From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Mon, 17 Mar 2025 15:17:25 +0000 (+0100)
Subject: core: Also check if we can mount /proc if pid namespace is delegated
X-Git-Tag: v258-rc1~1041^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=918a188fdab1278fbbe2c960e1da7c655f644340;p=thirdparty%2Fsystemd.git

core: Also check if we can mount /proc if pid namespace is delegated

If the pid namespace is delegated, it doesn't matter if we have CAP_SYS_ADMIN,
we'll still fail to mount /proc if part of it is masked on the host so also
check if we can mount /proc if the pid namespace is delegated.
---

diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 9b21e385a89..e69c65feca5 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -4391,7 +4391,7 @@ static int setup_delegated_namespaces(
                  * We need to check prior to entering the user namespace because if we're running unprivileged or in a
                  * system without CAP_SYS_ADMIN, then we can have CAP_SYS_ADMIN in the current user namespace but not
                  * once we unshare a mount namespace. */
-                if (!have_cap_sys_admin) {
+                if (!have_cap_sys_admin || delegate) {
                         r = can_mount_proc(context, params);
                         if (r < 0) {
                                 *reterr_exit_status = EXIT_NAMESPACE;