sd-event: several follow-ups for recent change (#39743 )

test: add missing assertion
Follow-up for 5a5cb6ba50594355734ff58487d2272a86b741b1. Fixes CID#1643217.
2026-03-31 04:04:54 +02:00 · 2025-11-15 22:47:42 +01:00 · 2025-11-16 05:51:22 +09:00 · 2025-11-16 05:44:35 +09:00 · 2025-11-16 04:46:18 +09:00 · 2025-11-15 22:01:46 +08:00
4 changed files with 61 additions and 12 deletions
--- a/src/libsystemd/sd-event/sd-event.c
+++ b/src/libsystemd/sd-event/sd-event.c
@ -4249,12 +4249,6 @@ static int source_dispatch(sd_event_source *s) {
        s->dispatching = false;
        /* More post sources might have been added while executing the callback, let's make sure
         * those are marked pending as well. */
        r = maybe_mark_post_sources_pending(saved_type, saved_event);
        if (r < 0)
                return r;
 finish:
        if (r < 0) {
                log_debug_errno(r, "Event source %s (type %s) returned error, %s: %m",
@ -4271,6 +4265,12 @@ finish:
        else if (r < 0)
                assert_se(sd_event_source_set_enabled(s, SD_EVENT_OFF) >= 0);
        /* More post sources might have been added while executing the callback, let's make sure
         * those are marked pending as well. */
        r = maybe_mark_post_sources_pending(saved_type, saved_event);
        if (r < 0)
                return r;
        return 1;
 }
--- a/src/libsystemd/sd-event/test-event.c
+++ b/src/libsystemd/sd-event/test-event.c
@ -1075,7 +1075,7 @@ static int exit_on_idle_defer_handler(sd_event_source *s, void *userdata) {
        /* Disable ourselves, which should trigger exit-on-idle after the second iteration */
        if (*c == 2)
-                sd_event_source_set_enabled(s, SD_EVENT_OFF);
+                ASSERT_OK(sd_event_source_set_enabled(s, SD_EVENT_OFF));
        return 0;
 }
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@ -814,9 +814,20 @@ static int mount_bind(const char *dest, CustomMount *m, uid_t uid_shift, uid_t u
                        return r;
        }
        /* ID remapping cannot be done if user namespaces are not in use (uid_shift is UID_INVALID).
         * Fail if idmapping was explicitly requested in this state. Otherwise, treat UID_INVALID
         * as 0 for ownership operations. */
        if (idmapping != REMOUNT_IDMAPPING_NONE && !uid_is_valid(uid_shift))
                return log_error_errno(
                                SYNTHETIC_ERRNO(EINVAL),
                                "ID remapping requested for %s, but user namespacing is not enabled.",
                                m->source);
        uid_t chown_uid = uid_is_valid(uid_shift) ? uid_shift : 0;
        /* If this is a bind mount from a temporary sources change ownership of the source to the container's
         * root UID. Otherwise it would always show up as "nobody" if user namespacing is used. */
-        if (m->rm_rf_tmpdir && chown(m->source, uid_shift, uid_shift) < 0)
+        if (m->rm_rf_tmpdir && chown(m->source, chown_uid, chown_uid) < 0)
                return log_error_errno(errno, "Failed to chown %s: %m", m->source);
        /* UID/GIDs of idmapped mounts are always resolved in the caller's user namespace. In other
@ -850,7 +861,7 @@ static int mount_bind(const char *dest, CustomMount *m, uid_t uid_shift, uid_t u
                if (stat(where, &dest_st) < 0)
                        return log_error_errno(errno, "Failed to stat %s: %m", where);
-                dest_uid = uid_is_valid(m->destination_uid) ? uid_shift + m->destination_uid : dest_st.st_uid;
+                dest_uid = uid_is_valid(m->destination_uid) ? chown_uid + m->destination_uid : dest_st.st_uid;
                if (S_ISDIR(source_st.st_mode) && !S_ISDIR(dest_st.st_mode))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
@ -863,7 +874,7 @@ static int mount_bind(const char *dest, CustomMount *m, uid_t uid_shift, uid_t u
                                               m->source, where);
        } else { /* Path doesn't exist yet? */
-                r = mkdir_parents_safe_label(dest, where, 0755, uid_shift, uid_shift, MKDIR_IGNORE_EXISTING);
+                r = mkdir_parents_safe_label(dest, where, 0755, chown_uid, chown_uid, MKDIR_IGNORE_EXISTING);
                if (r < 0)
                        return log_error_errno(r, "Failed to make parents of %s: %m", where);
@ -878,10 +889,10 @@ static int mount_bind(const char *dest, CustomMount *m, uid_t uid_shift, uid_t u
                if (r < 0)
                        return log_error_errno(r, "Failed to create mount point %s: %m", where);
-                if (chown(where, uid_shift, uid_shift) < 0)
+                if (chown(where, chown_uid, chown_uid) < 0)
                        return log_error_errno(errno, "Failed to chown %s: %m", where);
-                dest_uid = uid_shift + (uid_is_valid(m->destination_uid) ? m->destination_uid : 0);
+                dest_uid = chown_uid + (uid_is_valid(m->destination_uid) ? m->destination_uid : 0);
        }
        if (move_mount(fd_clone, "", AT_FDCWD, where, MOVE_MOUNT_F_EMPTY_PATH) < 0)
--- a/test/units/TEST-13-NSPAWN.nspawn.sh
+++ b/test/units/TEST-13-NSPAWN.nspawn.sh
@ -1477,6 +1477,44 @@ testcase_link_journal_host() {
    rm -fr "$root" "$hoge"
 }
 testcase_volatile_link_journal_no_userns() {
    local root machine_id journal_dir acl_output
    root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.volatile-journal.XXX)"
    create_dummy_container "$root"
    machine_id="$(systemd-id128 new)"
    echo "$machine_id" >"$root/etc/machine-id"
    journal_dir="/var/log/journal/$machine_id"
    mkdir -p "$journal_dir"
    chown root:root "$journal_dir"
    systemd-nspawn --register=no \
                   --directory="$root" \
                   --boot \
                   --volatile=yes \
                   --link-journal=host \
                   systemd.unit=systemd-tmpfiles-setup.service
    local gid
    gid="$(stat -c '%g' "$journal_dir")"
    # Ensure GID is not 4294967295 (GID_INVALID)
    [[ "$gid" != "4294967295" ]]
    # Ensure the directory is owned by a valid user (root or systemd-journal
    # group). The GID should be either 0 (root) or the systemd-journal GID, not
    # some bombastically large number
    [[ "$gid" -lt 65535 ]]
    # Ensure the invalid GID doesn't appear in ACLs
    acl_output="$(getfacl "$journal_dir" || true)"
    grep -q "4294967295" <<< "$acl_output" && exit 1
    rm -fr "$root" "$journal_dir"
 }
 testcase_cap_net_bind_service() {
    local root
Author	SHA1	Message	Date
Daan De Meyer	6de1c68924	sd-event: several follow-ups for recent change (#39743 )	2025-11-15 22:47:42 +01:00
Yu Watanabe	de8ea7e219	test: add missing assertion Follow-up for 5a5cb6ba50594355734ff58487d2272a86b741b1. Fixes CID#1643217.	2025-11-16 05:51:22 +09:00
Yu Watanabe	8e4ef4a18c	sd-event: do not ignore result of callbacks Follow-up for 4c8b6d636c92e84f4b40db5656db58f71f397a1d and 6aff6d3ffc8a481bb663ac4dd0cf479845a6e24f. Fixes CID#1643218 and friends.	2025-11-16 05:44:35 +09:00
Yu Watanabe	c9fc7eb87e	nspawn: Prevent invalid UIDs propagating in bind mounts (#39729 ) Commit 88fce090263ba8944cf491346eae2e8022dfd88d modified the mount_bind() function, causing it to perform arithmetic on the uid_shift parameter. However, it performs this arithmetic even when uid_shift was UID_INVALID, which was not intended. This typically occurred when mount_custom() was called for a simple bind mount without user namespaces (and thus no rootidmap mount option). This arithmetic (e.g., uid_shift + m->destination_uid) then wraps around, resulting in the invalid ID 4294967295 ((uid_t)-1). This bug manifests for users running systemd-nspawn with --link-journal=host and --volatile=yes (but without --private-users), causing systemd-tmpfiles to fail. Make mount_bind() robust by checking if uid_shift is valid before using it in arithmetic. If it is UID_INVALID, it defaults to a shift of 0 for the ownership calculation, restoring correct behavior for plain bind mounts while preserving the intended logic for ID-mapped mounts. Fixes: #39714	2025-11-16 04:46:18 +09:00
Chris Down	bb49e719d9	test: Add nspawn regression test for --link-journal --volatile	2025-11-15 22:01:46 +08:00
Chris Down	63855693dc	nspawn: Prevent invalid UIDs propagating in bind mounts Commit 88fce09 modified the mount_bind() function, causing it to perform arithmetic on the uid_shift parameter. However, it performs this arithmetic even when uid_shift was UID_INVALID, which was not intended. This typically occurred when mount_custom() was called for a simple bind mount without user namespaces (and thus no rootidmap mount option). This arithmetic (e.g., uid_shift + m->destination_uid) then wraps around, resulting in the invalid ID 4294967295 ((uid_t)-1). This bug manifests for users running systemd-nspawn with --link-journal=host and --volatile=yes (but without --private-users), causing systemd-tmpfiles to fail. Make mount_bind() robust by checking if uid_shift is valid before using it in arithmetic. If it is UID_INVALID, it defaults to a shift of 0 for the ownership calculation, restoring correct behavior for plain bind mounts while preserving the intended logic for ID-mapped mounts. Fixes: #39714	2025-11-14 18:18:24 +08:00