mirror of https://github.com/systemd/systemd.git synced 2025-01-09 01:18:19 +03:00

core: Fix time namespace in RestrictNamespaces=

RestrictNamespaces= would accept "time" but would not actually apply
seccomp filters, e.g. systemd-run -p RestrictNamespaces=time unshare -T true
should fail but it succeeded.

This commit actually enables time namespace seccomp filtering.
Ryan Wilson 2024-12-02 15:38:46 -08:00 committed by Mike Yuan
parent 641714cb30
commit 219a6dbbf3
4 changed files with 16 additions and 11 deletions

View File

@ -2322,15 +2322,15 @@ RestrictFileSystems=ext4</programlisting>
restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is
prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of
any combination of: <constant>cgroup</constant>, <constant>ipc</constant>, <constant>net</constant>,
<constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant> and <constant>uts</constant>. Any
namespace type listed is made accessible to the unit's processes, access to namespace types not listed is
prohibited (allow-listing). By prepending the list with a single tilde character (<literal>~</literal>) the
effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
permitted (deny-listing). If the empty string is assigned, the default namespace restrictions are applied,
which is equivalent to false. This option may appear more than once, in which case the namespace types are
merged by <constant>OR</constant>, or by <constant>AND</constant> if the lines are prefixed with
<literal>~</literal> (see examples below). Internally, this setting limits access to the
<citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
<constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant>, <constant>uts</constant>, and
<constant>time</constant>. Any namespace type listed is made accessible to the unit's processes, access to
namespace types not listed is prohibited (allow-listing). By prepending the list with a single tilde
character (<literal>~</literal>) the effect may be inverted: only the listed namespace types will be made
inaccessible, all unlisted ones are permitted (deny-listing). If the empty string is assigned, the default
namespace restrictions are applied, which is equivalent to false. This option may appear more than once, in
which case the namespace types are merged by <constant>OR</constant>, or by <constant>AND</constant> if the
lines are prefixed with <literal>~</literal> (see examples below). Internally, this setting limits access to
the <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
<citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
<citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking
the specified flags parameters into account. Note that — if this option is used — in addition to restricting
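Review bot: the closing sentence of this paragraph ("limits access to the unshare(2), clone(2) and setns(2) system calls, taking the specified flags parameters into account") becomes slightly misleading for the type added here: CLONE_NEWTIME (0x00000080) occupies the exit-signal byte of legacy clone(2) flags, so a time namespace can only be requested through unshare(2) or clone3(2), never through clone(2). Suggest a short parenthetical after the list of namespace types, for example "a <constant>time</constant> namespace can only be created via unshare(2) or clone3(2)", and, since this is the first type with a comparatively recent kernel dependency, stating that time namespaces require Linux 5.6 or newer.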

View File

@ -14,7 +14,8 @@
CLONE_NEWNS| \
CLONE_NEWPID| \
CLONE_NEWUSER| \
CLONE_NEWUTS))
CLONE_NEWUTS| \
CLONE_NEWTIME))
#define NAMESPACE_FLAGS_INITIAL ULONG_MAX
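Review bot: CLONE_NEWTIME only exists in kernel UAPI headers from Linux 5.6 and reached glibc's <sched.h> later still, so NAMESPACE_FLAGS_ALL now depends on the build headers being new enough; unless the tree's missing_*.h fallbacks already define it, add a guarded `#define CLONE_NEWTIME 0x00000080` so builds against older toolchains keep working. Worth a comment on the new line as well: this mask is what the seccomp filter compares against the flags argument of the namespace syscalls, which is why adding the bit here is the change that makes the previously accepted but inert "time" keyword actually enforced.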

View File

@ -295,7 +295,7 @@ TEST(restrict_namespace) {
s = mfree(s);
assert_se(namespace_flags_to_string(NAMESPACE_FLAGS_ALL, &s) == 0);
ASSERT_STREQ(s, "cgroup ipc net mnt pid user uts");
ASSERT_STREQ(s, "cgroup ipc net mnt pid user uts time");
assert_se(namespace_flags_from_string(s, &ul) == 0 && ul == NAMESPACE_FLAGS_ALL);
s = mfree(s);
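Review bot: the updated expectation exercises namespace_flags_to_string() for NAMESPACE_FLAGS_ALL and the round-trip through namespace_flags_from_string(), but nothing checks the new keyword in isolation; suggest adding `assert_se(namespace_flags_from_string("time", &ul) == 0 && ul == CLONE_NEWTIME);` next to it, so a regression that drops "time" from the parser's name table while leaving the bit in the mask is still caught.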

View File

@ -415,3 +415,7 @@ fi
(! systemd-run --wait --pipe -p RootDirectory=/tmp/root this-shouldnt-exist)
(! systemd-run --wait --pipe -p RootDirectory=/tmp/root /foo)
(! systemd-run --wait --pipe --service-type=oneshot -p ExecStartPre=-/foo/bar/baz -p ExecStart=-/foo/bar/baz -p RootDirectory=/tmp/root -- "- foo")
# RestrictNamespaces=
systemd-run --wait --pipe unshare -T true
(! systemd-run --wait --pipe -p RestrictNamespaces=~time unshare -T true)
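Review bot: the positive control `systemd-run --wait --pipe unshare -T true` assumes the test kernel supports time namespaces (Linux 5.6 or newer) and that the installed unshare(1) understands -T; on an older environment that line fails before the restriction is exercised at all, so consider guarding both lines (e.g. skip them when `unshare -T true` fails outside systemd-run). Separately, the commit message names `RestrictNamespaces=time` (allow-list) as the case that should fail, while this test only covers `~time` (deny-list); under the allow-list semantics described in the man page hunk, `-p RestrictNamespaces=time unshare -T true` is expected to succeed and `-p RestrictNamespaces=uts unshare -T true` to fail, so adding those two cases would pin down both directions and resolve the ambiguity in the message.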