nspawn: make -U a tiny bit smarter
With this change -U will turn on user namespacing only if the kernel actually supports it and otherwise gracefully degrade to non-userns mode.
This commit is contained in:
parent
d2e5535f9d
commit
ccabee0d64
|
@ -444,7 +444,9 @@
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>-U</option></term>
|
<term><option>-U</option></term>
|
||||||
|
|
||||||
<listitem><para>Equivalent to <option>--private-users=pick</option>.</para></listitem>
|
<listitem><para>If the kernel supports the user namespaces feature, equivalent to
|
||||||
|
<option>--private-users=pick</option>, otherwise equivalent to
|
||||||
|
<option>--private-users=no</option>.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
|
|
@ -21,6 +21,7 @@
|
||||||
|
|
||||||
#include <stdbool.h>
|
#include <stdbool.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
bool uid_is_valid(uid_t uid);
|
bool uid_is_valid(uid_t uid);
|
||||||
|
|
||||||
|
@ -63,3 +64,7 @@ int take_etc_passwd_lock(const char *root);
|
||||||
|
|
||||||
#define PTR_TO_GID(p) ((gid_t) (((uintptr_t) (p))-1))
|
#define PTR_TO_GID(p) ((gid_t) (((uintptr_t) (p))-1))
|
||||||
#define GID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))
|
#define GID_TO_PTR(u) ((void*) (((uintptr_t) (u))+1))
|
||||||
|
|
||||||
|
static inline bool userns_supported(void) {
|
||||||
|
return access("/proc/self/uid_map", F_OK) >= 0;
|
||||||
|
}
|
||||||
|
|
|
@ -866,11 +866,14 @@ static int parse_argv(int argc, char *argv[]) {
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 'U':
|
case 'U':
|
||||||
arg_userns_mode = USER_NAMESPACE_PICK;
|
if (userns_supported()) {
|
||||||
arg_uid_shift = UID_INVALID;
|
arg_userns_mode = USER_NAMESPACE_PICK;
|
||||||
arg_uid_range = UINT32_C(0x10000);
|
arg_uid_shift = UID_INVALID;
|
||||||
|
arg_uid_range = UINT32_C(0x10000);
|
||||||
|
|
||||||
|
arg_settings_mask |= SETTING_USERNS;
|
||||||
|
}
|
||||||
|
|
||||||
arg_settings_mask |= SETTING_USERNS;
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case ARG_PRIVATE_USERS_CHOWN:
|
case ARG_PRIVATE_USERS_CHOWN:
|
||||||
|
@ -990,7 +993,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (arg_userns_mode != USER_NAMESPACE_NO && access("/proc/self/uid_map", F_OK) < 0) {
|
if (arg_userns_mode != USER_NAMESPACE_NO && !userns_supported()) {
|
||||||
log_error("--private-users= is not supported, kernel compiled without user namespace support.");
|
log_error("--private-users= is not supported, kernel compiled without user namespace support.");
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue