authorQuentin Deslandes <qdeslandes@naccy.de>2022-09-04 20:30:58 +0200
committerQuentin Deslandes <qd@naccy.de>2022-09-05 18:23:28 +0200
commit2b2777eda96af054817f00b88a7ba80ab2578d47 (patch)
tree036c41ca85cc3bff57afedf8b0dea0e11e343ca2 /src/shared/mount-util.h
parentnspawn: rename RemountIdmapFlags enum to RemountIdmapping (diff)
nspawn: add support for rootidmap bind option
The rootidmap bind option will map the root user from the container to the owner of the mounted directory on the filesystem. This will ensure files and directories created by the root user in the container will be owned by the directory owner on the filesystem. All other users will remain unmapped.
Diffstat (limited to '')
-rw-r--r--src/shared/mount-util.h6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/shared/mount-util.h b/src/shared/mount-util.h
index b40687a99c..8b07611ec8 100644
--- a/src/shared/mount-util.h
+++ b/src/shared/mount-util.h
@@ -128,11 +128,15 @@ typedef enum RemountIdmapping {
* to add inodes to file systems mapped this way should set this flag, but given it comes with
* certain security implications defaults to off, and requires explicit opt-in. */
REMOUNT_IDMAPPING_HOST_ROOT,
+ /* Define a mapping from root user within the container to the owner of the bind mounted directory.
+ * This ensure no root-owned files will be written in a bind-mounted directory owned by a different
+ * user. No other users are mapped. */
+ REMOUNT_IDMAPPING_HOST_OWNER,
_REMOUNT_IDMAPPING_MAX,
_REMOUNT_IDMAPPING_INVALID = -EINVAL,
} RemountIdmapping;
-int remount_idmap(const char *p, uid_t uid_shift, uid_t uid_range, RemountIdmapping idmapping);
+int remount_idmap(const char *p, uid_t uid_shift, uid_t uid_range, uid_t owner, RemountIdmapping idmapping);
/* Creates a mount point (not parents) based on the source path or stat - ie, a file or a directory */
int make_mount_point_inode_from_stat(const struct stat *st, const char *dest, mode_t mode);
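Review bot: The new `uid_t owner` parameter on `remount_idmap` (the `+int remount_idmap(...)` line) is undocumented in the header, and the enum comment above it reads `This ensure` where it should read `This ensures`. Since the prototype is what callers read, a one-line comment stating what `owner` means and when it is consulted would help, e.g. `/* 'owner' is the host UID that container root is mapped to; presumably only used for REMOUNT_IDMAPPING_HOST_OWNER and ignored otherwise — confirm against the implementation. */`. It is also worth stating in the REMOUNT_IDMAPPING_HOST_OWNER comment that when the bind-mounted directory is itself owned by host root, the mapping becomes container root → host root, i.e. the same security implications the REMOUNT_IDMAPPING_HOST_ROOT comment already warns about apply, so callers may want to reject or at least log an `owner` of 0 in that mode. The implementation of `remount_idmap` is outside this hunk, so whether such a check already exists cannot be seen here.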