From 6577cf1ba96027053cedce97ebb22d4ea96887bd Mon Sep 17 00:00:00 2001
From: davjav
Date: Mon, 7 Oct 2024 19:35:22 -0700
Subject: [PATCH 1/2] Add credential support for mount units

Add EXEC_SETUP_CREDENTIALS flag to allow using credentials with mount units.

Fixes: https://github.com/systemd/systemd/issues/23535
---
 src/core/mount.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/core/mount.c b/src/core/mount.c
index 689ef5672db..c3a2f7ab7e6 100644
--- a/src/core/mount.c
+++ b/src/core/mount.c
@@ -854,9 +854,19 @@ static void mount_dump(Unit *u, FILE *f, const char *prefix) {
 }
 }
 
-static int mount_spawn(Mount *m, ExecCommand *c, PidRef *ret_pid) {
- _cleanup_(exec_params_shallow_clear) ExecParameters exec_params = EXEC_PARAMETERS_INIT(
- EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN);
+static ExecFlags mount_exec_flags(MountState state) {
+ ExecFlags flags = EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN;
+
+ assert(IN_SET(state, MOUNT_MOUNTING, MOUNT_REMOUNTING, MOUNT_UNMOUNTING));
+
+ if (IN_SET(state, MOUNT_MOUNTING, MOUNT_REMOUNTING))
+ flags |= EXEC_SETUP_CREDENTIALS;
+
+ return flags;
+}
+
+static int mount_spawn(Mount *m, ExecCommand *c, ExecFlags flags, PidRef *ret_pid) {
+ _cleanup_(exec_params_shallow_clear) ExecParameters exec_params = EXEC_PARAMETERS_INIT(flags);
 _cleanup_(pidref_done) PidRef pidref = PIDREF_NULL;
 int r;
 
@@ -1047,7 +1057,7 @@ static void mount_enter_unmounting(Mount *m) {
 
 mount_unwatch_control_pid(m);
 
- r = mount_spawn(m, m->control_command, &m->control_pid);
+ r = mount_spawn(m, m->control_command, mount_exec_flags(MOUNT_UNMOUNTING), &m->control_pid);
 if (r < 0) {
 log_unit_warning_errno(UNIT(m), r, "Failed to spawn 'umount' task: %m");
 goto fail;
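Review bot: mount_exec_flags gives no reason why MOUNT_UNMOUNTING is the one asserted state that does not receive EXEC_SETUP_CREDENTIALS, so a later reader cannot tell a deliberate asymmetry from an omission. A comment above the `if` would settle it, e.g. `/* Credentials are only set up for mount/remount; umount deliberately runs without them so that a credential source that is gone by then cannot block unmounting. */` — the second half is my reading of the intent and should be confirmed by the author before it is written down. The three call sites in the later hunks (MOUNT_UNMOUNTING, MOUNT_MOUNTING, MOUNT_REMOUNTING) all depend on this distinction, so the helper is the right place to document it. The body of mount_spawn continues past the end of this hunk.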
@@ -1192,7 +1202,7 @@ static void mount_enter_mounting(Mount *m) {
 
 mount_unwatch_control_pid(m);
 
- r = mount_spawn(m, m->control_command, &m->control_pid);
+ r = mount_spawn(m, m->control_command, mount_exec_flags(MOUNT_MOUNTING), &m->control_pid);
 if (r < 0) {
 log_unit_warning_errno(UNIT(m), r, "Failed to spawn 'mount' task: %m");
 goto fail;
@@ -1257,7 +1267,7 @@ static void mount_enter_remounting(Mount *m) {
 
 mount_unwatch_control_pid(m);
 
- r = mount_spawn(m, m->control_command, &m->control_pid);
+ r = mount_spawn(m, m->control_command, mount_exec_flags(MOUNT_REMOUNTING), &m->control_pid);
 if (r < 0) {
 log_unit_warning_errno(UNIT(m), r, "Failed to spawn 'remount' task: %m");
 goto fail;

From 5b66f3df16524508c81e8b896c75bf67b33ba9d7 Mon Sep 17 00:00:00 2001
From: davjav
Date: Sun, 27 Oct 2024 13:42:57 -0700
Subject: [PATCH 2/2] test: mount unit with credential

Verify mount unit credential file is present.
---
 test/units/TEST-54-CREDS.sh | 46 +++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/test/units/TEST-54-CREDS.sh b/test/units/TEST-54-CREDS.sh
index 3a4fa654e94..82dd37aa4d6 100755
--- a/test/units/TEST-54-CREDS.sh
+++ b/test/units/TEST-54-CREDS.sh
@@ -23,6 +23,49 @@ run_with_cred_compare() (
 diff "$log_file" <(echo -ne "$exp")
 )
 
+test_mount_with_credential() {
+ local credfile tmpdir unit
+ credfile="/tmp/mount-cred"
+ tmpdir="/tmp/test-54-mount"
+ unit=$(systemd-escape --suffix mount --path "$tmpdir")
+
+ echo foo >"$credfile"
+ mkdir -p "$tmpdir"
+
+ # Set up test mount unit
+ cat >/run/systemd/system/"$unit" </usr/sbin/mount.thisisatest <"$credfile" + (! systemctl restart "$unit")
+
+ # Stop unit and delete files
+ systemctl stop "$unit"
+ rm -f "$credfile" /run/systemd/system/"$unit" /usr/sbin/mount.thisisatest
+ rm -rf "$tmpdir"
+}
+
 # Sanity checks
 #
 # Create a dummy "full" disk (similar to /dev/full) to check out-of-space
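Review bot: test_mount_with_credential only removes `/usr/sbin/mount.thisisatest`, the unit file under /run/systemd/system and `$credfile` in its final lines, so if any earlier step of the function fails the helper script and a unit the manager has loaded stay behind for the rest of TEST-54-CREDS.sh and can influence later checks. Registering the removal in a `trap` before the files are created (or running the cleanup from the caller in a subshell) would make the test self-contained regardless of outcome. Note also that in this rendering the `cat >... <` lines appear to have lost their heredoc bodies (the unit file and the helper script contents), so what the unit loads and what the helper checks cannot be reviewed here. The function starts and ends inside the hunk.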
@@ -474,6 +517,9 @@ systemd-creds encrypt --user /tmp/usertest.data /tmp/usertest.creds --name=mytes
 systemctl start user@0.service
 XDG_RUNTIME_DIR=/run/user/0 systemd-run --pipe --user --unit=waldi.service -p LoadCredentialEncrypted=mytest:/tmp/usertest.creds cat /run/user/0/credentials/waldi.service/mytest | cmp /tmp/usertest.data
 
+# Test mount unit with credential
+test_mount_with_credential
+
 systemd-analyze log-level info
 
 touch /testok