core/manager: falling back to execute generators without sandboxing

When running in a container, like podman, docker or so, creating new mount
namespace may be disabled.

Fixes #26474.
Fixes RHBZ#2165004 (https://bugzilla.redhat.com/show_bug.cgi?id=2165004).

diff --git a/src/core/manager.c b/src/core/manager.c
index 7b394794b0d4d5efdff42c10629aec1f043f42f9..380a4e30d7afbcdc3298f4f55d03c4c4dece83e5 100644 (file)
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -3829,12 +3829,25 @@ static int manager_run_generators(Manager *m) {
         }
 
         r = safe_fork("(sd-gens)",
-                      FORK_RESET_SIGNALS | FORK_LOG | FORK_WAIT | FORK_NEW_MOUNTNS | FORK_MOUNTNS_SLAVE | FORK_PRIVATE_TMP,
+                      FORK_RESET_SIGNALS | FORK_WAIT | FORK_NEW_MOUNTNS | FORK_MOUNTNS_SLAVE | FORK_PRIVATE_TMP,
                       NULL);
         if (r == 0) {
                 r = manager_execute_generators(m, paths, /* remount_ro= */ true);
                 _exit(r >= 0 ? EXIT_SUCCESS : EXIT_FAILURE);
         }
+        if (r < 0) {
+                if (!ERRNO_IS_PRIVILEGE(r)) {
+                        log_error_errno(r, "Failed to fork off sandboxing environment for executing generators: %m");
+                        goto finish;
+                }
+
+                /* Failed to fork with new mount namespace? Maybe, running in a container environment with
+                 * seccomp or without capability. */
+                log_debug_errno(r,
+                                "Failed to fork off sandboxing environment for executing generators. "
+                                "Falling back to execute generators without sandboxing: %m");
+                r = manager_execute_generators(m, paths, /* remount_ro= */ false);
+        }
 
 finish:
         lookup_paths_trim_generator(&m->lookup_paths);