morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 00:14:32 +09:00
Code Issues Packages Projects Releases Wiki Activity
79,049 Commits 1 Branch 0 Tags
d6f8e1ae879ed1676406b61b6f4dba1bdd3749ae
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Lennart Poettering d6f8e1ae87 mntfsd: add api to mount dirs for containers 
systemd-mountfsd so far provided a MountImage() API call for mounting a
disk image and returning a set of mount fds. This complements the API
with a new MountDirectory() API call, that operates on a directory
instead of an image file. Now, what makes this interesting is that it
applies an idmapping from the foreign UID range to the provided target
userns – and in which case unpriveleged operation is allowed (well,
under some conditions: in particular the client must own a parent dir of
the provided path).

This allows container managers to run fully unprivileged from
directories – as long as those directories are owned by the foreign UID
range. Basic operation is like this:

1. acquire a transient userns from systemd-nsresourced with 64K users
2. ask systemd-mountfsd for an idmapped mount of the container dir
   matching that userns
3. join the userns and bind the mount fd as root.

Note that we have to drop various sandboxing knobs from the mountfsd
service file for this to work, since the kernel's security checks that
try to ensure than an obstructed /proc/ cannot be circumvented via
mounting a new procfs will otherwise prohibit mountfsd to duplicate the
mounts properly.
2025-01-23 21:48:02 +01:00
.clusterfuzzlite
.github
mkosi: Add back --preserve-env when running integrationt tests
2025-01-23 12:18:21 +01:00
.obs
OBS: switch to new top-level namespace
2025-01-22 20:34:04 +00:00
.semaphore
Revert "semaphore: skip some tests"
2024-12-13 23:43:28 +00:00
catalog
catalog: update Polish translation
2024-11-28 13:03:31 +01:00
coccinelle
coccinelle: add .gitignore for cache files
2025-01-19 08:27:47 +09:00
docs
docs: mention the two other userdb services we ship these days
2025-01-23 21:13:41 +01:00
factory
hwdb.d
meson: add install tags for udev and hwdb
2025-01-10 15:15:13 +09:00
LICENSES
boot: Add HWID calculation from SMBIOS strings and matching against a built-in list
2024-11-05 22:29:58 +03:00
man
creds: permit interactive polkit auth when encrypting/decrypting through IPC
2025-01-24 05:08:12 +09:00
mime
mkosi.conf.d
mkosi: Don't set -O ^orphan_file in centos stream 9 tools tree
2025-01-21 10:57:29 +01:00
mkosi.coverage
mkosi: Make sure the /coverage directory exists
2024-12-05 22:03:07 +01:00
mkosi.extra
mkosi: move drop-in config for sanitizers
2024-12-10 09:46:29 +09:00
mkosi.extra.common
mkosi: disable multipathd by default
2025-01-16 00:57:07 +09:00
mkosi.images
mkosi: update fedora commit reference
2025-01-16 23:40:04 +01:00
mkosi.repart
mkosi: switch rootfs to ext4
2025-01-22 22:50:52 +00:00
mkosi.sanitizers
mkosi: drop wrapper for unshare
2024-12-14 17:30:01 +09:00
mkosi.uki-profiles
Rework TEST-86-MULTI-PROFILE-UKI
2024-10-21 17:24:14 +02:00
modprobe.d
network
po
po: Translated using Weblate (French)
2025-01-22 23:43:34 +09:00
presets
profile.d
profile.d: don't bail if $SHELL_* variables are unset
2024-12-11 18:33:41 +00:00
rules.d
udev: add systemd tag to devices tagged with security-device
2025-01-22 21:43:44 +01:00
shell-completion
creds: permit interactive polkit auth when encrypting/decrypting through IPC
2025-01-24 05:08:12 +09:00
src
mntfsd: add api to mount dirs for containers
2025-01-23 21:48:02 +01:00
sysctl.d
sysusers.d
udev: set clock group for PTP and RTC devices
2025-01-16 21:12:47 +01:00
test
test: add test cases for OWNER=/GROUP= with non-system user/group
2025-01-24 02:33:18 +09:00
tmpfiles.d
Revert "link README.logs from tmpfiles.d/legacy.conf only if available"
2024-11-29 14:18:15 +01:00
tools
meson: enable -Wzero-as-null-pointer-constant
2025-01-16 02:26:56 +01:00
units
mntfsd: add api to mount dirs for containers
2025-01-23 21:48:02 +01:00
xorg
.clang-format
.ctags
.dir-locals.el
.editorconfig
.gitattributes
.gitignore
Add .venv to gitignore
2024-12-20 15:33:32 +00:00
.mailmap
mailmap: fix entries for Tobias Klauser
2024-12-11 13:55:07 +00:00
.packit.yml
packit: Simplify configuration
2025-01-07 15:18:50 +01:00
.pylintrc
.vimrc
.ycm_extra_conf.py
LICENSE.GPL2
LICENSE.LGPL2.1
meson_options.txt
udev: set clock group for PTP and RTC devices
2025-01-16 21:12:47 +01:00
meson.build
build: fail the build if we accidentally drop a "const" qualifier on a parameter
2025-01-20 21:44:23 +01:00
meson.version
meson: update version to 258~devel
2024-12-10 19:30:06 +00:00
mkosi.clangd
mkosi.clangd: Fail on command errors
2024-12-20 20:09:36 +01:00
mkosi.clean
mkosi: Add missing SPDX line
2024-09-22 15:23:08 +02:00
mkosi.conf
mkosi: replace deprecated settings and command with new ones
2025-01-06 12:00:43 +01:00
mkosi.functions
mkosi: Move copying packages to the output directory to the postinst script
2024-10-29 11:28:47 +01:00
mkosi.postinst.chroot
mkosi: Fix authselect systemd-homed feature name
2024-12-21 21:03:03 +01:00
mypy.ini
Move mypy.ini and ruff.toml to top level
2024-11-24 16:47:20 +01:00
NEWS
NEWS: mention OWNER=/GROUP= in udev rules now refuses non-system user/group
2025-01-24 02:33:18 +09:00
README
README: add sgx to list of required groups
2025-01-16 22:22:38 +01:00
README.md
OBS: switch to new top-level namespace
2025-01-22 20:34:04 +00:00
ruff.toml
Move mypy.ini and ruff.toml to top level
2024-11-24 16:47:20 +01:00
TODO
update TODO
2025-01-21 23:06:55 +01:00

README.md

Systemd

System and Service Manager

OBS Packages Status
Semaphore CI 2.0 Build Status
Coverity Scan Status
OSS-Fuzz Status
CIFuzz
CII Best Practices
Fossies codespell report
Weblate
Coverage Status
Packaging status
OpenSSF Scorecard

Details

Most documentation is available on systemd's web site.

Assorted, older, general information about systemd can be found in the systemd Wiki.

Information about build requirements is provided in the README file.

Consult our NEWS file for information about what's new in the most recent systemd versions.

Please see the Code Map for information about this repository's layout and content.

Please see the Hacking guide for information on how to hack on systemd and test your modifications.

Please see our Contribution Guidelines for more information about filing GitHub Issues and posting GitHub Pull Requests.

When preparing patches for systemd, please follow our Coding Style Guidelines.

If you are looking for support, please contact our mailing list, join our IRC channel #systemd on libera.chat or Matrix channel

Stable branches with backported patches are available in the stable repo.

We have a security bug bounty program sponsored by the Sovereign Tech Fund hosted on YesWeHack

Repositories with distribution packages built from git main are available on OBS

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 321 MiB
Languages
C 89%
Python 5.1%
Shell 4.5%
Meson 1.2%