executor: check for all permission related errnos when setting up IPC…

… namespace Denials from AppArmor are raised as EACCES, so EPERM is not enough. Do the same check as PrivateNetwork above. Fixes systemd/systemd#31037 Related to 06384eb (cherry picked from commit cafe40e) (cherry picked from commit e481710)
systemd · May 27, 2024 · da9a6a5 · da9a6a5
1 parent 10e36db
commit da9a6a5
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/src/core/execute.c b/src/core/execute.c
@@ -5520,12 +5520,14 @@ static int exec_child(
 
                 if (ns_type_supported(NAMESPACE_IPC)) {
                         r = setup_shareable_ns(runtime->shared->ipcns_storage_socket, CLONE_NEWIPC);
-                        if (r == -EPERM)
-                                log_unit_warning_errno(unit, r,
-                                                       "PrivateIPC=yes is configured, but IPC namespace setup failed, ignoring: %m");
-                        else if (r < 0) {
-                                *exit_status = EXIT_NAMESPACE;
-                                return log_unit_error_errno(unit, r, "Failed to set up IPC namespacing: %m");
+                        if (r < 0) {
+                                if (ERRNO_IS_PRIVILEGE(r))
+                                        log_unit_warning_errno(unit, r,
+                                                               "PrivateIPC=yes is configured, but IPC namespace setup failed, ignoring: %m");
+                                else {
+                                        *exit_status = EXIT_NAMESPACE;
+                                        return log_unit_error_errno(unit, r, "Failed to set up IPC namespacing: %m");
+                                }
                         }
                 } else if (context->ipc_namespace_path) {
                         *exit_status = EXIT_NAMESPACE;