core: Fix time namespace in RestrictNamespaces=

RestrictNamespaces= would accept "time" but would not actually apply
seccomp filters e.g. systemd-run -p RestrictNamespaces=time unshare -T true
should fail but it succeeded.

This commit actually enables time namespace seccomp filtering.

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 14075cb4e7d5ceec0f878fbb0fafe1a86d6b7ecc..82dfa45664edaabaa243ad8c66f484fb6ec458c2 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -2322,15 +2322,15 @@ RestrictFileSystems=ext4</programlisting>
         restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is
         prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of
         any combination of: <constant>cgroup</constant>, <constant>ipc</constant>, <constant>net</constant>,
-        <constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant> and <constant>uts</constant>. Any
-        namespace type listed is made accessible to the unit's processes, access to namespace types not listed is
-        prohibited (allow-listing). By prepending the list with a single tilde character (<literal>~</literal>) the
-        effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
-        permitted (deny-listing). If the empty string is assigned, the default namespace restrictions are applied,
-        which is equivalent to false. This option may appear more than once, in which case the namespace types are
-        merged by <constant>OR</constant>, or by <constant>AND</constant> if the lines are prefixed with
-        <literal>~</literal> (see examples below). Internally, this setting limits access to the
-        <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
+        <constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant>, <constant>uts</constant>, and
+        <constant>time</constant>. Any namespace type listed is made accessible to the unit's processes, access to
+        namespace types not listed is prohibited (allow-listing). By prepending the list with a single tilde
+        character (<literal>~</literal>) the effect may be inverted: only the listed namespace types will be made
+        inaccessible, all unlisted ones are permitted (deny-listing). If the empty string is assigned, the default
+        namespace restrictions are applied, which is equivalent to false. This option may appear more than once, in
+        which case the namespace types are merged by <constant>OR</constant>, or by <constant>AND</constant> if the
+        lines are prefixed with <literal>~</literal> (see examples below). Internally, this setting limits access to
+        the <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
         <citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
         <citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking
         the specified flags parameters into account. Note that — if this option is used — in addition to restricting

diff --git a/src/shared/nsflags.h b/src/shared/nsflags.h
index c4ff82df6ce866e41ab21f9dabba328755ac1385..7c6214a3bb4b75b594409ff2ab097d717e3ff8e7 100644 (file)
--- a/src/shared/nsflags.h
+++ b/src/shared/nsflags.h
@@ -14,7 +14,8 @@
                           CLONE_NEWNS|                                  \
                           CLONE_NEWPID|                                 \
                           CLONE_NEWUSER|                                \
-                          CLONE_NEWUTS))
+                          CLONE_NEWUTS|                                 \
+                          CLONE_NEWTIME))
 
 #define NAMESPACE_FLAGS_INITIAL  ULONG_MAX
 

diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index 459708ee00c281198a7a8b745b1a391e1c27125a..b4009089783cd6357b9714baec3878729f0ec963 100644 (file)
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -295,7 +295,7 @@ TEST(restrict_namespace) {
         s = mfree(s);
 
         assert_se(namespace_flags_to_string(NAMESPACE_FLAGS_ALL, &s) == 0);
-        ASSERT_STREQ(s, "cgroup ipc net mnt pid user uts");
+        ASSERT_STREQ(s, "cgroup ipc net mnt pid user uts time");
         assert_se(namespace_flags_from_string(s, &ul) == 0 && ul == NAMESPACE_FLAGS_ALL);
         s = mfree(s);
 

diff --git a/test/units/TEST-07-PID1.exec-context.sh b/test/units/TEST-07-PID1.exec-context.sh
index 402a3b3498ff24f82163063c3a85626e5cc62674..1e253b390d53a26573ec484aaa3490fd3fcffa48 100755 (executable)
--- a/test/units/TEST-07-PID1.exec-context.sh
+++ b/test/units/TEST-07-PID1.exec-context.sh
@@ -415,3 +415,7 @@ fi
 (! systemd-run --wait --pipe -p RootDirectory=/tmp/root this-shouldnt-exist)
 (! systemd-run --wait --pipe -p RootDirectory=/tmp/root /foo)
 (! systemd-run --wait --pipe --service-type=oneshot -p ExecStartPre=-/foo/bar/baz -p ExecStart=-/foo/bar/baz -p RootDirectory=/tmp/root -- "- foo")
+
+# RestrictNamespaces=
+systemd-run --wait --pipe unshare -T true
+(! systemd-run --wait --pipe -p RestrictNamespaces=~time unshare -T true)