done with the namespace specific unit setting such as <varname>PrivateNetwork=</varname> or
<varname>PrivateMounts=</varname>.</para>
+ <para>Note that some namespace sandboxing options might entail mount namespace for private API VFS instances,
+ such as <varname>PrivatePIDs=</varname>, <varname>ProtectControlGroups=private/strict</varname>, or
+ <varname>PrivateNetwork=</varname>. If any of the mentioned options are enabled, mount namespace
+ is implicitly delegated.</para>
+
<xi:include href="version-info.xml" xpointer="v258"/></listitem>
</varlistentry>
if (context->delegate_namespaces == NAMESPACE_FLAGS_INITIAL)
return params->runtime_scope == RUNTIME_SCOPE_USER;
- return FLAGS_SET(context->delegate_namespaces, namespace);
+ if (FLAGS_SET(context->delegate_namespaces, namespace))
+ return true;
+
+ /* Various namespaces imply mountns for private procfs/sysfs/cgroupfs instances, which means when
+ * those are delegated mountns must be deferred too.
+ *
+ * The list should stay in sync with exec_needs_mount_namespace(). */
+ if (namespace == CLONE_NEWNS)
+ return context->delegate_namespaces & (CLONE_NEWPID|CLONE_NEWCGROUP|CLONE_NEWNET);
+
+ return false;
}
static int setup_delegated_namespaces(
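Review bot: The mask returned after the `if (namespace == CLONE_NEWNS)` guard is a second copy of a list the comment asks to be kept in sync with exec_needs_mount_namespace() by hand, and if the two drift the mount sandbox is set up at the wrong stage relative to the delegated pid/cgroup/net namespace, so I would hoist it into one named constant both functions use, e.g. `#define NAMESPACE_FLAGS_IMPLY_MOUNTNS (CLONE_NEWPID|CLONE_NEWCGROUP|CLONE_NEWNET)` next to NAMESPACE_FLAGS_INITIAL, and return a proper boolean instead of a raw bitmask: `return (context->delegate_namespaces & NAMESPACE_FLAGS_IMPLY_MOUNTNS) != 0;`. The check looks only at the delegate_namespaces bits, so a unit with DelegateNamespaces=net but no PrivateNetwork= presumably also gets its mount namespace deferred; if that is intended it deserves a sentence in the comment, otherwise the test should also consult whether the implying namespace is actually in use. The function's signature and its earlier checks start outside this hunk.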
# so we can't write to it when running in a container.
if ! systemd-detect-virt --container; then
(! systemd-run -p PrivateUsersEx=self -p PrivatePIDs=yes -p MountAPIVFS=yes --wait --pipe -- sh -c 'echo 5 >/proc/sys/kernel/ns_last_pid')
- systemd-run -p PrivateUsersEx=self -p PrivatePIDs=yes -p MountAPIVFS=yes -p DelegateNamespaces="mnt pid" --wait --pipe -- sh -c 'echo 5 >/proc/sys/kernel/ns_last_pid'
+ systemd-run -p PrivateUsersEx=self -p PrivatePIDs=yes -p MountAPIVFS=yes -p DelegateNamespaces=pid --wait --pipe -- sh -c 'echo 5 >/proc/sys/kernel/ns_last_pid'
fi
}
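Review bot: Swapping `DelegateNamespaces="mnt pid"` for `DelegateNamespaces=pid` removes the only run that exercises the explicit spelling, which must keep working after this change, so I would keep the old line and add the new one beneath it: `systemd-run -p PrivateUsersEx=self -p PrivatePIDs=yes -p MountAPIVFS=yes -p DelegateNamespaces=pid --wait --pipe -- sh -c 'echo 5 >/proc/sys/kernel/ns_last_pid'`. The implied mount-namespace delegation also applies to cgroup and net delegation, and neither gets a check here; whether a comparable write to a private API VFS instance can be made for those cases I cannot tell from this chunk. The enclosing test function begins before this hunk.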