From: Lennart Poettering
Date: Tue, 27 Apr 2021 15:00:07 +0000 (+0200)
Subject: process-util: add option for cloning with CLONE_NEWUSER
X-Git-Tag: v249-rc1~269^2~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5f9687363a85112949b71f85dc163dcdbb7f9292;p=thirdparty%2Fsystemd.git
process-util: add option for cloning with CLONE_NEWUSER
This is useful for allocating a userns fd later on for use in idmapped mounts.
---
diff --git a/src/basic/process-util.c b/src/basic/process-util.c
index 1b8e663efea..4cd8287bb00 100644
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@@ -1306,8 +1306,10 @@ int safe_fork_full(
 saved_ssp = &saved_ss;
 }
- if (flags & FORK_NEW_MOUNTNS)
- pid = raw_clone(SIGCHLD|CLONE_NEWNS);
+ if ((flags & (FORK_NEW_MOUNTNS|FORK_NEW_USERNS)) != 0)
+ pid = raw_clone(SIGCHLD|
+ (FLAGS_SET(flags, FORK_NEW_MOUNTNS) ? CLONE_NEWNS : 0) |
+ (FLAGS_SET(flags, FORK_NEW_USERNS) ? CLONE_NEWUSER : 0));
 else
 pid = fork();
 if (pid < 0)
diff --git a/src/basic/process-util.h b/src/basic/process-util.h
index 8ce6d60f39b..0e064de85e8 100644
--- a/src/basic/process-util.h
+++ b/src/basic/process-util.h
@@ -165,6 +165,7 @@ typedef enum ForkFlags {
 FORK_RLIMIT_NOFILE_SAFE = 1 << 10, /* Set RLIMIT_NOFILE soft limit to 1K for select() compat */
 FORK_STDOUT_TO_STDERR = 1 << 11, /* Make stdout a copy of stderr */
 FORK_FLUSH_STDIO = 1 << 12, /* fflush() stdout (and stderr) before forking */
+ FORK_NEW_USERNS = 1 << 13, /* Run child in its own user namespace */
 } ForkFlags;
 int safe_fork_full(const char *name, const int except_fds[], size_t n_except_fds, ForkFlags flags, pid_t *ret_pid);
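Review bot: The combined `raw_clone()` call in safe_fork_full() carries no comment on how the two namespace flags interact, and the interaction changes the child's privilege model. When `CLONE_NEWUSER` and `CLONE_NEWNS` are passed in one clone call the kernel creates the user namespace first, so the new mount namespace is owned by that user namespace rather than by the parent's, and the mounts it inherits are locked. The child-side setup that follows the `if (pid < 0)` check is outside this hunk, so it is worth confirming that no later step (mount propagation changes in particular) assumes the child still holds the parent's privileges. A comment above the call would record this: `/* With FORK_NEW_USERNS the userns is created first; a mount namespace requested alongside it is owned by the new userns */`.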
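Review bot: The comment on `FORK_NEW_USERNS` in the ForkFlags enum leaves out two things a caller needs before using the flag. The child starts with no UID/GID mapping, so it sees the overflow IDs until something writes its `uid_map`/`gid_map`. The clone itself can also fail where a plain fork() would not, for example with EPERM or ENOSPC on hosts that restrict or cap user namespaces. Callers therefore need to treat a negative return from safe_fork_full() as an expected outcome rather than an exceptional one. I would extend the comment to `/* Run child in its own user namespace; no UID/GID map is set up, and the clone may fail where userns are restricted */`.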