From e4817103d0f32a3492608f14da6628d5c9b83197 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Mon, 27 May 2024 01:52:11 +0100
Subject: [PATCH] executor: check for all permission related errnos when setting up IPC namespace
Denials from AppArmor are raised as EACCES, so EPERM is not enough. Do the same check as PrivateNetwork above.
Fixes https://github.com/systemd/systemd/issues/31037
Related to 06384eb3c5044f632f50304a0210a402460f1189
(cherry picked from commit cafe40ec8201db31c6d3519474ef40a72541d511)
---
 src/core/exec-invoke.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index fe14ceeb31..24524fa0f1 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -4639,7 +4639,7 @@ int exec_invoke(
 if (ns_type_supported(NAMESPACE_IPC)) {
 r = setup_shareable_ns(runtime->shared->ipcns_storage_socket, CLONE_NEWIPC);
- if (r == -EPERM)
+ if (ERRNO_IS_NEG_PRIVILEGE(r))
 log_exec_warning_errno(context, params, r, "PrivateIPC=yes is configured, but IPC namespace setup failed, ignoring: %m");
 else if (r < 0) {
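Review bot: The branch guarded by the new `if (ERRNO_IS_NEG_PRIVILEGE(r))` line fails open, and nothing in the code says that this is deliberate: a unit with PrivateIPC=yes now also starts without IPC namespace isolation when `setup_shareable_ns()` is denied with EACCES (the AppArmor case named in the commit message), not only with EPERM. I would add a comment above the check, for example `/* Best-effort sandboxing: on a privilege error (EPERM, or EACCES from an LSM) continue without a private IPC namespace */`, so the next reader does not mistake the ignored error for an oversight. The warning emitted by `log_exec_warning_errno()` is then the only signal that the requested hardening was not applied, so it is worth confirming that it reaches whatever monitoring the deployment relies on. The body of exec_invoke() and the `else if (r < 0)` branch continue outside the hunk, so the hard-failure path for other errors is not visible here.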