
commit efaf5a763d
2 changed files with 11 additions and 0 deletions
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -32,6 +32,7 @@
 #include "constants.h"
 #include "copy.h"
 #include "coredump-util.h"
+#include "cryptsetup-util.h"
 #include "dissect-image.h"
 #include "dynamic-user.h"
 #include "env-util.h"
@@ -48,6 +49,7 @@
 #include "io-util.h"
 #include "iovec-util.h"
 #include "journal-send.h"
+#include "libmount-util.h"
 #include "manager.h"
 #include "memfd-util.h"
 #include "mkdir-label.h"
@@ -5818,6 +5820,12 @@ int exec_invoke(
                }
        }

+        /* Load a bunch of libraries we'll possibly need later, before we turn off dlopen() */
+        (void) dlopen_bpf();
+        (void) dlopen_cryptsetup();
+        (void) dlopen_libmount();
+        (void) dlopen_libseccomp();
+
        /* Let's now disable further dlopen()ing of libraries, since we are about to do namespace
         * shenanigans, and do not want to mix resources from host and namespace */
        block_dlopen();
--- a/src/core/meson.build
+++ b/src/core/meson.build
@@ -212,6 +212,9 @@ executables += [
                'link_with' : executor_libs,
                'dependencies' : [
                        libapparmor_cflags,
+                        libbpf_cflags,
+                        libcryptsetup_cflags,
+                        libmount_cflags,
                        libpam_cflags,
                        libseccomp_cflags,
                        libselinux_cflags,