Better logging for clone failure

diff --git a/nsjail.c b/nsjail.c
index b36c2a1ba6efb14618c08c16a7efe6319d4bc78c..b1acb177d3ef406010f4bcf6b8796355b27499d2 100644 (file)
--- a/nsjail.c
+++ b/nsjail.c
@@ -164,7 +164,7 @@ int main(int argc, char *argv[])
                exit(1);
        }
        if (nsjconf.clone_newuser == false && geteuid() != 0) {
-               LOG_E("--disable_clone_newuser requires root() privs");
+               LOG_W("--disable_clone_newuser requires root() privs");
        }
        if (nsjconf.daemonize && (daemon(0, 0) == -1)) {
                PLOG_F("daemon");

diff --git a/subproc.c b/subproc.c
index e9df4698301078600dffa6b4937e37696027a70a..ff16f962bb402831ce282b38605f57a6eaf419c2 100644 (file)
--- a/subproc.c
+++ b/subproc.c
@@ -227,7 +227,8 @@ void subprocRunChild(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_er
        if (pid == -1) {
                PLOG_E("clone(flags=%#x) failed. You probably need root privileges if your system "
                       "doesn't support CLONE_NEWUSER. Alternatively, you might want to recompile your "
-                      "kernel with support for namespaces", flags);
+                      "kernel with support for namespaces or check the setting of the "
+                      "kernel.unprivileged_userns_clone sysctl", flags);
                return;
        }