dc3223919f
Linux kernel v4.18 (2018-08-12) added user-namespace support to FUSE, and bumped the FUSE version to 7.27 (see: da315f6e0398 (Merge tag 'fuse-update-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse, Linus Torvalds, 2018-06-07). This means that on such kernels it is safe to enable FUSE in nspawn containers. In outer_child(), before calling copy_devnodes(), check the FUSE version to decide whether enable (>=7.27) or disable (<7.27) FUSE in the container. We look at the FUSE version instead of the kernel version in order to enable FUSE support on older-versioned kernels that may have the mentioned patchset backported ([as requested by @poettering][1]). However, I am not sure that this is safe; user-namespace support is not a documented part of the FUSE protocol, which is what FUSE_KERNEL_VERSION/FUSE_KERNEL_MINOR_VERSION are meant to capture. While the same patchset - added FUSE_ABORT_ERROR (which is all that the 7.27 version bump is documented as including), - bumped FUSE_KERNEL_MINOR_VERSION from 26 to 27, and - added user-namespace support these 3 things are not inseparable; it is conceivable to me that a backport could include the first 2 of those things and exclude the 3rd; perhaps it would be safer to check the kernel version. Do note that our get_fuse_version() function uses the fsopen() family of syscalls, which were not added until Linux kernel v5.2 (2019-07-07); so if nothing has been backported, then the minimum kernel version for FUSE-in-nspawn is actually v5.2, not v4.18. Pass whether or not to enable FUSE to copy_devnodes(); have copy_devnodes() copy in /dev/fuse if enabled. Pass whether or not to enable FUSE back over fd_outer_socket to run_container() so that it can pass that to append_machine_properties() (via either register_machine() or allocate_scope()); have append_machine_properties() append "DeviceAllow=/dev/fuse rw" if enabled. For testing, simply check that /dev/fuse can be opened for reading and writing, but that actually reading from it fails with EPERM. The test assumes that if FUSE is supported (/dev/fuse exists), then the testsuite is running on a kernel with FUSE >= 7.27; I am unsure how to go about writing a test that validates that the version check disables FUSE on old kernels. [1]: https://github.com/systemd/systemd/issues/17607#issuecomment-745418835 Closes #17607
System and Service Manager
Details
Most documentation is available on systemd's web site.
Assorted, older, general information about systemd can be found in the systemd Wiki.
Information about build requirements is provided in the README file.
Consult our NEWS file for information about what's new in the most recent systemd versions.
Please see the Code Map for information about this repository's layout and content.
Please see the Hacking guide for information on how to hack on systemd and test your modifications.
Please see our Contribution Guidelines for more information about filing GitHub Issues and posting GitHub Pull Requests.
When preparing patches for systemd, please follow our Coding Style Guidelines.
If you are looking for support, please contact our mailing list, join our IRC channel #systemd on libera.chat or Matrix channel
Stable branches with backported patches are available in the stable repo.
We have a security bug bounty program sponsored by the Sovereign Tech Fund hosted on YesWeHack