authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2016-11-08 19:54:21 -0500
committerGitHub <noreply@github.com>2016-11-08 19:54:21 -0500
commitd85a0f802851e79efdb09acaa1ce517f7127ad28 (patch)
tree609c7aa9f807b3a74e0f23e3d4eed3f1e2454ea2 /src/core/execute.h
parenta809cee58249cc2f42222f1ab5d4746d634c2668 (diff)
parentadd005357d535681c7075ced8eec2b6e61b43728 (diff)
Merge pull request #4536 from poettering/seccomp-namespaces
core: add new RestrictNamespaces= unit file setting

Merging, not rebasing, because this touches many files and there were tree-wide cleanups in the meantime.
Diffstat (limited to 'src/core/execute.h')
-rw-r--r--src/core/execute.h9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/core/execute.h b/src/core/execute.h
index c7d0f7761e..56f880cffe 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -35,6 +35,7 @@ typedef struct ExecParameters ExecParameters;
#include "list.h"
#include "missing.h"
#include "namespace.h"
+#include "nsflags.h"
typedef enum ExecUtmpMode {
EXEC_UTMP_INIT,
@@ -195,6 +196,8 @@ struct ExecContext {
unsigned long personality;
+ unsigned long restrict_namespaces; /* The CLONE_NEWxyz flags permitted to the unit's processes */
+
Set *syscall_filter;
Set *syscall_archs;
int syscall_errno;
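Review bot: The comment on `restrict_namespaces` does not say which value means "no restriction", and for an allow-list that value is all bits set, not 0. A context that is merely zero-filled would therefore permit no namespace type at all, and the helper added further down in this diff would report the restriction as active. That fails closed, but it would surprise anyone adding a new construction path for ExecContext. I would spell it out on the field: `unsigned long restrict_namespaces; /* The CLONE_NEWxyz flags permitted to the unit's processes; NAMESPACE_FLAGS_ALL = unrestricted (the default) */`. The initialisation is not part of this file's diff, so it is worth confirming that wherever ExecContext is initialised sets the field to NAMESPACE_FLAGS_ALL. The struct body starts and ends outside this hunk.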
@@ -216,6 +219,12 @@ struct ExecContext {
bool no_new_privileges_set:1;
};
+static inline bool exec_context_restrict_namespaces_set(const ExecContext *c) {
+ assert(c);
+
+ return (c->restrict_namespaces & NAMESPACE_FLAGS_ALL) != NAMESPACE_FLAGS_ALL;
+}
+
typedef enum ExecFlags {
EXEC_CONFIRM_SPAWN = 1U << 0,
EXEC_APPLY_PERMISSIONS = 1U << 1,
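Review bot: `exec_context_restrict_namespaces_set()` has no comment, and its `_set` suffix reads differently from the `no_new_privileges_set:1` bit directly above it. That bit presumably records that the option was explicitly configured, whereas the helper derives its answer from the mask value: it returns true whenever at least one known namespace bit is missing. Bits outside `NAMESPACE_FLAGS_ALL` are masked off and never influence the result. Since this predicate is presumably what decides whether a namespace filter gets installed at all, I would state the contract above the function: `/* True if at least one namespace type is denied, i.e. the permitted mask is narrower than NAMESPACE_FLAGS_ALL. */`.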