From: Yu Watanabe
Date: Sat, 15 Nov 2025 19:46:18 +0000 (+0900)
Subject: nspawn: Prevent invalid UIDs propagating in bind mounts (#39729)
X-Git-Tag: v259-rc1~42
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c9fc7eb87e24b86bf6587985d076ff88e2fe4529;p=thirdparty%2Fsystemd.git

Commit 88fce090263ba8944cf491346eae2e8022dfd88d modified the mount_bind() function, causing it to perform arithmetic on the uid_shift parameter. However, it performs this arithmetic even when uid_shift was UID_INVALID, which was not intended.

This typically occurred when mount_custom() was called for a simple bind mount without user namespaces (and thus no rootidmap mount option). This arithmetic (e.g., uid_shift + m->destination_uid) then wraps around, resulting in the invalid ID 4294967295 ((uid_t)-1).

This bug manifests for users running systemd-nspawn with --link-journal=host and --volatile=yes (but without --private-users), causing systemd-tmpfiles to fail.

Make mount_bind() robust by checking if uid_shift is valid before using it in arithmetic. If it is UID_INVALID, it defaults to a shift of 0 for the ownership calculation, restoring correct behavior for plain bind mounts while preserving the intended logic for ID-mapped mounts.

Fixes: #39714
---
c9fc7eb87e24b86bf6587985d076ff88e2fe4529
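
A simplified model of the ownership calculation the commit message describes, added here as an example; it is not systemd's code. The function names `owner_uid_unchecked` and `owner_uid_checked` are hypothetical, and the overflow check in the second function is an extra guard that goes beyond what the commit message states.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Sentinel named in the commit message: (uid_t)-1 == 4294967295. */
#define UID_INVALID ((uid_t) -1)

static int uid_is_valid(uid_t uid) {
        return uid != UID_INVALID;
}

/* Behaviour before the fix, as described: the shift is added
 * unconditionally, even when it is the UID_INVALID sentinel. */
uid_t owner_uid_unchecked(uid_t uid_shift, uid_t destination_uid) {
        return uid_shift + destination_uid;
}

/* Behaviour after the fix, as described: an invalid shift counts as 0.
 * Assumption for this example only: a sum that wraps or lands on the
 * sentinel is rejected with -EOVERFLOW instead of being handed to chown(). */
int owner_uid_checked(uid_t uid_shift, uid_t destination_uid, uid_t *ret) {
        uid_t base = uid_is_valid(uid_shift) ? uid_shift : 0;
        uid_t sum = base + destination_uid;

        if (sum < base || !uid_is_valid(sum))
                return -EOVERFLOW;

        *ret = sum;
        return 0;
}

int main(void) {
        uid_t uid = 0;

        /* Plain bind mount: no user namespace, so the shift is UID_INVALID. */
        printf("before: %u\n", (unsigned) owner_uid_unchecked(UID_INVALID, 0));
        if (owner_uid_checked(UID_INVALID, 0, &uid) == 0)
                printf("after:  %u\n", (unsigned) uid);

        /* ID-mapped case: a valid shift is still applied. */
        if (owner_uid_checked(65536, 1000, &uid) == 0)
                printf("mapped: %u\n", (unsigned) uid);
        return 0;
}
```

With a nonzero destination UID the unchecked sum wraps to a small, valid-looking UID rather than the sentinel, so a check on the result alone would not catch it; the shift has to be validated before the addition.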