morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-15 00:47:10 +09:00
Code Issues Packages Projects Releases Wiki Activity

core: delegate mountns implicitly when any of pidns/cgns/netns is in use

Browse Source
This commit is contained in:
Mike Yuan
2025-03-29 21:02:04 +01:00
parent 2b4cfbf91f
commit 32b69b190b
3 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
man/systemd.exec.xml
View File

@@ -2411,6 +2411,11 @@ RestrictNamespaces=~cgroup net</programlisting>
done with the namespace specific unit setting such as <varname>PrivateNetwork=</varname> or
<varname>PrivateMounts=</varname>.</para>
<para>Note that some namespace sandboxing options might entail mount namespace for private API VFS instances,
such as <varname>PrivatePIDs=</varname>, <varname>ProtectControlGroups=private/strict</varname>, or
<varname>PrivateNetwork=</varname>. If any of the mentioned options are enabled, mount namespace
is implicitly delegated.</para>
<xi:include href="version-info.xml" xpointer="v258"/></listitem>
</varlistentry>

12
src/core/exec-invoke.c
View File

@@ -4275,7 +4275,17 @@ static bool exec_namespace_is_delegated(
if (context->delegate_namespaces == NAMESPACE_FLAGS_INITIAL)
return params->runtime_scope == RUNTIME_SCOPE_USER;
return FLAGS_SET(context->delegate_namespaces, namespace);
if (FLAGS_SET(context->delegate_namespaces, namespace))
return true;
/* Various namespaces imply mountns for private procfs/sysfs/cgroupfs instances, which means when
* those are delegated mountns must be deferred too.
*
* The list should stay in sync with exec_needs_mount_namespace(). */
if (namespace == CLONE_NEWNS)
return context->delegate_namespaces & (CLONE_NEWPID|CLONE_NEWCGROUP|CLONE_NEWNET);
return false;
}
static int setup_delegated_namespaces(

2
test/units/TEST-07-PID1.delegate-namespaces.sh
View File

@@ -40,7 +40,7 @@ testcase_pid() {
# so we can't write to it when running in a container.
if ! systemd-detect-virt --container; then
(! systemd-run -p PrivateUsersEx=self -p PrivatePIDs=yes -p MountAPIVFS=yes --wait --pipe -- sh -c 'echo 5 >/proc/sys/kernel/ns_last_pid')
systemd-run -p PrivateUsersEx=self -p PrivatePIDs=yes -p MountAPIVFS=yes -p DelegateNamespaces="mnt pid" --wait --pipe -- sh -c 'echo 5 >/proc/sys/kernel/ns_last_pid'
systemd-run -p PrivateUsersEx=self -p PrivatePIDs=yes -p MountAPIVFS=yes -p DelegateNamespaces=pid --wait --pipe -- sh -c 'echo 5 >/proc/sys/kernel/ns_last_pid'
fi
}