uid-classification: properly classify *all* container UIDs

A bit confusingly CONTAINER_UID_BASE_MAX is just the maximum *base* UID
for a container. Thus, with the usual 64K UID assignments, the last
actual container UID is CONTAINER_UID_BASE_MAX+0xFFFF.

To make this less confusing define CONTAINER_UID_MIN/MAX that add the
missing extra space.

Also adjust two uses where this was mishandled so far, due to this
confusion.

With this change the UID ranges we default to should properly match what
is documented on https://systemd.io/UIDS-GIDS/.

diff --git a/src/basic/uid-classification.h b/src/basic/uid-classification.h
index 5badde148a564daf3dee56d4f31bc3b16c84ce7e..0932123d5ccd6175c7fc7afe3fb72c15df19434f 100644 (file)
--- a/src/basic/uid-classification.h
+++ b/src/basic/uid-classification.h
@@ -4,6 +4,14 @@
 #include <stdbool.h>
 #include <sys/types.h>
 
+/* The container base should have the last 16 bit set to zero */
+assert_cc((CONTAINER_UID_BASE_MIN & 0xFFFFU) == 0);
+assert_cc((CONTAINER_UID_BASE_MAX & 0xFFFFU) == 0);
+
+/* Given we assign 64K UIDs to containers, the last container UID is 0xFFFF larger than the base */
+#define CONTAINER_UID_MIN (CONTAINER_UID_BASE_MIN)
+#define CONTAINER_UID_MAX (CONTAINER_UID_BASE_MAX + 0xFFFFU)
+
 bool uid_is_system(uid_t uid);
 bool gid_is_system(gid_t gid);
 
@@ -16,7 +24,7 @@ static inline bool gid_is_dynamic(gid_t gid) {
 }
 
 static inline bool uid_is_container(uid_t uid) {
-        return CONTAINER_UID_BASE_MIN <= uid && uid <= CONTAINER_UID_BASE_MAX;
+        return CONTAINER_UID_MIN <= uid && uid <= CONTAINER_UID_MAX;
 }
 
 static inline bool gid_is_container(gid_t gid) {

diff --git a/src/home/homework-mount.c b/src/home/homework-mount.c
index 28f09b939feeca0891926c66c2d9af06ed428174..0907a96e473230f22af294781785f11e41c5ce1d 100644 (file)
--- a/src/home/homework-mount.c
+++ b/src/home/homework-mount.c
@@ -20,6 +20,7 @@
 #include "namespace-util.h"
 #include "path-util.h"
 #include "string-util.h"
+#include "uid-classification.h"
 #include "user-util.h"
 
 static const char *mount_options_for_fstype(const char *fstype) {
@@ -215,7 +216,7 @@ static int make_home_userns(uid_t stored_uid, uid_t exposed_uid) {
         /* Also map the container range. People can use that to place containers owned by high UIDs in their
          * home directories if they really want. We won't manage this UID range for them but pass it through
          * 1:1, and it will lose its meaning once migrated between hosts. */
-        r = append_identity_range(&text, CONTAINER_UID_BASE_MIN, CONTAINER_UID_BASE_MAX+1, stored_uid);
+        r = append_identity_range(&text, CONTAINER_UID_MIN, CONTAINER_UID_MAX+1, stored_uid);
         if (r < 0)
                 return log_oom();
 

diff --git a/src/userdb/userdbctl.c b/src/userdb/userdbctl.c
index 16c8f385d696bb6694dc7ebace8191126a390e05..cbbd9b10b5e66ee1b5c30da02028f269b6ddaff7 100644 (file)
--- a/src/userdb/userdbctl.c
+++ b/src/userdb/userdbctl.c
@@ -17,6 +17,7 @@
 #include "socket-util.h"
 #include "strv.h"
 #include "terminal-util.h"
+#include "uid-classification.h"
 #include "uid-range.h"
 #include "user-record-show.h"
 #include "user-util.h"
@@ -156,8 +157,8 @@ static const struct {
                 .disposition = USER_DYNAMIC,
         },
         {
-                .first = CONTAINER_UID_BASE_MIN,
-                .last = CONTAINER_UID_BASE_MAX,
+                .first = CONTAINER_UID_MIN,
+                .last = CONTAINER_UID_MAX,
                 .name = "container",
                 .disposition = USER_CONTAINER,
         },