From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 20 Nov 2019 11:27:28 +0000 (+0100)
Subject: core: don't insist on ProtectHostname= if unshare() is blocked
X-Git-Tag: v244-rc1~11^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F14090%2Fhead;p=thirdparty%2Fsystemd.git

core: don't insist on ProtectHostname= if unshare() is blocked

Previously we'd only skip ProtectHostname= if kernel support for
namespaces was lacking. With this change we also accept if unshare()
fails because it is blocked.
---

diff --git a/src/core/execute.c b/src/core/execute.c
index def73977fc1..abc164ff5be 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3448,8 +3448,12 @@ static int exec_child(
         if (context->protect_hostname) {
                 if (ns_type_supported(NAMESPACE_UTS)) {
                         if (unshare(CLONE_NEWUTS) < 0) {
-                                *exit_status = EXIT_NAMESPACE;
-                                return log_unit_error_errno(unit, errno, "Failed to set up UTS namespacing: %m");
+                                if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) {
+                                        *exit_status = EXIT_NAMESPACE;
+                                        return log_unit_error_errno(unit, errno, "Failed to set up UTS namespacing: %m");
+                                }
+
+                                log_unit_warning(unit, "ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.");
                         }
                 } else
                         log_unit_warning(unit, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.");