author | Benjamin Franzke <benjaminfranzke@googlemail.com> | 2023-11-17 08:03:57 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2024-02-15 11:49:54 +0100 |
commit | 614d09a37dc468d126df40ae649092f927196863 (patch) | |
tree | 5a729e36da950ef815bcc0bc5983feeb666a8d59 /src/shared/mount-util.h | |
parent | log: reorder arguments of internal macro (diff) | |
nspawn: add support for owneridmap bind option
owneridmap bind option will map the target directory owner from inside the
container to the owner of the directory bound from the host filesystem.
This will ensure files and directories created in the container will be owned
by the directory owner of the host filesystem. All other users will remain
unmapped. Writing files as any other user inside the container will not be
allowed.
Resolves: #27037
Diffstat (limited to 'src/shared/mount-util.h')
-rw-r--r-- | src/shared/mount-util.h | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/shared/mount-util.h b/src/shared/mount-util.h
index ef31104900..2f9f394ab0 100644
--- a/src/shared/mount-util.h
+++ b/src/shared/mount-util.h
@@ -116,16 +116,19 @@ typedef enum RemountIdmapping {
 * certain security implications defaults to off, and requires explicit opt-in. */
 REMOUNT_IDMAPPING_HOST_ROOT,
 /* Define a mapping from root user within the container to the owner of the bind mounted directory.
- * This ensure no root-owned files will be written in a bind-mounted directory owned by a different
+ * This ensures no root-owned files will be written in a bind-mounted directory owned by a different
 * user. No other users are mapped. */
 REMOUNT_IDMAPPING_HOST_OWNER,
+ /* Define a mapping from bind-target owner within the container to the host owner of the bind mounted
+ * directory. No other users are mapped. */
+ REMOUNT_IDMAPPING_HOST_OWNER_TO_TARGET_OWNER,
 _REMOUNT_IDMAPPING_MAX,
 _REMOUNT_IDMAPPING_INVALID = -EINVAL,
 } RemountIdmapping;
 
-int make_userns(uid_t uid_shift, uid_t uid_range, uid_t owner, RemountIdmapping idmapping);
+int make_userns(uid_t uid_shift, uid_t uid_range, uid_t host_owner, uid_t dest_owner, RemountIdmapping idmapping);
 int remount_idmap_fd(char **p, int userns_fd);
-int remount_idmap(char **p, uid_t uid_shift, uid_t uid_range, uid_t owner, RemountIdmapping idmapping);
+int remount_idmap(char **p, uid_t uid_shift, uid_t uid_range, uid_t host_owner, uid_t dest_owner, RemountIdmapping idmapping);
 
 int bind_mount_submounts(
 const char *source, |
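Review bot: The new `host_owner` and `dest_owner` parameters of `make_userns()` and `remount_idmap()` are undocumented at the declaration, and the name `dest_owner` does not match the wording of the enumerator it serves, `REMOUNT_IDMAPPING_HOST_OWNER_TO_TARGET_OWNER`, so a reader cannot tell which UID is host-side and which is container-side without opening the implementation. A comment above the two prototypes along the lines of `/* host_owner: UID owning the bind-mounted directory on the host; dest_owner: UID owning the mount target inside the container. Which of them is consulted depends on 'idmapping'; presumably REMOUNT_IDMAPPING_HOST_ROOT ignores both. */` would pin the contract where callers see it (the implementation is outside this hunk, so the last clause needs confirming against mount-util.c). Renaming `dest_owner` to `target_owner`, or the enumerator to end in `_TO_DEST_OWNER`, would keep the parameter and the mode name in step. The comment on the new enumerator could also state the consequence the commit message describes, `* Writes by any other user inside the container are refused.`, since that is the security-relevant property of the mode and the sibling REMOUNT_IDMAPPING_HOST_OWNER comment already spells out its own.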