From c225bc59b8907de11f389bd8efb82155ccde75a7 Mon Sep 17 00:00:00 2001
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Date: Tue, 16 Feb 2021 12:17:36 +0000
Subject: [PATCH] proc: dont trigger mount error with invalid options on old
 kernels

As of commit 4e39995371738b04d98d27b0d34ea8fe09ec9fab ("core: introduce
ProtectProc= and ProcSubset= to expose hidepid= and subset= procfs
mount options") kernels older than v5.8 generate multple warnings at
boot, as seen in this Yocto build from today:

     qemux86-64 login: root
     [   65.829009] proc: Bad value for 'hidepid'
     root@qemux86-64:~# dmesg|grep proc:
     [   16.990706] proc: Bad value for 'hidepid'
     [   28.060178] proc: Bad value for 'hidepid'
     [   28.874229] proc: Bad value for 'hidepid'
     [   32.685107] proc: Bad value for 'hidepid'
     [   65.829009] proc: Bad value for 'hidepid'
     root@qemux86-64:~#

We see reports of the issue as in general its hard to someone to tell
the difference between an error in dmesg which they should worry about and
one that is harmless. This adds support burden to developers so Yocto
Project has added this patch.

The commit that triggers this is systemd v247-rc1~378^2~3 -- so any
systemd 247 and above plus kernel v5.7 or older will need this.

As noted in https://github.com/systemd/systemd/issues/16896
it is possible changes could be backported to different kernel versions
so the test isn't 100% foolproof but does give better results than a
continual stream of bug reports.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 src/core/namespace.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/core/namespace.c b/src/core/namespace.c
index 4ed0991b56d1..3fa2d4e9d640 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -4,7 +4,9 @@
 #include <linux/loop.h>
 #include <sched.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <sys/mount.h>
+#include <sys/utsname.h>
 #include <unistd.h>
 #include <linux/fs.h>
 
@@ -881,12 +883,28 @@ static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) {
         _cleanup_free_ char *opts = NULL;
         const char *entry_path;
         int r, n;
+        struct utsname uts;
+        bool old = false;
 
         assert(m);
         assert(ns_info);
 
-        if (ns_info->protect_proc != PROTECT_PROC_DEFAULT ||
-            ns_info->proc_subset != PROC_SUBSET_ALL) {
+        /* If uname says that the system is older than v5.8, then the textual hidepid= stuff is not
+         * supported by the kernel, and thus the per-instance hidepid= neither, which means we
+         * really don't want to use it, since it would affect our host's /proc * mount. Hence let's
+         * gracefully fallback to a classic, unrestricted version. */
+
+        r = uname(&uts);
+        if (r < 0)
+               return -errno;
+
+        if (strverscmp(uts.release, "5.8") < 0) {
+                log_debug("Pre v5.8 kernel detected [v%s] - skipping hidepid=", uts.release);
+                old = true;
+        }
+
+        if (!old && (ns_info->protect_proc != PROTECT_PROC_DEFAULT ||
+            ns_info->proc_subset != PROC_SUBSET_ALL)) {
 
                 /* Starting with kernel 5.8 procfs' hidepid= logic is truly per-instance (previously it
                  * pretended to be per-instance but actually was per-namespace), hence let's make use of it