git.ipfire.org Git - thirdparty/systemd.git/commit

author	Lennart Poettering <lennart@poettering.net>
	Mon, 10 Mar 2025 10:24:59 +0000 (11:24 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Mon, 17 Mar 2025 15:03:18 +0000 (16:03 +0100)
commit	6431c34b8a8487fb50c9cb850bd7d3bf81ad9e2a
tree	ba237a59849114a4e3711501217ff29c21bb827f	tree \| snapshot
parent	0201114bb7f347015ed4d85256637921dc304fe0	commit \| diff

namespace-util: make "setgroups" users property writable via userns_acquire()

Unprivileged namespaces are only allowed if the "setgroups" file is set
to "deny" for processes. And we need to write it before writing the
gidmap. Hence add a parameter for that.

Then, also patch all current users to actually enable this. The usecase
generally don't need it (because they don't care about unprivileged
userns), but it doesn't hurt to enable the concept anyway in all current
users (none of them actually runs complex userspace in them, but they
mostly use userns_acquire() for idmapped mounts and similar).

Let's anyway make this option explicit in the function call, to indicate
that the concept exists and is applied.

src/basic/namespace-util.c		diff \| blob \| blame \| history
src/basic/namespace-util.h		diff \| blob \| blame \| history
src/core/namespace.c		diff \| blob \| blame \| history
src/home/homework-mount.c		diff \| blob \| blame \| history
src/mountfsd/mountwork.c		diff \| blob \| blame \| history
src/nsresourced/test-userns-restrict.c		diff \| blob \| blame \| history
src/shared/mount-util.c		diff \| blob \| blame \| history
src/test/test-namespace.c		diff \| blob \| blame \| history