build-sys: make the dynamic UID range, and the container UID range configurable
Also, export these ranges in our pkg-config files.
parent
6a483c5b2f
commit
87d5e4f286
24
meson.build
24
meson.build
@ -614,9 +614,6 @@ conf.set('SYSTEM_UID_MAX', system_uid_max)
|
||||
substs.set('systemuidmax', system_uid_max)
|
||||
message('maximum system UID is @0@'.format(system_uid_max))
|
||||
|
||||
conf.set_quoted('NOBODY_USER_NAME', get_option('nobody-user'))
|
||||
conf.set_quoted('NOBODY_GROUP_NAME', get_option('nobody-group'))
|
||||
|
||||
system_gid_max = get_option('system-gid-max')
|
||||
if system_gid_max == ''
|
||||
system_gid_max = run_command(
|
||||
@ -629,6 +626,23 @@ conf.set('SYSTEM_GID_MAX', system_gid_max)
|
||||
substs.set('systemgidmax', system_gid_max)
|
||||
message('maximum system GID is @0@'.format(system_gid_max))
|
||||
|
||||
dynamic_uid_min = get_option('dynamic-uid-min').to_int()
|
||||
dynamic_uid_max = get_option('dynamic-uid-max').to_int()
|
||||
conf.set('DYNAMIC_UID_MIN', dynamic_uid_min)
|
||||
conf.set('DYNAMIC_UID_MAX', dynamic_uid_max)
|
||||
substs.set('dynamicuidmin', dynamic_uid_min)
|
||||
substs.set('dynamicuidmax', dynamic_uid_max)
|
||||
|
||||
container_uid_base_min = get_option('container-uid-base-min').to_int()
|
||||
container_uid_base_max = get_option('container-uid-base-max').to_int()
|
||||
conf.set('CONTAINER_UID_BASE_MIN', container_uid_base_min)
|
||||
conf.set('CONTAINER_UID_BASE_MAX', container_uid_base_max)
|
||||
substs.set('containeruidbasemin', container_uid_base_min)
|
||||
substs.set('containeruidbasemax', container_uid_base_max)
|
||||
|
||||
conf.set_quoted('NOBODY_USER_NAME', get_option('nobody-user'))
|
||||
conf.set_quoted('NOBODY_GROUP_NAME', get_option('nobody-group'))
|
||||
|
||||
tty_gid = get_option('tty-gid')
|
||||
conf.set('TTY_GID', tty_gid)
|
||||
substs.set('TTY_GID', tty_gid)
|
||||
@ -2506,6 +2520,10 @@ status = [
|
||||
'users GID: @0@'.format(users_gid),
|
||||
'maximum system UID: @0@'.format(system_uid_max),
|
||||
'maximum system GID: @0@'.format(system_gid_max),
|
||||
'minimum dynamic UID: @0@'.format(dynamic_uid_min),
|
||||
'maximum dynamic UID: @0@'.format(dynamic_uid_max),
|
||||
'minimum container UID base: @0@'.format(container_uid_base_min),
|
||||
'maximum container UID base: @0@'.format(container_uid_base_max),
|
||||
'/dev/kvm access mode: @0@'.format(get_option('dev-kvm-mode')),
|
||||
'render group access mode: @0@'.format(get_option('group-render-mode')),
|
||||
'certificate root directory: @0@'.format(get_option('certificate-root')),
|
||||
|
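Review bot: The four `.to_int()` results in the second hunk are written to config.h and the pkg-config substitutions without any sanity check, so an inverted or empty range is accepted at configure time. With an inverted dynamic range `uid_is_dynamic()` can never match, and with equal container bounds the divisor in `candidate % (CONTAINER_UID_BASE_MAX - CONTAINER_UID_BASE_MIN)` in `uid_shift_pick()` becomes zero. A configure-time `error()` on each range closes this. Overlap between the two ranges, or with the system UID range, is also unchecked, but that could be a follow-up.

```meson
dynamic_uid_max = get_option('dynamic-uid-max').to_int()
if dynamic_uid_min <= 0 or dynamic_uid_min > dynamic_uid_max
        error('dynamic-uid-min must be positive and not larger than dynamic-uid-max')
endif
# … unchanged: conf.set/substs.set for the dynamic range …
container_uid_base_max = get_option('container-uid-base-max').to_int()
if container_uid_base_min <= 0 or container_uid_base_min >= container_uid_base_max
        error('container-uid-base-min must be positive and smaller than container-uid-base-max')
endif
```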
@ -147,6 +147,18 @@ option('system-uid-max', type : 'string',
|
||||
description : 'maximum system UID')
|
||||
option('system-gid-max', type : 'string',
|
||||
description : 'maximum system GID')
|
||||
option('dynamic-uid-min', type : 'string',
|
||||
description : 'minimum dynamic UID',
|
||||
value : '61184') # That's → 0x0000EF00 in hex
|
||||
option('dynamic-uid-max', type : 'string',
|
||||
description : 'maximum dynamic UID',
|
||||
value : '65519') # That's → 0x0000FFEF in hex
|
||||
option('container-uid-base-min', type : 'string',
|
||||
description : 'minimum container UID base',
|
||||
value : '524288') # That's → 0x00080000 in hex
|
||||
option('container-uid-base-max', type : 'string',
|
||||
description : 'maximum container UID base',
|
||||
value : '1878982656') # That's → 0x6FFF0000 in hex
|
||||
option('tty-gid', type : 'string',
|
||||
description : 'the numeric GID of the "tty" group',
|
||||
value : '5')
|
||||
|
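Review bot: The four new option descriptions give no hint of the constraints the defaults encode, and this commit appears to remove the header comments that explained them. Those comments covered 16bit user-namespace compatibility and distance from the overflow/nobody UIDs for the dynamic range, and staying out of the upper half of the 32bit range for the container base because devpts parses `gid=` as signed. Someone overriding the values at configure time has nothing left to read. I would carry the rationale over as comments next to the options, e.g. `# Keep within the 16bit range and away from its upper end, which is often used for overflow/nobody users`, with a matching one for the container base. The stray arrow in `# That's → 0x0000EF00 in hex` and its siblings could go at the same time.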
@ -60,13 +60,6 @@ int take_etc_passwd_lock(const char *root);
|
||||
#define UID_INVALID ((uid_t) -1)
|
||||
#define GID_INVALID ((gid_t) -1)
|
||||
|
||||
/* Let's pick a UIDs within the 16bit range, so that we are compatible with containers using 16bit
|
||||
* user namespacing. At least on Fedora normal users are allocated until UID 60000, hence do not
|
||||
* allocate from below this. Also stay away from the upper end of the range as that is often used
|
||||
* for overflow/nobody users. */
|
||||
#define DYNAMIC_UID_MIN ((uid_t) UINT32_C(0x0000EF00))
|
||||
#define DYNAMIC_UID_MAX ((uid_t) UINT32_C(0x0000FFEF))
|
||||
|
||||
static inline bool uid_is_dynamic(uid_t uid) {
|
||||
return DYNAMIC_UID_MIN <= uid && uid <= DYNAMIC_UID_MAX;
|
||||
}
|
||||
|
@ -29,6 +29,10 @@ modulesloaddir=@modulesloaddir@
|
||||
catalogdir=@catalogdir@
|
||||
systemuidmax=@systemuidmax@
|
||||
systemgidmax=@systemgidmax@
|
||||
dynamicuidmin=@dynamicuidmin@
|
||||
dynamicuidmax=@dynamicuidmax@
|
||||
containeruidbasemin=@containeruidbasemin@
|
||||
containeruidbasemax=@containeruidbasemax@
|
||||
|
||||
Name: systemd
|
||||
Description: systemd System and Service Manager
|
||||
|
@ -21,12 +21,6 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
/* Note that devpts's gid= parameter parses GIDs as signed values, hence we stay away from the upper half of the 32bit
|
||||
* UID range here. We leave a bit of room at the lower end and a lot of room at the upper end, so that other subsystems
|
||||
* may have their own allocation ranges too. */
|
||||
#define UID_SHIFT_PICK_MIN ((uid_t) UINT32_C(0x00080000))
|
||||
#define UID_SHIFT_PICK_MAX ((uid_t) UINT32_C(0x6FFF0000))
|
||||
|
||||
/* While we are chmod()ing a directory tree, we set the top-level UID base to this "busy" base, so that we can always
|
||||
* recognize trees we are were chmod()ing recursively and got interrupted in */
|
||||
#define UID_BUSY_BASE ((uid_t) UINT32_C(0xFFFE0000))
|
||||
|
@ -2862,7 +2862,7 @@ static int uid_shift_pick(uid_t *shift, LockFile *ret_lock_file) {
|
||||
if (--n_tries <= 0)
|
||||
return -EBUSY;
|
||||
|
||||
if (candidate < UID_SHIFT_PICK_MIN || candidate > UID_SHIFT_PICK_MAX)
|
||||
if (candidate < CONTAINER_UID_BASE_MIN || candidate > CONTAINER_UID_BASE_MAX)
|
||||
goto next;
|
||||
if ((candidate & UINT32_C(0xFFFF)) != 0)
|
||||
goto next;
|
||||
@ -2904,7 +2904,7 @@ static int uid_shift_pick(uid_t *shift, LockFile *ret_lock_file) {
|
||||
} else
|
||||
random_bytes(&candidate, sizeof(candidate));
|
||||
|
||||
candidate = (candidate % (UID_SHIFT_PICK_MAX - UID_SHIFT_PICK_MIN)) + UID_SHIFT_PICK_MIN;
|
||||
candidate = (candidate % (CONTAINER_UID_BASE_MAX - CONTAINER_UID_BASE_MIN)) + CONTAINER_UID_BASE_MIN;
|
||||
candidate &= (uid_t) UINT32_C(0xFFFF0000);
|
||||
}
|
||||
}
|
||||
|
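Review bot: A point of style on both changed lines in `uid_shift_pick()`: they now mix the `uid_t` candidate with bare integer literals from config.h, where the old `UID_SHIFT_PICK_*` macros carried a `(uid_t) UINT32_C(...)` cast. With the defaults the result is the same, but the type of the subtraction and the modulus now depends on the magnitude of whatever was configured, and a negative value would be silently converted to a large unsigned one in the range check. Casting at the use site keeps the arithmetic in `uid_t`: `candidate = (candidate % ((uid_t) CONTAINER_UID_BASE_MAX - (uid_t) CONTAINER_UID_BASE_MIN)) + (uid_t) CONTAINER_UID_BASE_MIN;`, with the same casts in the range check. The function body starts and ends outside these hunks.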