From: Lennart Poettering
Date: Fri, 10 Jan 2025 12:49:11 +0000 (+0100)
Subject: userdb: define new 64K "foreign UID" range (#35932)
X-Git-Tag: v258-rc1~1643
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fa8b70f2c8c57904a75d23837df8d86265b913a6;p=thirdparty%2Fsystemd.git

userdb: define new 64K "foreign UID" range (#35932)

This establishes the basic concepts for #35685, in the hope of getting this merged first.

This defines a special, fixed 64K UID range that is supposed to be used by directory container images on disk, that is mapped to a dynamic UID range at runtime (via idmapped mounts). This enables a world where each container can run with a dynamic UID range, but this in no way leaks onto the disk, thus making supposedly dynamic, transient UID range assignments persistent.

This is infrastructure later used for the primary part of #35685: unpriv container execution with directory images inside user's home dirs, that are assigned to this special "foreign UID range".

This PR only defines the ranges, synthesizes NSS records for them via userdb, and then exposes them in a new "systemd-dissect --shift" command that can re-chown a container directory tree into this range (and in fact any range).

This comes with docs. But no tests. There are tests in #35685 that cover all this, but they are more comprehensive and also test nspawn's hook-up with this, hence are excluded from this PR.

---
fa8b70f2c8c57904a75d23837df8d86265b913a6
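The re-chown step the message describes, as an added example that is not systemd's own code: a Python sketch that rebases every UID/GID of an image tree from one 64K range into another, with a dry-run planner so the mapping can be inspected before anything is chowned. The `FOREIGN_UID_BASE` value is a placeholder assumption, not the number systemd defines; ids outside the source range are deliberately left untouched and reported.

```python
import os
from typing import Iterable, List, Optional, Tuple

RANGE_SIZE = 0x10000            # 64K ids per container range
FOREIGN_UID_BASE = 0x7FFF0000   # PLACEHOLDER: consult systemd docs for the real base

Entry = Tuple[str, int, int]    # (path, uid, gid)


def shift_id(id_: int, src_base: int, dst_base: int, size: int = RANGE_SIZE) -> Optional[int]:
    """Rebase id_ from [src_base, src_base+size) into [dst_base, dst_base+size).
    Returns None when id_ is outside the source range, so callers leave it alone
    rather than silently collapsing foreign ownership into the target range."""
    if src_base <= id_ < src_base + size:
        return dst_base + (id_ - src_base)
    return None


def plan_shift(entries: Iterable[Entry], src_base: int, dst_base: int) -> List[Entry]:
    """Dry run: compute the (path, new_uid, new_gid) chown operations for the
    given entries without touching the filesystem. Entries whose uid and gid
    are both outside the source range are skipped."""
    ops: List[Entry] = []
    for path, uid, gid in entries:
        new_uid = shift_id(uid, src_base, dst_base)
        new_gid = shift_id(gid, src_base, dst_base)
        if new_uid is None and new_gid is None:
            continue
        ops.append((path, uid if new_uid is None else new_uid,
                          gid if new_gid is None else new_gid))
    return ops


def collect_tree(root: str) -> List[Entry]:
    """lstat every inode under root exactly once, never following symlinks."""
    st = os.lstat(root)
    entries: List[Entry] = [(root, st.st_uid, st.st_gid)]
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            entries.append((p, st.st_uid, st.st_gid))
    return entries


def apply_shift(root: str, src_base: int, dst_base: int) -> int:
    """Re-chown the tree; lchown keeps symlinks themselves in the range too.
    Needs CAP_CHOWN. Returns the number of inodes changed."""
    ops = plan_shift(collect_tree(root), src_base, dst_base)
    for path, uid, gid in ops:
        os.lchown(path, uid, gid)
    return len(ops)
```

`plan_shift(collect_tree("/path/to/image"), 0, FOREIGN_UID_BASE)` shows the mapping for an image whose files are still owned by host ids 0..65535; running `apply_shift` with the same arguments performs it.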