From: Ryan Wilson Date: Mon, 2 Dec 2024 23:38:46 +0000 (-0800) Subject: core: Fix time namespace in RestrictNamespaces= X-Git-Tag: v258-rc1~1928 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=219a6dbbf3ad0121ec43118d4fcdb7b375532cbe;p=thirdparty%2Fsystemd.git core: Fix time namespace in RestrictNamespaces= RestrictNamespaces= would accept "time" but would not actually apply seccomp filters e.g. systemd-run -p RestrictNamespaces=time unshare -T true should fail but it succeeded. This commit actually enables time namespace seccomp filtering.
---
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 14075cb4e7d..82dfa45664e 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -2322,15 +2322,15 @@ RestrictFileSystems=ext4 restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of any combination of: cgroup, ipc, net,
- mnt, pid, user and uts. Any
- namespace type listed is made accessible to the unit's processes, access to namespace types not listed is
- prohibited (allow-listing). By prepending the list with a single tilde character (~) the
- effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
- permitted (deny-listing). If the empty string is assigned, the default namespace restrictions are applied,
- which is equivalent to false. This option may appear more than once, in which case the namespace types are
- merged by OR, or by AND if the lines are prefixed with
- ~ (see examples below). Internally, this setting limits access to the
- unshare2,
+ mnt, pid, user, uts, and
+ time. Any namespace type listed is made accessible to the unit's processes, access to
+ namespace types not listed is prohibited (allow-listing). By prepending the list with a single tilde
+ character (~) the effect may be inverted: only the listed namespace types will be made
+ inaccessible, all unlisted ones are permitted (deny-listing). If the empty string is assigned, the default
+ namespace restrictions are applied, which is equivalent to false. This option may appear more than once, in
+ which case the namespace types are merged by OR, or by AND if the
+ lines are prefixed with ~ (see examples below). Internally, this setting limits access to
+ the unshare2,
 clone2 and setns2 system calls, taking the specified flags parameters into account. Note that — if this option is used — in addition to restricting
diff --git a/src/shared/nsflags.h b/src/shared/nsflags.h
index c4ff82df6ce..7c6214a3bb4 100644
--- a/src/shared/nsflags.h
+++ b/src/shared/nsflags.h
@@ -14,7 +14,8 @@
 CLONE_NEWNS| \
 CLONE_NEWPID| \
 CLONE_NEWUSER| \
- CLONE_NEWUTS))
+ CLONE_NEWUTS| \
+ CLONE_NEWTIME))
 #define NAMESPACE_FLAGS_INITIAL ULONG_MAX
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index 459708ee00c..b4009089783 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -295,7 +295,7 @@ TEST(restrict_namespace) {
 s = mfree(s);
 assert_se(namespace_flags_to_string(NAMESPACE_FLAGS_ALL, &s) == 0);
- ASSERT_STREQ(s, "cgroup ipc net mnt pid user uts");
+ ASSERT_STREQ(s, "cgroup ipc net mnt pid user uts time");
 assert_se(namespace_flags_from_string(s, &ul) == 0 && ul == NAMESPACE_FLAGS_ALL);
 s = mfree(s);
diff --git a/test/units/TEST-07-PID1.exec-context.sh b/test/units/TEST-07-PID1.exec-context.sh
index 402a3b3498f..1e253b390d5 100755
--- a/test/units/TEST-07-PID1.exec-context.sh
+++ b/test/units/TEST-07-PID1.exec-context.sh
@@ -415,3 +415,7 @@ fi
 (! systemd-run --wait --pipe -p RootDirectory=/tmp/root this-shouldnt-exist)
 (! systemd-run --wait --pipe -p RootDirectory=/tmp/root /foo)
 (! systemd-run --wait --pipe --service-type=oneshot -p ExecStartPre=-/foo/bar/baz -p ExecStart=-/foo/bar/baz -p RootDirectory=/tmp/root -- "- foo")
+
+# RestrictNamespaces=
+systemd-run --wait --pipe unshare -T true
+(! systemd-run --wait --pipe -p RestrictNamespaces=~time unshare -T true)
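Review bot: Existing units with RestrictNamespaces=yes, or with an allow-list that does not name `time`, will now also be denied time-namespace creation once CLONE_NEWTIME is part of NAMESPACE_FLAGS_ALL; that is a compatibility change the commit does not call out and deserves a NEWS entry or a sentence in the commit message. This assumes the mask is what the seccomp filter uses to derive the denied flag set, as the commit message implies, so confirm it against the seccomp code. CLONE_NEWTIME only exists in sched.h from Linux 5.6 onwards, so if the build can run against older kernel headers a fallback definition is needed; check whether one is already provided before relying on the bare name here. The NAMESPACE_FLAGS_ALL definition starts outside the hunk.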
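Review bot: The updated assertion only shows that `time` is rendered as part of the full-mask string; a direct check that the single identifier parses to the new bit would pin the fix more tightly, e.g. `assert_se(namespace_flags_from_string("time", &ul) == 0 && ul == CLONE_NEWTIME);` placed after the NAMESPACE_FLAGS_ALL round trip. TEST(restrict_namespace) begins before this hunk and continues after it.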
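Review bot: The positive control `systemd-run --wait --pipe unshare -T true` fails on a kernel built without CONFIG_TIME_NS, or with a util-linux whose unshare lacks `-T`, which would abort the whole script for a reason unrelated to RestrictNamespaces=; guarding the pair, e.g. `if unshare -T true; then … fi`, keeps the test meaningful on such hosts. Only the deny-list form `~time` is exercised; an allow-list case such as `systemd-run --wait --pipe -p RestrictNamespaces=time unshare -T true` succeeding would cover the other direction of the documented semantics. The commit message's example names `RestrictNamespaces=time` as the case expected to fail while this test uses `~time`; by the man page's allow-list semantics only the latter should be denied, so the message may want aligning with the test.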