core/manager: falling back to execute generators without sandboxing

When running in a container, like podman, docker or so, creating new mount namespace may be disabled. Fixes #26474. Fixes RHBZ#2165004 (https://bugzilla.redhat.com/show_bug.cgi?id=2165004).
2024-07-21 10:17:21 +00:00 · 2023-02-19 02:42:52 +09:00 · 2023-02-19 02:42:52 +09:00 · a2275dcb9d
parent 512f2da5c7
commit a2275dcb9d
1 changed files with 14 additions and 1 deletions
--- a/src/core/manager.c
+++ b/src/core/manager.c
@ -3829,12 +3829,25 @@ static int manager_run_generators(Manager *m) {
        }

        r = safe_fork("(sd-gens)",
-                      FORK_RESET_SIGNALS | FORK_LOG | FORK_WAIT | FORK_NEW_MOUNTNS | FORK_MOUNTNS_SLAVE | FORK_PRIVATE_TMP,
+                      FORK_RESET_SIGNALS | FORK_WAIT | FORK_NEW_MOUNTNS | FORK_MOUNTNS_SLAVE | FORK_PRIVATE_TMP,
                      NULL);
        if (r == 0) {
                r = manager_execute_generators(m, paths, /* remount_ro= */ true);
                _exit(r >= 0 ? EXIT_SUCCESS : EXIT_FAILURE);
        }
+        if (r < 0) {
+                if (!ERRNO_IS_PRIVILEGE(r)) {
+                        log_error_errno(r, "Failed to fork off sandboxing environment for executing generators: %m");
+                        goto finish;
+                }
+
+                /* Failed to fork with new mount namespace? Maybe, running in a container environment with
+                 * seccomp or without capability. */
+                log_debug_errno(r,
+                                "Failed to fork off sandboxing environment for executing generators. "
+                                "Falling back to execute generators without sandboxing: %m");
+                r = manager_execute_generators(m, paths, /* remount_ro= */ false);
+        }

 finish:
        lookup_paths_trim_generator(&m->lookup_paths);