author: Lennart Poettering <lennart@poettering.net> 2023-04-20 19:07:33 +0200
committer: Lennart Poettering <lennart@poettering.net> 2024-04-06 16:08:24 +0200
commit: 8aee931e7ae1adb01eeac0e1e4c0aef6ed3969ec (patch)
tree: 8cbb0fc640eaf1351df84c61f384d19880031e07 /man/rules
parent: build-sys: pick up vmlinux.h from running kernel BTF or user (diff)
nsresourced: add new daemon for granting clients user namespaces and assigning resources to them
This adds a small, socket-activated Varlink daemon that can delegate UID ranges for user namespaces to clients asking for it. The primary call is AllocateUserRange() where the user passes in an uninitialized userns fd, which is then set up. There are other calls that allow assigning a mount fd to a userns allocated that way, to set up permissions for a cgroup subtree, and to allocate a veth for such a user namespace. Since the UID assignments are supposed to be transitive, i.e. not permanent, care is taken to ensure that users cannot create inodes owned by these UIDs, so that persistency cannot be acquired. This is implemented via a BPF-LSM module that ensures that any member of a userns allocated that way cannot create files unless the mount it operates on is owned by the userns itself, or is explicitly allowlisted. BPF LSM program with contributions from Alexei Starovoitov.
Diffstat (limited to 'man/rules')
man/rules/meson.build | 4 ++++
1 file changed, 4 insertions(+), 0 deletions(-)
diff --git a/man/rules/meson.build b/man/rules/meson.build
index 1ca5b105b3..e6c0ac9b52 100644
--- a/man/rules/meson.build
+++ b/man/rules/meson.build
@@ -1007,6 +1007,10 @@ manpages = [
['systemd-networkd.service', '8', ['systemd-networkd'], 'ENABLE_NETWORKD'],
['systemd-notify', '1', [], ''],
['systemd-nspawn', '1', [], ''],
+ ['systemd-nsresourced.service',
+ '8',
+ ['systemd-nsresourced'],
+ 'ENABLE_NSRESOURCED'],
['systemd-oomd.service', '8', ['systemd-oomd'], 'ENABLE_OOMD'],
['systemd-path', '1', [], ''],
['systemd-pcrlock',
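Review bot: the new manpages entry is gated on ENABLE_NSRESOURCED, so the build will only pick up the page when that meson option is defined and enabled; this view is limited to man/rules, so it cannot be confirmed here that the option and the matching man/systemd-nsresourced.service.xml source (with its systemd-nsresourced alias) land in the same commit, and both should be checked before merging, since a missing page source fails the man build while an undefined option silently drops the page. On style, the entry is spread over four lines even though it fits on one like the neighbouring nspawn and oomd entries; either form exists in this list (pcrlock is also split), so this is a consistency nit only.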