Also, export these ranges in our pkg-config files.
substs.set('systemuidmax', system_uid_max)
message('maximum system UID is @0@'.format(system_uid_max))
-conf.set_quoted('NOBODY_USER_NAME', get_option('nobody-user'))
-conf.set_quoted('NOBODY_GROUP_NAME', get_option('nobody-group'))
-
system_gid_max = get_option('system-gid-max')
if system_gid_max == ''
system_gid_max = run_command(
substs.set('systemgidmax', system_gid_max)
message('maximum system GID is @0@'.format(system_gid_max))
+dynamic_uid_min = get_option('dynamic-uid-min').to_int()
+dynamic_uid_max = get_option('dynamic-uid-max').to_int()
+conf.set('DYNAMIC_UID_MIN', dynamic_uid_min)
+conf.set('DYNAMIC_UID_MAX', dynamic_uid_max)
+substs.set('dynamicuidmin', dynamic_uid_min)
+substs.set('dynamicuidmax', dynamic_uid_max)
+
+container_uid_base_min = get_option('container-uid-base-min').to_int()
+container_uid_base_max = get_option('container-uid-base-max').to_int()
+conf.set('CONTAINER_UID_BASE_MIN', container_uid_base_min)
+conf.set('CONTAINER_UID_BASE_MAX', container_uid_base_max)
+substs.set('containeruidbasemin', container_uid_base_min)
+substs.set('containeruidbasemax', container_uid_base_max)
+
+conf.set_quoted('NOBODY_USER_NAME', get_option('nobody-user'))
+conf.set_quoted('NOBODY_GROUP_NAME', get_option('nobody-group'))
+
tty_gid = get_option('tty-gid')
conf.set('TTY_GID', tty_gid)
substs.set('TTY_GID', tty_gid)
'users GID: @0@'.format(users_gid),
'maximum system UID: @0@'.format(system_uid_max),
'maximum system GID: @0@'.format(system_gid_max),
+ 'minimum dynamic UID: @0@'.format(dynamic_uid_min),
+ 'maximum dynamic UID: @0@'.format(dynamic_uid_max),
+ 'minimum container UID base: @0@'.format(container_uid_base_min),
+ 'maximum container UID base: @0@'.format(container_uid_base_max),
'/dev/kvm access mode: @0@'.format(get_option('dev-kvm-mode')),
'render group access mode: @0@'.format(get_option('group-render-mode')),
'certificate root directory: @0@'.format(get_option('certificate-root')),
description : 'maximum system UID')
option('system-gid-max', type : 'string',
description : 'maximum system GID')
+option('dynamic-uid-min', type : 'string',
+ description : 'minimum dynamic UID',
+ value : '61184') # That's → 0x0000EF00 in hex
+option('dynamic-uid-max', type : 'string',
+ description : 'maximum dynamic UID',
+ value : '65519') # That's → 0x0000FFEF in hex
+option('container-uid-base-min', type : 'string',
+ description : 'minimum container UID base',
+ value : '524288') # That's → 0x00080000 in hex
+option('container-uid-base-max', type : 'string',
+ description : 'maximum container UID base',
+ value : '1878982656') # That's → 0x6FFF0000 in hex
option('tty-gid', type : 'string',
description : 'the numeric GID of the "tty" group',
value : '5')
#define UID_INVALID ((uid_t) -1)
#define GID_INVALID ((gid_t) -1)
-/* Let's pick a UIDs within the 16bit range, so that we are compatible with containers using 16bit
- * user namespacing. At least on Fedora normal users are allocated until UID 60000, hence do not
- * allocate from below this. Also stay away from the upper end of the range as that is often used
- * for overflow/nobody users. */
-#define DYNAMIC_UID_MIN ((uid_t) UINT32_C(0x0000EF00))
-#define DYNAMIC_UID_MAX ((uid_t) UINT32_C(0x0000FFEF))
-
static inline bool uid_is_dynamic(uid_t uid) {
return DYNAMIC_UID_MIN <= uid && uid <= DYNAMIC_UID_MAX;
}
catalogdir=@catalogdir@
systemuidmax=@systemuidmax@
systemgidmax=@systemgidmax@
+dynamicuidmin=@dynamicuidmin@
+dynamicuidmax=@dynamicuidmax@
+containeruidbasemin=@containeruidbasemin@
+containeruidbasemax=@containeruidbasemax@
Name: systemd
Description: systemd System and Service Manager
#include <sys/types.h>
-/* Note that devpts's gid= parameter parses GIDs as signed values, hence we stay away from the upper half of the 32bit
- * UID range here. We leave a bit of room at the lower end and a lot of room at the upper end, so that other subsystems
- * may have their own allocation ranges too. */
-#define UID_SHIFT_PICK_MIN ((uid_t) UINT32_C(0x00080000))
-#define UID_SHIFT_PICK_MAX ((uid_t) UINT32_C(0x6FFF0000))
-
/* While we are chmod()ing a directory tree, we set the top-level UID base to this "busy" base, so that we can always
* recognize trees we are were chmod()ing recursively and got interrupted in */
#define UID_BUSY_BASE ((uid_t) UINT32_C(0xFFFE0000))
if (--n_tries <= 0)
return -EBUSY;
- if (candidate < UID_SHIFT_PICK_MIN || candidate > UID_SHIFT_PICK_MAX)
+ if (candidate < CONTAINER_UID_BASE_MIN || candidate > CONTAINER_UID_BASE_MAX)
goto next;
if ((candidate & UINT32_C(0xFFFF)) != 0)
goto next;
} else
random_bytes(&candidate, sizeof(candidate));
- candidate = (candidate % (UID_SHIFT_PICK_MAX - UID_SHIFT_PICK_MIN)) + UID_SHIFT_PICK_MIN;
+ candidate = (candidate % (CONTAINER_UID_BASE_MAX - CONTAINER_UID_BASE_MIN)) + CONTAINER_UID_BASE_MIN;
candidate &= (uid_t) UINT32_C(0xFFFF0000);
}
}