[systemd-devel] Escaping path in run0 option argument
Andrei Borzenkov
arvidjaar at gmail.com
Thu Mar 13 14:26:59 UTC 2025
On Thu, Mar 13, 2025 at 4:54 PM Daniel Hast <hast.daniel at protonmail.com> wrote:
>
> Hello,
>
> I'm working on a shell script that makes use of run0, and I'm having trouble figuring out how to escape a file path in the --property option. I want to use --property="ProtectSystem=strict" and --property="ReadWritePaths=[...]" to limit the transient service unit's write access to only the files it needs access to (as a sandboxing measure), but one of the paths comes from user input and could have any characters that are valid in a file path (including spaces and, in principle, any Unicode characters except NUL), so it needs to be escaped.
>
> I'm aware of systemd-escape but I'm unsure of how to use it with arguments to run0; if I simply do something like --property="ReadWritePaths=$(systemd-escape --path "$filename")", I get an error: "Failed to start transient service unit: Invalid ReadWritePaths". But if I pass in an unescaped filename with spaces, I also get this error. What's the right way to do this?
Yes, the rules are not apparently documented.
Looking in sources, the values are quoted using '...' or "...". My
understanding is that '\' can be used to escape quote character
itself.
More information about the systemd-devel
mailing list