From e533610375cf0d42de7af8c5ec16cc6b27cb4913 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Thu, 6 Mar 2025 14:17:14 +0100
Subject: [PATCH] portable: Set DelegateNamespaces=no for all portable profiles

We don't want to delegate any namespaces to portable services, so let's explicitly set DelegateNamespaces=no in the portable profiles.
---
 src/portable/profile/default/service.conf | 1 +
 src/portable/profile/nonetwork/service.conf | 1 +
 src/portable/profile/strict/service.conf | 1 +
 3 files changed, 3 insertions(+)

diff --git a/src/portable/profile/default/service.conf b/src/portable/profile/default/service.conf
index 35dfd778f28..2cb54d84c3c 100644
--- a/src/portable/profile/default/service.conf
+++ b/src/portable/profile/default/service.conf
@@ -24,6 +24,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+DelegateNamespaces=no
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
diff --git a/src/portable/profile/nonetwork/service.conf b/src/portable/profile/nonetwork/service.conf
index e8d2a9bb1a1..29b7d6f6220 100644
--- a/src/portable/profile/nonetwork/service.conf
+++ b/src/portable/profile/nonetwork/service.conf
@@ -22,6 +22,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+DelegateNamespaces=no
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
diff --git a/src/portable/profile/strict/service.conf b/src/portable/profile/strict/service.conf
index aa5bcfbb08e..8e7d3300e2e 100644
--- a/src/portable/profile/strict/service.conf
+++ b/src/portable/profile/strict/service.conf
@@ -20,6 +20,7 @@ NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+DelegateNamespaces=no
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
--
2.47.3
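Review bot: The subject promises the setting for "all portable profiles", yet the diffstat covers only the default, nonetwork and strict profiles; if the tree holds any other profile directory, the description should state that it is left out on purpose. In each of the three hunks the new `DelegateNamespaces=no` lands right under `RestrictNamespaces=yes` with nothing to tell the two apart, and the commit message implies this only pins what is presumably already the default. A comment above the new line would record the intent, for example `# Pin the default: namespaces set up for the service are never owned by the service; RestrictNamespaces= only filters namespace syscalls`. Each hunk shows only part of its service.conf, so whether a user-namespace setting elsewhere in the file interacts with this one cannot be checked from here.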