core/namespace: remove availability checks for procfs hidepid=/subset= opts
authorMike Yuan <me@yhndnzj.com>
Sun, 18 Jan 2026 21:54:17 +0000 (22:54 +0100)
committerMike Yuan <me@yhndnzj.com>
Mon, 19 Jan 2026 12:33:27 +0000 (13:33 +0100)
README
src/core/namespace.c

diff --git a/README b/README
index 2410174138e9cffd8b825540d1a72543b6571a54..3f4bce5c92478da0f303d53f51537a6bc3f21964 100644 (file)
--- a/README
+++ b/README
@@ -50,7 +50,8 @@ REQUIREMENTS:
                      ≥ 5.6 for getrandom() GRND_INSECURE
                      ≥ 5.7 for CLONE_INTO_CGROUP, cgroup2fs memory_recursiveprot option,
                                BPF links and the BPF LSM hook
-                     ≥ 5.8 for LOOP_CONFIGURE and STATX_ATTR_MOUNT_ROOT
+                     ≥ 5.8 for LOOP_CONFIGURE, STATX_ATTR_MOUNT_ROOT, and procfs
+                               per-instance hidepid=/subset= options
                      ≥ 5.9 for close_range()
                      ≥ 5.10 for STATX_MNT_ID and MS_NOSYMFOLLOW mount option
 
index 87d93a4fe761b71e5e5563fff81a66e7584b66c5..065e291ccb05e0a56fe514a44edb3af008ef7344 100644 (file)
@@ -1515,6 +1515,7 @@ static int mount_private_cgroup2fs(const MountEntry *m, const NamespaceParameter
 
 static int mount_procfs(const MountEntry *m, const NamespaceParameters *p) {
         _cleanup_free_ char *opts = NULL;
+        int r;
 
         assert(m);
         assert(p);
@@ -1522,32 +1523,16 @@ static int mount_procfs(const MountEntry *m, const NamespaceParameters *p) {
         if (p->protect_proc != PROTECT_PROC_DEFAULT ||
             p->proc_subset != PROC_SUBSET_ALL) {
 
-                /* Starting with kernel 5.8 procfs' hidepid= logic is truly per-instance (previously it
-                 * pretended to be per-instance but actually was per-namespace), hence let's make use of it
-                 * if requested. To make sure this logic succeeds only on kernels where hidepid= is
-                 * per-instance, we'll exclusively use the textual value for hidepid=, since support was
-                 * added in the same commit: if it's supported it is thus also per-instance. */
-
-                const char *hpv = p->protect_proc == PROTECT_PROC_DEFAULT ?
-                                  "off" :
-                                  protect_proc_to_string(p->protect_proc);
-
-                /* hidepid= support was added in 5.8, so we can use fsconfig()/fsopen() (which were added in
-                 * 5.2) to check if hidepid= is supported. This avoids a noisy dmesg log by the kernel when
-                 * trying to use hidepid= on systems where it isn't supported. The same applies for subset=.
-                 * fsopen()/fsconfig() was also backported on some distros which allows us to detect
-                 * hidepid=/subset= support in even more scenarios. */
-
-                if (mount_option_supported("proc", "hidepid", hpv) > 0) {
-                        opts = strjoin("hidepid=", hpv);
-                        if (!opts)
-                                return -ENOMEM;
-                }
+                opts = strjoin("hidepid=",
+                               p->protect_proc == PROTECT_PROC_DEFAULT ? "off" : protect_proc_to_string(p->protect_proc));
+                if (!opts)
+                        return -ENOMEM;
 
-                if (p->proc_subset == PROC_SUBSET_PID &&
-                    mount_option_supported("proc", "subset", "pid") > 0)
-                        if (!strextend_with_separator(&opts, ",", "subset=pid"))
-                                return -ENOMEM;
+                if (p->proc_subset != PROC_SUBSET_ALL) {
+                        r = strextendf_with_separator(&opts, ",", "subset=%s", proc_subset_to_string(p->proc_subset));
+                        if (r < 0)
+                                return r;
+                }
         }
 
         /* Mount a new instance, so that we get the one that matches our user namespace, if we are running in
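Review bot: The options string built at lines 58-61 now passes the textual `hidepid=` value unconditionally, but with the two old comments deleted nothing in the function records why the textual form is used (instead of a numeric level) or that correctness now rests on the kernel ≥ 5.8 baseline the README hunk adds. A short comment above the `strjoin()` would preserve that rationale, e.g. `/* hidepid=/subset= have been truly per-instance (and hidepid= has accepted textual values) since kernel 5.8, which is our baseline, hence no runtime probing via fsopen()/fsconfig() anymore. */`. It is also worth stating there that the failure mode changes: previously an unsupported option was silently dropped and /proc was mounted without the requested `p->protect_proc`/`p->proc_subset` restrictions, whereas now the mount presumably fails on a kernel below the baseline, which is the safer (fail-closed) outcome. The mount call itself lies after this hunk, so the enclosing function continues past line 74.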