From 482fb9ae4015fa898564476a20a8422f750e308b Mon Sep 17 00:00:00 2001
From: Mike Yuan
Date: Sat, 13 Dec 2025 17:37:26 +0100
Subject: [PATCH] core/exec-credential: stop removing empty credentials dir
Starting from cfbf7538d87023840c5574fa5b0452e5b0f42149 we'd always install the credentials dir regardless of whether it's empty, with the correct permissions. Hence the problem stated in the comment should no longer be a concern. Moreover, this ensures later in setup_namespace() the mountpoint would be in-place. This is important for credential reloading as it saves the trouble of remounting the upper tmpfs as rw again and create the mountpoint.
---
src/core/exec-credential.c | 7 ++-----
src/core/namespace.c | 1 -
2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/src/core/exec-credential.c b/src/core/exec-credential.c
index 79ec0da49d7..531845623f6 100644
--- a/src/core/exec-credential.c
+++ b/src/core/exec-credential.c
@@ -1145,11 +1145,8 @@ int exec_setup_credentials(
 return r;
 r = setup_credentials_internal(context, cgroup_context, params, unit, p, uid, gid);
+ if (r < 0)
+ (void) rmdir(p);
- /* If the credentials dir is empty and not a mount point, then there's no point in having it. Let's
- * try to remove it. This matters in particular if we created the dir as mount point but then didn't
- * actually end up mounting anything on it. In that case we'd rather have ENOENT than EACCESS being
- * seen by users when trying access this inode. */
- (void) rmdir(p);
 return r;
 }
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 6e9c6a09f87..0ed686f9ece 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -2845,7 +2845,6 @@ int setup_namespace(const NamespaceParameters *p, char **reterr_path) {
 .mode = MOUNT_BIND,
 .read_only = true,
 .source_const = p->creds_path,
- .ignore = true,
 };
 }
--
2.47.3
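Review bot: The new `if (r < 0) (void) rmdir(p);` removes the only comment that explained the lifecycle of the credentials directory, and the reason it is now kept on success — setup_namespace() bind mounts p->creds_path and, with `.ignore = true` dropped in the second hunk, no longer tolerates the directory being absent — is a cross-file invariant that currently lives only in the commit message. A comment above the check along the lines of `/* Keep the directory around even if it is empty: setup_namespace() bind mounts it into /run/credentials and now requires it to exist. Only clean up if we failed. */` would preserve that for the next reader. Separately, if setup_credentials_internal() can fail after it has already mounted something on p, rmdir() will return EBUSY and a partially populated mount is left behind; that function is not visible here, so either confirm it unwinds its own mounts on failure or state that assumption in the comment. exec_setup_credentials() begins outside this hunk.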