mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-24 21:34:08 +03:00

Merge pull request #21135 from poettering/homed-uidmap

homed: make use of uidmap'ped mounts for avoiding recursive chown()
Lennart Poettering 2021-10-28 19:18:18 +02:00 committed by GitHub
commit 5433d425b4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 346 additions and 371 deletions

2
TODO

@ -1279,8 +1279,6 @@ Features:
- support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
- maybe pre-create ~/.cache as subvol so that it can have separate quota
easily?
- if kernel 5.12 uid mapping mounts exist, use that instead of recursive
chowns.
- add a switch to homectl (maybe called --first-boot) where it will check if
any non-system users exist, and if not prompts interactively for basic user
info, mimicking systemd-firstboot. Then, place this in a service that runs


@ -159,7 +159,7 @@ int home_activate_cifs(
assert_se(hdo = user_record_home_directory(h));
hd = strdupa_safe(hdo); /* copy the string out, since it might change later in the home record object */
r = home_setup(h, 0, cache, setup, &header_home);
r = home_setup(h, 0, setup, cache, &header_home);
if (r < 0)
return r;


@ -74,7 +74,7 @@ int home_activate_directory(
assert_se(hdo = user_record_home_directory(h));
hd = strdupa_safe(hdo);
r = home_setup(h, 0, cache, setup, &header_home);
r = home_setup(h, 0, setup, cache, &header_home);
if (r < 0)
return r;
@ -259,8 +259,8 @@ int home_create_directory_or_subvolume(UserRecord *h, HomeSetup *setup, UserReco
int home_resize_directory(
UserRecord *h,
HomeSetupFlags flags,
PasswordCache *cache,
HomeSetup *setup,
PasswordCache *cache,
UserRecord **ret_home) {
_cleanup_(user_record_unrefp) UserRecord *embedded_home = NULL, *new_home = NULL;
@ -271,7 +271,7 @@ int home_resize_directory(
assert(ret_home);
assert(IN_SET(user_record_storage(h), USER_DIRECTORY, USER_SUBVOLUME, USER_FSCRYPT));
r = home_setup(h, flags, cache, setup, NULL);
r = home_setup(h, flags, setup, cache, NULL);
if (r < 0)
return r;


@ -7,4 +7,4 @@
int home_setup_directory(UserRecord *h, HomeSetup *setup);
int home_activate_directory(UserRecord *h, HomeSetup *setup, PasswordCache *cache, UserRecord **ret_home);
int home_create_directory_or_subvolume(UserRecord *h, HomeSetup *setup, UserRecord **ret_home);
int home_resize_directory(UserRecord *h, HomeSetupFlags flags, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_home);
int home_resize_directory(UserRecord *h, HomeSetupFlags flags, HomeSetup *setup, PasswordCache *cache, UserRecord **ret_home);


@ -282,8 +282,8 @@ static int fscrypt_setup(
int home_setup_fscrypt(
UserRecord *h,
const PasswordCache *cache,
HomeSetup *setup) {
HomeSetup *setup,
const PasswordCache *cache) {
_cleanup_(erase_and_freep) void *volume_key = NULL;
struct fscrypt_policy policy = {};


@ -4,7 +4,7 @@
#include "homework.h"
#include "user-record.h"
int home_setup_fscrypt(UserRecord *h, const PasswordCache *cache, HomeSetup *setup);
int home_setup_fscrypt(UserRecord *h, HomeSetup *setup, const PasswordCache *cache);
int home_create_fscrypt(UserRecord *h, HomeSetup *setup, char **effective_passwords, UserRecord **ret_home);

File diff suppressed because it is too large Load Diff


@ -5,24 +5,24 @@
#include "homework.h"
#include "user-record.h"
int home_setup_luks(UserRecord *h, HomeSetupFlags flags, const char *force_image_path, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_luks_home);
int home_setup_luks(UserRecord *h, HomeSetupFlags flags, const char *force_image_path, HomeSetup *setup, PasswordCache *cache, UserRecord **ret_luks_home);
int home_activate_luks(UserRecord *h, HomeSetup *setup, PasswordCache *cache, UserRecord **ret_home);
int home_deactivate_luks(UserRecord *h);
int home_deactivate_luks(UserRecord *h, HomeSetup *setup);
int home_trim_luks(UserRecord *h);
int home_store_header_identity_luks(UserRecord *h, HomeSetup *setup, UserRecord *old_home);
int home_create_luks(UserRecord *h, const PasswordCache *cache, char **effective_passwords, UserRecord **ret_home);
int home_create_luks(UserRecord *h, HomeSetup *setup, const PasswordCache *cache, char **effective_passwords, UserRecord **ret_home);
int home_get_state_luks(UserRecord *h, HomeSetup *setup);
int home_resize_luks(UserRecord *h, HomeSetupFlags flags, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_home);
int home_resize_luks(UserRecord *h, HomeSetupFlags flags, HomeSetup *setup, PasswordCache *cache, UserRecord **ret_home);
int home_passwd_luks(UserRecord *h, HomeSetup *setup, const PasswordCache *cache, char **effective_passwords);
int home_lock_luks(UserRecord *h);
int home_unlock_luks(UserRecord *h, const PasswordCache *cache);
int home_lock_luks(UserRecord *h, HomeSetup *setup);
int home_unlock_luks(UserRecord *h, HomeSetup *setup, const PasswordCache *cache);
static inline uint64_t luks_volume_key_size_convert(struct crypt_device *cd) {
int k;


@ -84,7 +84,17 @@ int home_unshare_and_mount(const char *node, const char *fstype, bool discard, u
if (r < 0)
return r;
return home_mount_node(node, fstype, discard, flags);
r = home_mount_node(node, fstype, discard, flags);
if (r < 0)
return r;
r = mount_nofollow_verbose(LOG_ERR, NULL, HOME_RUNTIME_WORK_DIR, NULL, MS_PRIVATE, NULL);
if (r < 0) {
(void) umount_verbose(LOG_ERR, HOME_RUNTIME_WORK_DIR, UMOUNT_NOFOLLOW);
return r;
}
return 0;
}
int home_move_mount(const char *mount_suffix, const char *target) {
@ -111,9 +121,9 @@ int home_move_mount(const char *mount_suffix, const char *target) {
if (r < 0)
return r;
r = umount_verbose(LOG_ERR, HOME_RUNTIME_WORK_DIR, UMOUNT_NOFOLLOW);
r = umount_recursive(HOME_RUNTIME_WORK_DIR, 0);
if (r < 0)
return r;
return log_error_errno(r, "Failed to unmount %s: %m", HOME_RUNTIME_WORK_DIR);
log_info("Moving to final mount point %s completed.", target);
return 0;
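Review bot: The `if (r < 0)` test after `umount_recursive(HOME_RUNTIME_WORK_DIR, 0)` in home_move_mount may not catch a mount that stays behind: as far as I recall, the shared helper logs a failed umount of a single entry at debug level and carries on, so a negative return would only mean the mount table could not be read (please confirm against the helper). If that holds, "Moving to final mount point %s completed." can be logged with the work directory still mounted, a case the replaced `umount_verbose(LOG_ERR, …)` call reported. I would either verify afterwards that HOME_RUNTIME_WORK_DIR is no longer a mount point, or at least document the limit: `/* umount_recursive() is best-effort per entry; r >= 0 does not prove the work dir is unmounted */`. home_setup_undo_mount in the next file section clears `setup->undo_mount` after the same call and has the same gap. home_move_mount's body begins outside the hunk.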


@ -306,14 +306,46 @@ int home_setup_undo_mount(HomeSetup *setup, int level) {
if (!setup->undo_mount)
return 0;
r = umount_verbose(level, HOME_RUNTIME_WORK_DIR, UMOUNT_NOFOLLOW);
if (r < 0)
return r;
r = umount_recursive(HOME_RUNTIME_WORK_DIR, 0);
if (r < 0) {
if (level >= LOG_DEBUG) /* umount_recursive() does debug level logging anyway, no need to
* repeat that here */
return r;
/* If a higher log level is requested, the generate a non-debug mesage here too. */
return log_full_errno(level, r, "Failed to unmount mount tree below %s: %m", HOME_RUNTIME_WORK_DIR);
}
setup->undo_mount = false;
return 1;
}
int home_setup_undo_dm(HomeSetup *setup, int level) {
int r, ret;
assert(setup);
if (setup->undo_dm) {
assert(setup->crypt_device);
assert(setup->dm_name);
r = sym_crypt_deactivate_by_name(setup->crypt_device, setup->dm_name, 0);
if (r < 0)
return log_full_errno(level, r, "Failed to deactivate LUKS device: %m");
setup->undo_dm = false;
ret = 1;
} else
ret = 0;
if (setup->crypt_device) {
sym_crypt_free(setup->crypt_device);
setup->crypt_device = NULL;
}
return ret;
}
int home_setup_done(HomeSetup *setup) {
int r = 0, q;
@ -336,11 +368,9 @@ int home_setup_done(HomeSetup *setup) {
if (q < 0)
r = q;
if (setup->undo_dm && setup->crypt_device && setup->dm_name) {
q = sym_crypt_deactivate_by_name(setup->crypt_device, setup->dm_name, 0);
if (q < 0)
r = q;
}
q = home_setup_undo_dm(setup, LOG_DEBUG);
if (q < 0)
r = q;
if (setup->image_fd >= 0) {
if (setup->do_offline_fallocate) {
@ -358,6 +388,14 @@ int home_setup_done(HomeSetup *setup) {
setup->image_fd = safe_close(setup->image_fd);
}
if (setup->temporary_image_path) {
if (unlink(setup->temporary_image_path) < 0)
log_debug_errno(errno, "Failed to remove temporary image file '%s', ignoring: %m",
setup->temporary_image_path);
setup->temporary_image_path = mfree(setup->temporary_image_path);
}
setup->undo_mount = false;
setup->undo_dm = false;
setup->do_offline_fitrim = false;
@ -368,10 +406,6 @@ int home_setup_done(HomeSetup *setup) {
setup->dm_node = mfree(setup->dm_node);
setup->loop = loop_device_unref(setup->loop);
if (setup->crypt_device) {
sym_crypt_free(setup->crypt_device);
setup->crypt_device = NULL;
}
setup->volume_key = erase_and_free(setup->volume_key);
setup->volume_key_size = 0;
@ -387,8 +421,8 @@ int home_setup_done(HomeSetup *setup) {
int home_setup(
UserRecord *h,
HomeSetupFlags flags,
PasswordCache *cache,
HomeSetup *setup,
PasswordCache *cache,
UserRecord **ret_header_home) {
int r;
@ -409,7 +443,7 @@ int home_setup(
switch (user_record_storage(h)) {
case USER_LUKS:
return home_setup_luks(h, flags, NULL, cache, setup, ret_header_home);
return home_setup_luks(h, flags, NULL, setup, cache, ret_header_home);
case USER_SUBVOLUME:
case USER_DIRECTORY:
@ -417,7 +451,7 @@ int home_setup(
break;
case USER_FSCRYPT:
r = home_setup_fscrypt(h, cache, setup);
r = home_setup_fscrypt(h, setup, cache);
break;
case USER_CIFS:
@ -883,6 +917,7 @@ static int home_activate(UserRecord *h, UserRecord **ret_home) {
}
static int home_deactivate(UserRecord *h, bool force) {
_cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT;
bool done = false;
int r;
@ -919,7 +954,7 @@ static int home_deactivate(UserRecord *h, bool force) {
log_info("Directory %s is already unmounted.", user_record_home_directory(h));
if (user_record_storage(h) == USER_LUKS) {
r = home_deactivate_luks(h);
r = home_deactivate_luks(h, &setup);
if (r < 0)
return r;
if (r > 0)
@ -1279,7 +1314,7 @@ static int home_create(UserRecord *h, UserRecord **ret_home) {
switch (user_record_storage(h)) {
case USER_LUKS:
r = home_create_luks(h, &cache, effective_passwords, &new_home);
r = home_create_luks(h, &setup, &cache, effective_passwords, &new_home);
break;
case USER_DIRECTORY:
@ -1500,7 +1535,7 @@ static int home_update(UserRecord *h, UserRecord **ret) {
if (r < 0)
return r;
r = home_setup(h, flags, &cache, &setup, &header_home);
r = home_setup(h, flags, &setup, &cache, &header_home);
if (r < 0)
return r;
@ -1558,12 +1593,12 @@ static int home_resize(UserRecord *h, UserRecord **ret) {
switch (user_record_storage(h)) {
case USER_LUKS:
return home_resize_luks(h, flags, &cache, &setup, ret);
return home_resize_luks(h, flags, &setup, &cache, ret);
case USER_DIRECTORY:
case USER_SUBVOLUME:
case USER_FSCRYPT:
return home_resize_directory(h, flags, &cache, &setup, ret);
return home_resize_directory(h, flags, &setup, &cache, ret);
default:
return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Resizing home directories of type '%s' currently not supported.", user_storage_to_string(user_record_storage(h)));
@ -1592,7 +1627,7 @@ static int home_passwd(UserRecord *h, UserRecord **ret_home) {
if (r < 0)
return r;
r = home_setup(h, flags, &cache, &setup, &header_home);
r = home_setup(h, flags, &setup, &cache, &header_home);
if (r < 0)
return r;
@ -1662,7 +1697,7 @@ static int home_inspect(UserRecord *h, UserRecord **ret_home) {
if (r < 0)
return r;
r = home_setup(h, flags, &cache, &setup, &header_home);
r = home_setup(h, flags, &setup, &cache, &header_home);
if (r < 0)
return r;
@ -1685,6 +1720,7 @@ static int home_inspect(UserRecord *h, UserRecord **ret_home) {
}
static int home_lock(UserRecord *h) {
_cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT;
int r;
assert(h);
@ -1700,7 +1736,7 @@ static int home_lock(UserRecord *h) {
if (r != USER_TEST_MOUNTED)
return log_error_errno(SYNTHETIC_ERRNO(ENOEXEC), "Home directory of %s is not mounted, can't lock.", h->user_name);
r = home_lock_luks(h);
r = home_lock_luks(h, &setup);
if (r < 0)
return r;
@ -1709,6 +1745,7 @@ static int home_lock(UserRecord *h) {
}
static int home_unlock(UserRecord *h) {
_cleanup_(home_setup_done) HomeSetup setup = HOME_SETUP_INIT;
_cleanup_(password_cache_free) PasswordCache cache = {};
int r;
@ -1726,7 +1763,7 @@ static int home_unlock(UserRecord *h) {
if (r < 0)
return r;
r = home_unlock_luks(h, &cache);
r = home_unlock_luks(h, &setup, &cache);
if (r < 0)
return r;
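Review bot: When `sym_crypt_deactivate_by_name()` fails, the new home_setup_undo_dm() returns from the `log_full_errno()` line before reaching its `sym_crypt_free()` block, and home_setup_done() no longer frees `setup->crypt_device` itself, so on that path the crypt context is never released. home_setup_done() is what the `_cleanup_` attribute runs, so no later code gets a chance; if the context holds key material (not visible here), it stays in memory until the process exits. Keeping a fallback in home_setup_done() after the `home_setup_undo_dm(setup, LOG_DEBUG)` call would close this: `if (setup->crypt_device) { sym_crypt_free(setup->crypt_device); setup->crypt_device = NULL; }`. home_setup_done()'s body starts and ends outside the hunks shown.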


@ -39,6 +39,8 @@ typedef struct HomeSetup {
uint64_t partition_size;
char *mount_suffix; /* The directory to use as home dir is this path below /run/systemd/user-home-mount */
char *temporary_image_path;
} HomeSetup;
typedef struct PasswordCache {
@ -76,8 +78,9 @@ typedef enum HomeSetupFlags {
int home_setup_done(HomeSetup *setup);
int home_setup_undo_mount(HomeSetup *setup, int level);
int home_setup_undo_dm(HomeSetup *setup, int level);
int home_setup(UserRecord *h, HomeSetupFlags flags, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_header_home);
int home_setup(UserRecord *h, HomeSetupFlags flags, HomeSetup *setup, PasswordCache *cache, UserRecord **ret_header_home);
int home_refresh(UserRecord *h, HomeSetup *setup, UserRecord *header_home, PasswordCache *cache, struct statfs *ret_statfs, UserRecord **ret_new_home);