author: Luca Boccassi <bluca@debian.org> 2023-04-06 12:19:22 +0100
committer: Mike Yuan <me@yhndnzj.com> 2023-04-14 01:21:48 +0800
commit: 0607a9f9da628deed420a811852d3b506a0efc2d (patch)
tree: 04e3d4f79e6b1ac845c7d6c623f595cc4f4033ee /man
parent: fde55f3a327c4eef3bbdeb199b05e7c385d1f331 (diff)
download: systemd-0607a9f9da628deed420a811852d3b506a0efc2d.tar.gz
systemd-confext: mount confexts as noexec and nosuid
Confexts should not contain code, so mount confexts with noexec. We cannot mount individual extensions as noexec, as the overlay ignores it and bypasses it; we need to use the flag on the whole overlay for it to be effective. But given there are legacy scripts still shipped in /etc, allow overriding it with --noexec=false.
Diffstat (limited to 'man')
-rw-r--r--  man/systemd-sysext.xml | 11
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/man/systemd-sysext.xml b/man/systemd-sysext.xml
index 6e164077e2..5e8d11ef3d 100644
--- a/man/systemd-sysext.xml
+++ b/man/systemd-sysext.xml
@@ -151,7 +151,8 @@
<command>confext</command> will extend only <filename>/etc</filename>. Files and directories contained
in the confext images outside of the <filename>/etc/</filename> hierarchy are <emphasis>not</emphasis>
merged, and hence have no effect when included in the image. Formats for these images are of the
- same as sysext images.</para>
+ same as sysext images. The merged hierarchy will be mounted with <literal>nosuid</literal> and
+ (if not disabled via <option>--noexec=false</option>) <literal>noexec</literal>.</para>
<para>Confexts are looked for in the directories <filename>/run/confexts/</filename>,
<filename>/var/lib/confexts/</filename>, <filename>/usr/lib/confexts/</filename> and
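Review bot: the added sentence at the end of the confext paragraph states that the merged hierarchy is mounted nosuid and noexec, but it does not say why the flags are applied to the merged overlay rather than to each extension image, which is the key point of the commit message ("the overlay ignores it and bypasses it"). A reader checking a single image's mount options would otherwise conclude the flags are missing. Suggest extending the sentence along the lines of "The merged hierarchy as a whole (not the individual extension images) will be mounted with <literal>nosuid</literal> and ... <literal>noexec</literal>, since confexts are not expected to carry executable code." While touching this paragraph, the pre-existing context line "Formats for these images are of the same as sysext images." reads awkwardly; "Formats for these images are the same as for sysext images." would be cleaner.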
@@ -290,6 +291,14 @@
see above for details.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--noexec=</option><replaceable>BOOL</replaceable></term>
+
+ <listitem><para>When merging configuration extensions into <filename>/etc/</filename> the
+ <literal>MS_NOEXEC</literal> mount flag is used by default. This option can be used to disable
+ it.</para></listitem>
+ </varlistentry>
+
<xi:include href="standard-options.xml" xpointer="no-pager" />
<xi:include href="standard-options.xml" xpointer="no-legend" />
<xi:include href="standard-options.xml" xpointer="json" />
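Review bot: the new <option>--noexec=</option> entry does not state the security consequence of disabling the flag, nor that <literal>nosuid</literal> remains in effect regardless. The commit message gives the rationale (legacy scripts still shipped in /etc), so the man page should say that <option>--noexec=false</option> exists only to accommodate such scripts and that it re-enables execution of any file carried by a merged confext, weakening the "confexts should not contain code" guarantee. Also, the confext paragraph earlier in this file uses <literal>noexec</literal> while this entry uses <literal>MS_NOEXEC</literal>; pick one term (the mount-option name <literal>noexec</literal> matches how the page refers to <literal>nosuid</literal>) and, if the flag constant is worth mentioning, give it in parentheses once. Finally, the text should make explicit that the option is specific to the <command>confext</command> hierarchy and has no effect on sysext merges, since the same option list serves both commands.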