From 90d7464d8300aec62799805e21eda7546b5843aa Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 7 Dec 2017 11:35:02 +0100
Subject: [PATCH] manager: taint the manager if the overflowuid/overflowgid aren't set to 65534

---
 src/core/manager.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/core/manager.c b/src/core/manager.c
index 4e0f73f4f80..a773c1e94ba 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -3853,7 +3853,7 @@ int manager_dispatch_user_lookup_fd(sd_event_source *source, int fd, uint32_t re
 }
 
 char *manager_taint_string(Manager *m) {
- _cleanup_free_ char *destination = NULL;
+ _cleanup_free_ char *destination = NULL, *overflowuid = NULL, *overflowgid = NULL;
 char *buf, *e;
 int r;
 
@@ -3864,7 +3864,9 @@ char *manager_taint_string(Manager *m) {
 "local-hwclock:"
 "var-run-bad:"
 "weird-nobody-user:"
- "weird-nobody-group:"));
+ "weird-nobody-group:"
+ "overflowuid-not-65534:"
+ "overflowgid-not-65534:"));
 
 if (!buf)
 return NULL;
@@ -3889,6 +3891,14 @@ char *manager_taint_string(Manager *m) {
 if (!streq(NOBODY_GROUP_NAME, "nobody"))
 e = stpcpy(e, "weird-nobody-group:");
 
+ r = read_one_line_file("/proc/sys/kernel/overflowuid", &overflowuid);
+ if (r >= 0 && !streq(overflowuid, "65534"))
+ e = stpcpy(e, "overflowuid-not-65534:");
+
+ r = read_one_line_file("/proc/sys/kernel/overflowgid", &overflowgid);
+ if (r >= 0 && !streq(overflowgid, "65534"))
+ e = stpcpy(e, "overflowgid-not-65534:");
+
 /* remove the last ':' */
 if (e != buf)
 e[-1] = 0;
-- 
2.47.3
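Review bot: The new checks in the third hunk compare the raw contents of /proc/sys/kernel/overflowuid and overflowgid against the string literal "65534" with streq(), so the expected value is spelled out textually in three places per id (two taint tokens plus the comparison) and any other spelling of the same number (leading zeros, or stray whitespace if read_one_line_file() leaves any — the hunk does not show what it strips) would be reported as tainted. Parsing the line with parse_uid()/parse_gid() and comparing against UID_NOBODY/GID_NOBODY keeps the meaning of 65534 in one place and still treats an unparseable value as tainted; the rewritten checks are below, and `uid_t ouid; gid_t ogid;` would join the locals declared in the first hunk. A read failure (r < 0, e.g. /proc/sys not mounted or masked in a container) silently yields "not tainted", which looks intentional for a diagnostic string; a one-line comment such as `/* unreadable: cannot judge, so do not taint */` above the first read would record that. The enclosing manager_taint_string() starts before and ends after this hunk.
```c
        /* … unchanged: earlier taint checks … */
        r = read_one_line_file("/proc/sys/kernel/overflowuid", &overflowuid);
        if (r >= 0 && (parse_uid(overflowuid, &ouid) < 0 || ouid != UID_NOBODY))
                e = stpcpy(e, "overflowuid-not-65534:");

        r = read_one_line_file("/proc/sys/kernel/overflowgid", &overflowgid);
        if (r >= 0 && (parse_gid(overflowgid, &ogid) < 0 || ogid != GID_NOBODY))
                e = stpcpy(e, "overflowgid-not-65534:");
        /* … unchanged: trailing ':' removal … */
```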