Starting from
cfbf7538d87023840c5574fa5b0452e5b0f42149 we'd always
install the credentials dir regardless of whether it's empty,
with the correct permissions. Hence the problem stated in the comment
should no longer be a concern. Moreover, this ensures later in
setup_namespace() the mountpoint would be in-place. This is important
for credential reloading as it saves the trouble of remounting
the upper tmpfs as rw again and creating the mountpoint.
return r;
r = setup_credentials_internal(context, cgroup_context, params, unit, p, uid, gid);
+ if (r < 0)
+ (void) rmdir(p);
- /* If the credentials dir is empty and not a mount point, then there's no point in having it. Let's
- * try to remove it. This matters in particular if we created the dir as mount point but then didn't
- * actually end up mounting anything on it. In that case we'd rather have ENOENT than EACCESS being
- * seen by users when trying access this inode. */
- (void) rmdir(p);
return r;
}
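Review bot: The new `if (r < 0)` branch calls `(void) rmdir(p);` with no comment, while the block it replaces documented why the directory was being removed. A short comment here would keep the reasoning in the code rather than only in the commit message. It should say that the removal on failure is best-effort, since rmdir() only succeeds on an empty directory that is not a mount point, and that on success the directory is deliberately kept even when empty so that setup_namespace() finds the mountpoint.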
.mode = MOUNT_BIND,
.read_only = true,
.source_const = p->creds_path,
- .ignore = true,
};
}
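Review bot: Dropping `.ignore = true` from the read-only bind mount of `p->creds_path` means the source directory is no longer optional, so this entry now depends on the directory always existing. The other hunk still removes the directory with `rmdir(p)` when `r < 0`. Please confirm that every caller stops on that error before this mount entry is built, and consider a one-line comment next to `.source_const` stating that the credentials directory is always installed, so the invariant is visible where it is relied on.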