src/core/execute.c

@@ -2247,7 +2247,7 @@ static int setup_exec_directory(
 
                         if (type != EXEC_DIRECTORY_CONFIGURATION &&
                             readlink_and_make_absolute(p, &target) >= 0) {
-                                _cleanup_free_ char *q = NULL, *q_resolved = NULL, *target_resolved = NULL;
+                                _cleanup_free_ char *q = NULL;
 
                                 /* This already exists and is a symlink? Interesting. Maybe it's one created
                                  * by DynamicUser=1 (see above)?
@@ -2256,22 +2256,13 @@ static int setup_exec_directory(
                                  * since they all support the private/ symlink logic at least in some
                                  * configurations, see above. */
 
-                                r = chase_symlinks(target, NULL, 0, &target_resolved, NULL);
-                                if (r < 0)
-                                        goto fail;
-
                                 q = path_join(params->prefix[type], "private", *rt);
                                 if (!q) {
                                         r = -ENOMEM;
                                         goto fail;
                                 }
 
-                                /* /var/lib or friends may be symlinks. So, let's chase them also. */
+                                if (path_equal(q, target)) {
-                                r = chase_symlinks(q, NULL, CHASE_NONEXISTENT, &q_resolved, NULL);
-                                if (r < 0)
-                                        goto fail;
-
-                                if (path_equal(q_resolved, target_resolved)) {
 
                                         /* Hmm, apparently DynamicUser= was once turned on for this service,
                                          * but is no longer. Let's move the directory back up. */

src/core/mount-setup.c

@@ -64,7 +64,7 @@ static const MountPoint mount_table[] = {
           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
         { "proc",        "/proc",                     "proc",       NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
-        { "devtmpfs",    "/dev",                      "devtmpfs",   "mode=755",                MS_NOSUID|MS_NOEXEC|MS_STRICTATIME,
+        { "devtmpfs",    "/dev",                      "devtmpfs",   "mode=755",                MS_NOSUID|MS_STRICTATIME,
           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
         { "securityfs",  "/sys/kernel/security",      "securityfs", NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
           NULL,          MNT_NONE                   },

src/test/test-execute.c

@@ -561,7 +561,6 @@ static void test_exec_dynamicuser(Manager *m) {
 
         test(__func__, m, "exec-dynamicuser-statedir-migrate-step1.service", 0, CLD_EXITED);
         test(__func__, m, "exec-dynamicuser-statedir-migrate-step2.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
-        test(__func__, m, "exec-dynamicuser-statedir-migrate-step1.service", 0, CLD_EXITED);
 
         (void) rm_rf("/var/lib/test-dynamicuser-migrate", REMOVE_ROOT|REMOVE_PHYSICAL);
         (void) rm_rf("/var/lib/test-dynamicuser-migrate2", REMOVE_ROOT|REMOVE_PHYSICAL);

test/test-execute/exec-capabilityboundingset-invert.service

@@ -2,7 +2,7 @@
 Description=Test for CapabilityBoundingSet
 
 [Service]
-# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
-ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep "^Bounding set .*cap_chown"'
+ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep "^Bounding set .*cap_chown"'
 Type=oneshot
 CapabilityBoundingSet=~CAP_CHOWN

test/test-execute/exec-privatedevices-no-capability-mknod.service

@@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=no
 
 [Service]
 PrivateDevices=no
-# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
-ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
+ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
 Type=oneshot

test/test-execute/exec-privatedevices-no-capability-sys-rawio.service

@@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=no
 
 [Service]
 PrivateDevices=no
-# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
-ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
+ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
 Type=oneshot

test/test-execute/exec-privatedevices-yes-capability-mknod.service

@@ -3,6 +3,6 @@ Description=Test CAP_MKNOD capability for PrivateDevices=yes
 
 [Service]
 PrivateDevices=yes
-# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
-ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_mknod'
+ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_mknod'
 Type=oneshot

test/test-execute/exec-privatedevices-yes-capability-sys-rawio.service

@@ -3,6 +3,6 @@ Description=Test CAP_SYS_RAWIO capability for PrivateDevices=yes
 
 [Service]
 PrivateDevices=yes
-# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
-ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_rawio'
+ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_rawio'
 Type=oneshot

test/test-execute/exec-protectkernellogs-no-capabilities.service

@@ -3,6 +3,6 @@ Description=Test CAP_SYSLOG for ProtectKernelLogs=no
 
 [Service]
 ProtectKernelLogs=no
-# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
-ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog'
+ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_syslog'
 Type=oneshot

test/test-execute/exec-protectkernellogs-yes-capabilities.service

@@ -3,6 +3,6 @@ Description=Test CAP_SYSLOG for ProtectKernelLogs=yes
 
 [Service]
 ProtectKernelLogs=yes
-# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
-ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_syslog'
+ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_syslog'
 Type=oneshot

test/test-execute/exec-protectkernelmodules-no-capabilities.service

@@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE ProtectKernelModules=no
 
 [Service]
 ProtectKernelModules=no
-# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
-ExecStart=/bin/sh -x -c 'capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
+ExecStart=/bin/sh -x -c 'capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
 Type=oneshot

test/test-execute/exec-protectkernelmodules-yes-capabilities.service

@@ -3,6 +3,6 @@ Description=Test CAP_SYS_MODULE for ProtectKernelModules=yes
 
 [Service]
 ProtectKernelModules=yes
-# sed: remove dropped (cap_xxx-[epi]) and IAB capabilities from the output
+# sed: remove dropped capabilities (cap_xxx-[epi]) from the output
-ExecStart=/bin/sh -x -c '! capsh --print | sed -re "s/[^ ]+?\-[epi]+//g" -e '/IAB/d' | grep cap_sys_module'
+ExecStart=/bin/sh -x -c '! capsh --print | sed -r "s/[^ ]+?\-[epi]+//g" | grep cap_sys_module'
 Type=oneshot