git-history.diyao.me Git - systemd/.git/commit

author	Lennart Poettering <lennart@poettering.net>
	Thu, 20 Apr 2023 17:07:33 +0000 (19:07 +0200)
committer	Lennart Poettering <lennart@poettering.net>
	Sat, 6 Apr 2024 14:08:24 +0000 (16:08 +0200)
commit	8aee931e7ae1adb01eeac0e1e4c0aef6ed3969ec
tree	8cbb0fc640eaf1351df84c61f384d19880031e07	tree \| snapshot
parent	593428680cfe5326d84bdcd00037412ff1c416b3	commit \| diff

nsresourced: add new daemon for granting clients user namespaces and assigning resources to them

This adds a small, socket-activated Varlink daemon that can delegate UID
ranges for user namespaces to clients asking for it.

The primary call is AllocateUserRange() where the user passes in an
uninitialized userns fd, which is then set up.

There are other calls that allow assigning a mount fd to a userns
allocated that way, to set up permissions for a cgroup subtree, and to
allocate a veth for such a user namespace.

Since the UID assignments are supposed to be transitive, i.e. not
permanent, care is taken to ensure that users cannot create inodes owned
by these UIDs, so that persistancy cannot be acquired. This is
implemented via a BPF-LSM module that ensures that any member of a
userns allocated that way cannot create files unless the mount it
operates on is owned by the userns itself, or is explicitly
allowelisted.

BPF LSM program with contributions from Alexei Starovoitov.

27 files changed:

man/rules/meson.build		diff \| blob \| history
man/systemd-nsresourced.service.xml	[new file with mode: 0644]	blob
meson.build		diff \| blob \| history
meson_options.txt		diff \| blob \| history
network/80-namespace-ns.network	[new file with mode: 0644]	blob
network/meson.build		diff \| blob \| history
presets/90-systemd.preset		diff \| blob \| history
src/nsresourced/bpf/userns_restrict/meson.build	[new file with mode: 0644]	blob
src/nsresourced/bpf/userns_restrict/userns-restrict-skel.h	[new file with mode: 0644]	blob
src/nsresourced/bpf/userns_restrict/userns-restrict.bpf.c	[new file with mode: 0644]	blob
src/nsresourced/meson.build	[new file with mode: 0644]	blob
src/nsresourced/nsresourced-manager.c	[new file with mode: 0644]	blob
src/nsresourced/nsresourced-manager.h	[new file with mode: 0644]	blob
src/nsresourced/nsresourced.c	[new file with mode: 0644]	blob
src/nsresourced/nsresourcework.c	[new file with mode: 0644]	blob
src/nsresourced/test-userns-restrict.c	[new file with mode: 0644]	blob
src/nsresourced/userns-registry.c	[new file with mode: 0644]	blob
src/nsresourced/userns-registry.h	[new file with mode: 0644]	blob
src/nsresourced/userns-restrict.c	[new file with mode: 0644]	blob
src/nsresourced/userns-restrict.h	[new file with mode: 0644]	blob
src/shared/meson.build		diff \| blob \| history
src/shared/varlink-io.systemd.NamespaceResource.c	[new file with mode: 0644]	blob
src/shared/varlink-io.systemd.NamespaceResource.h	[new file with mode: 0644]	blob
src/test/test-varlink-idl.c		diff \| blob \| history
units/meson.build		diff \| blob \| history
units/systemd-nsresourced.service.in	[new file with mode: 0644]	blob
units/systemd-nsresourced.socket	[new file with mode: 0644]	blob

https://github.com/systemd/systemd.git

RSS Atom