Re: namespace problem

On Thu, Jul 18, 2024 at 2:14 PM Thomas Köller <thomas@xxxxxxxxxxxxxxxxxx> wrote:
>> Does it use any hardening options at all?
>
> Thanks for the hint. It seems this is an undocumented side effect of
> 'ProtectSystem = full'. From reading the docs I got the impression that
> only file system access is affected by this parameter.

Yes, but namespace persistence actually relies on filesystem access – it's implemented as a bind-mount of the namespace file descriptor (onto /run/netns for the 'ip netns' tool), as otherwise namespaces only exist as long as there are processes that hold them.

So if you have any service options that cause a new *mount* namespace to be created (preventing its filesystem mounts from being visible outside the unit), then it cannot pin persistent network namespaces.

(It's also a bit overkill to use ProtectSystem for this kind of script, really.)

--
Mantas Mikulėnas
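As an added example (not part of the thread, and not code from Mantas or from systemd), the following POSIX shell script performs the check a practitioner would want after reading the reply above: given a unit file's text, it lists the [Service] directives that put the service into its own mount namespace, which is exactly the condition under which 'ip netns add' run from the unit cannot pin a persistent namespace. The directive list is taken from the "file system namespace related options" described in systemd.exec(5) and is an approximation rather than a complete rule; the two unit files are constructed for the example, one resembling the ProtectSystem=full unit discussed above and one with the directive switched off.

```shell
#!/bin/sh
# Added example (not from the original thread). Scans a systemd unit file's
# text for [Service] directives that, per systemd.exec(5), run the service in
# a private mount namespace. Inside such a namespace the bind-mount that
# 'ip netns add' places under /run/netns is visible only to the unit itself,
# so the network namespace disappears once the unit's processes exit.

# Directives that imply a private mount namespace. Assumption: this list is
# drawn from the file-system-namespace options in systemd.exec(5) and may not
# be exhaustive for every systemd version.
MOUNTNS_DIRECTIVES='ProtectSystem|ProtectHome|PrivateTmp|PrivateDevices|PrivateMounts|ProtectKernelTunables|ProtectKernelLogs|ProtectControlGroups|ProtectProc|ProcSubset|ReadOnlyPaths|ReadWritePaths|InaccessiblePaths|BindPaths|BindReadOnlyPaths|TemporaryFileSystem|RootDirectory|RootImage|MountFlags'

# mountns_directives UNIT_TEXT
# Prints every "Key=Value" line that turns on one of the directives above,
# one per line; prints nothing if there are none. Lines that merely reset a
# directive (e.g. "ProtectSystem=no" or "ReadOnlyPaths=") are ignored.
mountns_directives() {
    printf '%s\n' "$1" \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -E "^($MOUNTNS_DIRECTIVES)=" \
        | grep -Ev '^[A-Za-z]+=(no|false|off|0)?$' || true
}

# unit_can_pin_netns UNIT_TEXT
# Exit status 0 when the unit has no mount-namespace directive, i.e. an
# 'ip netns add NAME' in its ExecStart= leaves a persistent /run/netns/NAME;
# exit status 1 when a directive would confine the bind-mount to the unit.
unit_can_pin_netns() {
    [ -z "$(mountns_directives "$1")" ]
}

# Constructed sample units (not taken from the thread). The first one is the
# hardened shape discussed above; the second only differs in ProtectSystem=.
HARDENED_UNIT='[Unit]
Description=create a persistent test network namespace

[Service]
Type=oneshot
ProtectSystem=full
ExecStart=/usr/sbin/ip netns add lab'

PLAIN_UNIT='[Unit]
Description=create a persistent test network namespace

[Service]
Type=oneshot
ProtectSystem=no
ExecStart=/usr/sbin/ip netns add lab'

# report NAME UNIT_TEXT: print a one-line verdict for a unit.
report() {
    if unit_can_pin_netns "$2"; then
        printf '%s: no private mount namespace, /run/netns entries persist\n' "$1"
    else
        printf '%s: private mount namespace via %s; /run/netns entries vanish with the unit\n' \
            "$1" "$(mountns_directives "$2" | tr '\n' ' ')"
    fi
}

report hardened.service "$HARDENED_UNIT"
report plain.service "$PLAIN_UNIT"
```

To run it against a real unit, feed it the output of `systemctl cat NAME.service`, which includes any drop-in overrides. The same effect can be reproduced by hand on a test box as root with `unshare -m` (util-linux makes the new mount namespace private by default): an `ip netns add` inside that shell shows up in its own `ls /run/netns` but not in a second shell outside it.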
