From ac52405c34399ae5be45ab275940bcfa72de2b1d Mon Sep 17 00:00:00 2001
From: Jan Synacek
Date: Apr 07 2021 22:35:24 +0000
Subject: Avoid /tmp being mounted as tmpfs without the user's will

Ensure PrivateTmp doesn't require tmpfs through tmp.mount, but rather adds an After relationship.

rhel-only
Resolves: #1578772

patch_name: 0004-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch
present_in_specfile: true
location_in_specfile: 4
squash_commits: true
---
diff --git a/src/core/unit.c b/src/core/unit.c
index 113205b..c9f756c 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -982,13 +982,13 @@ int unit_add_exec_dependencies(Unit *u, ExecContext *c) {
                 return 0;
 
         if (c->private_tmp) {
-                const char *p;
+                r = unit_add_dependency_by_name(u, UNIT_AFTER, "tmp.mount", NULL, true, UNIT_DEPENDENCY_FILE);
+                if (r < 0)
+                        return r;
 
-                FOREACH_STRING(p, "/tmp", "/var/tmp") {
-                        r = unit_require_mounts_for(u, p, UNIT_DEPENDENCY_FILE);
-                        if (r < 0)
-                                return r;
-                }
+                r = unit_require_mounts_for(u, "/var/tmp", UNIT_DEPENDENCY_FILE);
+                if (r < 0)
+                        return r;
 
                 r = unit_add_dependency_by_name(u, UNIT_AFTER, SPECIAL_TMPFILES_SETUP_SERVICE, NULL, true, UNIT_DEPENDENCY_FILE);
                 if (r < 0)
diff --git a/units/basic.target b/units/basic.target
index 4f44292..8fc7c73 100644
--- a/units/basic.target
+++ b/units/basic.target
@@ -19,4 +19,5 @@ After=sysinit.target sockets.target paths.target slices.target tmp.mount
 # require /var and /var/tmp, but only add a Wants= type dependency on /tmp, as
 # we support that unit being masked, and this should not be considered an error.
 RequiresMountsFor=/var /var/tmp
-Wants=tmp.mount
+# RHEL-only: Disable /tmp on tmpfs.
+#Wants=tmp.mount
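Review bot: The new After=tmp.mount on the first added line silently weakens what the removed RequiresMountsFor=/tmp guaranteed: if /tmp is supposed to be a separate mount but tmp.mount fails, is masked, or is simply absent, a PrivateTmp= service now starts anyway and its private /tmp directory is created on whatever filesystem happens to be under /tmp at that moment, and nothing in the hunk records that this is the intended trade-off. The asymmetry with /var/tmp, which still goes through unit_require_mounts_for() a few lines below, is likewise unexplained in code and will look like an oversight to the next reader. A comment above the new call would make the decision explicit: `/* RHEL: only order after tmp.mount, do not pull it in. /tmp need not be a separate (tmpfs) mount and tmp.mount may be masked; a failed /tmp mount therefore no longer blocks this unit. /var/tmp below is still required. */`. unit_add_exec_dependencies() starts before this hunk and continues after it, so the surrounding error handling is not visible here.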
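Review bot: The two comment context lines at the top of this hunk are now stale: they say basic.target "only add[s] a Wants= type dependency on /tmp", but the single line that did so is commented out on the new side, so the comment contradicts the configuration it documents. Rewrite it to match, e.g. `# require /var and /var/tmp. /tmp is deliberately not pulled in here (RHEL-only): tmp.mount is ordered via After= only, so /tmp is not mounted as tmpfs unless the administrator enables it.`, and fold the new one-line RHEL-only note into it rather than keeping a second comment next to a commented-out directive. The After= line shown in the hunk header still lists tmp.mount, so an explicitly enabled tmp.mount presumably remains sequenced before basic.target; worth stating that in the comment so readers do not assume ordering was dropped too.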