executor: check for all permission related errnos when setting up IPC namespace

bluca · bluca · commit 82cd0d75b323 · 2024-05-28T11:31:24.000+01:00
Denials from AppArmor are raised as EACCES, so EPERM is not enough. Do the same check as PrivateNetwork above. Fixes systemd/systemd#31037 Related to 06384eb (cherry picked from commit cafe40e) (cherry picked from commit e481710) (cherry picked from commit da9a6a5) (cherry picked from commit 524610a)
diff --git a/src/core/execute.c b/src/core/execute.c
@@ -4710,12 +4710,14 @@ static int exec_child(
 
                 if (ns_type_supported(NAMESPACE_NET)) {
                         r = setup_shareable_ns(runtime->netns_storage_socket, CLONE_NEWNET);
-                        if (r == -EPERM)
-                                log_unit_warning_errno(unit, r,
-                                                       "PrivateNetwork=yes is configured, but network namespace setup failed, ignoring: %m");
-                        else if (r < 0) {
-                                *exit_status = EXIT_NETWORK;
-                                return log_unit_error_errno(unit, r, "Failed to set up network namespacing: %m");
+                        if (r < 0) {
+                                if (ERRNO_IS_PRIVILEGE(r))
+                                        log_unit_warning_errno(unit, r,
+                                                               "PrivateNetwork=yes is configured, but network namespace setup failed, ignoring: %m");
+                                else {
+                                        *exit_status = EXIT_NETWORK;
+                                        return log_unit_error_errno(unit, r, "Failed to set up network namespacing: %m");
+                                }
                         }
                 } else if (context->network_namespace_path) {
                         *exit_status = EXIT_NETWORK;
@@ -4729,12 +4731,14 @@ static int exec_child(
 
                 if (ns_type_supported(NAMESPACE_IPC)) {
                         r = setup_shareable_ns(runtime->ipcns_storage_socket, CLONE_NEWIPC);
-                        if (r == -EPERM)
-                                log_unit_warning_errno(unit, r,
-                                                       "PrivateIPC=yes is configured, but IPC namespace setup failed, ignoring: %m");
-                        else if (r < 0) {
-                                *exit_status = EXIT_NAMESPACE;
-                                return log_unit_error_errno(unit, r, "Failed to set up IPC namespacing: %m");
+                        if (r < 0) {
+                                if (ERRNO_IS_PRIVILEGE(r))
+                                        log_unit_warning_errno(unit, r,
+                                                               "PrivateIPC=yes is configured, but IPC namespace setup failed, ignoring: %m");
+                                else {
+                                        *exit_status = EXIT_NAMESPACE;
+                                        return log_unit_error_errno(unit, r, "Failed to set up IPC namespacing: %m");
+                                }
                         }
                 } else if (context->ipc_namespace_path) {
                         *exit_status = EXIT_NAMESPACE;
