nspawn: fix user namespace support
authorLennart Poettering <lennart@poettering.net>
Wed, 30 Sep 2015 10:48:17 +0000 (12:48 +0200)
committerLennart Poettering <lennart@poettering.net>
Wed, 30 Sep 2015 10:48:17 +0000 (12:48 +0200)
We didn't actually pass ownership of /run to the UID in the container
since some releases, let's fix that.

src/nspawn/nspawn-mount.c
src/nspawn/nspawn-mount.h
src/nspawn/nspawn.c

index 1b1180ea353b909bb7e06e5f7999a8888528eafa..85e81b43fe27e147668517502f502f5920a6c5d9 100644 (file)
@@ -217,7 +217,8 @@ static int tmpfs_patch_options(
 }
 
 int mount_all(const char *dest,
-              bool userns, uid_t uid_shift, uid_t uid_range,
+              bool use_userns, bool in_userns,
+              uid_t uid_shift, uid_t uid_range,
               const char *selinux_apifs_context) {
 
         typedef struct MountPoint {
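Review bot: The new `use_userns` and `in_userns` parameters are undocumented at the definition, and nothing in the signature says how the two differ; a reader has to go find both callers in nspawn.c. From the later hunks, `in_userns` decides which mount_table rows are considered (compared against `.userns`) while `use_userns` is only forwarded to tmpfs_patch_options, so I would put above the signature: `/* use_userns: user namespacing is enabled for the container (forwarded to tmpfs_patch_options); in_userns: the caller already runs inside the container's user namespace, which selects the matching mount_table rows */`. The body of mount_all continues past the end of this hunk.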
@@ -252,7 +253,7 @@ int mount_all(const char *dest,
                 _cleanup_free_ char *where = NULL, *options = NULL;
                 const char *o;
 
-                if (userns != mount_table[k].userns)
+                if (in_userns != mount_table[k].userns)
                         continue;
 
                 where = prefix_root(dest, mount_table[k].where);
@@ -278,7 +279,7 @@ int mount_all(const char *dest,
 
                 o = mount_table[k].options;
                 if (streq_ptr(mount_table[k].type, "tmpfs")) {
-                        r = tmpfs_patch_options(o, userns, uid_shift, uid_range, selinux_apifs_context, &options);
+                        r = tmpfs_patch_options(o, use_userns, uid_shift, uid_range, selinux_apifs_context, &options);
                         if (r < 0)
                                 return log_oom();
                         if (r > 0)
index 5abd44cc4ba98fdb901a56d7fffb8c4b51f40173..da4986add0319797cc43ee48e8160c82673c6aa5 100644 (file)
@@ -57,7 +57,7 @@ int tmpfs_mount_parse(CustomMount **l, unsigned *n, const char *s);
 
 int custom_mount_compare(const void *a, const void *b);
 
-int mount_all(const char *dest, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context);
+int mount_all(const char *dest, bool use_userns, bool in_userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context);
 
 int mount_cgroups(const char *dest, bool unified_requested, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context);
 int mount_systemd_cgroup_writable(const char *dest, bool unified_requested);
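Review bot: `mount_cgroups`, on the context line just below the changed prototype, still takes a single `bool userns` while `mount_all` now separates `use_userns` from `in_userns`; whether that function needs the same split is not visible here, but the asymmetry is worth checking, since a single flag is exactly the shape this commit is moving away from for `mount_all`. If keeping one flag there is intentional, a short comment on the `mount_all` prototype naming what each of its two flags means would stop readers from assuming the `userns` of `mount_cgroups` matches either one.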
index 8bf04d849baaa71dcee19062da2f2fc88c91f0ed..9f60f41b986bd06e0e2e3e32bf1d51f4d1ea977d 100644 (file)
@@ -2450,7 +2450,7 @@ static int inner_child(
                 }
         }
 
-        r = mount_all(NULL, true, arg_uid_shift, arg_uid_range, arg_selinux_apifs_context);
+        r = mount_all(NULL, arg_userns, true, arg_uid_shift, arg_uid_range, arg_selinux_apifs_context);
         if (r < 0)
                 return r;
 
@@ -2701,7 +2701,7 @@ static int outer_child(
                         return log_error_errno(r, "Failed to make tree read-only: %m");
         }
 
-        r = mount_all(directory, false, arg_uid_shift, arg_uid_range, arg_selinux_apifs_context);
+        r = mount_all(directory, arg_userns, false, arg_uid_shift, arg_uid_range, arg_selinux_apifs_context);
         if (r < 0)
                 return r;