From 11b982053bdc31806e571ea0771d7f10cb276d69 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Thu, 6 Mar 2025 14:15:34 +0100
Subject: [PATCH 1/2] load-fragment: Fix config_parse_namespace_flags() for DelegateNamespaces=

Boolean values have to be handled separately for RestrictNamespaces= because they get stored in a field with reverse meaning (which namespaces are retained), so let's check which field we're parsing and set the proper value accordingly.
---
 src/core/load-fragment.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 2eb3ed4cf4..60e7c2f50d 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -3593,10 +3593,13 @@ int config_parse_namespace_flags(
 /* Boolean parameter ignores the previous settings */
 r = parse_boolean(rvalue);
 if (r > 0) {
- *flags = 0;
+ /* RestrictNamespaces= value gets stored into a field with reverse semantics (the namespaces
+ * which are retained), so RestrictNamespaces=true means we retain no access to any
+ * namespaces and vice-versa. */
+ *flags = streq(lvalue, "RestrictNamespaces") ? 0 : all;
 return 0;
 } else if (r == 0) {
- *flags = all;
+ *flags = streq(lvalue, "RestrictNamespaces") ? all : 0;
 return 0;
 }

From e533610375cf0d42de7af8c5ec16cc6b27cb4913 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Thu, 6 Mar 2025 14:17:14 +0100
Subject: [PATCH 2/2] portable: Set DelegateNamespaces=no for all portable profiles

We don't want to delegate any namespaces to portable services, so let's explicitly set DelegateNamespaces=no in the portable profiles.
---
 src/portable/profile/default/service.conf | 1 +
 src/portable/profile/nonetwork/service.conf | 1 +
 src/portable/profile/strict/service.conf | 1 +
 3 files changed, 3 insertions(+)

diff --git a/src/portable/profile/default/service.conf b/src/portable/profile/default/service.conf
index 35dfd778f2..2cb54d84c3 100644
--- a/src/portable/profile/default/service.conf
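Review bot: The directive name is tested twice with `streq(lvalue, "RestrictNamespaces")`, once in each boolean branch, so the inversion rule that the new comment describes is decided in two separate places. I would hoist it once before the `if (r > 0)` check, `bool inverted = streq(lvalue, "RestrictNamespaces");`, and write the two assignments as `*flags = inverted ? 0 : all;` and `*flags = inverted ? all : 0;`, keeping the reverse-semantics comment next to the single line that makes the decision. Note that `yes` and `no` for any other directive routed through this parser now map to `all` and 0 respectively, so a future caller that also stores into a retained-set field would silently get the opposite meaning; a comment on the `inverted` line naming that assumption would help. config_parse_namespace_flags() begins before the hunk and the non-boolean path after the closing `}` lies outside it, so I cannot see whether that path needs the same lvalue-dependent inversion — worth confirming.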
+++ b/src/portable/profile/default/service.conf
@@ -24,6 +24,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+DelegateNamespaces=no
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
diff --git a/src/portable/profile/nonetwork/service.conf b/src/portable/profile/nonetwork/service.conf
index e8d2a9bb1a..29b7d6f622 100644
--- a/src/portable/profile/nonetwork/service.conf
+++ b/src/portable/profile/nonetwork/service.conf
@@ -22,6 +22,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+DelegateNamespaces=no
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
diff --git a/src/portable/profile/strict/service.conf b/src/portable/profile/strict/service.conf
index aa5bcfbb08..8e7d3300e2 100644
--- a/src/portable/profile/strict/service.conf
+++ b/src/portable/profile/strict/service.conf
@@ -20,6 +20,7 @@ NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+DelegateNamespaces=no
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
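Review bot: `DelegateNamespaces=no` in this hunk, and in the two identical hunks for the nonetwork and strict profiles, only means "delegate nothing" once the parser fix in the first patch is applied; with the previous parser the `no` branch stored `all`, i.e. the opposite of what the profiles intend. The two patches should therefore land and be backported together, and it is worth stating that dependency in this commit message. Since one parser now serves both directives, a test that loads one of these profiles and asserts the delegated-namespace set is empty would catch a regression of that inversion.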