bunpen: run process inside a new user namespace

pkgs/additional/bunpen/main.ha

@@ -36,6 +36,7 @@ export fn main() void = {
   };
 
   rtext::no_new_privs();
+  restrict::namespace_restrict(&what);
   restrict::landlock_restrict(&what);
   if (opts.drop_shell) {
     do_exec(["/bin/sh"]);

pkgs/additional/bunpen/restrict/namespace.ha

@@ -0,0 +1,9 @@
+// vim: set shiftwidth=2 :
+use rtext;
+
+export fn namespace_restrict(what: *resources) void = {
+  rtext::unshare(rtext::CLONE_NEWUSER)!;
+  // let clone_flags = SIGCHLD | CLONE_NEWNS | CLONE_NEWUSER;
+  // TODO: CLONE_NEWNET, CLONE_NEWIPC, CLONE_NEWUTS, CLONE_NEWCGROUP,
+  // CLONE_NEWPID (might not work without forking to also become reaper)
+};

pkgs/additional/bunpen/rtext/namespace.ha

@@ -0,0 +1,39 @@
+// vim: set shiftwidth=2 :
+use rt;
+
+//// for use with `setns`, `unshare`, `clone` syscalls
+// new time namespace. calling process is NOT moved into the namespace.
+export const CLONE_NEWTIME: u64 = 0x00000080;
+
+// new mount namespace.
+// CLONE_NEWNS implies CLONE_FS.
+export const CLONE_NEWNS: u64 = 0x00020000;
+
+export const CLONE_NEWCGROUP: u64 = 0x02000000;
+
+// new utsname namespace
+export const CLONE_NEWUTS: u64 = 0x04000000;
+
+// CLONE_NEWIPC implies CLONE_SYSVSEM.
+export const CLONE_NEWIPC: u64 = 0x08000000;
+
+// CLONE_NEWUSER implies CLONE_THREAD and CLONE_FS.
+// calling process must NOT be multi-threaded.
+export const CLONE_NEWUSER: u64 = 0x10000000;
+
+// new process ID namespace. calling process is NOT moved into the namespace.
+// the first new child spawned becomes pid 1 and has the role of init(1).
+// CLONE_NEWPID implies CLONE_THREAD.
+export const CLONE_NEWPID: u64 = 0x20000000;
+
+export const CLONE_NEWNET: u64 = 0x40000000;
+
+// additional CLONE flags in kernel, omitted until i need them.
+
+// export fn setns(ns_fd: i32, nstype: i32) (rt::errno | u64) = {
+//   return syscall(rt::SYS_setns, ns_fd: u64, nstype: u64);
+// };
+
+export fn unshare(flags: u64) (rt::errno | u64) = {
+  return syscall(rt::SYS_unshare, flags);
+};