Merge 86792c7d00 into ea457d59e9

test: mount unit with credentials
Verify unit credentials file is deleted after successfully mounting.
2024-11-06 16:42:54 +06:00 · 2024-10-27 16:07:01 -07:00 · 2024-10-27 14:57:39 -07:00
2 changed files with 62 additions and 6 deletions
--- a/src/core/mount.c
+++ b/src/core/mount.c
@ -854,9 +854,19 @@ static void mount_dump(Unit *u, FILE *f, const char *prefix) {
        }
 }

-static int mount_spawn(Mount *m, ExecCommand *c, PidRef *ret_pid) {
-        _cleanup_(exec_params_shallow_clear) ExecParameters exec_params = EXEC_PARAMETERS_INIT(
-                        EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN);
+static ExecFlags mount_exec_flags(MountState state) {
+        ExecFlags flags = EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN;
+
+        assert(IN_SET(state, MOUNT_MOUNTING, MOUNT_REMOUNTING, MOUNT_UNMOUNTING));
+
+        if (IN_SET(state, MOUNT_MOUNTING, MOUNT_REMOUNTING))
+                flags |= EXEC_SETUP_CREDENTIALS;
+
+        return flags;
+}
+
+static int mount_spawn(Mount *m, ExecCommand *c, ExecFlags flags, PidRef *ret_pid) {
+        _cleanup_(exec_params_shallow_clear) ExecParameters exec_params = EXEC_PARAMETERS_INIT(flags);
        _cleanup_(pidref_done) PidRef pidref = PIDREF_NULL;
        int r;

@ -926,6 +936,10 @@ static void mount_enter_mounted(Mount *m, MountResult f) {
                m->result = f;

        mount_set_state(m, MOUNT_MOUNTED);
+
+        /* Destroy credentials after successfully mounting. Otherwise, credentials will continue to exist until unit
+         * is stopped. */
+        exec_context_destroy_credentials(&m->exec_context, UNIT(m)->manager->prefix[EXEC_DIRECTORY_RUNTIME], UNIT(m)->id);
 }

 static void mount_enter_dead_or_mounted(Mount *m, MountResult f, bool flush_result) {
@ -1047,7 +1061,7 @@ static void mount_enter_unmounting(Mount *m) {

        mount_unwatch_control_pid(m);

-        r = mount_spawn(m, m->control_command, &m->control_pid);
+        r = mount_spawn(m, m->control_command, mount_exec_flags(MOUNT_UNMOUNTING), &m->control_pid);
        if (r < 0) {
                log_unit_warning_errno(UNIT(m), r, "Failed to spawn 'umount' task: %m");
                goto fail;
@ -1192,7 +1206,7 @@ static void mount_enter_mounting(Mount *m) {

        mount_unwatch_control_pid(m);

-        r = mount_spawn(m, m->control_command, &m->control_pid);
+        r = mount_spawn(m, m->control_command, mount_exec_flags(MOUNT_MOUNTING), &m->control_pid);
        if (r < 0) {
                log_unit_warning_errno(UNIT(m), r, "Failed to spawn 'mount' task: %m");
                goto fail;
@ -1257,7 +1271,7 @@ static void mount_enter_remounting(Mount *m) {

        mount_unwatch_control_pid(m);

-        r = mount_spawn(m, m->control_command, &m->control_pid);
+        r = mount_spawn(m, m->control_command, mount_exec_flags(MOUNT_REMOUNTING), &m->control_pid);
        if (r < 0) {
                log_unit_warning_errno(UNIT(m), r, "Failed to spawn 'remount' task: %m");
                goto fail;
--- a/test/units/TEST-54-CREDS.sh
+++ b/test/units/TEST-54-CREDS.sh
@ -23,6 +23,45 @@ run_with_cred_compare() (
    diff "$log_file" <(echo -ne "$exp")
 )

+test_mount_with_credentials() {
+    local tmpdir credfile unit
+    tmpdir="/tmp/test-54-mount"
+    credfile="/tmp/mount-cred"
+    unit=$(systemd-escape --suffix mount --path "$tmpdir")
+
+    mkdir -p "$tmpdir"
+    echo foo >"$credfile"
+
+    # Set up test mount unit
+    cat >/run/systemd/system/"$unit" <<EOF
+[Mount]
+What=tmpfs
+Where=$tmpdir
+Type=tmpfs
+LoadCredential=loadcred:$credfile
+SetCredential=setcred:bar
+EOF
+
+    # Start unit
+    systemctl daemon-reload
+    systemctl start "$unit"
+
+    # Verify mount succeeded
+    [[ "$(systemctl show --property SubState --value "$unit")" = "mounted" ]] || {
+        echo >&2 "Test mount \"$unit\" unit isn't mounted"
+        return 1
+    }
+    mountpoint -q "$tmpdir"
+
+    # Verify unit credentials file is not present
+    [[ ! -e /run/credentials/"$unit" ]]
+
+    # Stop unit and delete files
+    systemctl stop "$unit"
+    rm -f /run/systemd/system/"$unit" "$credfile"
+    rm -rf "$tmpdir"
+}
+
 # Sanity checks
 #
 # Create a dummy "full" disk (similar to /dev/full) to check out-of-space
@ -474,6 +513,9 @@ systemd-creds encrypt --user /tmp/usertest.data /tmp/usertest.creds --name=mytes
 systemctl start user@0.service
 XDG_RUNTIME_DIR=/run/user/0 systemd-run --pipe --user --unit=waldi.service -p LoadCredentialEncrypted=mytest:/tmp/usertest.creds cat /run/user/0/credentials/waldi.service/mytest | cmp /tmp/usertest.data

+# Test mount unit with credentials
+test_mount_with_credentials
+
 systemd-analyze log-level info

 touch /testok
Author	SHA1	Message	Date
davjav	bc5015c4af	Merge `86792c7d00` into `ea457d59e9`	2024-11-06 16:42:54 +06:00
davjav	86792c7d00	test: mount unit with credentials Verify unit credentials file is deleted after successfully mounting.	2024-10-27 16:07:01 -07:00
davjav	15e0254326	Add credential support for mount units Add EXEC_SETUP_CREDENTIALS flag to allow using credentials with mount units. Fixes: https://github.com/systemd/systemd/issues/23535	2024-10-27 14:57:39 -07:00