picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

nspawn: make -U a tiny bit smarter

Browse source 
With this change -U will turn on user namespacing only if the kernel actually
supports it and otherwise gracefully degrade to non-userns mode.
This commit is contained in:
Lennart Poettering 2016-04-22 14:10:09 +02:00
parent d2e5535f9d
commit ccabee0d64
3 changed files with 16 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
man/systemd-nspawn.xml
View file

@ -444,7 +444,9 @@
<varlistentry> <varlistentry>
<term><option>-U</option></term> <term><option>-U</option></term>
<listitem><para>Equivalent to <option>--private-users=pick</option>.</para></listitem> <listitem><para>If the kernel supports the user namespaces feature, equivalent to
<option>--private-users=pick</option>, otherwise equivalent to
<option>--private-users=no</option>.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>

5
src/basic/user-util.h
View file

@ -21,6 +21,7 @@
#include <stdbool.h> #include <stdbool.h>
#include <sys/types.h> #include <sys/types.h>
#include <unistd.h>
bool uid_is_valid(uid_t uid); bool uid_is_valid(uid_t uid);
@ -63,3 +64,7 @@ int take_etc_passwd_lock(const char *root);
#define PTR_TO_GID(p) ((gid_t) (((uintptr_t) (p))-1)) #define PTR_TO_GID(p) ((gid_t) (((uintptr_t) (p))-1))
#define GID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1)) #define GID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))
static inline bool userns_supported(void) {
return access("/proc/self/uid_map", F_OK) >= 0;
}

13
src/nspawn/nspawn.c
View file

@ -866,11 +866,14 @@ static int parse_argv(int argc, char *argv[]) {
break; break;
case 'U': case 'U':
arg_userns_mode = USER_NAMESPACE_PICK; if (userns_supported()) {
arg_uid_shift = UID_INVALID; arg_userns_mode = USER_NAMESPACE_PICK;
arg_uid_range = UINT32_C(0x10000); arg_uid_shift = UID_INVALID;
arg_uid_range = UINT32_C(0x10000);
arg_settings_mask |= SETTING_USERNS;
}
arg_settings_mask |= SETTING_USERNS;
break; break;
case ARG_PRIVATE_USERS_CHOWN: case ARG_PRIVATE_USERS_CHOWN:
@ -990,7 +993,7 @@ static int parse_argv(int argc, char *argv[]) {
return -EINVAL; return -EINVAL;
} }
if (arg_userns_mode != USER_NAMESPACE_NO && access("/proc/self/uid_map", F_OK) < 0) { if (arg_userns_mode != USER_NAMESPACE_NO && !userns_supported()) {
log_error("--private-users= is not supported, kernel compiled without user namespace support."); log_error("--private-users= is not supported, kernel compiled without user namespace support.");
return -EOPNOTSUPP; return -EOPNOTSUPP;
} }