Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
lock-util: do not expect EACCES when it cannot happen
As per the documentation, EACCES is only returned when F_SETLK is used, and only on some platforms, which doesn't seem to include Linux: https://github.com/torvalds/linux/blob/master/fs/locks.c F_OFD_SETLK is documented to only return EAGAIN, and F_SETLKW/F_OFD_SETLKW are blocking operations so this logic doesn't apply to them in the first place. Hence, only automatically convert EACCES into EAGAIN for F_SETLK operations, and propagate the original error in the other cases. This is important because in some cases we catch permission errors and gracefully fallback, which is not possible if the original error is lost. This is an issue in practice because, due to a kernel bug present before v6.2, AppArmor denies locking on file descriptors to LXC containers. We support all currently maintained LTS kernels, including v6.1, where despite a lot of effort and attempts over almost a year, the bugfix still hasn't been backported, as it is complex and requires large changes to AppArmor. On affected kernels, all services running with PrivateNetwork=yes fail and do not recover, instead of the normal behaviour of gracefully downgrading to PrivateNetwork=no. The integration tests in the Debian CI fail due to this issue: https://ci.debian.net/packages/s/systemd/testing/arm64/46828037/
- Loading branch information