build-sys: make the dynamic UID range, and the container UID range configurable

Also, export these ranges in our pkg-config files.

diff --git a/meson.build b/meson.build
index edfa02afbb46574562c4432ed15cb2b1c816894a..ea13dff44a772675b1e98851a65f440e488d54ac 100644 (file)
--- a/meson.build
+++ b/meson.build
@@ -614,9 +614,6 @@ conf.set('SYSTEM_UID_MAX', system_uid_max)
 substs.set('systemuidmax', system_uid_max)
 message('maximum system UID is @0@'.format(system_uid_max))
 
-conf.set_quoted('NOBODY_USER_NAME', get_option('nobody-user'))
-conf.set_quoted('NOBODY_GROUP_NAME', get_option('nobody-group'))
-
 system_gid_max = get_option('system-gid-max')
 if system_gid_max == ''
         system_gid_max = run_command(
@@ -629,6 +626,23 @@ conf.set('SYSTEM_GID_MAX', system_gid_max)
 substs.set('systemgidmax', system_gid_max)
 message('maximum system GID is @0@'.format(system_gid_max))
 
+dynamic_uid_min = get_option('dynamic-uid-min').to_int()
+dynamic_uid_max = get_option('dynamic-uid-max').to_int()
+conf.set('DYNAMIC_UID_MIN', dynamic_uid_min)
+conf.set('DYNAMIC_UID_MAX', dynamic_uid_max)
+substs.set('dynamicuidmin', dynamic_uid_min)
+substs.set('dynamicuidmax', dynamic_uid_max)
+
+container_uid_base_min = get_option('container-uid-base-min').to_int()
+container_uid_base_max = get_option('container-uid-base-max').to_int()
+conf.set('CONTAINER_UID_BASE_MIN', container_uid_base_min)
+conf.set('CONTAINER_UID_BASE_MAX', container_uid_base_max)
+substs.set('containeruidbasemin', container_uid_base_min)
+substs.set('containeruidbasemax', container_uid_base_max)
+
+conf.set_quoted('NOBODY_USER_NAME', get_option('nobody-user'))
+conf.set_quoted('NOBODY_GROUP_NAME', get_option('nobody-group'))
+
 tty_gid = get_option('tty-gid')
 conf.set('TTY_GID', tty_gid)
 substs.set('TTY_GID', tty_gid)
@@ -2506,6 +2520,10 @@ status = [
         'users GID:                         @0@'.format(users_gid),
         'maximum system UID:                @0@'.format(system_uid_max),
         'maximum system GID:                @0@'.format(system_gid_max),
+        'minimum dynamic UID:               @0@'.format(dynamic_uid_min),
+        'maximum dynamic UID:               @0@'.format(dynamic_uid_max),
+        'minimum container UID base:        @0@'.format(container_uid_base_min),
+        'maximum container UID base:        @0@'.format(container_uid_base_max),
         '/dev/kvm access mode:              @0@'.format(get_option('dev-kvm-mode')),
         'render group access mode:          @0@'.format(get_option('group-render-mode')),
         'certificate root directory:        @0@'.format(get_option('certificate-root')),

diff --git a/meson_options.txt b/meson_options.txt
index 8c03b0c6dec292453c117eb3ada32c270d042937..f0c0506ff1b994652826eae3dacd32e27375a936 100644 (file)
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -147,6 +147,18 @@ option('system-uid-max', type : 'string',
        description : 'maximum system UID')
 option('system-gid-max', type : 'string',
        description : 'maximum system GID')
+option('dynamic-uid-min', type : 'string',
+       description : 'minimum dynamic UID',
+       value : '61184') # That's → 0x0000EF00 in hex
+option('dynamic-uid-max', type : 'string',
+       description : 'maximum dynamic UID',
+       value : '65519') # That's → 0x0000FFEF in hex
+option('container-uid-base-min', type : 'string',
+       description : 'minimum container UID base',
+       value : '524288') # That's → 0x00080000 in hex
+option('container-uid-base-max', type : 'string',
+       description : 'maximum container UID base',
+       value : '1878982656') # That's → 0x6FFF0000 in hex
 option('tty-gid', type : 'string',
        description : 'the numeric GID of the "tty" group',
        value : '5')

diff --git a/src/basic/user-util.h b/src/basic/user-util.h
index f13367893e4d57e7ead030b345a7625bda0a135a..855813cc769776788eb941d9f5789e16c9b81cb3 100644 (file)
--- a/src/basic/user-util.h
+++ b/src/basic/user-util.h
@@ -60,13 +60,6 @@ int take_etc_passwd_lock(const char *root);
 #define UID_INVALID ((uid_t) -1)
 #define GID_INVALID ((gid_t) -1)
 
-/* Let's pick a UIDs within the 16bit range, so that we are compatible with containers using 16bit
- * user namespacing. At least on Fedora normal users are allocated until UID 60000, hence do not
- * allocate from below this. Also stay away from the upper end of the range as that is often used
- * for overflow/nobody users. */
-#define DYNAMIC_UID_MIN ((uid_t) UINT32_C(0x0000EF00))
-#define DYNAMIC_UID_MAX ((uid_t) UINT32_C(0x0000FFEF))
-
 static inline bool uid_is_dynamic(uid_t uid) {
         return DYNAMIC_UID_MIN <= uid && uid <= DYNAMIC_UID_MAX;
 }

diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
index 22e8cbda8b6680f4e32197c919f531e6af350456..655773ea8a97df2d4207e5510b8630fbffc02483 100644 (file)
--- a/src/core/systemd.pc.in
+++ b/src/core/systemd.pc.in
@@ -29,6 +29,10 @@ modulesloaddir=@modulesloaddir@
 catalogdir=@catalogdir@
 systemuidmax=@systemuidmax@
 systemgidmax=@systemgidmax@
+dynamicuidmin=@dynamicuidmin@
+dynamicuidmax=@dynamicuidmax@
+containeruidbasemin=@containeruidbasemin@
+containeruidbasemax=@containeruidbasemax@
 
 Name: systemd
 Description: systemd System and Service Manager

diff --git a/src/nspawn/nspawn-def.h b/src/nspawn/nspawn-def.h
index fc3c94064ca18b25e2e389fd59e079f0bc307e4e..43a19d84f5ca90c054c69151e4278c499727fcef 100644 (file)
--- a/src/nspawn/nspawn-def.h
+++ b/src/nspawn/nspawn-def.h
@@ -21,12 +21,6 @@
 
 #include <sys/types.h>
 
-/* Note that devpts's gid= parameter parses GIDs as signed values, hence we stay away from the upper half of the 32bit
- * UID range here. We leave a bit of room at the lower end and a lot of room at the upper end, so that other subsystems
- * may have their own allocation ranges too. */
-#define UID_SHIFT_PICK_MIN ((uid_t) UINT32_C(0x00080000))
-#define UID_SHIFT_PICK_MAX ((uid_t) UINT32_C(0x6FFF0000))
-
 /* While we are chmod()ing a directory tree, we set the top-level UID base to this "busy" base, so that we can always
  * recognize trees we are were chmod()ing recursively and got interrupted in */
 #define UID_BUSY_BASE ((uid_t) UINT32_C(0xFFFE0000))

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index ccf5418ceb67372714d11463dd5fc7dd8e81d948..4b82345d08e1c6f324c38ad82fcb38dc1655c4a1 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2862,7 +2862,7 @@ static int uid_shift_pick(uid_t *shift, LockFile *ret_lock_file) {
                 if (--n_tries <= 0)
                         return -EBUSY;
 
-                if (candidate < UID_SHIFT_PICK_MIN || candidate > UID_SHIFT_PICK_MAX)
+                if (candidate < CONTAINER_UID_BASE_MIN || candidate > CONTAINER_UID_BASE_MAX)
                         goto next;
                 if ((candidate & UINT32_C(0xFFFF)) != 0)
                         goto next;
@@ -2904,7 +2904,7 @@ static int uid_shift_pick(uid_t *shift, LockFile *ret_lock_file) {
                 } else
                         random_bytes(&candidate, sizeof(candidate));
 
-                candidate = (candidate % (UID_SHIFT_PICK_MAX - UID_SHIFT_PICK_MIN)) + UID_SHIFT_PICK_MIN;
+                candidate = (candidate % (CONTAINER_UID_BASE_MAX - CONTAINER_UID_BASE_MIN)) + CONTAINER_UID_BASE_MIN;
                 candidate &= (uid_t) UINT32_C(0xFFFF0000);
         }
 }