Merge pull request #4536 from poettering/seccomp-namespaces

core: add new RestrictNamespaces= unit file setting

Merging, not rebasing, because this touches many files and there were tree-wide cleanups in the mean time.

1 files changed, 34 insertions, 16 deletions

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 0973f4047a..3b39a9c912 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1234,22 +1234,16 @@
       <varlistentry>
         <term><varname>NoNewPrivileges=</varname></term>
 
-        <listitem><para>Takes a boolean argument. If true, ensures that the service
-        process and all its children can never gain new privileges through
-        <function>execve</function> (e.g. via setuid or setgid bits, or filesystem
-        capabilities). This is the simplest and most effective way to ensure that
-        a process and its children can never elevate privileges again. Defaults to false,
-        but in the user manager instance certain settings force
-        <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting.
-        This is the case when <varname>SystemCallFilter=</varname>,
-        <varname>SystemCallArchitectures=</varname>,
-        <varname>RestrictAddressFamilies=</varname>,
-        <varname>PrivateDevices=</varname>,
-        <varname>ProtectKernelTunables=</varname>,
-        <varname>ProtectKernelModules=</varname>,
-        <varname>MemoryDenyWriteExecute=</varname>, or
-        <varname>RestrictRealtime=</varname> are specified.
-        </para></listitem>
+        <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its children can
+        never gain new privileges through <function>execve()</function> (e.g. via setuid or setgid bits, or filesystem
+        capabilities). This is the simplest and most effective way to ensure that a process and its children can never
+        elevate privileges again. Defaults to false, but in the user manager instance certain settings force
+        <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting.  This is the case when
+        <varname>SystemCallFilter=</varname>, <varname>SystemCallArchitectures=</varname>,
+        <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>,
+        <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
+        <varname>ProtectKernelModules=</varname>, <varname>MemoryDenyWriteExecute=</varname>, or
+        <varname>RestrictRealtime=</varname> are specified.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -1468,6 +1462,30 @@
       </varlistentry>
 
       <varlistentry>
+        <term><varname>RestrictNamespaces=</varname></term>
+
+        <listitem><para>Restricts access to Linux namespace functionality for the processes of this unit. For details
+        about Linux namespaces, see
+        <citerefentry><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>. Either takes a
+        boolean argument, or a space-separated list of namespace type identifiers. If false (the default), no
+        restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is
+        prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of
+        any combination of: <constant>cgroup</constant>, <constant>ipc</constant>, <constant>net</constant>,
+        <constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant> and <constant>uts</constant>. Any
+        namespace type listed is made accessible to the unit's processes, access to namespace types not listed is
+        prohibited (whitelisting). By prepending the list with a single tilda character (<literal>~</literal>) the
+        effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
+        permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied,
+        which is equivalent to false. Internally, this setting limits access to the
+        <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
+        <citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
+        <citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking
+        the specified flags parameters into account. Note that — if this option is used — in addition to restricting
+        creation and switching of the specified types of namespaces (or all of them, if true) access to the
+        <function>setns()</function> system call with a zero flags parameter is prohibited.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term><varname>ProtectKernelModules=</varname></term>
 
         <listitem><para>Takes a boolean argument. If true, explicit module loading will