From: Daan De Meyer
Date: Mon, 17 Mar 2025 10:29:48 +0000 (+0100)
Subject: bus-unit-util: Fix DelegateNamespaces= parser
X-Git-Tag: v258-rc1~1041^2~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ad9b5d4732ec2131aec12fcfed8d141fb720fd95;p=thirdparty%2Fsystemd.git
bus-unit-util: Fix DelegateNamespaces= parser
Similarly to the config file parse method, let's fix the systemd-run parser as well.
Follow up for 11b982053bdc31806e571ea0771d7f10cb276d69
---
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index f7874131613..1e04a051a6d 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -1669,13 +1669,17 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
 if (STR_IN_SET(field, "RestrictNamespaces", "DelegateNamespaces")) {
 bool invert = false;
+ unsigned long all = UPDATE_FLAG(NAMESPACE_FLAGS_ALL, CLONE_NEWUSER, !streq(field, "DelegateNamespaces"));
 unsigned long flags;
 r = parse_boolean(eq);
 if (r > 0)
- flags = 0;
+ /* RestrictNamespaces= value gets stored into a field with reverse semantics (the
+ * namespaces which are retained), so RestrictNamespaces=true means we retain no
+ * access to any namespaces and vice-versa. */
+ flags = streq(field, "RestrictNamespaces") ? 0 : all;
 else if (r == 0)
- flags = NAMESPACE_FLAGS_ALL;
+ flags = streq(field, "RestrictNamespaces") ? all : 0;
 else {
 if (eq[0] == '~') {
 invert = true;
@@ -1688,7 +1692,7 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
 }
 if (invert)
- flags = (~flags) & NAMESPACE_FLAGS_ALL;
+ flags = (~flags) & all;
 r = sd_bus_message_append(m, "(sv)", field, "t", (uint64_t) flags);
 if (r < 0)
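Review bot: The new `all` mask at the top of the first hunk clears CLONE_NEWUSER when the field is DelegateNamespaces=, but nothing says so; the added comment only explains the RestrictNamespaces= inversion. Because this value decides which namespaces a sandboxed unit retains or is delegated, I would put a comment above the declaration, e.g. `/* For DelegateNamespaces= the "all" set leaves out CLONE_NEWUSER; RestrictNamespaces= covers every namespace type. */`. The field test is also spelled three ways (`!streq(field, "DelegateNamespaces")` once, `streq(field, "RestrictNamespaces")` twice); a single local such as `bool restrict_ns = streq(field, "RestrictNamespaces");` would make the three sites read alike. The multi-line comment now sits inside an unbraced `if (r > 0)` body, so braces around that branch would keep the `else if` pairing obvious. The function starts and ends outside this hunk.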
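Review bot: In the second hunk the `& all` mask is applied only under `if (invert)`, so a non-inverted namespace list reaches `sd_bus_message_append()` unmasked. For DelegateNamespaces= that would mean the boolean and `~` forms never carry CLONE_NEWUSER while an explicit list naming it still could. The list-parsing lines sit between the two hunks and are not visible here, so this may already be handled there or rejected by the receiving side. If it is not, either mask unconditionally with `flags &= all;` before the append, or return an error for bits outside `all`, and state in a comment which behaviour is intended.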