homed: when setting up an idmapping map foreign UID range on itself

Now that nspawn can run unprivileged off directory trees owned by
the new "foreign" UID range let's make sure homed actually allows
files owned by that range in the home directories.

This is not enough to make nspawn just work in homed home dirs
unfortunately though. that's because homed applies an idmapping, and
nspawn would need to then to take that idmapped mount and apply another
one, and the kernel simply doesn't support stacked idmapped mounts.
There's work ongoing to address that in the kernel.

However, this is a first step, and should be enough to make things just
work should the kernel eventually support stacked idmapped mounts.

diff --git a/src/home/homework-mount.c b/src/home/homework-mount.c
index 0907a96e473230f22af294781785f11e41c5ce1d..8d32adb2707ddf5ddae1f57870f299a6fa41caab 100644 (file)
--- a/src/home/homework-mount.c
+++ b/src/home/homework-mount.c
@@ -220,6 +220,11 @@ static int make_home_userns(uid_t stored_uid, uid_t exposed_uid) {
         if (r < 0)
                 return log_oom();
 
+        /* Map the foreign range 1:1. After all  what is foreign should remain foreign. */
+        r = append_identity_range(&text, FOREIGN_UID_MIN, FOREIGN_UID_MAX+1, stored_uid);
+        if (r < 0)
+                return log_oom();
+
         /* Map nspawn's mapped root UID as identity mapping so that people can run nspawn uidmap mounted
          * containers off $HOME, if they want. */
         r = strextendf(&text, UID_FMT " " UID_FMT " " UID_FMT "\n", UID_MAPPED_ROOT, UID_MAPPED_ROOT, 1u);