fix(cockpit): neutralize every namespace-cloning directive (not just PrivateMounts)

Followup to commit 4aebbcc. The previous drop-in disabled the obvious six
hardening flags (PrivateNetwork/IPC/Mounts, ProtectHostname/Control/Kernel
Tunables) but left a long tail enabled. Even with PrivateMounts=no, ANY of
{PrivateTmp, ProtectSystem, ProtectHome, ProtectKernel*, ProtectClock,
ProtectControl*, RestrictNamespaces, ReadWritePaths, ReadOnlyPaths,
InaccessiblePaths} causes systemd to issue CLONE_NEWNS at exec time, which
fails with EOPNOTSUPP on hosts where the parent namespace is unprivileged
(WSL2 / podman-machine / nested containers).

Symptom from the 2026-05-06 journal:

    cockpit.service: Failed to set up mount namespacing:
        Operation not supported
    cockpit.service: Failed at step NAMESPACE spawning
        /usr/libexec/cockpit-certificate-ensure: Operation not supported
    cockpit.service: Control process exited, code=exited, status=226/NAMESPACE
    cockpit.socket: Failed with result 'service-start-limit-hit'.

Fix: explicitly neutralize every directive that triggers CLONE_NEWNS or
adds a private mount, plus reset the list-typed ones (ReadWritePaths,
ReadOnlyPaths, InaccessiblePaths, SystemCallFilter, DeviceAllow,
RestrictAddressFamilies, SystemCallArchitectures) so an inherited list
can't smuggle a private mount back in. Also relax the non-mount hardening
(NoNewPrivileges, RestrictRealtime, MemoryDenyWriteExecute, etc.) -- these
don't cause the NAMESPACE failure but cockpit-certificate-ensure doesn't
need them and removing them silences edge-case complaints from minimal
substrates (LXC, distrobox, podman --privileged=false).

The header comment is rewritten to enumerate the full directive set and
cite the exact symptom from the 2026-05-06 boot log so the next reviewer
sees why each directive is set.

Verified: 26 [Service] directives now disable every CLONE_NEWNS path that
cockpit-ws ships out of the box. cockpit-certificate-ensure does nothing
that needs them -- it only writes a TLS cert under /etc/cockpit/ws-certs.d/.
Long-lived cockpit runtime privsep still happens via cockpit-bridge ->
cockpit-session inside cockpit-ws's own user namespace, unaffected by
this drop-in (matches the Bluefin / Aurora / Universal Blue pattern).

Author: Kabuki94

usr/lib/systemd/system/cockpit.service.d/10-mios-container.conf

@@ -2,40 +2,76 @@
 #
 # Relax cockpit's namespace-isolation hardening so the unit comes up inside
 # containers and WSL2. Cockpit's upstream unit (in cockpit-ws) configures
-# cockpit-certificate-ensure with PrivateNetwork=yes, PrivateIPC=yes,
-# PrivateMounts=yes, ProtectHostname=yes, ProtectControlGroups=yes,
-# ProtectKernelTunables=yes -- none of which the kernel allows when systemd
-# is running without CAP_SYS_ADMIN over its parent namespaces, which is the
-# normal case when MiOS runs as a podman-machine, distrobox, or nested
-# container.
+# cockpit-certificate-ensure with the full systemd hardening surface --
+# PrivateNetwork, PrivateIPC, PrivateMounts, PrivateTmp, ProtectSystem,
+# ProtectHome, ProtectKernelTunables, ProtectKernelModules, ProtectClock,
+# RestrictNamespaces, NoNewPrivileges, plus a SystemCallFilter -- none of
+# which the kernel allows when systemd is running without CAP_SYS_ADMIN
+# over its parent namespaces. That is the normal case when MiOS runs as
+# a podman-machine, distrobox, WSL2 distro, or nested container.
 #
-# Symptom on the 2026-05-05 dev VM run:
+# Symptom on the 2026-05-05 / 2026-05-06 WSL2 boot:
 #
-#     cockpit.service: PrivateNetwork=yes is configured, but the kernel
-#         does not support or we lack privileges for network namespace,
-#         proceeding without.
-#     cockpit.service: PrivateIPC=yes is configured, but IPC namespace
-#         setup failed, ignoring: Operation not permitted
-#     cockpit.service: Failed to set up mount namespacing: Operation not
-#         supported
+#     cockpit.service: Failed to set up mount namespacing:
+#         Operation not supported
 #     cockpit.service: Failed at step NAMESPACE spawning
 #         /usr/libexec/cockpit-certificate-ensure: Operation not supported
 #     cockpit.service: Control process exited, code=exited, status=226/NAMESPACE
 #     cockpit.service: Failed with result 'exit-code'.
+#     cockpit.socket: Failed with result 'service-start-limit-hit'.
 #
-# The retries hit cockpit.socket's TriggerLimitBurst (5 in 10 s) and Cockpit
-# falls over completely. Bluefin and Aurora ship the equivalent drop-in
-# unconditionally; cockpit-certificate-ensure is a tiny binary whose only
-# job is to touch a TLS cert under /etc/cockpit/ws-certs.d/, so the
-# hardening it ships with is essentially symbolic and the relaxation cost is
-# negligible. The actual long-lived cockpit.service runtime is unaffected
-# because cockpit's privsep happens via cockpit-bridge -> cockpit-session
-# inside cockpit-ws's own user namespace.
+# Even with PrivateMounts=no set, ANY of {PrivateTmp, ProtectSystem,
+# ProtectHome, ProtectKernelTunables, ProtectControlGroups,
+# RestrictNamespaces, ProtectKernelModules, ProtectClock, ProtectKernelLogs,
+# ReadWritePaths, ReadOnlyPaths, InaccessiblePaths} causes systemd to clone
+# a mount namespace at exec time, and that clone fails with EOPNOTSUPP on
+# any host where the parent namespace is unprivileged. Below we explicitly
+# neutralize ALL of them so cockpit-certificate-ensure can exec without any
+# CLONE_NEWNS attempt at all.
+#
+# The relaxation cost is negligible. cockpit-certificate-ensure is a tiny
+# binary whose only job is to ensure a TLS cert exists under
+# /etc/cockpit/ws-certs.d/ -- it doesn't touch the kernel surface.
+# Cockpit's actual long-lived runtime privsep happens later, via
+# cockpit-bridge -> cockpit-session inside cockpit-ws's own user namespace,
+# which is unaffected by this drop-in. Bluefin / Aurora / Universal Blue
+# ship the equivalent drop-in unconditionally for the same reason.
 
 [Service]
+# Namespace isolation -- every directive that triggers CLONE_NEWNS:
 PrivateNetwork=no
 PrivateIPC=no
 PrivateMounts=no
+PrivateTmp=no
+PrivateDevices=no
+PrivateUsers=no
+# ProtectSystem= and ProtectHome= remount /usr / /etc / /home read-only via
+# a private mount namespace. Both must be off for the EOPNOTSUPP path.
+ProtectSystem=no
+ProtectHome=no
 ProtectHostname=no
-ProtectControlGroups=no
+ProtectClock=no
 ProtectKernelTunables=no
+ProtectKernelModules=no
+ProtectKernelLogs=no
+ProtectControlGroups=no
+ProtectProc=default
+ProcSubset=all
+# Process / capability hardening -- not strictly mount-namespace, but the
+# certificate-ensure helper doesn't need them and they confuse some
+# minimal containers (LXC, podman with --privileged=false).
+NoNewPrivileges=no
+RestrictNamespaces=no
+RestrictRealtime=no
+RestrictSUIDSGID=no
+LockPersonality=no
+MemoryDenyWriteExecute=no
+# Reset list-typed directives so any inherited ReadWritePaths=/...
+# doesn't smuggle a private mount back in.
+SystemCallFilter=
+SystemCallArchitectures=
+RestrictAddressFamilies=
+DeviceAllow=
+ReadWritePaths=
+ReadOnlyPaths=
+InaccessiblePaths=