morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 16:37:19 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
705cc82938b67fa110f2f6f5d28bfb9ec2f339c0
systemd/src/core
History
Ryan Wilson 705cc82938 core: Add PrivateUsers=full 
Recently, PrivateUsers=identity was added to support mapping the first
65536 UIDs/GIDs from parent to the child namespace and mapping the other
UID/GIDs to the nobody user.

However, there are use cases where users have UIDs/GIDs > 65536 and need
to do a similar identity mapping. Moreover, in some of those cases, users
want a full identity mapping from 0 -> UID_MAX.

Note to differentiate ourselves from the init user namespace, we need to
set up the uid_map/gid_map like:
```
0 0 1
1 1 UINT32_MAX - 1
```

as the init user namedspace uses `0 0 UINT32_MAX` and some applications -
like systemd itself - determine if its a non-init user namespace based on
uid_map/gid_map files. Note systemd will remove this heuristic in
running_in_userns() in version 258 and uses namespace inode. But some users
may be running a container image with older systemd < 258 so we keep this
hack until version 259.

To support this, we add PrivateUsers=full that does identity mapping for
all available UID/GIDs.

Fixes: #35168
2024-12-05 10:34:32 -08:00
..
bpf
bpf-socket-bind: fix unexpected behavior with either 0 allow or deny rules
2024-03-24 11:08:58 +00:00
all-units.h
apparmor-setup.c
apparmor-setup.h
audit-fd.c
audit-fd.h
automount.c
core/manager: introduce manager_add_job_full() which takes extra TransactionAddFlags
2024-10-27 20:02:46 +01:00
automount.h
bpf-devices.c
basic/linux: update kernel headers from v6.10-rc3
2024-06-20 02:35:35 +09:00
bpf-devices.h
cgroup: turn device cgroup controller "rwm" strings into proper flags
2023-10-17 23:27:01 +01:00
bpf-firewall.c
core/cgroup: call bpf_firewall_close in cgroup_runtime_free
2024-06-28 15:38:56 +02:00
bpf-firewall.h
core/cgroup: call bpf_firewall_close in cgroup_runtime_free
2024-06-28 15:38:56 +02:00
bpf-foreign.c
core: split out cgroup specific state fields from Unit → CGroupRuntime
2024-02-16 10:17:40 +01:00
bpf-foreign.h
bpf-restrict-fs.c
bpf: add helper to translate kernel error codes from libbpf
2024-05-29 08:29:47 +02:00
bpf-restrict-fs.h
core: split out cgroup specific state fields from Unit → CGroupRuntime
2024-02-16 10:17:40 +01:00
bpf-restrict-ifaces.c
fdset: optionally, close remaining fds asynchronously
2024-10-17 09:48:05 +02:00
bpf-restrict-ifaces.h
core: rename restrict-ifaces.[ch] → bpf-restrict-ifaces.[ch]
2024-01-25 16:11:33 +01:00
bpf-socket-bind.c
fdset: optionally, close remaining fds asynchronously
2024-10-17 09:48:05 +02:00
bpf-socket-bind.h
bpf-socket-bind: rename bpf_serialize_socket_bind() → bpf_socket_bind_serialize()
2024-01-25 16:11:33 +01:00
bpf-util.c
tree-wise: several cleanups for logging
2024-05-01 04:41:06 +09:00
bpf-util.h
cgroup.c
core/cgroup: rename CGROUP_PRESSURE_WATCH_ON/OFF -> CGROUP_PRESSURE_WATCH_YES/NO
2024-10-27 03:04:35 +09:00
cgroup.h
core/cgroup: rename CGROUP_PRESSURE_WATCH_ON/OFF -> CGROUP_PRESSURE_WATCH_YES/NO
2024-10-27 03:04:35 +09:00
clock-warp.c
manager: add structured log message about clock bump
2024-06-15 16:54:37 +02:00
clock-warp.h
manager: apply clock epoch on updates too
2024-06-15 16:20:16 +02:00
core-varlink.c
cgroup: Add ManagedOOMMemoryPressureDurationSec= override setting for units
2024-10-16 20:12:38 -07:00
core-varlink.h
core: reliably check if varlink socket has been deserialized
2024-07-23 19:38:57 +02:00
crash-handler.c
crash-handler: Add back notice log message
2024-08-26 16:36:39 +02:00
crash-handler.h
dbus-automount.c
dbus-automount.h
dbus-cgroup.c
Merge pull request #34787 from yuwata/core-ip-address-allow-deny
2024-10-21 16:35:49 +02:00
dbus-cgroup.h
dbus-device.c
dbus-device.h
dbus-execute.c
core: Introduce PrivatePIDs=
2024-11-05 05:32:02 -08:00
dbus-execute.h
manager: switch service unit type over to using new handoff timestamping logic
2024-04-25 13:40:41 +02:00
dbus-job.c
core: switch j->unit->manager to j->manager
2024-04-18 20:25:39 +08:00
dbus-job.h
dbus-kill.c
dbus-kill.h
dbus-manager.c
dbus-manager: add missing word 'unit' to PK message
2024-11-12 23:09:01 +01:00
dbus-manager.h
dbus-mount.c
core: cast ignored retval of unit_realize_cgroup to void
2024-06-28 15:43:21 +02:00
dbus-mount.h
dbus-path.c
tree-wide: add path_simplify_alloc() and use it
2023-09-22 08:13:34 +02:00
dbus-path.h
dbus-scope.c
core: cast ignored retval of unit_realize_cgroup to void
2024-06-28 15:43:21 +02:00
dbus-scope.h
dbus-service.c
core: move debug logging from _can_live_mount() functions to caller
2024-10-16 10:50:15 +02:00
dbus-service.h
dbus-slice.c
core: cast ignored retval of unit_realize_cgroup to void
2024-06-28 15:43:21 +02:00
dbus-slice.h
dbus-socket.c
core: Use RateLimit struct to store ratelimits
2024-08-14 14:18:40 +02:00
dbus-socket.h
dbus-swap.c
core: cast ignored retval of unit_realize_cgroup to void
2024-06-28 15:43:21 +02:00
dbus-swap.h
dbus-target.c
dbus-target.h
dbus-timer.c
timer: introduce DeferReactivation setting
2024-10-11 22:54:16 +02:00
dbus-timer.h
dbus-unit.c
core/manager: introduce manager_add_job_full() which takes extra TransactionAddFlags
2024-10-27 20:02:46 +01:00
dbus-unit.h
dbus-util.c
core/dbus: add assertions
2024-10-09 06:57:11 +09:00
dbus-util.h
core/dbus: introduce bus_verify_manage_units_async_impl()
2024-10-09 06:55:32 +09:00
dbus.c
core/manager: introduce manager_add_job_full() which takes extra TransactionAddFlags
2024-10-27 20:02:46 +01:00
dbus.h
core/dbus: move bus_verify_xyz() to dbus-util.c
2024-10-09 06:54:45 +09:00
device.c
core/device: ignore ID_PROCESSING udev property on enumerate
2024-11-25 15:33:48 +09:00
device.h
core/device: prefix DEVICE_FOUND_MASK with '_'
2024-07-21 22:48:52 +02:00
dynamic-user.c
Drop support for nscd
2024-06-28 18:51:56 +02:00
dynamic-user.h
exec-invoke: don't double-close FDs on error
2023-10-28 16:56:25 +02:00
efi-random.c
efivars: Remove STRINGIFY() helper macros
2024-11-02 23:20:57 +01:00
efi-random.h
emergency-action.c
terminal-util: split out color macros/helpers into its own header
2024-07-19 11:44:04 +02:00
emergency-action.h
core: refuse invalid emergency actions for SuccessAction= and friends in user service manager
2024-05-18 02:51:34 +09:00
exec-credential.c
core/dbus-service: refuse bind mounting over /run/credentials/
2024-08-17 18:16:20 +02:00
exec-credential.h
core/dbus-service: refuse bind mounting over /run/credentials/
2024-08-17 18:16:20 +02:00
exec-invoke.c
core: Add PrivateUsers=full
2024-12-05 10:34:32 -08:00
exec-invoke.h
core: move code from execute.c to exec-invoke.c
2023-10-12 15:01:51 +01:00
execute-serialize.c
core: Introduce PrivatePIDs=
2024-11-05 05:32:02 -08:00
execute-serialize.h
core: add serialization/deserialization for CGroupContext
2023-10-12 14:57:38 +01:00
execute.c
execute: free syscall_log hashmap when done
2024-11-28 16:45:02 +01:00
execute.h
core: Introduce PrivatePIDs=
2024-11-05 05:32:02 -08:00
executor.c
core: clean up ambient capability logging
2024-07-31 21:40:28 +02:00
fuzz-execute-serialize.c
Add ExtraFileDescriptor property to StartTransientUnit dbus API
2024-10-07 09:01:48 -07:00
fuzz-manager-serialize.c
fuzz: unify logging setup
2023-10-19 10:05:20 +01:00
fuzz-manager-serialize.options
fuzz: limit size for fuzz-manager-serialize
2023-10-02 14:23:34 +01:00
fuzz-unit-file.c
fuzz: unify logging setup
2023-10-19 10:05:20 +01:00
fuzz-unit-file.options
generator-setup.c
generator-setup: use RET_GATHER()
2024-05-29 11:52:40 +02:00
generator-setup.h
ima-setup.c
ima-setup.h
import-creds.c
core/import-creds: use proc_cmdline_get_bool()
2024-07-13 22:58:23 +02:00
import-creds.h
ipe-setup.c
core: load IPE policy on boot
2024-10-02 18:29:43 +02:00
ipe-setup.h
core: load IPE policy on boot
2024-10-02 18:29:43 +02:00
job.c
core: make refuse_late_merge a proper attr of Job and introduce TRANSACTION_REENQUEUE_ANCHOR
2024-10-27 20:02:47 +01:00
job.h
core: make refuse_late_merge a proper attr of Job and introduce TRANSACTION_REENQUEUE_ANCHOR
2024-10-27 20:02:47 +01:00
kill.c
Fix confusion between killer and prey
2024-06-19 16:22:23 +02:00
kill.h
various: move const ptr indicator to return value
2024-06-19 16:28:28 +02:00
kmod-setup.c
use FOREACH_ELEMENT
2024-04-18 17:39:34 +02:00
kmod-setup.h
load-dropin.c
tree-wide: use strv_extend_strv_consume() where appropriate
2024-09-21 00:53:50 +02:00
load-dropin.h
core/unit: do not use unit path cache in unit_need_daemon_reload()
2024-08-09 19:25:42 +09:00
load-fragment-gperf-nulstr.awk
load-fragment-gperf.gperf.in
core: Introduce PrivatePIDs=
2024-11-05 05:32:02 -08:00
load-fragment.c
core: Introduce PrivatePIDs=
2024-11-05 05:32:02 -08:00
load-fragment.h
core: Introduce PrivatePIDs=
2024-11-05 05:32:02 -08:00
main.c
pid1: make clear that $WATCHDOG_USEC is set for the shutdown binary, noone else
2024-11-15 13:34:06 +00:00
main.h
core: Add systemd.crash_action= kernel command line argument
2024-04-29 14:34:22 +02:00
manager-dump.c
meson: Start adding devel and rc suffixes to the project version
2024-02-14 15:36:34 +01:00
manager-dump.h
core: dump jobs list on sigrtmin+18 with 0x500
2023-09-11 12:24:23 +01:00
manager-serialize.c
core/manager-serialize: drop serialization for Manager.ready_sent
2024-10-11 10:36:08 +02:00
manager-serialize.h
manager.c
core/manager: silence false-positive warning by coverity
2024-11-06 13:47:33 +00:00
manager.h
core: Introduce PrivatePIDs=
2024-11-05 05:32:02 -08:00
meson.build
core: load IPE policy on boot
2024-10-02 18:29:43 +02:00
mount.c
core/service: preserve RuntimeDirectory= even if oneshot service exits
2024-12-02 10:57:45 +01:00
mount.h
Revert "core/credential,mount: re-read /proc/self/mountinfo before invoking umount command"
2024-06-12 00:54:26 +01:00
namespace.c
core: Add PrivateUsers=full
2024-12-05 10:34:32 -08:00
namespace.h
core: Add PrivateUsers=full
2024-12-05 10:34:32 -08:00
org.freedesktop.systemd1.conf
org.freedesktop.systemd1.policy.in
org.freedesktop.systemd1.service
path.c
core/manager: introduce manager_add_job_full() which takes extra TransactionAddFlags
2024-10-27 20:02:46 +01:00
path.h
scope.c
core: do BindMount/MountImage operations in async control process
2024-08-29 12:48:55 +01:00
scope.h
core: split out cgroup specific state fields from Unit → CGroupRuntime
2024-02-16 10:17:40 +01:00
selinux-access.c
core/selinux-access: use empty_to_na where appropriate
2024-05-02 13:36:52 +08:00
selinux-access.h
selinux-setup.c
selinux: kill mac_selinux_free()
2024-06-12 15:21:21 +02:00
selinux-setup.h
service.c
core/service: preserve RuntimeDirectory= even if oneshot service exits
2024-12-02 10:57:45 +01:00
service.h
core/service: place occurrences of SERVICE_MOUNTING closer to reload states
2024-10-22 19:19:47 +02:00
show-status.c
pid1: use $COLUMNS info in status_vprintf()
2024-07-19 11:44:05 +02:00
show-status.h
slice.c
core/slice: simplify slice_freezer_action a bit
2024-07-17 17:25:23 +02:00
slice.h
core: split out cgroup specific state fields from Unit → CGroupRuntime
2024-02-16 10:17:40 +01:00
smack-setup.c
smack-setup.h
socket.c
core/service: preserve RuntimeDirectory= even if oneshot service exits
2024-12-02 10:57:45 +01:00
socket.h
core: honor FileDescriptorName= too for Accept=yes sockets
2024-08-26 15:40:15 +02:00
swap.c
core/service: preserve RuntimeDirectory= even if oneshot service exits
2024-12-02 10:57:45 +01:00
swap.h
core: split out cgroup specific state fields from Unit → CGroupRuntime
2024-02-16 10:17:40 +01:00
system.conf.in
core: Add systemd.crash_action= kernel command line argument
2024-04-29 14:34:22 +02:00
systemd.pc.in
systemd.pc: Keep support for rootprefix and root_prefix (#30115)
2023-11-21 12:51:08 +00:00
taint.c
taint: Add taint_strv() to get taints as an array
2024-08-14 14:18:40 +02:00
taint.h
taint: Add taint_strv() to get taints as an array
2024-08-14 14:18:40 +02:00
target.c
core: use FOREACH_ARRAY at 3 more places
2024-04-10 23:40:53 +08:00
target.h
timer.c
core/manager: introduce manager_add_job_full() which takes extra TransactionAddFlags
2024-10-27 20:02:46 +01:00
timer.h
timer: introduce DeferReactivation setting
2024-10-11 22:54:16 +02:00
transaction.c
core: make refuse_late_merge a proper attr of Job and introduce TRANSACTION_REENQUEUE_ANCHOR
2024-10-27 20:02:47 +01:00
transaction.h
core: make refuse_late_merge a proper attr of Job and introduce TRANSACTION_REENQUEUE_ANCHOR
2024-10-27 20:02:47 +01:00
unit-dependency-atom.c
core: drop effectively unused UNIT_ATOM_PROPAGATE_RESTART
2024-10-27 20:02:46 +01:00
unit-dependency-atom.h
core: drop effectively unused UNIT_ATOM_PROPAGATE_RESTART
2024-10-27 20:02:46 +01:00
unit-printf.c
core: use strdup_to()
2024-03-20 15:18:21 +01:00
unit-printf.h
unit-serialize.c
tree-wide: replace for loop with FOREACH_ELEMENT or FOREACH_ARRAY macros (#34893)
2024-10-26 07:10:22 +09:00
unit-serialize.h
core: add serialization/deserialization for ExecContext
2023-10-12 14:56:23 +01:00
unit.c
core/service: preserve RuntimeDirectory= even if oneshot service exits
2024-12-02 10:57:45 +01:00
unit.h
core/service: preserve RuntimeDirectory= even if oneshot service exits
2024-12-02 10:57:45 +01:00
user.conf.in
config files: update their header to reflect that they can be installed in /usr
2023-09-21 18:54:39 +02:00