]> git.ipfire.org Git - thirdparty/systemd.git/commit
projects / thirdparty / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b281686) | patch
core: Make DelegateNamespaces= work for user managers with CAP_SYS_ADMIN 36771/head
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Mon, 17 Mar 2025 10:35:23 +0000 (11:35 +0100)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Wed, 19 Mar 2025 09:01:19 +0000 (10:01 +0100)
commit38748596f0783f2b773bd95d4af4d83f5b5ff872
tree12acd905f9d55d302c6819f453472f4f9df80322tree | snapshot
parentb281686b4f812365adc6896cee6ca20aa69b1bafcommit | diff
core: Make DelegateNamespaces= work for user managers with CAP_SYS_ADMIN

Currently DelegateNamespaces= only works for services spawned by the
system manager. User managers will always unshare the user namespace
first even if they're running with CAP_SYS_ADMIN.

Let's add support for DelegateNamespaces= for user managers if they're
running with CAP_SYS_ADMIN. By default, we'll still delegate all namespaces
for user managers, but this can now be overridden by explicitly passing
DelegateNamespaces=.

If a user manager is running without CAP_SYS_ADMIN, the user manager is
still always unshared first just like before.
src/core/exec-invoke.c diff | blob | blame | history
test/units/TEST-07-PID1.delegate-namespaces.sh diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.