removed support for linux namespaces; they don't provide any advantage over seccomp

configure.ac

@@ -291,29 +291,6 @@ AC_LIB_HAVE_LINKFLAGS(seccomp,, [#include <seccomp.h>
  fi
 fi
 
-AC_ARG_ENABLE(linux-namespaces,
-  AS_HELP_STRING([--enable-linux-namespaces], [enable support for namespaces (containers) in Linux]),
-    linux_ns_enabled=$enableval, linux_ns_enabled=no)
-
-if [ test "$linux_ns_enabled" = "yes" ];then
-AC_MSG_CHECKING([for Linux namespaces])
-dnl We use Linux namespaces only in the platforms clone() works as expected
-AC_LINK_IFELSE([AC_LANG_PROGRAM([
-		   #include <sched.h>
-		   #include <linux/sched.h>],[
-		   #if defined(__i386__) || defined(__arm__) || defined(__x86_64__) || defined(__mips__)
-		   unshare(CLONE_NEWPID|CLONE_NEWIPC);
-		   #else
-		   # error 1
-		   #endif])],
-		  [AC_MSG_RESULT(yes)
-	  	   AC_DEFINE([ENABLE_LINUX_NS], 1, [Enable Linux namespaces support])
-		   linux_ns_enabled=yes],
-		  [AC_MSG_RESULT(no)
-		   linux_ns_enabled=no
-])
-fi
-
 AC_ARG_ENABLE(systemd,
   AS_HELP_STRING([--disable-systemd], [disable systemd support]),
     systemd_enabled=$enableval, systemd_enabled=yes)
@@ -510,7 +487,6 @@ Summary of build options:
 AC_MSG_NOTICE([
 
 Experimental (not recommended) options:
-  Linux namespaces:     ${linux_ns_enabled}
   dbus:                 ${dbus_enabled}
 ])
 

src/main.c

@@ -893,8 +893,6 @@ static int check_tcp_wrapper(int fd)
 # define check_tcp_wrapper(x) 0
 #endif
 
-typedef pid_t (*fork_func)(void);
-
 int main(int argc, char** argv)
 {
 	int fd, pid, e;
@@ -917,7 +915,6 @@ int main(int argc, char** argv)
 	sigset_t emptyset, blockset;
 	/* tls credentials */
 	struct tls_st creds;
-	fork_func our_fork = fork;
 
 #ifdef DEBUG_LEAKS
 	talloc_enable_leak_report_full();
@@ -1015,10 +1012,6 @@ int main(int argc, char** argv)
 		}
 	}
 
-	/* override the default fork function */
-	if (s->config->isolate)
-		our_fork = safe_fork;
-
 	write_pid_file();
 
 	s->sec_mod_fd = run_sec_mod(s);
@@ -1173,7 +1166,7 @@ int main(int argc, char** argv)
 					break;
 				}
 
-				pid = our_fork();
+				pid = fork();
 				if (pid == 0) {	/* child */
 					/* close any open descriptors, and erase
 					 * sensitive data before running the worker

src/system.c

@@ -21,11 +21,6 @@
 #include <unistd.h>
 #ifdef __linux__
 # include <sys/prctl.h>
-# if defined(ENABLE_LINUX_NS)
-#  include <sched.h>
-#  include <linux/sched.h>
-#  include <sys/syscall.h>
-# endif
 #endif
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -54,23 +49,6 @@ void pr_set_undumpable(const char *mod)
 #endif
 }
 
-#if defined(__linux__) && defined(ENABLE_LINUX_NS)
-pid_t safe_fork(void)
-{
-	long ret;
-	/* fork: 100%
-	 * CLONE_NEWPID|CLONE_NEWNET|CLONE_NEWIPC: 3%
-	 * CLONE_NEWPID|CLONE_NEWIPC: 27%
-	 * CLONE_NEWPID: 36%
-	 */
-	int flags = SIGCHLD|CLONE_NEWPID|CLONE_NEWIPC;
-	ret = syscall(SYS_clone, flags, 0, 0, 0);
-	if (ret == 0 && syscall(SYS_getpid)!= 1)
-		return -1;
-	return ret;
-}
-#endif
-
 SIGHANDLER_T ocsignal(int signum, SIGHANDLER_T handler)
 {
 	struct sigaction new_action, old_action;

src/system.h

@@ -36,12 +36,6 @@ typedef void (*sighandler_t)(int);
 # define SIGHANDLER_T sighandler_t
 #endif
 
-#if defined(__linux__) && defined(ENABLE_LINUX_NS)
-pid_t safe_fork(void);
-#else
-# define safe_fork fork
-#endif
-
 void pr_set_undumpable(const char* mod);
 void kill_on_parent_kill(int sig);