From 4c16d378fd237a7fa32a3a8b10c7b97d2adaaee7 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Wed, 11 Mar 2026 12:15:26 +0000
Subject: [PATCH] [PATCH] nspawn: apply BindUser/Ephemeral from settings file
 only if trusted

Originally reported on yeswehack.com as:
YWH-PGM9780-116

Follow-up for 2f8930449079403b26c9164b8eeac78d5af2c8df
Follow-up for a2f577fca0be79b23f61f033229b64884e7d840a

(cherry picked from commit 61bceb1bff4b1f9c126b18dc971ca3e6d8c71c40)
(cherry picked from commit 718711ed876c870a72149eea279b819cdab14e91)
(cherry picked from commit e4db9c12957d315c0ed22c6ca87a816d0927d6dc)

Origin: backport, https://github.com/systemd/systemd/commit/773fd3b6e72e6c83cbb1cfc1cb20f3793db8649a

Gbp-Pq: Name CVE-2026-40226-1.patch
---
 src/nspawn/nspawn.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 7515380f..16a39f8e 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -4028,7 +4028,12 @@ static int merge_settings(Settings *settings, const char *path) {
         }
 
         if ((arg_settings_mask & SETTING_EPHEMERAL) == 0)
-                arg_ephemeral = settings->ephemeral;
+        {
+                if (!arg_settings_trusted)
+                        log_warning("Ignoring ephemeral setting, file %s is not trusted.", path);
+                else
+                        arg_ephemeral = settings->ephemeral;
+        }
 
         if ((arg_settings_mask & SETTING_DIRECTORY) == 0 &&
             settings->root) {
-- 
2.30.2