From 4fea4f8295b12110d1d17f4e622535aea99dc854 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Thu, 27 Feb 2025 09:24:04 +0100 Subject: [PATCH] exec-invoke: Simplify logic --- src/core/exec-invoke.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c index 47a4141b01e..f9c3355441f 100644 --- a/src/core/exec-invoke.c +++ b/src/core/exec-invoke.c @@ -5215,15 +5215,17 @@ int exec_invoke( * We need to check prior to entering the user namespace because if we're running unprivileged or in a * system without CAP_SYS_ADMIN, then we can have CAP_SYS_ADMIN in the current user namespace but not * once we unshare a mount namespace. */ - r = has_cap_sys_admin ? 1 : can_mount_proc(context, params); - if (r < 0) { - *exit_status = EXIT_NAMESPACE; - return log_exec_error_errno(context, params, r, "Failed to detect if /proc/ can be remounted: %m"); - } - if (r == 0) { - *exit_status = EXIT_NAMESPACE; - return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EPERM), - "PrivatePIDs=yes is configured, but /proc/ cannot be re-mounted due to lack of privileges, refusing."); + if (!has_cap_sys_admin) { + r = can_mount_proc(context, params); + if (r < 0) { + *exit_status = EXIT_NAMESPACE; + return log_exec_error_errno(context, params, r, "Failed to detect if /proc/ can be remounted: %m"); + } + if (r == 0) { + *exit_status = EXIT_NAMESPACE; + return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EPERM), + "PrivatePIDs=yes is configured, but /proc/ cannot be re-mounted due to lack of privileges, refusing."); + } } r = setup_private_pids(context, params); -- 2.47.3