execute: suppress credentials mount if empty

Let's avoid creating another mount in the system if it's empty anyway. This is mostl a cosmetic thing in one (pretty common) special case: if creds settings are used in a unit but no creds actually available to be passed. (While we are at it this also does one more minor optimization: it adjusts the MS_RDONLY/MS_NOSUID/… flags of the source mount we are about to MS_MOVE into the right place only if we actually really move it, and if we instead unmount it again we won't bother with the flags either)
author: Lennart Poettering <lennart@poettering.net> 2023-05-03 22:45:05 +0200
committer: Lennart Poettering <lennart@poettering.net> 2023-05-04 12:10:01 +0200
commit: 21dd1de659935c829a3776b6772f803c2eb4eae3 (patch)
tree: b15ef9ccb26b46d167544f22273db21431189287 /src/core
parent: 9107ef5637fe92d408ef231c748fe04ab04cca18 (diff)
download: systemd-21dd1de659935c829a3776b6772f803c2eb4eae3.tar.gz
1 files changed, 25 insertions, 7 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index b32e341b61..b803edb145 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3258,16 +3258,34 @@ static int setup_credentials_internal(
                 return r;
 
         if (workspace_mounted) {
-                /* Make workspace read-only now, so that any bind mount we make from it defaults to read-only too */
-                r = mount_nofollow_verbose(LOG_DEBUG, NULL, workspace, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL);
-                if (r < 0)
-                        return r;
+                bool install;
 
-                /* And mount it to the final place, read-only */
+                /* Determine if we should actually install the prepared mount in the final location by bind
+                 * mounting it there. We do so only if the mount is not established there already, and if the
+                 * mount is actually non-empty (i.e. carries at least one credential). Not that in the best
+                 * case we are doing all this in a mount namespace, thus noone else will see that we
+                 * allocated a file system we are getting rid of again here. */
                 if (final_mounted)
-                        r = umount_verbose(LOG_DEBUG, workspace, MNT_DETACH|UMOUNT_NOFOLLOW);
-                else
+                        install = false; /* already installed */
+                else {
+                        r = dir_is_empty(where, /* ignore_hidden_or_backup= */ false);
+                        if (r < 0)
+                                return r;
+
+                        install = r == 0; /* install only if non-empty */
+                }
+
+                if (install) {
+                        /* Make workspace read-only now, so that any bind mount we make from it defaults to read-only too */
+                        r = mount_nofollow_verbose(LOG_DEBUG, NULL, workspace, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL);
+                        if (r < 0)
+                                return r;
+
+                        /* And mount it to the final place, read-only */
                         r = mount_nofollow_verbose(LOG_DEBUG, workspace, final, NULL, MS_MOVE, NULL);
+                } else
+                        /* Otherwise get rid of it */
+                        r = umount_verbose(LOG_DEBUG, workspace, MNT_DETACH|UMOUNT_NOFOLLOW);
                 if (r < 0)
                         return r;
         } else {
author	Lennart Poettering <lennart@poettering.net>	2023-05-03 22:45:05 +0200
committer	Lennart Poettering <lennart@poettering.net>	2023-05-04 12:10:01 +0200
commit	21dd1de659935c829a3776b6772f803c2eb4eae3 (patch)
tree	b15ef9ccb26b46d167544f22273db21431189287 /src/core
parent	9107ef5637fe92d408ef231c748fe04ab04cca18 (diff)
download	systemd-21dd1de659935c829a3776b6772f803c2eb4eae3.tar.gz