Fallback from pidfd_open on permission errors too

Skip using pidfds if we get a permission denied error. This can happen with an old policy and a new kernel that uses the new pidfs filesystem to back pidfds, instead of anonymous inodes, as the existing policy denies access. This is already the case for most uses of pidfd_open, like pidref, but not on these two. Fix them.
ufgkirk · Feb 24, 2024 · 857945c · 857945c
1 parent afdf63f
commit 857945c
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c
@@ -835,7 +835,7 @@ static int create_session_message(
 
         if (!avoid_pidfd) {
                 pidfd = pidfd_open(getpid_cached(), 0);
-                if (pidfd < 0 && !ERRNO_IS_NOT_SUPPORTED(errno))
+                if (pidfd < 0 && !ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno))
                         return -errno;
         }
 

diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c
@@ -2261,7 +2261,7 @@ static int get_unit_dbus_path_by_pid(
          * sends the numeric PID. */
 
         pidfd = pidfd_open(pid, 0);
-        if (pidfd < 0 && ERRNO_IS_NOT_SUPPORTED(errno))
+        if (pidfd < 0 && ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno))
                 return get_unit_dbus_path_by_pid_fallback(bus, pid, ret_path, ret_unit);
         if (pidfd < 0)
                 return log_error_errno(errno, "Failed to open PID %"PRIu32": %m", pid);