authorLennart Poettering <lennart@poettering.net>2021-11-12 11:11:27 +0100
committerLennart Poettering <lennart@poettering.net>2021-11-12 16:02:17 +0100
commitcdf42f9bd40ff21a67d58b948efea055d56ad398 (patch)
tree8f4507a6ef9b8f71d5e8ae40acfc48793dd624d3
parentd73020f2420aa3f220481016829aaa2602abf081 (diff)
downloadsystemd-cdf42f9bd40ff21a67d58b948efea055d56ad398.tar.gz
namespace: make whole namespace_setup() work regardless of configured umask
Let's reset the umask during the whole namespace_setup() logic, so that all our mkdir() + mknod() are not subjected to whatever umask might currently be set. This mostly moves the umask save/restore logic out of mount_private_dev() and into the stack frame of namespace_setup() that is further out. Fixes #19899
-rw-r--r--src/core/namespace.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 5d18b26a74..2239bbfb8a 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -852,13 +852,10 @@ static int mount_private_dev(MountEntry *m) {
char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL;
bool can_mknod = true;
- _unused_ _cleanup_umask_ mode_t u;
int r;
assert(m);
- u = umask(0000);
-
if (!mkdtemp(temporary_mount))
return log_debug_errno(errno, "Failed to create temporary directory '%s': %m", temporary_mount);
@@ -1898,6 +1895,10 @@ int setup_namespace(
assert(ns_info);
+ /* Make sure that all mknod(), mkdir() calls we do are unaffected by the umask, and the access modes
+ * we configure take effect */
+ BLOCK_WITH_UMASK(0000);
+
if (!isempty(propagate_dir) && !isempty(incoming_dir))
setup_propagate = true;
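Review bot: With `BLOCK_WITH_UMASK(0000)` in force from this point in setup_namespace(), every mode passed to mkdir(), mknod() or a creating open() in this function and its callees is applied verbatim, so any call that passes a wide mode and used to rely on the inherited umask to narrow it now creates a more permissive node. The new comment should state that contract, for example by appending `Every creation call below must therefore pass its exact, final access mode.`, and the callees reached from here are worth auditing for modes such as 0777 or 0666. The first hunk also leaves mount_private_dev() without its own umask reset, so its mkdtemp() and later node creation now depend on the caller; a one-line comment there such as `/* Caller must have reset the umask, see setup_namespace() */` would keep a future second caller from silently getting umask-dependent modes. The macro presumably restores the previous umask at scope exit like the removed `_cleanup_umask_` variable did, but its definition is not visible here, and setup_namespace()'s body continues outside the hunk.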