mirror of
https://github.com/systemd/systemd
synced 2024-09-06 16:56:43 +00:00
8aee931e7a
This adds a small, socket-activated Varlink daemon that can delegate UID ranges for user namespaces to clients asking for it. The primary call is AllocateUserRange() where the user passes in an uninitialized userns fd, which is then set up. There are other calls that allow assigning a mount fd to a userns allocated that way, to set up permissions for a cgroup subtree, and to allocate a veth for such a user namespace. Since the UID assignments are supposed to be transitive, i.e. not permanent, care is taken to ensure that users cannot create inodes owned by these UIDs, so that persistancy cannot be acquired. This is implemented via a BPF-LSM module that ensures that any member of a userns allocated that way cannot create files unless the mount it operates on is owned by the userns itself, or is explicitly allowelisted. BPF LSM program with contributions from Alexei Starovoitov. |
||
|---|---|---|
| .. | ||
| 80-6rd-tunnel.link | ||
| 80-6rd-tunnel.network | ||
| 80-auto-link-local.network.example | ||
| 80-container-host0.network | ||
| 80-container-vb.link | ||
| 80-container-vb.network | ||
| 80-container-ve.link | ||
| 80-container-ve.network | ||
| 80-container-vz.link | ||
| 80-container-vz.network | ||
| 80-namespace-ns.network | ||
| 80-vm-vt.link | ||
| 80-vm-vt.network | ||
| 80-wifi-adhoc.network | ||
| 80-wifi-ap.network.example | ||
| 80-wifi-station.network.example | ||
| 89-ethernet.network.example | ||
| 99-default.link | ||
| meson.build | ||