From 2641ff693f715dd5094c56c59e0e660b9b35c9e2 Mon Sep 17 00:00:00 2001
From: Ryan Wilson <ryantimwilson@meta.com>
Date: Thu, 5 Dec 2024 08:31:42 -0800
Subject: [PATCH] Temporary workaround: PrivateUsers=full implies
DelegateNamespaces=yes
---
src/core/exec-invoke.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index 8305bb2bcf..8c2a689d6e 100644
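--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -4061,6 +4061,9 @@ static bool exec_context_need_unprivileged_private_users(
 assert(context);
 assert(params);
 
+ if (context->private_users == PRIVATE_USERS_FULL)
+ return true;
+
 /* These options require PrivateUsers= when used in user units, as we need to be in a user namespace
 * to have permission to enable them when not running as root. If we have effective CAP_SYS_ADMIN
 * (system manager) then we have privileges and don't need this. */
@@ -5015,7 +5018,7 @@ int exec_invoke(
 
 /* The kernel requires /proc/pid/setgroups be set to "deny" prior to writing /proc/pid/gid_map in
 * unprivileged user namespaces. */
- r = setup_private_users(pu, saved_uid, saved_gid, uid, gid, /* allow_setgroups= */ false);
+ r = setup_private_users(pu, saved_uid, saved_gid, uid, gid, /* allow_setgroups= */ params->runtime_scope != RUNTIME_SCOPE_USER);
 /* If it was requested explicitly and we can't set it up, fail early. Otherwise, continue and let
 * the actual requested operations fail (or silently continue). */
 if (r < 0 && context->private_users != PRIVATE_USERS_NO) {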
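Review bot: In the second hunk (`exec_invoke`), `allow_setgroups` is now derived from `params->runtime_scope != RUNTIME_SCOPE_USER`, which uses the manager's scope as a stand-in for privilege and applies to every `pu` value that reaches this call. The comment directly above still describes only the unconditional "deny" case. Leaving setgroups enabled lets processes in the new namespace drop supplementary groups, which matters wherever group membership is used to deny access. It would be tighter to limit it to the mode that needs it, e.g. `/* allow_setgroups= */ pu == PRIVATE_USERS_FULL && params->runtime_scope != RUNTIME_SCOPE_USER`, and to update the comment to say why. The early `return true` in the first hunk also deserves a comment such as `/* Temporary workaround: PrivateUsers=full implies DelegateNamespaces=yes */`; both functions continue outside the hunks, so which `pu` values reach this call in system scope is inferred.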
--
2.43.5