build-sys: make the dynamic UID range, and the container UID range configurable

Also, export these ranges in our pkg-config files.
Lennart Poettering 2017-12-02 12:48:31 +01:00
parent 6a483c5b2f
commit 87d5e4f286
6 changed files with 39 additions and 18 deletions


@ -614,9 +614,6 @@ conf.set('SYSTEM_UID_MAX', system_uid_max)
substs.set('systemuidmax', system_uid_max)
message('maximum system UID is @0@'.format(system_uid_max))
conf.set_quoted('NOBODY_USER_NAME', get_option('nobody-user'))
conf.set_quoted('NOBODY_GROUP_NAME', get_option('nobody-group'))
system_gid_max = get_option('system-gid-max')
if system_gid_max == ''
system_gid_max = run_command(
@ -629,6 +626,23 @@ conf.set('SYSTEM_GID_MAX', system_gid_max)
substs.set('systemgidmax', system_gid_max)
message('maximum system GID is @0@'.format(system_gid_max))
dynamic_uid_min = get_option('dynamic-uid-min').to_int()
dynamic_uid_max = get_option('dynamic-uid-max').to_int()
conf.set('DYNAMIC_UID_MIN', dynamic_uid_min)
conf.set('DYNAMIC_UID_MAX', dynamic_uid_max)
substs.set('dynamicuidmin', dynamic_uid_min)
substs.set('dynamicuidmax', dynamic_uid_max)
container_uid_base_min = get_option('container-uid-base-min').to_int()
container_uid_base_max = get_option('container-uid-base-max').to_int()
conf.set('CONTAINER_UID_BASE_MIN', container_uid_base_min)
conf.set('CONTAINER_UID_BASE_MAX', container_uid_base_max)
substs.set('containeruidbasemin', container_uid_base_min)
substs.set('containeruidbasemax', container_uid_base_max)
conf.set_quoted('NOBODY_USER_NAME', get_option('nobody-user'))
conf.set_quoted('NOBODY_GROUP_NAME', get_option('nobody-group'))
tty_gid = get_option('tty-gid')
conf.set('TTY_GID', tty_gid)
substs.set('TTY_GID', tty_gid)
@ -2506,6 +2520,10 @@ status = [
'users GID: @0@'.format(users_gid),
'maximum system UID: @0@'.format(system_uid_max),
'maximum system GID: @0@'.format(system_gid_max),
'minimum dynamic UID: @0@'.format(dynamic_uid_min),
'maximum dynamic UID: @0@'.format(dynamic_uid_max),
'minimum container UID base: @0@'.format(container_uid_base_min),
'maximum container UID base: @0@'.format(container_uid_base_max),
'/dev/kvm access mode: @0@'.format(get_option('dev-kvm-mode')),
'render group access mode: @0@'.format(get_option('group-render-mode')),
'certificate root directory: @0@'.format(get_option('certificate-root')),
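Review bot: The four new ranges are converted with to_int() and written straight into conf/substs without any relation check, so a configure-time typo such as dynamic-uid-min above dynamic-uid-max, or container-uid-base-min equal to container-uid-base-max, is accepted silently and only surfaces at runtime (nspawn divides by the container range width, and the picked candidate is masked to a 64K boundary before being range-checked). The constraints that the removed header comments encoded — a non-empty range, 64K-aligned container bases, and a container maximum below 2^31 because devpts parses gid= as a signed value — are now user-controlled and should be asserted right after the substs.set() calls. The exact error wording is a suggestion; what matters is that a bad range fails at meson time rather than in nspawn.
```meson
# … unchanged: option parsing and conf/substs for the four ranges …
if dynamic_uid_min > dynamic_uid_max
        error('dynamic-uid-min (@0@) must not exceed dynamic-uid-max (@1@)'.format(dynamic_uid_min, dynamic_uid_max))
endif
if container_uid_base_min >= container_uid_base_max
        error('container-uid-base-min (@0@) must be below container-uid-base-max (@1@)'.format(container_uid_base_min, container_uid_base_max))
endif
if container_uid_base_min % 65536 != 0 or container_uid_base_max % 65536 != 0
        error('container-uid-base-min/max must be multiples of 65536 (nspawn picks 64K-aligned bases)')
endif
if container_uid_base_max >= 2147483648
        error('container-uid-base-max must stay below 2^31 (devpts parses gid= as a signed value)')
endif
```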


@ -147,6 +147,18 @@ option('system-uid-max', type : 'string',
description : 'maximum system UID')
option('system-gid-max', type : 'string',
description : 'maximum system GID')
option('dynamic-uid-min', type : 'string',
description : 'minimum dynamic UID',
value : '61184') # That's → 0x0000EF00 in hex
option('dynamic-uid-max', type : 'string',
description : 'maximum dynamic UID',
value : '65519') # That's → 0x0000FFEF in hex
option('container-uid-base-min', type : 'string',
description : 'minimum container UID base',
value : '524288') # That's → 0x00080000 in hex
option('container-uid-base-max', type : 'string',
description : 'maximum container UID base',
value : '1878982656') # That's → 0x6FFF0000 in hex
option('tty-gid', type : 'string',
description : 'the numeric GID of the "tty" group',
value : '5')
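Review bot: The defaults at value lines 61184/65519 and 524288/1878982656 carry only their hex form, while the reasoning behind those numbers — kept until now in the header comments this commit deletes — is not carried over anywhere, so a packager tuning these options has no hint about what breaks if they stray. I would restore it as comments above the option blocks, for example above dynamic-uid-min: `# Kept within the 16bit range so dynamic users work in containers using 16bit user namespacing; above UID 60000 (where e.g. Fedora stops allocating normal users) and below the nobody/overflow UIDs at the top of that range`, and above container-uid-base-min: `# devpts parses gid= as a signed value, so the base must stay in the lower half of the 32bit range; leave room at both ends for other subsystems' allocation ranges. nspawn masks the pick to a 64K boundary, so keep both bounds 64K-aligned`. These are the claims the removed comments made; I have not re-verified the Fedora allocation bound.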


@ -60,13 +60,6 @@ int take_etc_passwd_lock(const char *root);
#define UID_INVALID ((uid_t) -1)
#define GID_INVALID ((gid_t) -1)
/* Let's pick a UIDs within the 16bit range, so that we are compatible with containers using 16bit
* user namespacing. At least on Fedora normal users are allocated until UID 60000, hence do not
* allocate from below this. Also stay away from the upper end of the range as that is often used
* for overflow/nobody users. */
#define DYNAMIC_UID_MIN ((uid_t) UINT32_C(0x0000EF00))
#define DYNAMIC_UID_MAX ((uid_t) UINT32_C(0x0000FFEF))
static inline bool uid_is_dynamic(uid_t uid) {
return DYNAMIC_UID_MIN <= uid && uid <= DYNAMIC_UID_MAX;
}


@ -29,6 +29,10 @@ modulesloaddir=@modulesloaddir@
catalogdir=@catalogdir@
systemuidmax=@systemuidmax@
systemgidmax=@systemgidmax@
dynamicuidmin=@dynamicuidmin@
dynamicuidmax=@dynamicuidmax@
containeruidbasemin=@containeruidbasemin@
containeruidbasemax=@containeruidbasemax@
Name: systemd
Description: systemd System and Service Manager


@ -21,12 +21,6 @@
#include <sys/types.h>
/* Note that devpts's gid= parameter parses GIDs as signed values, hence we stay away from the upper half of the 32bit
* UID range here. We leave a bit of room at the lower end and a lot of room at the upper end, so that other subsystems
* may have their own allocation ranges too. */
#define UID_SHIFT_PICK_MIN ((uid_t) UINT32_C(0x00080000))
#define UID_SHIFT_PICK_MAX ((uid_t) UINT32_C(0x6FFF0000))
/* While we are chmod()ing a directory tree, we set the top-level UID base to this "busy" base, so that we can always
* recognize trees we are were chmod()ing recursively and got interrupted in */
#define UID_BUSY_BASE ((uid_t) UINT32_C(0xFFFE0000))


@ -2862,7 +2862,7 @@ static int uid_shift_pick(uid_t *shift, LockFile *ret_lock_file) {
if (--n_tries <= 0)
return -EBUSY;
if (candidate < UID_SHIFT_PICK_MIN || candidate > UID_SHIFT_PICK_MAX)
if (candidate < CONTAINER_UID_BASE_MIN || candidate > CONTAINER_UID_BASE_MAX)
goto next;
if ((candidate & UINT32_C(0xFFFF)) != 0)
goto next;
@ -2904,7 +2904,7 @@ static int uid_shift_pick(uid_t *shift, LockFile *ret_lock_file) {
} else
random_bytes(&candidate, sizeof(candidate));
candidate = (candidate % (UID_SHIFT_PICK_MAX - UID_SHIFT_PICK_MIN)) + UID_SHIFT_PICK_MIN;
candidate = (candidate % (CONTAINER_UID_BASE_MAX - CONTAINER_UID_BASE_MIN)) + CONTAINER_UID_BASE_MIN;
candidate &= (uid_t) UINT32_C(0xFFFF0000);
}
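Review bot: The modulo on the new line `candidate = (candidate % (CONTAINER_UID_BASE_MAX - CONTAINER_UID_BASE_MIN)) + CONTAINER_UID_BASE_MIN;` now divides by a configure-time difference, so a build with equal bounds divides by zero, and the `candidate &= 0xFFFF0000` that follows can round a candidate below CONTAINER_UID_BASE_MIN whenever that bound is not 64K-aligned, after which the range check earlier in the hunk rejects every try until n_tries runs out and the function returns -EBUSY. Since the bounds are no longer literals this file controls, pin the assumptions where they are relied on, e.g. `_Static_assert(CONTAINER_UID_BASE_MIN < CONTAINER_UID_BASE_MAX, "container UID base range must be non-empty");` and `_Static_assert((CONTAINER_UID_BASE_MIN & 0xFFFF) == 0 && (CONTAINER_UID_BASE_MAX & 0xFFFF) == 0, "container UID bases must be 64K-aligned");` (using the project's own static-assert helper if it has one). uid_shift_pick starts and ends outside the hunk, so there may be an existing check I cannot see.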
}