git.ipfire.org Git - thirdparty/systemd.git/commit

author	Daan De Meyer <daan@amutable.com>
	Sun, 15 Feb 2026 13:22:44 +0000 (14:22 +0100)
committer	Daan De Meyer <daan@amutable.com>
	Mon, 16 Feb 2026 09:27:02 +0000 (10:27 +0100)
commit	211c3c9d41c18b63c9aba66d31d75ddf5448247a
tree	f51fea4afffb0d66c3a8a564fd4c4c63f31ecc12	tree
parent	e2c1f3ca2a69a033c748d62f9be0db8817826839	commit \| diff

namespace-util: Merge namespace_enter_delegated() into namespace_enter()

There's no need to pass in a boolean to decide whether we use
namespace_enter_delegated() or not. Instead, we can just check if we
have CAP_SYS_ADMIN in our own user namespace. If we don't, then we have
to insist on a child user namespace being passed in and we have to enter
it first to get CAP_SYS_ADMIN as without CAP_SYS_ADMIN we wouldn't be able
to call setns() in the first place. If we do have CAP_SYS_ADMIN, we can
always enter the other namespaces first before entering the user namespace.

Additionally, we don't fail anymore if we can't reset the UID/GID since a
root user might not always be available in every user namespace we might
enter.

src/basic/namespace-util.c		diff \| blob \| blame \| history
src/basic/namespace-util.h		diff \| blob \| blame \| history
src/basic/process-util.c		diff \| blob \| blame \| history
src/basic/process-util.h		diff \| blob \| blame \| history
src/core/exec-credential.c		diff \| blob \| blame \| history
src/test/meson.build		diff \| blob \| blame \| history
src/test/test-namespace-util.c	[new file with mode: 0644]	blob