From: Mike Yuan <me@yhndnzj.com>
Date: Thu, 26 Mar 2026 08:23:29 +0000 (+0100)
Subject: mount-util: restore compat for kernels without MOUNT_ATTR_NOSYMFOLLOW (< 5.14)
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=08eff23a2dfb3f487e2451bb8cfb43c8fe59a9e0;p=thirdparty%2Fsystemd.git

mount-util: restore compat for kernels without MOUNT_ATTR_NOSYMFOLLOW (< 5.14)

Follow-up for 6753bd8a2f38bd77a4c8b973174db6ec8bcaf3ab

Replaces #41341
---

diff --git a/README b/README
index 0b2d53de1c8..359db5c3f43 100644
--- a/README
+++ b/README
@@ -60,7 +60,7 @@ REQUIREMENTS:
 
         Linux kernel â¥ 5.11 for epoll_pwait2()
                      â¥ 5.12 for idmapped mount (mount_setattr())
-                     â¥ 5.14 for cgroup.kill and quotactl_fd()
+                     â¥ 5.14 for cgroup.kill, quotactl_fd(), and MOUNT_ATTR_NOSYMFOLLOW
 
         â ï¸ Kernel versions below 5.14 ("recommended baseline") have significant gaps
            in functionality and are not recommended for use with this version
@@ -77,7 +77,7 @@ REQUIREMENTS:
                      â¥ 6.10 for fcntl(F_DUPFD_QUERY), unprivileged linkat(AT_EMPTY_PATH),
                                 and block device 'partscan' sysfs attribute
                      â¥ 6.12 for AT_HANDLE_MNT_ID_UNIQUE
-                     â¥ 6.13 for PIDFD_GET_INFO and {set,remove}xattrat() and
+                     â¥ 6.13 for PIDFD_GET_INFO, {set,remove}xattrat(), and
                                 FSCONFIG_SET_FD support for overlayfs layers
                      â¥ 6.16 for coredump pattern '%F' (pidfd) specifier and SO_PASSRIGHTS
 
diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c
index 382992edf08..02f63f802a4 100644
--- a/src/shared/mount-util.c
+++ b/src/shared/mount-util.c
@@ -1988,10 +1988,19 @@ int fsmount_credentials_fs(int *ret_fsfd) {
         if (fsconfig(fs_fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0) < 0)
                 return -errno;
 
-        int mfd = fsmount(fs_fd, FSMOUNT_CLOEXEC,
-                          ms_flags_to_mount_attr(credentials_fs_mount_flags(/* ro= */ false)));
+        unsigned mount_attrs = ms_flags_to_mount_attr(credentials_fs_mount_flags(/* ro = */ false));
+
+        int mfd = RET_NERRNO(fsmount(fs_fd, FSMOUNT_CLOEXEC, mount_attrs));
+        if (mfd == -EINVAL) {
+                /* MS_NOSYMFOLLOW was added in kernel 5.10, but the new mount API counterpart was missing
+                 * until 5.14 (c.f. https://github.com/torvalds/linux/commit/dd8b477f9a3d8edb136207acb3652e1a34a661b7).
+                 *
+                 * TODO: drop this once our baseline is raised to 5.14 */
+                assert(FLAGS_SET(mount_attrs, MOUNT_ATTR_NOSYMFOLLOW));
+                mfd = RET_NERRNO(fsmount(fs_fd, FSMOUNT_CLOEXEC, mount_attrs & ~MOUNT_ATTR_NOSYMFOLLOW));
+        }
         if (mfd < 0)
-                return -errno;
+                return mfd;
 
         if (ret_fsfd)
                 *ret_fsfd = TAKE_FD(fs_fd);