Check whether we can use PID namespaces

In unprivileged podman containers, /proc is not fully visible (there are other filesystems mounted on subdirectories of /proc). Therefore we can't mount a new /proc in the sandbox that matches the PID namespace of the sandbox. So this commit automatically disables sandboxing if /proc is not fully visible.
author: Eelco Dolstra <edolstra@gmail.com> 2023-01-27 15:25:56 +0100
committer: Eelco Dolstra <edolstra@gmail.com> 2023-02-07 22:51:53 +0100
commit: bc1d9fd8b5a14334af1d0455e6b4d595cae959d5 (patch)
tree: 0d2c294a900597ee2ae9b09e39d9f8cd98077343 /src/libutil/namespaces.hh
parent: fb2f7f5dcc6b37a4f39f59d9f477d3fa57d79095 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/src/libutil/namespaces.hh b/src/libutil/namespaces.hh
index 4ed6cb683..ad7bb559e 100644
--- a/src/libutil/namespaces.hh
+++ b/src/libutil/namespaces.hh
@@ -6,4 +6,6 @@ bool userNamespacesSupported();
 
 bool mountNamespacesSupported();
 
+bool pidNamespacesSupported();
+
 }
author	Eelco Dolstra <edolstra@gmail.com>	2023-01-27 15:25:56 +0100
committer	Eelco Dolstra <edolstra@gmail.com>	2023-02-07 22:51:53 +0100
commit	bc1d9fd8b5a14334af1d0455e6b4d595cae959d5 (patch)
tree	0d2c294a900597ee2ae9b09e39d9f8cd98077343 /src/libutil/namespaces.hh
parent	fb2f7f5dcc6b37a4f39f59d9f477d3fa57d79095 (diff)