From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Thu, 6 Mar 2025 13:15:34 +0000 (+0100)
Subject: load-fragment: Fix config_parse_namespace_flags() for DelegateNamespaces=
X-Git-Tag: v258-rc1~1153^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=11b982053bdc31806e571ea0771d7f10cb276d69;p=thirdparty%2Fsystemd.git

load-fragment: Fix config_parse_namespace_flags() for DelegateNamespaces=

Boolean values have to be handled separately for RestrictNamespaces= because
they get stored in a field with reverse meaning (which namespaces are retained),
so let's check which field we're parsing and set the proper value accordingly.
---

diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 2eb3ed4cf4d..60e7c2f50db 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -3593,10 +3593,13 @@ int config_parse_namespace_flags(
         /* Boolean parameter ignores the previous settings */
         r = parse_boolean(rvalue);
         if (r > 0) {
-                *flags = 0;
+                /* RestrictNamespaces= value gets stored into a field with reverse semantics (the namespaces
+                 * which are retained), so RestrictNamespaces=true means we retain no access to any
+                 * namespaces and vice-versa. */
+                *flags = streq(lvalue, "RestrictNamespaces") ? 0 : all;
                 return 0;
         } else if (r == 0) {
-                *flags = all;
+                *flags = streq(lvalue, "RestrictNamespaces") ? all : 0;
                 return 0;
         }