From afb368951cbe40214e56d3e546b22b1c9d3c1948 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 2 Dec 2024 11:23:24 +0100 Subject: [PATCH] pid1: assume user namespaces are unavailable if we get -EINVAL from clone() As reported in https://github.com/systemd/systemd/issues/35400, on riscv64, with Linux version 6.6.51-linux4microchip+fpga-2024.09, we get: [ 10.063727] systemd[1]: systemd-modules-load.service: About to execute: /usr/lib/systemd/systemd-modules-load [ 10.071148] (journald)[104]: Failed to fork process (sd-mkuserns): Invalid argument Fixes https://github.com/systemd/systemd/issues/35400. 'r' is used to make the repeated checks shorter. Without that, the long variable name is distracting.
---
 src/basic/namespace-util.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/src/basic/namespace-util.c b/src/basic/namespace-util.c
index 5d02ac60254..5bc7ff6ab5f 100644
--- a/src/basic/namespace-util.c
+++ b/src/basic/namespace-util.c
@@ -551,27 +551,27 @@ int is_idmapping_supported(const char *path) {
 if (r < 0)
 return r;
- userns_fd = userns_acquire(uid_map, gid_map);
- if (ERRNO_IS_NEG_NOT_SUPPORTED(userns_fd) || ERRNO_IS_NEG_PRIVILEGE(userns_fd))
+ userns_fd = r = userns_acquire(uid_map, gid_map);
+ if (ERRNO_IS_NEG_NOT_SUPPORTED(r) || ERRNO_IS_NEG_PRIVILEGE(r) || r == -EINVAL)
 return false;
- if (userns_fd == -ENOSPC) {
- log_debug_errno(userns_fd, "Failed to acquire new user namespace, user.max_user_namespaces seems to be exhausted or maybe even zero, assuming ID-mapping is not supported: %m");
+ if (r == -ENOSPC) {
+ log_debug_errno(r, "Failed to acquire new user namespace, user.max_user_namespaces seems to be exhausted or maybe even zero, assuming ID-mapping is not supported: %m");
 return false;
 }
- if (userns_fd < 0)
- return log_debug_errno(userns_fd, "Failed to acquire new user namespace for checking if '%s' supports ID-mapping: %m", path);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to acquire new user namespace for checking if '%s' supports ID-mapping: %m", path);
- dir_fd = RET_NERRNO(open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
- if (ERRNO_IS_NEG_NOT_SUPPORTED(dir_fd))
+ dir_fd = r = RET_NERRNO(open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
+ if (ERRNO_IS_NEG_NOT_SUPPORTED(r))
 return false;
- if (dir_fd < 0)
- return log_debug_errno(dir_fd, "Failed to open '%s', cannot determine if ID-mapping is supported: %m", path);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to open '%s', cannot determine if ID-mapping is supported: %m", path);
- mount_fd = RET_NERRNO(open_tree(dir_fd, "", AT_EMPTY_PATH | OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC));
- if (ERRNO_IS_NEG_NOT_SUPPORTED(mount_fd) || ERRNO_IS_NEG_PRIVILEGE(mount_fd) || mount_fd == -EINVAL)
+ mount_fd = r = RET_NERRNO(open_tree(dir_fd, "", AT_EMPTY_PATH | OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC));
+ if (ERRNO_IS_NEG_NOT_SUPPORTED(r) || ERRNO_IS_NEG_PRIVILEGE(r) || r == -EINVAL)
 return false;
- if (mount_fd < 0)
- return log_debug_errno(mount_fd, "Failed to open mount tree '%s', cannot determine if ID-mapping is supported: %m", path);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to open mount tree '%s', cannot determine if ID-mapping is supported: %m", path);
 r = RET_NERRNO(mount_setattr(mount_fd, "", AT_EMPTY_PATH, &(struct mount_attr) {
-- 2.47.3
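Review bot: The new `r == -EINVAL` case on the `userns_acquire()` check returns `false` with no log line, whereas the `-ENOSPC` branch directly below it logs why ID-mapping is assumed unsupported. Because `-EINVAL` is a generic error, it could presumably also come from a malformed `uid_map`/`gid_map` (built above the hunk, not visible here), and a silent `false` makes that indistinguishable from a kernel without user namespaces when a caller falls back from ID-mapped mounts. I would give the case its own branch that mirrors the `-ENOSPC` one, `if (r == -EINVAL) { log_debug_errno(r, "Failed to acquire new user namespace, got EINVAL from clone(), assuming user namespaces are unavailable: %m"); return false; }`, with a short comment pointing to the issue named in the commit message. The `-EINVAL` test on the `open_tree()` result returns equally silently, though that behaviour predates this commit. `is_idmapping_supported()` starts and ends outside the hunk.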