process-util: add option for cloning with CLONE_NEWUSER

This is useful for allocating a userns fd later on for use in idmapped
mounts.

diff --git a/src/basic/process-util.c b/src/basic/process-util.c
index 1b8e663efea51456ef504b4516d722e13120f482..4cd8287bb004d25744064c25aa0a939a05d6981d 100644 (file)
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@@ -1306,8 +1306,10 @@ int safe_fork_full(
                 saved_ssp = &saved_ss;
         }
 
-        if (flags & FORK_NEW_MOUNTNS)
-                pid = raw_clone(SIGCHLD|CLONE_NEWNS);
+        if ((flags & (FORK_NEW_MOUNTNS|FORK_NEW_USERNS)) != 0)
+                pid = raw_clone(SIGCHLD|
+                                (FLAGS_SET(flags, FORK_NEW_MOUNTNS) ? CLONE_NEWNS : 0) |
+                                (FLAGS_SET(flags, FORK_NEW_USERNS) ? CLONE_NEWUSER : 0));
         else
                 pid = fork();
         if (pid < 0)

diff --git a/src/basic/process-util.h b/src/basic/process-util.h
index 8ce6d60f39b066330217ea7eecfd36df15a81dcb..0e064de85e838572a277f081f98b65d83a18399f 100644 (file)
--- a/src/basic/process-util.h
+++ b/src/basic/process-util.h
@@ -165,6 +165,7 @@ typedef enum ForkFlags {
         FORK_RLIMIT_NOFILE_SAFE = 1 << 10, /* Set RLIMIT_NOFILE soft limit to 1K for select() compat */
         FORK_STDOUT_TO_STDERR   = 1 << 11, /* Make stdout a copy of stderr */
         FORK_FLUSH_STDIO        = 1 << 12, /* fflush() stdout (and stderr) before forking */
+        FORK_NEW_USERNS         = 1 << 13, /* Run child in its own user namespace */
 } ForkFlags;
 
 int safe_fork_full(const char *name, const int except_fds[], size_t n_except_fds, ForkFlags flags, pid_t *ret_pid);