From: Sam Leonard Date: Mon, 4 Dec 2023 18:54:40 +0000 (+0000) Subject: vmspawn: add support for --private-users X-Git-Tag: v256-rc1~899^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c05ca33af3e81905b91bcb49c50339737a0f1d08;p=thirdparty%2Fsystemd.git vmspawn: add support for --private-users --- diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c index 89dd1964275..def8eef73c7 100644 --- a/src/vmspawn/vmspawn.c +++ b/src/vmspawn/vmspawn.c @@ -67,6 +67,7 @@ static bool arg_qemu_gui = false; static QemuNetworkStack arg_network_stack = QEMU_NET_NONE; static int arg_secure_boot = -1; static MachineCredentialContext arg_credentials = {}; +static uid_t arg_uid_shift = UID_INVALID, arg_uid_range = 0x10000U; static SettingsMask arg_settings_mask = 0; static char *arg_firmware = NULL; static char *arg_runtime_directory = NULL; @@ -122,6 +123,10 @@ static int help(void) { " --firmware=PATH|list Select firmware definition file (or list available)\n" "\n%3$sSystem Identity:%4$s\n" " -M --machine=NAME Set the machine name for the virtual machine\n" + "\n%3$sUser Namespacing:%4$s\n" + " --private-users=UIDBASE[:NUIDS]\n" + " Configure the UID/GID range to map into the\n" + " virtiofsd namespace\n" "\n%3$sCredentials:%4$s\n" " --set-credential=ID:VALUE\n" " Pass a credential with literal value to the\n" @@ -155,6 +160,7 @@ static int parse_argv(int argc, char *argv[]) { ARG_QEMU_GUI, ARG_NETWORK_USER_MODE, ARG_SECURE_BOOT, + ARG_PRIVATE_USERS, ARG_SET_CREDENTIAL, ARG_LOAD_CREDENTIAL, ARG_FIRMWARE, @@ -180,6 +186,7 @@ static int parse_argv(int argc, char *argv[]) { { "network-tap", no_argument, NULL, 'n' }, { "network-user-mode", no_argument, NULL, ARG_NETWORK_USER_MODE }, { "secure-boot", required_argument, NULL, ARG_SECURE_BOOT }, + { "private-users", required_argument, NULL, ARG_PRIVATE_USERS }, { "set-credential", required_argument, NULL, ARG_SET_CREDENTIAL }, { "load-credential", required_argument, NULL, ARG_LOAD_CREDENTIAL }, { "firmware", required_argument, NULL, ARG_FIRMWARE }, @@ -315,6 +322,12 @@ static int parse_argv(int argc, char *argv[]) { return log_error_errno(r, "Failed to parse --secure-boot=%s: %m", optarg); break; + case ARG_PRIVATE_USERS: + r = parse_userns_uid_range(optarg, &arg_uid_shift, &arg_uid_range); + if (r < 0) + return r; + break; + case ARG_SET_CREDENTIAL: { r = machine_credential_set(&arg_credentials, optarg); if (r < 0) @@ -724,6 +737,24 @@ static int start_virtiofsd(sd_bus *bus, const char *scope, const char *directory if (!ssp.exec_start) return log_oom(); + if (arg_uid_shift != UID_INVALID) { + r = strv_extend(&ssp.exec_start, "--uid-map"); + if (r < 0) + return log_oom(); + + r = strv_extendf(&ssp.exec_start, ":0:" UID_FMT ":" UID_FMT ":", arg_uid_shift, arg_uid_range); + if (r < 0) + return log_oom(); + + r = strv_extend(&ssp.exec_start, "--gid-map"); + if (r < 0) + return log_oom(); + + r = strv_extendf(&ssp.exec_start, ":0:" GID_FMT ":" GID_FMT ":", arg_uid_shift, arg_uid_range); + if (r < 0) + return log_oom(); + } + r = start_socket_service_pair(bus, scope, &ssp); if (r < 0) return r;