context->protect_home,
context->protect_system,
context->mount_flags);
- if (err < 0) {
+
+ if (err == -EPERM)
+ log_warning_unit(params->unit_id, "Failed to set up file system namespace due to lack of privileges. Execution sandbox will not be in effect: %s", strerror(-err));
+ else if (err < 0) {
*error = EXIT_NAMESPACE;
return err;
}
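Review bot: The new `err == -EPERM` branch fails open: when setup_namespace() is refused, the unit is still executed without the `protect_home`/`protect_system`/`mount_flags` restrictions it asked for, and a warning line is the only trace. EPERM is not necessarily limited to an unprivileged manager (a restrictive seccomp or LSM policy around a privileged one could presumably return it as well), so a unit that relies on these settings for isolation would silently lose them. I would keep `*error = EXIT_NAMESPACE; return err;` as the default and tolerate EPERM only where the manager is known to be unprivileged or the unit has opted in; failing that, at least put a comment on the branch, e.g. `/* EPERM: continue unsandboxed on purpose; see warning below */`, and brace the `if` arm to match the `else if`. The setup_namespace() call and the enclosing function start outside the visible lines.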
#endif
#ifdef HAVE_SELINUX
- if (use_selinux()) {
+ if (mac_selinux_use()) {
if (context->selinux_context) {
err = setexeccon(context->selinux_context);
if (err < 0 && !context->selinux_context_ignore) {
if (params->selinux_context_net && socket_fd >= 0) {
_cleanup_free_ char *label = NULL;
- err = label_get_child_mls_label(socket_fd, command->path, &label);
+ err = mac_selinux_get_child_mls_label(socket_fd, command->path, &label);
if (err < 0) {
*error = EXIT_SELINUX_CONTEXT;
return err;
#endif
#ifdef HAVE_APPARMOR
- if (context->apparmor_profile && use_apparmor()) {
+ if (context->apparmor_profile && mac_apparmor_use()) {
err = aa_change_onexec(context->apparmor_profile);
if (err < 0 && !context->apparmor_profile_ignore) {
*error = EXIT_APPARMOR_PROFILE;
n_fds = params->n_fds;
}
- err = exec_context_load_environment(context, &files_env);
+ err = exec_context_load_environment(context, params->unit_id, &files_env);
if (err < 0) {
log_struct_unit(LOG_ERR,
params->unit_id,
}
}
-int exec_context_load_environment(const ExecContext *c, char ***l) {
+int exec_context_load_environment(const ExecContext *c, const char *unit_id, char ***l) {
char **i, **r = NULL;
assert(c);
}
/* Log invalid environment variables with filename */
if (p)
- p = strv_env_clean_log(p, pglob.gl_pathv[n]);
+ p = strv_env_clean_log(p, unit_id, pglob.gl_pathv[n]);
if (r == NULL)
r = p;