From 0104b2cfb355025c78553ff61157223423013ec2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Tue, 21 Feb 2023 11:14:00 +0100
Subject: [PATCH] Backport patch for container compatibility ... (rhbz#2165004)
---
26478.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++++
systemd.spec | 4 ++++
2 files changed, 50 insertions(+)
create mode 100644 26478.patch
diff --git a/26478.patch b/26478.patch
new file mode 100644
index 0000000..98f980c
--- /dev/null
+++ b/26478.patch
@@ -0,0 +1,46 @@
+From e7662d18a14588740c245d10027e2c42a0a21c0e Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sun, 19 Feb 2023 02:42:52 +0900
+Subject: [PATCH] core/manager: falling back to execute generators without
+ sandboxing
+
+When running in a container, like podman, docker or so, creating new mount
+namespace may be disabled.
+
+Fixes #26474.
+Fixes RHBZ#2165004 (https://bugzilla.redhat.com/show_bug.cgi?id=2165004).
+---
+ src/core/manager.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 7b394794b0d4..380a4e30d7af 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -3829,12 +3829,25 @@ static int manager_run_generators(Manager *m) {
+ }
+ 
+ r = safe_fork("(sd-gens)",
+- FORK_RESET_SIGNALS | FORK_LOG | FORK_WAIT | FORK_NEW_MOUNTNS | FORK_MOUNTNS_SLAVE | FORK_PRIVATE_TMP,
++ FORK_RESET_SIGNALS | FORK_WAIT | FORK_NEW_MOUNTNS | FORK_MOUNTNS_SLAVE | FORK_PRIVATE_TMP,
+ NULL);
+ if (r == 0) {
+ r = manager_execute_generators(m, paths, /* remount_ro= */ true);
+ _exit(r >= 0 ? EXIT_SUCCESS : EXIT_FAILURE);
+ }
++ if (r < 0) {
++ if (!ERRNO_IS_PRIVILEGE(r)) {
++ log_error_errno(r, "Failed to fork off sandboxing environment for executing generators: %m");
++ goto finish;
++ }
++
++ /* Failed to fork with new mount namespace? Maybe, running in a container environment with
++ * seccomp or without capability. */
++ log_debug_errno(r,
++ "Failed to fork off sandboxing environment for executing generators. "
++ "Falling back to execute generators without sandboxing: %m");
++ r = manager_execute_generators(m, paths, /* remount_ro= */ false);
++ }
+ 
+ finish:
+ lookup_paths_trim_generator(&m->lookup_paths);
diff --git a/systemd.spec b/systemd.spec
index 9687ff4..16b7972 100644
--- a/systemd.spec
+++ b/systemd.spec
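Review bot: The fallback `r = manager_execute_generators(m, paths, /* remount_ro= */ false);` runs the generators as PID 1 without the new mount namespace, the private /tmp and the read-only remount, but the only record of that degradation is a `log_debug_errno`, which is not visible at the default log level; an operator cannot tell a container that legitimately forbids namespaces from a host where the sandbox setup was unexpectedly refused. I would raise it to at least notice, e.g. `log_warning_errno(r, "Failed to fork off sandboxing environment for executing generators, running them unsandboxed: %m");`, so the loss of hardening shows up in the journal. Dropping FORK_LOG also appears to remove the logging safe_fork() itself did for a child that exited abnormally, and if safe_fork() with FORK_WAIT maps a non-zero child exit to a negative return (as I believe it does), that case now takes the non-privilege branch and is reported as "Failed to fork off sandboxing environment", which misdescribes a generator failure; that return code deserves its own check or a message that does not claim the fork failed. manager_run_generators() begins before this hunk and the code after `finish:` continues past it.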
@@ -94,6 +94,10 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # https://bugzilla.redhat.com/show_bug.cgi?id=2164404 Patch0001: https://patch-diff.githubusercontent.com/raw/systemd/systemd/pull/26494.patch +# https://github.com/systemd/systemd/issues/26474 +# https://bugzilla.redhat.com/show_bug.cgi?id=2165004 +Patch0002: https://patch-diff.githubusercontent.com/raw/systemd/systemd/pull/26478.patch + # Those are downstream-only patches, but we don't want them in packit builds: # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 Patch0490: use-bfq-scheduler.patch
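Review bot: `Patch0002: https://patch-diff.githubusercontent.com/raw/systemd/systemd/pull/26478.patch` is a pull-request URL, which yields whatever the PR contains at fetch time rather than a fixed revision, so the committed 26478.patch (upstream commit e7662d18a14588740c245d10027e2c42a0a21c0e per its header) is the only thing pinning what is actually applied. I would note that in the comment block above the line, e.g. `# upstream commit e7662d18a14588740c245d10027e2c42a0a21c0e`, so a later re-download from the URL can be checked against the intended change. The existing Patch0001 line has the same shape but is outside this change.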