core/exec-credential: Remove empty credential mounts

In many cases, units declare ImportCredential with a glob that rarely ever matches any credentials. Still, the presence of ImportCredential causes a credential filesystem to be mounted. This often ends up being empty, but it also enters the initial mount namespace via propagation. We may simply skip these mounts in the common case.
2025-03-21 02:50:18 +03:00 · 2024-09-26 12:00:48 +02:00 · 2024-09-26 12:00:48 +02:00 · 31cb323b50
commit 31cb323b50
parent 5acca1b885
1 changed files with 9 additions and 0 deletions
--- a/src/core/exec-credential.c
+++ b/src/core/exec-credential.c
@ -989,6 +989,15 @@ static int setup_credentials_internal(
                return r;
        }

+        if (workspace_mounted && !final_mounted && dir_is_empty(where, /* ignore_hidden_or_backup = */ false) > 0) {
+                /* We actually did not produce any credentials in a new mount. Thus, we fall back
+                 * to the plain (empty) directory rather than leaving an empty mount behind. */
+                r = umount_verbose(LOG_DEBUG, workspace, MNT_DETACH|UMOUNT_NOFOLLOW);
+                if (r < 0)
+                        return r;
+                workspace_mounted = false;
+        }
+
        if (workspace_mounted) {
                if (!final_mounted) {
                        /* Make workspace read-only now, so that any bind mount we make from it defaults to