nspawn: fix --link-journal=host with --private-users=pick and friends

Fixes #38611.
2025-10-06 00:13:24 +02:00 · 2025-08-19 00:13:48 +09:00
parent 045227426e
commit 88fce09026
2 changed files with 40 additions and 7 deletions
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2566,7 +2566,7 @@ static int setup_hostname(void) {
        return 0;
 }

-static int setup_journal(const char *directory) {
+static int setup_journal(const char *directory, uid_t uid_shift, uid_t uid_range) {
        _cleanup_free_ char *d = NULL;
        sd_id128_t this_id;
        bool try;
@@ -2693,11 +2693,20 @@ static int setup_journal(const char *directory) {
        if (r < 0)
                return log_error_errno(r, "Failed to create %s: %m", q);

-        r = mount_nofollow_verbose(LOG_DEBUG, p, q, NULL, MS_BIND, NULL);
-        if (r < 0)
-                return log_error_errno(r, "Failed to bind mount journal from host into guest: %m");
-
-        return 0;
+        return mount_custom(
+                        directory,
+                        &(CustomMount) {
+                                .type = CUSTOM_MOUNT_BIND,
+                                .options = (char*) (uid_is_valid(uid_shift) ? "rootidmap" : NULL),
+                                .source = p,
+                                .destination = p,
+                                .destination_uid = UID_INVALID,
+                        },
+                        /* n = */ 1,
+                        uid_shift,
+                        uid_range,
+                        arg_selinux_apifs_context,
+                        MOUNT_NON_ROOT_ONLY);
 }

 static int drop_capabilities(uid_t uid) {
@@ -4270,7 +4279,7 @@ static int outer_child(
        if (r < 0)
                return r;

-        r = setup_journal(directory);
+        r = setup_journal(directory, chown_uid, chown_range);
        if (r < 0)
                return r;

--- a/test/units/TEST-13-NSPAWN.nspawn.sh
+++ b/test/units/TEST-13-NSPAWN.nspawn.sh
@@ -1446,4 +1446,28 @@ testcase_unpriv_dir() {
    rm -rf "$root"
 }

+testcase_link_journa_hostl() {
+    local root hoge i
+
+    root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.link-journal.XXX)"
+    create_dummy_container "$root"
+
+    systemd-id128 new > "$root"/etc/machine-id
+
+    mkdir -p /var/log/journal
+
+    hoge="/var/log/journal/$(cat "$root"/etc/machine-id)/hoge"
+
+    for i in no yes pick; do
+        systemd-nspawn \
+            --directory="$root" --private-users="$i" --link-journal=host \
+            bash -xec 'p="/var/log/journal/$(cat /etc/machine-id)"; mountpoint "$p"; [[ "$(stat "$p" --format=%u)" == 0 ]]; touch "$p/hoge"'
+
+        [[ "$(stat "$hoge" --format=%u)" == 0 ]]
+        rm "$hoge"
+    done
+
+    rm -fr "$root"
+}
+
 run_testcases