From: Yu Watanabe
Date: Thu, 17 Jul 2025 19:34:22 +0000 (+0900)
Subject: core/namespace: gracefully handle errors in mounting new bpffs instance
X-Git-Tag: v258-rc1~30^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0e8e655c52e3b38479532db74485f8540ee80233;p=thirdparty%2Fsystemd.git

core/namespace: gracefully handle errors in mounting new bpffs instance

Then, fallback to remount /sys/fs/bpf read-only when ProtectKernelTunables=yes.
---

diff --git a/src/core/namespace.c b/src/core/namespace.c
index 4391c127554..644614a1845 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -957,6 +957,7 @@ static int append_private_bpf(
         *me = (MountEntry) {
                 .path_const = "/sys/fs/bpf",
                 .mode = MOUNT_BPFFS,
+                .ignore = !protect_kernel_tunables, /* indicate whether we should fall back to MOUNT_READ_ONLY on failure. */
         };
         return 0;
 }
@@ -1832,6 +1833,23 @@ static int apply_one_mount(
         log_debug("Applying namespace mount on %s", mount_entry_path(m));
 
+        if (m->mode == MOUNT_BPFFS) {
+                r = mount_bpffs(m, p->bpffs_pidref, p->bpffs_socket_fd, p->bpffs_errno_pipe);
+                if (r >= 0 ||
+                    (!ERRNO_IS_NEG_NOT_SUPPORTED(r) && /* old kernel? */
+                     !ERRNO_IS_NEG_PRIVILEGE(r))) /* ubuntu kernel bug? See issue #38225 */
+                        return r;
+
+                if (m->ignore) {
+                        log_debug_errno(r, "Failed to mount new bpffs instance, ignoring: %m");
+                        return 0;
+                }
+
+                log_debug_errno(r, "Failed to mount new bpffs instance, fallback to making %s read-only, ignoring: %m", mount_entry_path(m));
+                m->mode = MOUNT_READ_ONLY;
+                m->ignore = true;
+        }
+
         switch (m->mode) {
 
         case MOUNT_INACCESSIBLE: {
@@ -2034,9 +2052,6 @@ static int apply_one_mount(
         case MOUNT_OVERLAY:
                 return mount_overlay(m);
 
-        case MOUNT_BPFFS:
-                return mount_bpffs(m, p->bpffs_pidref, p->bpffs_socket_fd, p->bpffs_errno_pipe);
-
         default:
                 assert_not_reached();
         }
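Review bot: In the new MOUNT_BPFFS branch of apply_one_mount (second hunk), `if (m->ignore)` relies on `.ignore` carrying a second meaning for bpffs entries — "ProtectKernelTunables= is off, so no read-only fallback is wanted" — that is only explained by the trailing comment in append_private_bpf in the first hunk, and a reader of this function cannot see it. A comment on the branch such as `/* For MOUNT_BPFFS entries .ignore means ProtectKernelTunables= is off: skip the read-only fallback (see append_private_bpf()). */` would keep that apart from the usual "tolerate a missing path" meaning. Next to `m->mode = MOUNT_READ_ONLY;` it is also worth stating that the fallback rewrites the entry in place, so the unit ends up with a read-only view of the host's shared bpffs instead of a private instance, and that a later pass over the same entry (if apply_one_mount is ever re-invoked for it, which the hunk does not show) will no longer retry mount_bpffs. Since that fallback weakens the isolation the unit asked for, logging it only via log_debug_errno means an operator will not notice the downgrade without debug logging enabled; whether a higher level is appropriate is a policy call the commit message does not address. apply_one_mount continues outside the hunk on both sides.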