Merge pull request #21135 from poettering/homed-uidmap
homed: make use of uidmap'ped mounts for avoiding recursive chown()
commit
5433d425b4
2
TODO
2
TODO
@ -1279,8 +1279,6 @@ Features:
|
||||
- support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
|
||||
- maybe pre-create ~/.cache as subvol so that it can have separate quota
|
||||
easily?
|
||||
- if kernel 5.12 uid mapping mounts exist, use that instead of recursive
|
||||
chowns.
|
||||
- add a switch to homectl (maybe called --first-boot) where it will check if
|
||||
any non-system users exist, and if not prompts interactively for basic user
|
||||
info, mimicking systemd-firstboot. Then, place this in a service that runs
|
||||
|
@ -159,7 +159,7 @@ int home_activate_cifs(
|
||||
assert_se(hdo = user_record_home_directory(h));
|
||||
hd = strdupa_safe(hdo); /* copy the string out, since it might change later in the home record object */
|
||||
|
||||
r = home_setup(h, 0, cache, setup, &header_home);
|
||||
r = home_setup(h, 0, setup, cache, &header_home);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
@ -74,7 +74,7 @@ int home_activate_directory(
|
||||
assert_se(hdo = user_record_home_directory(h));
|
||||
hd = strdupa_safe(hdo);
|
||||
|
||||
r = home_setup(h, 0, cache, setup, &header_home);
|
||||
r = home_setup(h, 0, setup, cache, &header_home);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -259,8 +259,8 @@ int home_create_directory_or_subvolume(UserRecord *h, HomeSetup *setup, UserReco
|
||||
int home_resize_directory(
|
||||
UserRecord *h,
|
||||
HomeSetupFlags flags,
|
||||
PasswordCache *cache,
|
||||
HomeSetup *setup,
|
||||
PasswordCache *cache,
|
||||
UserRecord **ret_home) {
|
||||
|
||||
_cleanup_(user_record_unrefp) UserRecord *embedded_home = NULL, *new_home = NULL;
|
||||
@ -271,7 +271,7 @@ int home_resize_directory(
|
||||
assert(ret_home);
|
||||
assert(IN_SET(user_record_storage(h), USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT));
|
||||
|
||||
r = home_setup(h, flags, cache, setup, NULL);
|
||||
r = home_setup(h, flags, setup, cache, NULL);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
@ -7,4 +7,4 @@
|
||||
int home_setup_directory(UserRecord *h, HomeSetup *setup);
|
||||
int home_activate_directory(UserRecord *h, HomeSetup *setup, PasswordCache *cache, UserRecord **ret_home);
|
||||
int home_create_directory_or_subvolume(UserRecord *h, HomeSetup *setup, UserRecord **ret_home);
|
||||
int home_resize_directory(UserRecord *h, HomeSetupFlags flags, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_home);
|
||||
int home_resize_directory(UserRecord *h, HomeSetupFlags flags, HomeSetup *setup, PasswordCache *cache, UserRecord **ret_home);
|
||||
|
@ -282,8 +282,8 @@ static int fscrypt_setup(
|
||||
|
||||
int home_setup_fscrypt(
|
||||
UserRecord *h,
|
||||
const PasswordCache *cache,
|
||||
HomeSetup *setup) {
|
||||
HomeSetup *setup,
|
||||
const PasswordCache *cache) {
|
||||
|
||||
_cleanup_(erase_and_freep) void *volume_key = NULL;
|
||||
struct fscrypt_policy policy = {};
|
||||
|
@ -4,7 +4,7 @@
|
||||
#include "homework.h"
|
||||
#include "user-record.h"
|
||||
|
||||
int home_setup_fscrypt(UserRecord *h, const PasswordCache *cache, HomeSetup *setup);
|
||||
int home_setup_fscrypt(UserRecord *h, HomeSetup *setup, const PasswordCache *cache);
|
||||
|
||||
int home_create_fscrypt(UserRecord *h, HomeSetup *setup, char **effective_passwords, UserRecord **ret_home);
|
||||
|
||||
|
File diff suppressed because it is too large
@ -5,24 +5,24 @@
|
||||
#include "homework.h"
|
||||
#include "user-record.h"
|
||||
|
||||
int home_setup_luks(UserRecord *h, HomeSetupFlags flags, const char *force_image_path, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_luks_home);
|
||||
int home_setup_luks(UserRecord *h, HomeSetupFlags flags, const char *force_image_path, HomeSetup *setup, PasswordCache *cache, UserRecord **ret_luks_home);
|
||||
|
||||
int home_activate_luks(UserRecord *h, HomeSetup *setup, PasswordCache *cache, UserRecord **ret_home);
|
||||
int home_deactivate_luks(UserRecord *h);
|
||||
int home_deactivate_luks(UserRecord *h, HomeSetup *setup);
|
||||
int home_trim_luks(UserRecord *h);
|
||||
|
||||
int home_store_header_identity_luks(UserRecord *h, HomeSetup *setup, UserRecord *old_home);
|
||||
|
||||
int home_create_luks(UserRecord *h, const PasswordCache *cache, char **effective_passwords, UserRecord **ret_home);
|
||||
int home_create_luks(UserRecord *h, HomeSetup *setup, const PasswordCache *cache, char **effective_passwords, UserRecord **ret_home);
|
||||
|
||||
int home_get_state_luks(UserRecord *h, HomeSetup *setup);
|
||||
|
||||
int home_resize_luks(UserRecord *h, HomeSetupFlags flags, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_home);
|
||||
int home_resize_luks(UserRecord *h, HomeSetupFlags flags, HomeSetup *setup, PasswordCache *cache, UserRecord **ret_home);
|
||||
|
||||
int home_passwd_luks(UserRecord *h, HomeSetup *setup, const PasswordCache *cache, char **effective_passwords);
|
||||
|
||||
int home_lock_luks(UserRecord *h);
|
||||
int home_unlock_luks(UserRecord *h, const PasswordCache *cache);
|
||||
int home_lock_luks(UserRecord *h, HomeSetup *setup);
|
||||
int home_unlock_luks(UserRecord *h, HomeSetup *setup, const PasswordCache *cache);
|
||||
|
||||
static inline uint64_t luks_volume_key_size_convert(struct crypt_device *cd) {
|
||||
int k;
|
||||
|
@ -84,7 +84,17 @@ int home_unshare_and_mount(const char *node, const char *fstype, bool discard, u
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
return home_mount_node(node, fstype, discard, flags);
|
||||
r = home_mount_node(node, fstype, discard, flags);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = mount_nofollow_verbose(LOG_ERR, NULL, HOME_RUNTIME_WORK_DIR, NULL, MS_PRIVATE, NULL);
|
||||
if (r < 0) {
|
||||
(void) umount_verbose(LOG_ERR, HOME_RUNTIME_WORK_DIR, UMOUNT_NOFOLLOW);
|
||||
return r;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int home_move_mount(const char *mount_suffix, const char *target) {
|
||||
@ -111,9 +121,9 @@ int home_move_mount(const char *mount_suffix, const char *target) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = umount_verbose(LOG_ERR, HOME_RUNTIME_WORK_DIR, UMOUNT_NOFOLLOW);
|
||||
r = umount_recursive(HOME_RUNTIME_WORK_DIR, 0);
|
||||
if (r < 0)
|
||||
return r;
|
||||
return log_error_errno(r, "Failed to unmount %s: %m", HOME_RUNTIME_WORK_DIR);
|
||||
|
||||
log_info("Moving to final mount point %s completed.", target);
|
||||
return 0;
|
||||
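Review bot: The new `mount_nofollow_verbose(LOG_ERR, NULL, HOME_RUNTIME_WORK_DIR, NULL, MS_PRIVATE, NULL)` call in home_unshare_and_mount() has no comment saying why propagation is switched to private at this point, and the reason is not obvious from the hunk. A short comment above it would help, for example `/* Make the work dir mount private so that mounts made below it do not propagate elsewhere */`, if that is the intent. The same comment could say that the failure path uses the non-recursive `umount_verbose()` on purpose, presumably because only the single mount from home_mount_node() exists at that point, whereas home_move_mount() in this file now calls `umount_recursive()`. The start of home_unshare_and_mount() lies outside the hunk.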
|
@ -306,14 +306,46 @@ int home_setup_undo_mount(HomeSetup *setup, int level) {
|
||||
if (!setup->undo_mount)
|
||||
return 0;
|
||||
|
||||
r = umount_verbose(level, HOME_RUNTIME_WORK_DIR, UMOUNT_NOFOLLOW);
|
||||
if (r < 0)
|
||||
return r;
|
||||
r = umount_recursive(HOME_RUNTIME_WORK_DIR, 0);
|
||||
if (r < 0) {
|
||||
if (level >= LOG_DEBUG) /* umount_recursive() does debug level logging anyway, no need to
|
||||
* repeat that here */
|
||||
return r;
|
||||
|
||||
/* If a higher log level is requested, the generate a non-debug mesage here too. */
|
||||
return log_full_errno(level, r, "Failed to unmount mount tree below %s: %m", HOME_RUNTIME_WORK_DIR);
|
||||
}
|
||||
|
||||
setup->undo_mount = false;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int home_setup_undo_dm(HomeSetup *setup, int level) {
|
||||
int r, ret;
|
||||
|
||||
assert(setup);
|
||||
|
||||
if (setup->undo_dm) {
|
||||
assert(setup->crypt_device);
|
||||
assert(setup->dm_name);
|
||||
|
||||
r = sym_crypt_deactivate_by_name(setup->crypt_device, setup->dm_name, 0);
|
||||
if (r < 0)
|
||||
return log_full_errno(level, r, "Failed to deactivate LUKS device: %m");
|
||||
|
||||
setup->undo_dm = false;
|
||||
ret = 1;
|
||||
} else
|
||||
ret = 0;
|
||||
|
||||
if (setup->crypt_device) {
|
||||
sym_crypt_free(setup->crypt_device);
|
||||
setup->crypt_device = NULL;
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int home_setup_done(HomeSetup *setup) {
|
||||
int r = 0, q;
|
||||
|
||||
@ -336,11 +368,9 @@ int home_setup_done(HomeSetup *setup) {
|
||||
if (q < 0)
|
||||
r = q;
|
||||
|
||||
if (setup->undo_dm && setup->crypt_device && setup->dm_name) {
|
||||
q = sym_crypt_deactivate_by_name(setup->crypt_device, setup->dm_name, 0);
|
||||
if (q < 0)
|
||||
r = q;
|
||||
}
|
||||
q = home_setup_undo_dm(setup, LOG_DEBUG);
|
||||
if (q < 0)
|
||||
r = q;
|
||||
|
||||
if (setup->image_fd >= 0) {
|
||||
if (setup->do_offline_fallocate) {
|
||||
@ -358,6 +388,14 @@ int home_setup_done(HomeSetup *setup) {
|
||||
setup->image_fd = safe_close(setup->image_fd);
|
||||
}
|
||||
|
||||
if (setup->temporary_image_path) {
|
||||
if (unlink(setup->temporary_image_path) < 0)
|
||||
log_debug_errno(errno, "Failed to remove temporary image file '%s', ignoring: %m",
|
||||
setup->temporary_image_path);
|
||||
|
||||
setup->temporary_image_path = mfree(setup->temporary_image_path);
|
||||
}
|
||||
|
||||
setup->undo_mount = false;
|
||||
setup->undo_dm = false;
|
||||
setup->do_offline_fitrim = false;
|
||||
@ -368,10 +406,6 @@ int home_setup_done(HomeSetup *setup) {
|
||||
setup->dm_node = mfree(setup->dm_node);
|
||||
|
||||
setup->loop = loop_device_unref(setup->loop);
|
||||
if (setup->crypt_device) {
|
||||
sym_crypt_free(setup->crypt_device);
|
||||
setup->crypt_device = NULL;
|
||||
}
|
||||
|
||||
setup->volume_key = erase_and_free(setup->volume_key);
|
||||
setup->volume_key_size = 0;
|
||||
@ -387,8 +421,8 @@ int home_setup_done(HomeSetup *setup) {
|
||||
int home_setup(
|
||||
UserRecord *h,
|
||||
HomeSetupFlags flags,
|
||||
PasswordCache *cache,
|
||||
HomeSetup *setup,
|
||||
PasswordCache *cache,
|
||||
UserRecord **ret_header_home) {
|
||||
|
||||
int r;
|
||||
@ -409,7 +443,7 @@ int home_setup(
|
||||
switch (user_record_storage(h)) {
|
||||
|
||||
case USER_LUKS:
|
||||
return home_setup_luks(h, flags, NULL, cache, setup, ret_header_home);
|
||||
return home_setup_luks(h, flags, NULL, setup, cache, ret_header_home);
|
||||
|
||||
case USER_SUBVOLUME:
|
||||
case USER_DIRECTORY:
|
||||
@ -417,7 +451,7 @@ int home_setup(
|
||||
break;
|
||||
|
||||
case USER_FSCRYPT:
|
||||
r = home_setup_fscrypt(h, cache, setup);
|
||||
r = home_setup_fscrypt(h, setup, cache);
|
||||
break;
|
||||
|
||||
case USER_CIFS:
|
||||
@ -883,6 +917,7 @@ static int home_activate(UserRecord *h, UserRecord **ret_home) {
|
||||
}
|
||||
|
||||
static int home_deactivate(UserRecord *h, bool force) {
|
||||
_cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT;
|
||||
bool done = false;
|
||||
int r;
|
||||
|
||||
@ -919,7 +954,7 @@ static int home_deactivate(UserRecord *h, bool force) {
|
||||
log_info("Directory %s is already unmounted.", user_record_home_directory(h));
|
||||
|
||||
if (user_record_storage(h) == USER_LUKS) {
|
||||
r = home_deactivate_luks(h);
|
||||
r = home_deactivate_luks(h, &setup);
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r > 0)
|
||||
@ -1279,7 +1314,7 @@ static int home_create(UserRecord *h, UserRecord **ret_home) {
|
||||
switch (user_record_storage(h)) {
|
||||
|
||||
case USER_LUKS:
|
||||
r = home_create_luks(h, &cache, effective_passwords, &new_home);
|
||||
r = home_create_luks(h, &setup, &cache, effective_passwords, &new_home);
|
||||
break;
|
||||
|
||||
case USER_DIRECTORY:
|
||||
@ -1500,7 +1535,7 @@ static int home_update(UserRecord *h, UserRecord **ret) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = home_setup(h, flags, &cache, &setup, &header_home);
|
||||
r = home_setup(h, flags, &setup, &cache, &header_home);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -1558,12 +1593,12 @@ static int home_resize(UserRecord *h, UserRecord **ret) {
|
||||
switch (user_record_storage(h)) {
|
||||
|
||||
case USER_LUKS:
|
||||
return home_resize_luks(h, flags, &cache, &setup, ret);
|
||||
return home_resize_luks(h, flags, &setup, &cache, ret);
|
||||
|
||||
case USER_DIRECTORY:
|
||||
case USER_SUBVOLUME:
|
||||
case USER_FSCRYPT:
|
||||
return home_resize_directory(h, flags, &cache, &setup, ret);
|
||||
return home_resize_directory(h, flags, &setup, &cache, ret);
|
||||
|
||||
default:
|
||||
return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Resizing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h)));
|
||||
@ -1592,7 +1627,7 @@ static int home_passwd(UserRecord *h, UserRecord **ret_home) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = home_setup(h, flags, &cache, &setup, &header_home);
|
||||
r = home_setup(h, flags, &setup, &cache, &header_home);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -1662,7 +1697,7 @@ static int home_inspect(UserRecord *h, UserRecord **ret_home) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = home_setup(h, flags, &cache, &setup, &header_home);
|
||||
r = home_setup(h, flags, &setup, &cache, &header_home);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -1685,6 +1720,7 @@ static int home_inspect(UserRecord *h, UserRecord **ret_home) {
|
||||
}
|
||||
|
||||
static int home_lock(UserRecord *h) {
|
||||
_cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT;
|
||||
int r;
|
||||
|
||||
assert(h);
|
||||
@ -1700,7 +1736,7 @@ static int home_lock(UserRecord *h) {
|
||||
if (r != USER_TEST_MOUNTED)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(ENOEXEC), "Home directory of %s is not mounted, can't lock.", h->user_name);
|
||||
|
||||
r = home_lock_luks(h);
|
||||
r = home_lock_luks(h, &setup);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -1709,6 +1745,7 @@ static int home_lock(UserRecord *h) {
|
||||
}
|
||||
|
||||
static int home_unlock(UserRecord *h) {
|
||||
_cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT;
|
||||
_cleanup_(password_cache_free) PasswordCache cache = {};
|
||||
int r;
|
||||
|
||||
@ -1726,7 +1763,7 @@ static int home_unlock(UserRecord *h) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = home_unlock_luks(h, &cache);
|
||||
r = home_unlock_luks(h, &setup, &cache);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
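Review bot: In the new home_setup_undo_dm(), a failing sym_crypt_deactivate_by_name() returns before the `sym_crypt_free(setup->crypt_device)` block, and this commit also removes the unconditional free from home_setup_done(), so on that path the crypt_device handle appears never to be released (unless that happens in lines not shown here). Because home_setup_done() is the `_cleanup_` handler and only records the error, it would be safer to store the failure and fall through: use `ret = log_full_errno(level, r, "Failed to deactivate LUKS device: %m");` in place of the early return and move `setup->undo_dm = false; ret = 1;` into an `else`. Callers in the suppressed homework-luks.c diff are not visible, so confirm none of them relies on crypt_device staying open after a failed deactivation. The `assert(setup->crypt_device)` and `assert(setup->dm_name)` also replace what was a plain condition in the old cleanup code, so an inconsistent HomeSetup would now abort inside the cleanup path, before the later `erase_and_free(setup->volume_key)` runs.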
|
@ -39,6 +39,8 @@ typedef struct HomeSetup {
|
||||
uint64_t partition_size;
|
||||
|
||||
char *mount_suffix; /* The directory to use as home dir is this path below /run/systemd/user-home-mount */
|
||||
|
||||
char *temporary_image_path;
|
||||
} HomeSetup;
|
||||
|
||||
typedef struct PasswordCache {
|
||||
@ -76,8 +78,9 @@ typedef enum HomeSetupFlags {
|
||||
int home_setup_done(HomeSetup *setup);
|
||||
|
||||
int home_setup_undo_mount(HomeSetup *setup, int level);
|
||||
int home_setup_undo_dm(HomeSetup *setup, int level);
|
||||
|
||||
int home_setup(UserRecord *h, HomeSetupFlags flags, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_header_home);
|
||||
int home_setup(UserRecord *h, HomeSetupFlags flags, HomeSetup *setup, PasswordCache *cache, UserRecord **ret_header_home);
|
||||
|
||||
int home_refresh(UserRecord *h, HomeSetup *setup, UserRecord *header_home, PasswordCache *cache, struct statfs *ret_statfs, UserRecord **ret_new_home);
|
||||
|
||||
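Review bot: The new `char *temporary_image_path;` member of HomeSetup is undocumented, unlike `mount_suffix` right above it. From the homework.c part of this commit, home_setup_done() calls unlink() on this path and then frees the string, so the field owns both the string and the file on disk; a comment such as `/* If set, home_setup_done() unlinks this file and frees the string */` would make that explicit. The code that sets the field is in the suppressed homework-luks.c diff, so the comment should be checked against it.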
|