From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Thu, 6 Mar 2025 13:17:14 +0000 (+0100)
Subject: portable: Set DelegateNamespaces=no for all portable profiles
X-Git-Tag: v258-rc1~1153^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F36633%2Fhead;p=thirdparty%2Fsystemd.git

portable: Set DelegateNamespaces=no for all portable profiles

We don't want to delegate any namespaces to portable services, so
let's explicitly set DelegateNamespaces=no in the portable profiles.
---

diff --git a/src/portable/profile/default/service.conf b/src/portable/profile/default/service.conf
index 35dfd778f28..2cb54d84c3c 100644
--- a/src/portable/profile/default/service.conf
+++ b/src/portable/profile/default/service.conf
@@ -24,6 +24,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+DelegateNamespaces=no
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
diff --git a/src/portable/profile/nonetwork/service.conf b/src/portable/profile/nonetwork/service.conf
index e8d2a9bb1a1..29b7d6f6220 100644
--- a/src/portable/profile/nonetwork/service.conf
+++ b/src/portable/profile/nonetwork/service.conf
@@ -22,6 +22,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+DelegateNamespaces=no
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
diff --git a/src/portable/profile/strict/service.conf b/src/portable/profile/strict/service.conf
index aa5bcfbb08e..8e7d3300e2e 100644
--- a/src/portable/profile/strict/service.conf
+++ b/src/portable/profile/strict/service.conf
@@ -20,6 +20,7 @@ NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+DelegateNamespaces=no
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native