mirror of
https://github.com/systemd/systemd.git
synced 2025-01-25 10:04:04 +03:00
8aee931e7a
This adds a small, socket-activated Varlink daemon that can delegate UID ranges for user namespaces to clients asking for it. The primary call is AllocateUserRange() where the user passes in an uninitialized userns fd, which is then set up. There are other calls that allow assigning a mount fd to a userns allocated that way, to set up permissions for a cgroup subtree, and to allocate a veth for such a user namespace. Since the UID assignments are supposed to be transitive, i.e. not permanent, care is taken to ensure that users cannot create inodes owned by these UIDs, so that persistancy cannot be acquired. This is implemented via a BPF-LSM module that ensures that any member of a userns allocated that way cannot create files unless the mount it operates on is owned by the userns itself, or is explicitly allowelisted. BPF LSM program with contributions from Alexei Starovoitov.
32 lines
1.0 KiB
SYSTEMD
32 lines
1.0 KiB
SYSTEMD
# SPDX-License-Identifier: MIT-0
|
|
#
|
|
# This config file is installed as part of systemd.
|
|
# It may be freely copied and edited (following the MIT No Attribution license).
|
|
#
|
|
# To make local modifications, one of the following methods may be used:
|
|
# 1. add a drop-in file that extends this file by creating the
|
|
# /etc/systemd/network/80-namespace-ns.network.d/ directory and creating a
|
|
# new .conf file there.
|
|
# 2. copy this file into /etc/systemd/network or one of the other paths checked
|
|
# by systemd-networkd and edit it there.
|
|
# This file should not be edited in place, because it'll be overwritten on upgrades.
|
|
|
|
# This network file matches the host-side of the virtual Ethernet link
|
|
# created by systemd-nsresourced's network support. See systemd-nsresourced(1) for
|
|
# details.
|
|
|
|
[Match]
|
|
Kind=veth
|
|
Name=ns-*
|
|
|
|
[Network]
|
|
# Default to using a /28 prefix, giving up to 13 addresses per namespace
|
|
Address=0.0.0.0/28
|
|
LinkLocalAddressing=yes
|
|
DHCPServer=yes
|
|
IPMasquerade=both
|
|
LLDP=yes
|
|
EmitLLDP=customer-bridge
|
|
IPv6AcceptRA=no
|
|
IPv6SendRA=yes
|