From 2641ff693f715dd5094c56c59e0e660b9b35c9e2 Mon Sep 17 00:00:00 2001
From: Ryan Wilson
Date: Thu, 5 Dec 2024 08:31:42 -0800
Subject: [PATCH] Temporary workaround: PrivateUsers=full implies DelegateNamespaces=yes
---
 src/core/exec-invoke.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 8305bb2bcf..8c2a689d6e 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -4061,6 +4061,9 @@ static bool exec_context_need_unprivileged_private_users(
 assert(context);
 assert(params);
+ if (context->private_users == PRIVATE_USERS_FULL)
+ return true;
+
 /* These options require PrivateUsers= when used in user units, as we need to be in a user namespace
 * to have permission to enable them when not running as root. If we have effective CAP_SYS_ADMIN
 * (system manager) then we have privileges and don't need this. */
@@ -5015,7 +5018,7 @@ int exec_invoke(
 /* The kernel requires /proc/pid/setgroups be set to "deny" prior to writing /proc/pid/gid_map in
 * unprivileged user namespaces. */
- r = setup_private_users(pu, saved_uid, saved_gid, uid, gid, /* allow_setgroups= */ false);
+ r = setup_private_users(pu, saved_uid, saved_gid, uid, gid, /* allow_setgroups= */ params->runtime_scope != RUNTIME_SCOPE_USER);
 /* If it was requested explicitly and we can't set it up, fail early. Otherwise, continue and let
 * the actual requested operations fail (or silently continue). */
 if (r < 0 && context->private_users != PRIVATE_USERS_NO) {
--
2.43.5
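Review bot: The early return added at the top of exec_context_need_unprivileged_private_users() carries no comment and sits above the existing comment, which still says a manager with effective CAP_SYS_ADMIN does not need this path; with the new check the function returns true for `PRIVATE_USERS_FULL` before anything below it is evaluated. The commit subject calls this a temporary workaround, and that should be visible in the code, e.g. `/* Temporary workaround: PrivateUsers=full implies DelegateNamespaces=yes. */` directly above the `if`. Presumably the other namespaces are then set up after the user namespace and are owned by it, so units that combine PrivateUsers=full with other sandboxing settings change behaviour on upgrade; that deserves a line in the unit documentation. The rest of the function body lies outside the hunk, so the interaction with the later checks is inferred.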
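Review bot: The comment directly above the setup_private_users() call still says /proc/pid/setgroups must be "deny", but the new argument passes `allow_setgroups` as true whenever the runtime scope is not `RUNTIME_SCOPE_USER`, so comment and code now disagree. The condition uses runtime scope as a stand-in for privilege and is not tied to `pu`; if only the PrivateUsers=full case is meant, `/* allow_setgroups= */ pu == PRIVATE_USERS_FULL && params->runtime_scope != RUNTIME_SCOPE_USER` would keep the other modes on the previous behaviour. Leaving setgroups enabled lets processes in the namespace drop supplementary groups, which matters wherever group membership is used to deny access, so the comment should state why that is acceptable here. exec_invoke() starts and ends outside the hunk, so which modes reach this call in system scope is inferred.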