From dfb4b39d4d764a6242554d7b4d7f54f0197eca76 Mon Sep 17 00:00:00 2001
From: Mike Yuan
Date: Tue, 4 Nov 2025 11:04:50 +0100
Subject: [PATCH 1/3] core/socket: fix alignment, extract common conditions
---
 src/core/socket.c | 42 +++++++++++++++++++-----------------------
 1 file changed, 19 insertions(+), 23 deletions(-)
diff --git a/src/core/socket.c b/src/core/socket.c
index cc339d631d..c53f84906f 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1580,31 +1580,27 @@ static int socket_address_listen_in_cgroup(
 if (r < 0)
 return log_unit_error_errno(UNIT(s), r, "Failed to acquire runtime: %m");
- if (s->exec_context.user_namespace_path &&
- s->exec_runtime &&
- s->exec_runtime->shared &&
- s->exec_runtime->shared->userns_storage_socket[0] >= 0) {
- r = open_shareable_ns_path(s->exec_runtime->shared->userns_storage_socket, s->exec_context.user_namespace_path, CLONE_NEWUSER);
- if (r < 0)
- return log_unit_error_errno(UNIT(s), r, "Failed to open user namespace path %s: %m", s->exec_context.user_namespace_path);
- }
+ if (s->exec_runtime && s->exec_runtime->shared) {
+ if (s->exec_context.user_namespace_path &&
+ s->exec_runtime->shared->userns_storage_socket[0] >= 0) {
+ r = open_shareable_ns_path(s->exec_runtime->shared->userns_storage_socket, s->exec_context.user_namespace_path, CLONE_NEWUSER);
+ if (r < 0)
+ return log_unit_error_errno(UNIT(s), r, "Failed to open user namespace path %s: %m", s->exec_context.user_namespace_path);
+ }
- if (s->exec_context.network_namespace_path &&
- s->exec_runtime &&
- s->exec_runtime->shared &&
- s->exec_runtime->shared->netns_storage_socket[0] >= 0) {
- r = open_shareable_ns_path(s->exec_runtime->shared->netns_storage_socket, s->exec_context.network_namespace_path, CLONE_NEWNET);
- if (r < 0)
- return log_unit_error_errno(UNIT(s), r, "Failed to open network namespace path %s: %m", s->exec_context.network_namespace_path);
- }
+ if (s->exec_context.network_namespace_path &&
+ s->exec_runtime->shared->netns_storage_socket[0] >= 0) {
+ r = open_shareable_ns_path(s->exec_runtime->shared->netns_storage_socket, s->exec_context.network_namespace_path, CLONE_NEWNET);
+ if (r < 0)
+ return log_unit_error_errno(UNIT(s), r, "Failed to open network namespace path %s: %m", s->exec_context.network_namespace_path);
+ }
- if (s->exec_context.ipc_namespace_path &&
- s->exec_runtime &&
- s->exec_runtime->shared &&
- s->exec_runtime->shared->ipcns_storage_socket[0] >= 0) {
- r = open_shareable_ns_path(s->exec_runtime->shared->ipcns_storage_socket, s->exec_context.ipc_namespace_path, CLONE_NEWIPC);
- if (r < 0)
- return log_unit_error_errno(UNIT(s), r, "Failed to open IPC namespace path %s: %m", s->exec_context.ipc_namespace_path);
+ if (s->exec_context.ipc_namespace_path &&
+ s->exec_runtime->shared->ipcns_storage_socket[0] >= 0) {
+ r = open_shareable_ns_path(s->exec_runtime->shared->ipcns_storage_socket, s->exec_context.ipc_namespace_path, CLONE_NEWIPC);
+ if (r < 0)
+ return log_unit_error_errno(UNIT(s), r, "Failed to open IPC namespace path %s: %m", s->exec_context.ipc_namespace_path);
+ }
 }
 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
From 675a4841cc9a6d6ebed7e616647566fae4b41a54 Mon Sep 17 00:00:00 2001
From: Mike Yuan
Date: Wed, 5 Nov 2025 17:27:56 +0100
Subject: [PATCH 2/3] core/service: do not pass $MANAGERPID and friends if pidns is employed
---
 src/core/service.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/core/service.c b/src/core/service.c
index 5c1e6189f5..7b44635194 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1810,7 +1810,9 @@ static int service_spawn_internal(
 return -ENOMEM;
 }
- if (MANAGER_IS_USER(UNIT(s)->manager)) {
+ if (MANAGER_IS_USER(UNIT(s)->manager) &&
+ !exec_needs_pid_namespace(&s->exec_context, /* params = */ NULL)) {
+
 if (asprintf(our_env + n_env++, "MANAGERPID="PID_FMT, getpid_cached()) < 0)
 return -ENOMEM;
From 96d4750e7e435a68104c6575a78774f17370afc1 Mon Sep 17 00:00:00 2001
From: Mike Yuan
Date: Wed, 5 Nov 2025 17:42:28 +0100
Subject: [PATCH 3/3] core/exec-invoke: pass the correct pid (1) to processes in pidns
---
 src/core/exec-invoke.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index d9b976b432..592b593e99 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
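Review bot: The outer guard `if (s->exec_runtime && s->exec_runtime->shared)` in the socket.c hunk carries no comment on what happens when a namespace path is configured but there is no shared runtime, or the relevant `*_storage_socket[0]` is negative: all three opens are then skipped without any log line and the function continues to `socketpair()`. That behaviour is unchanged from the old code, but with the condition now in one place this is the natural spot to document it, for example `/* Without a shared runtime there are no namespace storage sockets to fill, so the namespace paths are not opened here. */`. Whether the listening socket can then end up bound outside the configured namespace depends on code outside this hunk and is worth confirming. The body of socket_address_listen_in_cgroup() starts and ends outside the hunk.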
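Review bot: The new condition in service_spawn_internal() tests `exec_needs_pid_namespace(&s->exec_context, /* params = */ NULL)` alone, while the matching change to build_environment() in patch 3/3 uses `needs_sandboxing && exec_needs_pid_namespace(c, p)`. If a command of this unit can be run without sandboxing it would stay in the manager's PID namespace, where `$MANAGERPID` is still valid, yet lose the variable here; whether that case exists for user managers is not visible in the hunk. The block also lacks a comment giving the reason, e.g. `/* The manager's PID cannot be resolved from inside a private PID namespace; exporting it would point consumers at an unrelated process. */`. The rest of the block (the "and friends" of the subject line) lies outside the hunk.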
@@ -2009,6 +2009,7 @@ static int build_environment(
 _cleanup_strv_free_ char **e = NULL;
 size_t n = 0;
+ pid_t exec_pid;
 int r;
 assert(c);
@@ -2016,10 +2017,12 @@ static int build_environment(
 assert(cgroup_context);
 assert(ret);
+ exec_pid = needs_sandboxing && exec_needs_pid_namespace(c, p) ? 1 : getpid_cached();
+
 if (p->n_socket_fds + p->n_stashed_fds > 0) {
 _cleanup_free_ char *joined = NULL;
- r = strv_extendf_with_size(&e, &n, "LISTEN_PID="PID_FMT, getpid_cached());
+ r = strv_extendf_with_size(&e, &n, "LISTEN_PID="PID_FMT, exec_pid);
 if (r < 0)
 return r;
@@ -2044,7 +2047,7 @@ static int build_environment(
 }
 if ((p->flags & EXEC_SET_WATCHDOG) && p->watchdog_usec > 0) {
- r = strv_extendf_with_size(&e, &n, "WATCHDOG_PID="PID_FMT, getpid_cached());
+ r = strv_extendf_with_size(&e, &n, "WATCHDOG_PID="PID_FMT, exec_pid);
 if (r < 0)
 return r;
@@ -2174,7 +2177,7 @@ static int build_environment(
 return r;
 }
- r = strv_extendf_with_size(&e, &n, "SYSTEMD_EXEC_PID=" PID_FMT, getpid_cached());
+ r = strv_extendf_with_size(&e, &n, "SYSTEMD_EXEC_PID=" PID_FMT, exec_pid);
 if (r < 0)
 return r;
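Review bot: In the second hunk, `exec_pid = needs_sandboxing && exec_needs_pid_namespace(c, p) ? 1 : getpid_cached();` hard-codes `1` without a comment stating the invariant it relies on, namely that the process which finally executes the payload is the init process of the new PID namespace. `LISTEN_PID=` and `WATCHDOG_PID=` are compared by the receiving process with its own PID, so a value that does not match makes socket activation or watchdog setup be ignored without an error; the same variable now also feeds `SYSTEMD_EXEC_PID=` in the fourth hunk. A comment above the assignment such as `/* In a PID namespace the payload runs as the namespace's init, i.e. PID 1 as seen by itself. */` would record this, and parenthesising the condition, `(needs_sandboxing && exec_needs_pid_namespace(c, p)) ? 1 : getpid_cached()`, would make the precedence obvious. The namespace setup is outside these hunks, so the invariant could not be checked from here.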