From 0ef48896d9f23b9fd547a532a4e6e6b8f8b12901 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>

Date: Wed, 23 Nov 2022 16:09:56 +0100

Subject: [PATCH 2/2] pam: add a call to pam_namespace

A call to pam_namespace is required so that children of user@.service end up in

a namespace as expected. pam_namespace gets called as part of the stack that

creates a session (login, sshd, gdm, etc.) and those processes end up in a

namespace, but it also needs to be called from our stack which is parallel and

descends from pid1 itself.

The call to pam_namespace is similar to the call to pam_keyinit that was added

in ab79099d1684457d040ee7c28b2012e8c1ea9a4f. The pam stack for user@.service

creates a new session which is disconnected from the parent environment. Both

calls are not suitable for inclusion in the shared part of the stack (e.g.

@system-auth on Fedora/RHEL systems), because for example su/sudo/runuser

should not include them.

Fixes #17043 (Allow to execute user service into dedicated namespace

              if pam_namespace enabled)

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836

(Polyinstantiation is ignored/bypassed in GNOME sessions)

---

 src/login/systemd-user.in | 1 +

 1 file changed, 1 insertion(+)

diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in

index d5597d28cb..06f7e36458 100644

--- a/src/login/systemd-user.in

+++ b/src/login/systemd-user.in

@@ -15,6 +15,7 @@ session  required pam_selinux.so nottys open

 {% endif %}

 session  required pam_loginuid.so

 session  optional pam_keyinit.so force revoke

+session  required pam_namespace.so

 {% if ENABLE_HOMED %}

 -session  optional pam_systemd_home.so

 {% endif %}

-- 

2.38.1