From 0ab316ff14df521efcd2282de7860239032c9357 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 6 Nov 2025 09:31:58 +0100
Subject: [PATCH 1/2] chase: fix typo in log message

(While we are at it, add quotes around user provided strings)
---
 src/basic/chase.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/basic/chase.c b/src/basic/chase.c
index ef3d24ecbe..a547043c16 100644
--- a/src/basic/chase.c
+++ b/src/basic/chase.c
@@ -68,7 +68,7 @@ static int log_autofs_mount_point(int fd, const char *path, ChaseFlags flags) {
         (void) fd_get_path(fd, &n1);
 
         return log_warning_errno(SYNTHETIC_ERRNO(EREMOTE),
-                                 "Detected autofs mount point %s during canonicalization of %s.",
+                                 "Detected autofs mount point '%s' during canonicalization of '%s'.",
                                  strna(n1), path);
 }
 
@@ -83,7 +83,7 @@ static int log_prohibited_symlink(int fd, ChaseFlags flags) {
         (void) fd_get_path(fd, &n1);
 
         return log_warning_errno(SYNTHETIC_ERRNO(EREMCHG),
-                                 "Detected symlink where not symlink is allowed at %s, refusing.",
+                                 "Detected symlink where no symlink is allowed at '%s', refusing.",
                                  strna(n1));
 }
 

From 36e10dc5a5fd2bf982bde22219372194cdffbc83 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 6 Nov 2025 10:47:26 +0100
Subject: [PATCH 2/2] tar-util: make sure we can unpack hardlinked symlinks

This is something ostree does. Yuck. But let's make t work.
---
 src/shared/tar-util.c               |  4 ++--
 test/units/TEST-13-NSPAWN.unpriv.sh | 12 +++++++++++-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/shared/tar-util.c b/src/shared/tar-util.c
index 05dd4cd9fc..d66bba1d60 100644
--- a/src/shared/tar-util.c
+++ b/src/shared/tar-util.c
@@ -827,7 +827,7 @@ int tar_x(int input_fd, int tree_fd, TarFlags flags) {
                                                                 "Invalid hardlink path name '%s' in entry, refusing.", target);
 
                                         _cleanup_close_ int target_fd = -EBADF;
-                                        r = chaseat(tree_fd, target, CHASE_PROHIBIT_SYMLINKS|CHASE_AT_RESOLVE_IN_ROOT, /* ret_path= */ NULL, &target_fd);
+                                        r = chaseat(tree_fd, target, CHASE_PROHIBIT_SYMLINKS|CHASE_AT_RESOLVE_IN_ROOT|CHASE_NOFOLLOW, /* ret_path= */ NULL, &target_fd);
                                         if (r < 0)
                                                 return log_error_errno(
                                                                 r,
@@ -856,7 +856,7 @@ int tar_x(int input_fd, int tree_fd, TarFlags flags) {
 
                                                 _cleanup_close_ int target_parent_fd = -EBADF;
                                                 _cleanup_free_ char *target_filename = NULL;
-                                                r = chaseat(tree_fd, target, CHASE_PROHIBIT_SYMLINKS|CHASE_AT_RESOLVE_IN_ROOT|CHASE_PARENT|CHASE_EXTRACT_FILENAME, &target_filename, &target_parent_fd);
+                                                r = chaseat(tree_fd, target, CHASE_PROHIBIT_SYMLINKS|CHASE_AT_RESOLVE_IN_ROOT|CHASE_PARENT|CHASE_EXTRACT_FILENAME|CHASE_NOFOLLOW, &target_filename, &target_parent_fd);
                                                 if (r < 0)
                                                         return log_error_errno(
                                                                         r,
diff --git a/test/units/TEST-13-NSPAWN.unpriv.sh b/test/units/TEST-13-NSPAWN.unpriv.sh
index 02faeb1796..7ae2c74efa 100755
--- a/test/units/TEST-13-NSPAWN.unpriv.sh
+++ b/test/units/TEST-13-NSPAWN.unpriv.sh
@@ -175,9 +175,15 @@ chattr +A /home/testuser/.local/state/machines/inodetest/testfile
 chown foreign-0:foreign-0 /home/testuser/.local/state/machines/inodetest/testfile.hard /home/testuser/.local/state/machines/inodetest
 ls -al /home/testuser/.local/state/machines/inodetest
 
+# Verify UID squashing
 echo gaga > /home/testuser/.local/state/machines/inodetest/squashtest
 chown 1000:1000 /home/testuser/.local/state/machines/inodetest/squashtest
 
+# Ensure hardlinked symlinks work
+ln -s sometarget /home/testuser/.local/state/machines/inodetest/testfile.sym
+ln /home/testuser/.local/state/machines/inodetest/testfile.sym /home/testuser/.local/state/machines/inodetest/testfile.symhard
+chown -h foreign-0:foreign-0 /home/testuser/.local/state/machines/inodetest/testfile.symhard
+
 run0 --pipe -u testuser importctl -m --user export-tar inodetest |
     run0 --pipe -u testuser importctl -m --user import-tar - inodetest2
 
@@ -199,7 +205,11 @@ cmp <(lsattr /home/testuser/.local/state/machines/inodetest/testfile | cut -d "
 # verify that squashing outside of 64K works
 test "$(stat -c'%U:%G' /home/testuser/.local/state/machines/inodetest2/squashtest)" = "foreign-65534:foreign-65534"
 
-# chown to foreing UID range, so that removal works
+# Verify that the hardlinked symlink is restored as such
+cmp <(stat -c"%i" /home/testuser/.local/state/machines/inodetest2/testfile.sym) <(stat -c"%i" /home/testuser/.local/state/machines/inodetest2/testfile.symhard)
+test "$(readlink /home/testuser/.local/state/machines/inodetest2/testfile.symhard)" = "sometarget"
+
+# chown to foreign UID range, so that removal works
 chown foreign-4711:foreign-4711 /home/testuser/.local/state/machines/inodetest/squashtest
 
 run0 -u testuser machinectl --user remove inodetest