author: Daan De Meyer <daan.j.demeyer@gmail.com> 2024-08-29 17:10:46 +0200
committer: Ryan Wilson <ryantimwilson@meta.com> 2024-11-05 14:32:02 +0100
commit: 406f1775017a5631bc91a1f53ac5e50f4fbfac0c (patch)
tree: a47f9ee6d0b9e1b036300949e2d803d676497946 /NEWS
parent: exec-invoke: Add debug logging for setup_private_users() (diff)
core: Introduce PrivatePIDs=
This new setting allows unsharing the pid namespace in a unit. Because you have to fork to get a process into a pid namespace, we fork in systemd-executor to get into the new pid namespace. The parent then sends the pid of the child process back to the manager and exits while the child process continues on with the rest of exec_invoke() and then executes the actual payload. Communicating the child pid is done via a new pidref socket pair that is set up on manager startup.

We unshare the PID namespace right before the mount namespace so we mount procfs correctly. Note PrivatePIDs=yes always implies MountAPIVFS=yes to mount procfs.

When running unprivileged in a user session, user namespace is set up first to allow for PID namespace to be unshared. However, when running in privileged mode, we unshare the user namespace last to ensure the user namespace does not own the PID namespace and cannot break out of the sandbox.

Note we disallow Type=forking services from using PrivatePIDs=yes since the init process inside the PID namespace must not exit for other processes in the namespace to exist.

Note Daan De Meyer did the original work for this commit with Ryan Wilson addressing follow-ups.

Co-authored-by: Daan De Meyer <daan.j.demeyer@gmail.com>
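The commit message above describes three mechanics that are easy to get wrong when building a PID sandbox: unshare(CLONE_NEWPID) does not move the caller into the new namespace, so a fork is required and the child becomes PID 1; an unprivileged caller needs a user namespace first in order to hold CAP_SYS_ADMIN for the PID namespace; and the mount namespace (and the fresh procfs mount) must be created after the PID namespace so that /proc shows only the namespaced processes. The following C program is an added illustration written for this page and is not systemd's code; it uses raw syscalls rather than the executor/manager pidref socket pair the commit describes, and it treats EPERM and similar errors from the kernel or a sandbox as "unsupported here" rather than as a failure. The function name private_pids_demo() and the DEMO_* codes are assumptions of this example.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes for private_pids_demo() (names assumed for this example). */
#define DEMO_OK          1   /* child ran as PID 1 of a fresh PID namespace */
#define DEMO_UNSUPPORTED 0   /* kernel or sandbox refused the namespace setup */
#define DEMO_FAIL       -1   /* a step that should have worked did not */

struct child_report {
    int is_pid1;       /* child observed getpid() == 1 */
    int visible_pids;  /* numeric entries in a freshly mounted /proc, -1 if not mounted */
};

/* Map "not permitted in this environment" errors to DEMO_UNSUPPORTED. */
static int classify_errno(void) {
    switch (errno) {
    case EPERM: case EACCES: case EINVAL: case ENOSYS: case ENOSPC: case EUSERS:
        return DEMO_UNSUPPORTED;
    default:
        return DEMO_FAIL;
    }
}

/* Count /proc entries whose names are all digits, i.e. processes visible through it. */
static int count_visible_pids(void) {
    DIR *d = opendir("/proc");
    if (!d)
        return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d))) {
        const char *p = e->d_name;
        while (*p && isdigit((unsigned char)*p))
            p++;
        if (*p == '\0' && e->d_name[0] != '\0')
            n++;
    }
    closedir(d);
    return n;
}

int private_pids_demo(int *visible_pids_out) {
    pid_t self = getpid();

    /* Unprivileged order: user namespace first, so the caller holds CAP_SYS_ADMIN
       in it and may then unshare a PID namespace. (The commit's privileged path
       instead unshares the user namespace last, after the PID namespace.) */
    if (geteuid() != 0 && unshare(CLONE_NEWUSER) < 0)
        return classify_errno();
    if (unshare(CLONE_NEWPID) < 0)
        return classify_errno();

    /* unshare(CLONE_NEWPID) does not move the caller: only children land in the
       new namespace, which is why a fork is unavoidable. */
    if (getpid() != self)
        return DEMO_FAIL;

    int fds[2];
    if (pipe(fds) < 0)
        return DEMO_FAIL;
    pid_t child = fork();
    if (child < 0)
        return classify_errno();

    if (child == 0) {
        struct child_report r = { .is_pid1 = getpid() == 1, .visible_pids = -1 };
        /* Mount namespace after the PID namespace: the procfs mounted here is bound
           to the new PID namespace and therefore lists only its processes. */
        if (unshare(CLONE_NEWNS) == 0 &&
            mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == 0 &&
            mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) == 0)
            r.visible_pids = count_visible_pids();
        close(fds[0]);
        if (write(fds[1], &r, sizeof r) < 0)
            _exit(1);
        _exit(0);  /* PID 1 exiting tears down the namespace, as the commit notes */
    }

    close(fds[1]);
    struct child_report r = { 0, -1 };
    ssize_t n = read(fds[0], &r, sizeof r);
    close(fds[0]);
    waitpid(child, NULL, 0);
    if (n != (ssize_t)sizeof r || !r.is_pid1)
        return DEMO_FAIL;
    if (visible_pids_out)
        *visible_pids_out = r.visible_pids;
    return DEMO_OK;
}

int main(void) {
    int visible = -1;
    int rc = private_pids_demo(&visible);
    if (rc == DEMO_OK)
        printf("child ran as PID 1; freshly mounted /proc listed %d process(es)\n", visible);
    else if (rc == DEMO_UNSUPPORTED)
        printf("namespace setup not permitted in this environment\n");
    else
        printf("unexpected failure\n");
    return rc < 0;
}
```

On a host that permits unprivileged user namespaces the child reports PID 1 and the remounted /proc lists exactly one process (the child itself), which is the isolation PrivatePIDs= gives a service; where /proc cannot be remounted (for example under a container runtime that masks parts of it) the child still runs as PID 1 but visible_pids stays -1, which is the case the commit's MountAPIVFS=yes requirement exists to avoid.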
Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 6d4b5b7461..03f61e99c7 100644
--- a/NEWS
+++ b/NEWS
@@ -254,6 +254,11 @@ CHANGES WITH 257 in spe:
the "nobody" user to the dynamic user, rather than via recursive
chown()ing.
+ * A new service property PrivatePIDs= has been added that runs executed
+ processes as PID 1 - the init process - within their own PID namespace.
+ PrivatePIDs= also mounts /proc/ so only processes within the new PID
+ namespace are visible.
+
systemd-udevd:
* udev rules now set 'uaccess' for /dev/udmabuf, giving locally
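Review bot: The new NEWS entry omits two user-visible constraints that the commit message states and that administrators will hit when enabling the option: PrivatePIDs=yes implies MountAPIVFS=yes, and it is rejected for Type=forking services because the unit's main process is PID 1 of the namespace and must not exit. Suggest extending the entry along the lines of "PrivatePIDs= implies MountAPIVFS=yes and cannot be combined with Type=forking." It would also help to mention that in unprivileged (user session) mode the PID namespace is created inside a user namespace, since the ordering differs from the system manager case and affects what the sandbox can enforce.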