author | Quentin Deslandes <qdeslandes@naccy.de> | 2022-09-04 20:30:58 +0200 |
---|---|---|
committer | Quentin Deslandes <qd@naccy.de> | 2022-09-05 17:23:28 +0100 |
commit | 2b2777eda96af054817f00b88a7ba80ab2578d47 (patch) | |
tree | 036c41ca85cc3bff57afedf8b0dea0e11e343ca2 /src/nspawn | |
parent | 1aa18710aff992832cf901c943a21715ee5e65e6 (diff) | |
download | systemd-2b2777eda96af054817f00b88a7ba80ab2578d47.tar.gz |
nspawn: add support for rootidmap bind option
The rootidmap bind option maps the root user of the container to the
owner of the mounted directory on the host filesystem. This ensures that
files and directories created by the root user inside the container are
owned by the directory's owner on the host. All other users remain
unmapped.
Diffstat (limited to 'src/nspawn')
-rw-r--r-- | src/nspawn/nspawn-mount.c | 4 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 2 |
2 files changed, 4 insertions, 2 deletions
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
index 5d37204f6c..7eb5ac82ea 100644
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@@ -733,6 +733,8 @@ static int parse_mount_bind_options(const char *options, unsigned long *mount_fl
 new_idmapping = REMOUNT_IDMAPPING_HOST_ROOT;
 else if (streq(word, "noidmap"))
 new_idmapping = REMOUNT_IDMAPPING_NONE;
+ else if (streq(word, "rootidmap"))
+ new_idmapping = REMOUNT_IDMAPPING_HOST_OWNER;
 else
 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid bind mount option: %s", word);
@@ -816,7 +818,7 @@ static int mount_bind(const char *dest, CustomMount *m, uid_t uid_shift, uid_t u
 }
 if (idmapping != REMOUNT_IDMAPPING_NONE) {
- r = remount_idmap(where, uid_shift, uid_range, idmapping);
+ r = remount_idmap(where, uid_shift, uid_range, source_st.st_uid, idmapping);
 if (r < 0)
 return log_error_errno(r, "Failed to map ids for bind mount %s: %m", where);
 }
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 6316c03916..50c7f78f1c 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3806,7 +3806,7 @@ static int outer_child(
 IN_SET(arg_userns_ownership, USER_NAMESPACE_OWNERSHIP_MAP, USER_NAMESPACE_OWNERSHIP_AUTO) && arg_uid_shift != 0) {
- r = remount_idmap(directory, arg_uid_shift, arg_uid_range, REMOUNT_IDMAPPING_HOST_ROOT);
+ r = remount_idmap(directory, arg_uid_shift, arg_uid_range, UID_INVALID, REMOUNT_IDMAPPING_HOST_ROOT);
 if (r == -EINVAL || ERRNO_IS_NOT_SUPPORTED(r)) {
 /* This might fail because the kernel or file system doesn't support idmapping. We
 * can't really distinguish this nicely, nor do we have any guarantees about the |
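Review bot: The new `rootidmap` branch carries no comment, and because every keyword in this chain simply overwrites `new_idmapping`, a later `idmap`, `noidmap` or `rootidmap` in the same option string silently wins over an earlier one (assuming this sits inside a word loop, which starts outside the hunk) — that mutual exclusivity is worth stating where the keywords are parsed. I would add above the new branch `/* Map only the container's root user onto the host owner of the bind source; every other uid stays unmapped. */`. The diffstat is limited to src/nspawn, so I cannot tell from here whether man/systemd-nspawn.xml and the .nspawn file documentation were extended with the new keyword; a user-facing option should land with its docs in the same commit. parse_mount_bind_options begins before this hunk.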
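Review bot: With `rootidmap`, `source_st.st_uid` now decides which host uid container root becomes on this mount, so a bind source owned by host uid 0 makes container root write as host root there — the same privilege `idmap` grants, but chosen implicitly by directory ownership rather than explicitly by the operator. That deserves a comment at the `remount_idmap` call, e.g. `/* For REMOUNT_IDMAPPING_HOST_OWNER the host owner of the bind source becomes container root; a root-owned source is thus equivalent to idmap. */`, and a `log_debug()` when `idmapping == REMOUNT_IDMAPPING_HOST_OWNER && source_st.st_uid == 0` would make that visible in the logs. Where `source_st` is filled in lies outside the hunk (mount_bind's body starts before it), so whether it comes from a stat of the source path taken before the bind mount, and therefore whether the owner can change between that stat and this remount, cannot be confirmed from here.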
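Review bot: `UID_INVALID` is passed positionally to `remount_idmap` with nothing saying why, and a reader has to already know that the owner-uid argument is only consulted for `REMOUNT_IDMAPPING_HOST_OWNER` (the callee is not in this diffstat, so that contract cannot be confirmed here). A short comment keeps it from reading like an oversight: `/* The owner uid is unused for REMOUNT_IDMAPPING_HOST_ROOT, hence UID_INVALID. */`. If the callee does not already reject `REMOUNT_IDMAPPING_HOST_OWNER` combined with an invalid owner uid, an `assert()` there would be worth adding in the same change. outer_child continues outside the hunk on both sides.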