From c8e795b373140f2e7079bcda706862ddcbe9ad66 Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Wed, 28 Jun 2023 15:00:16 +0200 Subject: [PATCH] pam: add a call to pam_namespace A call to pam_namespace is required so that children of user@.service end up in a namespace as expected. pam_namespace gets called as part of the stack that creates a session (login, sshd, gdm, etc.) and those processes end up in a namespace, but it also needs to be called from our stack which is parallel and descends from pid1 itself. The call to pam_namespace is similar to the call to pam_keyinit that was added in ab79099. The pam stack for user@.service creates a new session which is disconnected from the parent environment. Both calls are not suitable for inclusion in the shared part of the stack (e.g. @system-auth on Fedora/RHEL systems), because for example su/sudo/runuser should not include them. Fixes #17043 (Allow to execute user service into dedicated namespace if pam_namespace enabled) Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836 (Polyinstantiation is ignored/bypassed in GNOME sessions) rhel-only Resolves: #2218184 --- systemd-user | 1 + 1 file changed, 1 insertion(+) diff --git a/systemd-user b/systemd-user index a701acd..3a4cd2e 100644 --- a/systemd-user +++ b/systemd-user @@ -10,4 +10,5 @@ session required pam_selinux.so nottys open session required pam_loginuid.so session optional pam_keyinit.so force revoke session optional pam_umask.so silent +session required pam_namespace.so session include system-auth
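Review bot: the new line `+session required pam_namespace.so` uses the `required` control, so if the module is missing or fails (for example a malformed /etc/security/namespace.conf or a polyinstantiation directory that cannot be set up), the user@.service session open fails for every user, whereas the neighbouring `session optional pam_keyinit.so force revoke` in the same hunk degrades gracefully. If failing closed is the intended behaviour, the commit message should say so explicitly (it currently only says the call "is required" for the namespace to be applied); otherwise consider `session optional pam_namespace.so` to match pam_keyinit.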