From: Lennart Poettering
Date: Mon, 18 Aug 2025 21:18:34 +0000 (+0200)
Subject: importd: downgrade log message about bound capability set dropping + netns
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F39322%2Fhead;p=thirdparty%2Fsystemd.git

importd: downgrade log message about bound capability set dropping + netns

An unprivileged process cannot reduce its own capability bounding set, hence, while it is nice to reduce the set, let's not log about it loudly, in case we are invoked unpriv (which we explicitly support these days after all). An unpriv process also cannot detach from its netns, hence also downgrade the warning to a debug message.
---
diff --git a/src/import/import-common.c b/src/import/import-common.c index d8fd6e39825..f3d70c6f0fe 100644 --- a/src/import/import-common.c +++ b/src/import/import-common.c @@ -72,11 +72,11 @@ int import_fork_tar_x(int tree_fd, int userns_fd, PidRef *ret_pid) { } if (unshare(CLONE_NEWNET) < 0) - log_warning_errno(errno, "Failed to lock tar into network namespace, ignoring: %m"); + log_debug_errno(errno, "Failed to lock tar into network namespace, ignoring: %m"); r = capability_bounding_set_drop(retain, true); if (r < 0) - log_warning_errno(r, "Failed to drop capabilities, ignoring: %m"); + log_debug_errno(r, "Failed to drop capabilities, ignoring: %m"); if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) log_warning_errno(errno, "Failed to enable PR_SET_NO_NEW_PRIVS, ignoring: %m");
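Review bot: The downgrade to log_debug_errno() on both the unshare(CLONE_NEWNET) and capability_bounding_set_drop() failure paths in import_fork_tar_x() is unconditional, so a privileged invocation that fails to isolate tar from the network or to shrink its bounding set now continues with no message at the default log level. The commit message justifies the change only for the unprivileged case, so consider choosing the level from the error instead: log at debug when the failure is a permission error (errno == EPERM for unshare(), r == -EPERM for the capability drop) and keep log_warning_errno() for everything else. That keeps the unprivileged path quiet while a privileged importd still reports that the tar child is running with less sandboxing than intended. Leaving the PR_SET_NO_NEW_PRIVS message at warning level looks right, since the commit message names only the other two operations as unavailable to an unprivileged process; a short comment above the two debug calls stating why they differ from that one would help the next reader.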