core: Disable pid namespacing for control processes

PID namespaces frankly don't make any sense for control processes, so let's gracefully degrade to no pid namespaces for control processes.
2025-03-21 09:41:15 +01:00 · 2025-03-21 09:41:15 +01:00 · 8f92f05192
parent abc6842c2a
commit 8f92f05192
5 changed files with 12 additions and 8 deletions
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@ -3614,7 +3614,7 @@ static int apply_mount_namespace(
                .private_dev = needs_sandboxing && context->private_devices,
                .private_network = needs_sandboxing && exec_needs_network_namespace(context),
                .private_ipc = needs_sandboxing && exec_needs_ipc_namespace(context),
-                .private_pids = needs_sandboxing && exec_needs_pid_namespace(context) ? context->private_pids : PRIVATE_PIDS_NO,
+                .private_pids = needs_sandboxing && exec_needs_pid_namespace(context, params) ? context->private_pids : PRIVATE_PIDS_NO,
                .private_tmp = needs_sandboxing ? context->private_tmp : PRIVATE_TMP_NO,

                .mount_apivfs = needs_sandboxing && exec_context_get_effective_mount_apivfs(context),
@ -4244,7 +4244,7 @@ static bool exec_context_needs_cap_sys_admin(const ExecContext *context, const E
               !strv_isempty(context->extension_directories) ||
               context->protect_system != PROTECT_SYSTEM_NO ||
               context->protect_home != PROTECT_HOME_NO ||
-               exec_needs_pid_namespace(context) ||
+               exec_needs_pid_namespace(context, params) ||
               context->protect_kernel_tunables ||
               context->protect_kernel_modules ||
               context->protect_kernel_logs ||
@ -4396,7 +4396,7 @@ static int setup_delegated_namespaces(

        /* Unshare a new PID namespace before setting up mounts to ensure /proc/ is mounted with only processes in PID namespace visible.
         * Note PrivatePIDs=yes implies MountAPIVFS=yes so we'll always ensure procfs is remounted. */
-        if (needs_sandboxing && exec_needs_pid_namespace(context) &&
+        if (needs_sandboxing && exec_needs_pid_namespace(context, params) &&
            exec_namespace_is_delegated(context, params, have_cap_sys_admin, CLONE_NEWPID) == delegate) {
                if (params->pidref_transport_fd < 0) {
                        *reterr_exit_status = EXIT_NAMESPACE;
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -276,9 +276,13 @@ bool exec_is_cgroup_mount_read_only(const ExecContext *context, const ExecParame
        return IN_SET(exec_get_protect_control_groups(context, params), PROTECT_CONTROL_GROUPS_YES, PROTECT_CONTROL_GROUPS_STRICT);
 }

-bool exec_needs_pid_namespace(const ExecContext *context) {
+bool exec_needs_pid_namespace(const ExecContext *context, const ExecParameters *params) {
        assert(context);

+        /* PID namespaces don't really make sense for control processes so let's not use them for those. */
+        if (params && FLAGS_SET(params->flags, EXEC_IS_CONTROL))
+                return false;
+
        return context->private_pids != PRIVATE_PIDS_NO && ns_type_supported(NAMESPACE_PID);
 }

@ -335,7 +339,7 @@ bool exec_needs_mount_namespace(
            context->protect_proc != PROTECT_PROC_DEFAULT ||
            context->proc_subset != PROC_SUBSET_ALL ||
            exec_needs_ipc_namespace(context) ||
-            exec_needs_pid_namespace(context))
+            exec_needs_pid_namespace(context, params))
                return true;

        if (context->root_directory) {
--- a/src/core/execute.h
+++ b/src/core/execute.h
@ -629,7 +629,7 @@ ExecDirectoryType exec_resource_type_from_string(const char *s) _pure_;
 bool exec_needs_mount_namespace(const ExecContext *context, const ExecParameters *params, const ExecRuntime *runtime);
 bool exec_needs_network_namespace(const ExecContext *context);
 bool exec_needs_ipc_namespace(const ExecContext *context);
-bool exec_needs_pid_namespace(const ExecContext *context);
+bool exec_needs_pid_namespace(const ExecContext *context, const ExecParameters *params);

 ProtectControlGroups exec_get_protect_control_groups(const ExecContext *context, const ExecParameters *params);
 bool exec_needs_cgroup_namespace(const ExecContext *context, const ExecParameters *params);
--- a/src/core/service.c
+++ b/src/core/service.c
@ -711,7 +711,7 @@ static int service_verify(Service *s) {
        if (s->type == SERVICE_DBUS && !s->bus_name)
                return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Service is of type D-Bus but no D-Bus service name has been specified. Refusing.");

-        if (s->type == SERVICE_FORKING && exec_needs_pid_namespace(&s->exec_context))
+        if (s->type == SERVICE_FORKING && exec_needs_pid_namespace(&s->exec_context, /* params= */ NULL))
                return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Service of Type=forking does not support PrivatePIDs=yes. Refusing.");

        if (s->usb_function_descriptors && !s->usb_function_strings)
--- a/src/core/unit.c
+++ b/src/core/unit.c
@ -4181,7 +4181,7 @@ static int unit_verify_contexts(const Unit *u) {
            exec_needs_mount_namespace(ec, /* params = */ NULL, /* runtime = */ NULL))
                return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "WorkingDirectory= may not be below /proc/, /sys/ or /dev/ when using mount namespacing. Refusing.");

-        if (exec_needs_pid_namespace(ec) && !UNIT_VTABLE(u)->notify_pidref)
+        if (exec_needs_pid_namespace(ec, /* params= */ NULL) && !UNIT_VTABLE(u)->notify_pidref)
                return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "PrivatePIDs= setting is only supported for service units. Refusing.");

        const KillContext *kc = unit_get_kill_context(u);