From: Yu Watanabe
Date: Sat, 18 Feb 2023 17:42:52 +0000 (+0900)
Subject: core/manager: falling back to execute generators without sandboxing
X-Git-Tag: v254-rc1~1221
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a2275dcb9d48925f8192f44ec371710ce812bfce;p=thirdparty%2Fsystemd.git
core/manager: falling back to execute generators without sandboxing When running in a container, like podman, docker or so, creating new mount namespace may be disabled. Fixes #26474. Fixes RHBZ#2165004 (https://bugzilla.redhat.com/show_bug.cgi?id=2165004).
---
diff --git a/src/core/manager.c b/src/core/manager.c
index 7b394794b0d..380a4e30d7a 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -3829,12 +3829,25 @@ static int manager_run_generators(Manager *m) {
 }
 r = safe_fork("(sd-gens)",
- FORK_RESET_SIGNALS | FORK_LOG | FORK_WAIT | FORK_NEW_MOUNTNS | FORK_MOUNTNS_SLAVE | FORK_PRIVATE_TMP,
+ FORK_RESET_SIGNALS | FORK_WAIT | FORK_NEW_MOUNTNS | FORK_MOUNTNS_SLAVE | FORK_PRIVATE_TMP,
 NULL);
 if (r == 0) {
 r = manager_execute_generators(m, paths, /* remount_ro= */ true);
 _exit(r >= 0 ? EXIT_SUCCESS : EXIT_FAILURE);
 }
+ if (r < 0) {
+ if (!ERRNO_IS_PRIVILEGE(r)) {
+ log_error_errno(r, "Failed to fork off sandboxing environment for executing generators: %m");
+ goto finish;
+ }
+ /* Failed to fork with new mount namespace? Maybe, running in a container environment with
+ * seccomp or without capability. */
+ log_debug_errno(r,
+ "Failed to fork off sandboxing environment for executing generators. "
+ "Falling back to execute generators without sandboxing: %m");
+ r = manager_execute_generators(m, paths, /* remount_ro= */ false);
+ }
 finish:
 lookup_paths_trim_generator(&m->lookup_paths);
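Review bot: The fallback branch drops every isolation measure the sandboxed path provides — the private mount namespace, the private /tmp and the remount_ro=true pass — yet records that only at debug level, so on an affected container host the fact that generators ran against the live mount tree is invisible by default; raising it to `log_notice_errno(r, ...)` (or at least `log_info_errno`) would keep it visible to an admin or audit pipeline, and the comment should state plainly that generators then run with no mount sandboxing at all rather than only speculating about the cause. The fallback is also gated solely on `ERRNO_IS_PRIVILEGE(r)`; the comment cites seccomp as a cause, but a seccomp filter can fail the namespace-creating call with an errno other than EPERM/EACCES, in which case the hard-error branch above is taken instead of the fallback — worth either widening the condition deliberately or narrowing the comment. Whether r actually carries the namespace-creation errno depends on safe_fork() surfacing it from the clone/child path, which is outside this hunk and should be confirmed. manager_run_generators starts before the hunk and its finish: cleanup continues after it.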