From: Yu Watanabe
Date: Mon, 17 Mar 2025 22:34:03 +0000 (+0900)
Subject: nsresourced,vmspawn: allow unpriv "tap" based networking in vmspawn (#36688)
X-Git-Tag: v258-rc1~1062
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8e29a5b9b3ef8f36b6de1194bd02761ff8ca142f;p=thirdparty%2Fsystemd.git

nsresourced,vmspawn: allow unpriv "tap" based networking in vmspawn (#36688)

This extends nsresourced to also allow delegation of a network tap device (in addition to veth) to unpriv clients, with a strictly enforced naming scheme.

Also tightens security on a couple of things:

* enforces polkit on all nsresourced ops too (though by default still everything is allowed)
* puts a limit on delegated network devices
* forcibly cleans up delegated network devices when the userns goes away
---

8e29a5b9b3ef8f36b6de1194bd02761ff8ca142f