systemd-confext: mount confexts as noexec and nosuid

Confexts should not contain code, so mount confexts with noexec.
We cannot mount invidial extensions as noexec, as the overlay ignores
it and bypasses it, we need to use the flag on the whole overlay for
it to be effective.
But given there are legacy scripts still shipped in /etc, allow to
override it with --noexec=false.

1 files changed, 6 insertions, 0 deletions

diff --git a/test/units/testsuite-50.sh b/test/units/testsuite-50.sh
index 52634c64b2..f6b2467a98 100755
--- a/test/units/testsuite-50.sh
+++ b/test/units/testsuite-50.sh
@@ -515,8 +515,14 @@ mkdir -p /run/confexts/test/etc/extension-release.d
 echo "ID=_any" >/run/confexts/test/etc/extension-release.d/extension-release.test
 echo "ARCHITECTURE=_any" >>/run/confexts/test/etc/extension-release.d/extension-release.test
 echo "MARKER_CONFEXT_123" >/run/confexts/test/etc/testfile
+cat <<EOF>/run/confexts/test/etc/testscript
+#!/bin/bash
+echo "This should not happen"
+EOF
+chmod +x /run/confexts/test/etc/testscript
 systemd-confext merge
 grep -q -F "MARKER_CONFEXT_123" /etc/testfile
+/etc/testscript && { echo 'unexpected success'; exit 1; }
 systemd-confext status
 systemd-confext unmerge
 rm -rf /run/confexts/