13935887515

Committed 18 Mar 2025 07:10PM UTC coverage: 71.913% (-0.03%) from 71.946%

Build # 13935887515

Build Type

push

github

Committed by

web-flow

Commit Message

Several fixes and cleanups around sd_listen_fds() (#36788)

Coverage Stats

15 of 24 new or added lines in 5 files covered. (62.5%)

993 existing lines in 54 files now uncovered.

296157 of 411825 relevant lines covered (71.91%)

710024.94 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

82.25

/src/nspawn/nspawn-bind-user.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include "chase.h"
#include "fd-util.h"
#include "fileio.h"
#include "format-util.h"
#include "json-util.h"
#include "nspawn.h"
#include "nspawn-bind-user.h"
#include "path-util.h"
#include "user-util.h"
#include "userdb.h"

static int check_etc_passwd_collisions(
                const char *directory,
                const char *name,
                uid_t uid) {

        _cleanup_fclose_ FILE *f = NULL;
        int r;

        assert(directory);
        assert(name || uid_is_valid(uid));

        r = chase_and_fopen_unlocked("/etc/passwd", directory, CHASE_PREFIX_ROOT, "re", NULL, &f);
        if (r == -ENOENT)
                return 0; /* no user database? then no user, hence no collision */
        if (r < 0)
                return log_error_errno(r, "Failed to open /etc/passwd of container: %m");

        for (;;) {
                struct passwd *pw;

                r = fgetpwent_sane(f, &pw);
                if (r < 0)
                        return log_error_errno(r, "Failed to iterate through /etc/passwd of container: %m");
                if (r == 0) /* EOF */
                        return 0; /* no collision */

                if (name && streq_ptr(pw->pw_name, name))
                        return 1; /* name collision */
                if (uid_is_valid(uid) && pw->pw_uid == uid)
                        return 1; /* UID collision */
        }
}

static int check_etc_group_collisions(
                const char *directory,
                const char *name,
                gid_t gid) {

        _cleanup_fclose_ FILE *f = NULL;
        int r;

        assert(directory);
        assert(name || gid_is_valid(gid));

        r = chase_and_fopen_unlocked("/etc/group", directory, CHASE_PREFIX_ROOT, "re", NULL, &f);
        if (r == -ENOENT)
                return 0; /* no group database? then no group, hence no collision */
        if (r < 0)
                return log_error_errno(r, "Failed to open /etc/group of container: %m");

        for (;;) {
                struct group *gr;

                r = fgetgrent_sane(f, &gr);
                if (r < 0)
                        return log_error_errno(r, "Failed to iterate through /etc/group of container: %m");
                if (r == 0)
                        return 0; /* no collision */

                if (name && streq_ptr(gr->gr_name, name))
                        return 1; /* name collision */
                if (gid_is_valid(gid) && gr->gr_gid == gid)
                        return 1; /* gid collision */
        }
}

static int convert_user(
                const char *directory,
                UserRecord *u,
                GroupRecord *g,
                uid_t allocate_uid,
                UserRecord **ret_converted_user,
                GroupRecord **ret_converted_group) {

        _cleanup_(group_record_unrefp) GroupRecord *converted_group = NULL;
        _cleanup_(user_record_unrefp) UserRecord *converted_user = NULL;
        _cleanup_free_ char *h = NULL;
        sd_json_variant *p, *hp = NULL, *ssh = NULL;
        int r;

        assert(u);
        assert(g);
        assert(user_record_gid(u) == g->gid);

        r = check_etc_passwd_collisions(directory, u->user_name, UID_INVALID);
        if (r < 0)
                return r;
        if (r > 0)
                return log_error_errno(SYNTHETIC_ERRNO(EBUSY),
                                       "Sorry, the user '%s' already exists in the container.", u->user_name);

        r = check_etc_group_collisions(directory, g->group_name, GID_INVALID);
        if (r < 0)
                return r;
        if (r > 0)
                return log_error_errno(SYNTHETIC_ERRNO(EBUSY),
                                       "Sorry, the group '%s' already exists in the container.", g->group_name);

        h = path_join("/run/host/home/", u->user_name);
        if (!h)
                return log_oom();

        /* Acquire the source hashed password array as-is, so that it retains the JSON_VARIANT_SENSITIVE flag */
        p = sd_json_variant_by_key(u->json, "privileged");
        if (p) {
                hp = sd_json_variant_by_key(p, "hashedPassword");
                ssh = sd_json_variant_by_key(p, "sshAuthorizedKeys");
        }

        r = user_record_build(
                        &converted_user,
                        SD_JSON_BUILD_OBJECT(
                                        SD_JSON_BUILD_PAIR("userName", SD_JSON_BUILD_STRING(u->user_name)),
                                        SD_JSON_BUILD_PAIR("uid", SD_JSON_BUILD_UNSIGNED(allocate_uid)),
                                        SD_JSON_BUILD_PAIR("gid", SD_JSON_BUILD_UNSIGNED(allocate_uid)),
                                        SD_JSON_BUILD_PAIR_CONDITION(u->disposition >= 0, "disposition", SD_JSON_BUILD_STRING(user_disposition_to_string(u->disposition))),
                                        SD_JSON_BUILD_PAIR("homeDirectory", SD_JSON_BUILD_STRING(h)),
                                        SD_JSON_BUILD_PAIR("service", JSON_BUILD_CONST_STRING("io.systemd.NSpawn")),
                                        SD_JSON_BUILD_PAIR("privileged", SD_JSON_BUILD_OBJECT(
                                                                           SD_JSON_BUILD_PAIR_CONDITION(!strv_isempty(u->hashed_password), "hashedPassword", SD_JSON_BUILD_VARIANT(hp)),
                                                                           SD_JSON_BUILD_PAIR_CONDITION(!!ssh, "sshAuthorizedKeys", SD_JSON_BUILD_VARIANT(ssh))))));
        if (r < 0)
                return log_error_errno(r, "Failed to build container user record: %m");

        r = group_record_build(
                        &converted_group,
                        SD_JSON_BUILD_OBJECT(
                                        SD_JSON_BUILD_PAIR("groupName", SD_JSON_BUILD_STRING(g->group_name)),
                                        SD_JSON_BUILD_PAIR("gid", SD_JSON_BUILD_UNSIGNED(allocate_uid)),
                                        SD_JSON_BUILD_PAIR_CONDITION(g->disposition >= 0, "disposition", SD_JSON_BUILD_STRING(user_disposition_to_string(g->disposition))),
                                        SD_JSON_BUILD_PAIR("service", JSON_BUILD_CONST_STRING("io.systemd.NSpawn"))));
        if (r < 0)
                return log_error_errno(r, "Failed to build container group record: %m");

        *ret_converted_user = TAKE_PTR(converted_user);
        *ret_converted_group = TAKE_PTR(converted_group);

        return 0;
}

static int find_free_uid(const char *directory, uid_t max_uid, uid_t *current_uid) {
        int r;

        assert(directory);
        assert(current_uid);

        for (;; (*current_uid)++) {
                if (*current_uid > MAP_UID_MAX || *current_uid > max_uid)
                        return log_error_errno(
                                        SYNTHETIC_ERRNO(EBUSY),
                                        "No suitable available UID in range " UID_FMT "…" UID_FMT " in container detected, can't map user.",
                                        MAP_UID_MIN, MAP_UID_MAX);

                r = check_etc_passwd_collisions(directory, NULL, *current_uid);
                if (r < 0)
                        return r;
                if (r > 0) /* already used */
                        continue;

                /* We want to use the UID also as GID, hence check for it in /etc/group too */
                r = check_etc_group_collisions(directory, NULL, (gid_t) *current_uid);
                if (r <= 0)
                        return r;
        }
}

BindUserContext* bind_user_context_free(BindUserContext *c) {
        if (!c)
                return NULL;

        FOREACH_ARRAY(d, c->data, c->n_data) {
                user_record_unref(d->host_user);
                group_record_unref(d->host_group);
                user_record_unref(d->payload_user);
                group_record_unref(d->payload_group);
        }

        return mfree(c);
}

int bind_user_prepare(
                const char *directory,
                char **bind_user,
                uid_t uid_shift,
                uid_t uid_range,
                CustomMount **custom_mounts,
                size_t *n_custom_mounts,
                BindUserContext **ret) {

        _cleanup_(bind_user_context_freep) BindUserContext *c = NULL;
        uid_t current_uid = MAP_UID_MIN;
        int r;

        assert(custom_mounts);
        assert(n_custom_mounts);
        assert(ret);

        /* This resolves the users specified in 'bind_user', generates a minimalized JSON user + group record
         * for it to stick in the container, allocates a UID/GID for it, and updates the custom mount table,
         * to include an appropriate bind mount mapping.
         *
         * This extends the passed custom_mounts/n_custom_mounts with the home directories, and allocates a
         * new BindUserContext for the user records */

        if (strv_isempty(bind_user)) {
                *ret = NULL;
                return 0;
        }

        c = new0(BindUserContext, 1);
        if (!c)
                return log_oom();

        STRV_FOREACH(n, bind_user) {
                _cleanup_(user_record_unrefp) UserRecord *u = NULL, *cu = NULL;
                _cleanup_(group_record_unrefp) GroupRecord *g = NULL, *cg = NULL;
                _cleanup_free_ char *sm = NULL, *sd = NULL;

                r = userdb_by_name(*n, /* match= */ NULL, USERDB_DONT_SYNTHESIZE_INTRINSIC|USERDB_DONT_SYNTHESIZE_FOREIGN, &u);
                if (r < 0)
                        return log_error_errno(r, "Failed to resolve user '%s': %m", *n);

                /* For now, let's refuse mapping the root/nobody users explicitly. The records we generate
                 * are strictly additive, nss-systemd is typically placed last in /etc/nsswitch.conf. Thus
                 * even if we wanted, we couldn't override the root or nobody user records. Note we also
                 * check for name conflicts in /etc/passwd + /etc/group later on, which would usually filter
                 * out root/nobody too, hence these checks might appear redundant — but they actually are
                 * not, as we want to support environments where /etc/passwd and /etc/group are non-existent,
                 * and the user/group databases fully synthesized at runtime. Moreover, the name of the
                 * user/group name of the "nobody" account differs between distros, hence a check by numeric
                 * UID is safer. */
                if (user_record_is_root(u))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Mapping 'root' user not supported, sorry.");

                if (user_record_is_nobody(u))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Mapping 'nobody' user not supported, sorry.");

                if (!uid_is_valid(u->uid))
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot bind user with no UID, refusing.");

                if (u->uid >= uid_shift && u->uid < uid_shift + uid_range)
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "UID of user '%s' to map is already in container UID range, refusing.", u->user_name);

                r = groupdb_by_gid(user_record_gid(u), /* match= */ NULL, USERDB_DONT_SYNTHESIZE_INTRINSIC|USERDB_DONT_SYNTHESIZE_FOREIGN, &g);
                if (r < 0)
                        return log_error_errno(r, "Failed to resolve group of user '%s': %m", u->user_name);

                if (g->gid >= uid_shift && g->gid < uid_shift + uid_range)
                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "GID of group '%s' to map is already in container GID range, refusing.", g->group_name);

                /* We want to synthesize exactly one user + group from the host into the container. This only
                 * makes sense if the user on the host has its own private group. We can't reasonably check
                 * this, so we just check of the name of user and group match.
                 *
                 * One of these days we might want to support users in a shared/common group too, but it's
                 * not clear to me how this would have to be mapped, precisely given that the common group
                 * probably already exists in the container. */
                if (!streq(u->user_name, g->group_name))
                        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
                                               "Sorry, mapping users without private groups is currently not supported.");

                r = find_free_uid(directory, uid_range, &current_uid);
                if (r < 0)
                        return r;

                r = convert_user(directory, u, g, current_uid, &cu, &cg);
                if (r < 0)
                        return r;

                if (!GREEDY_REALLOC(c->data, c->n_data + 1))
                        return log_oom();

                sm = strdup(user_record_home_directory(u));
                if (!sm)
                        return log_oom();

                sd = strdup(user_record_home_directory(cu));
                if (!sd)
                        return log_oom();

                if (!GREEDY_REALLOC(*custom_mounts, *n_custom_mounts + 1))
                        return log_oom();

                (*custom_mounts)[(*n_custom_mounts)++] = (CustomMount) {
                        .type = CUSTOM_MOUNT_BIND,
                        .source = TAKE_PTR(sm),
                        .destination = TAKE_PTR(sd),
                };

                c->data[c->n_data++] = (BindUserData) {
                        .host_user = TAKE_PTR(u),
                        .host_group = TAKE_PTR(g),
                        .payload_user = TAKE_PTR(cu),
                        .payload_group = TAKE_PTR(cg),
                };

                current_uid++;
        }

        *ret = TAKE_PTR(c);
        return 1;
}

static int write_and_symlink(
                const char *root,
                sd_json_variant *v,
                const char *name,
                uid_t uid,
                const char *suffix,
                WriteStringFileFlags extra_flags) {

        _cleanup_free_ char *j = NULL, *f = NULL, *p = NULL, *q = NULL;
        int r;

        assert(root);
        assert(v);
        assert(name);
        assert(uid_is_valid(uid));
        assert(suffix);

        r = sd_json_variant_format(v, SD_JSON_FORMAT_NEWLINE, &j);
        if (r < 0)
                return log_error_errno(r, "Failed to format user record JSON: %m");

        f = strjoin(name, suffix);
        if (!f)
                return log_oom();

        p = path_join(root, "/run/host/userdb/", f);
        if (!p)
                return log_oom();

        if (asprintf(&q, "%s/run/host/userdb/" UID_FMT "%s", root, uid, suffix) < 0)
                return log_oom();

        if (symlink(f, q) < 0)
                return log_error_errno(errno, "Failed to create symlink '%s': %m", q);

        r = userns_lchown(q, 0, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to adjust access mode of '%s': %m", q);

        r = write_string_file(p, j, WRITE_STRING_FILE_CREATE|extra_flags);
        if (r < 0)
                return log_error_errno(r, "Failed to write %s: %m", p);

        r = userns_lchown(p, 0, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to adjust access mode of '%s': %m", p);

        return 0;
}

int bind_user_setup(
                const BindUserContext *c,
                const char *root) {

        static const UserRecordLoadFlags strip_flags = /* Removes privileged info */
                USER_RECORD_REQUIRE_REGULAR|
                USER_RECORD_STRIP_PRIVILEGED|
                USER_RECORD_ALLOW_PER_MACHINE|
                USER_RECORD_ALLOW_BINDING|
                USER_RECORD_ALLOW_SIGNATURE|
                USER_RECORD_PERMISSIVE;
        static const UserRecordLoadFlags shadow_flags = /* Extracts privileged info */
                USER_RECORD_STRIP_REGULAR|
                USER_RECORD_ALLOW_PRIVILEGED|
                USER_RECORD_STRIP_PER_MACHINE|
                USER_RECORD_STRIP_BINDING|
                USER_RECORD_STRIP_SIGNATURE|
                USER_RECORD_EMPTY_OK|
                USER_RECORD_PERMISSIVE;
        int r;

        assert(root);

        if (!c || c->n_data == 0)
                return 0;

        r = make_run_host(root);
        if (r < 0)
                return r;

        r = userns_mkdir(root, "/run/host/home", 0755, 0, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to create /run/host/home: %m");

        r = userns_mkdir(root, "/run/host/userdb", 0755, 0, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to create /run/host/userdb: %m");

        FOREACH_ARRAY(d, c->data, c->n_data) {
                _cleanup_(group_record_unrefp) GroupRecord *stripped_group = NULL, *shadow_group = NULL;
                _cleanup_(user_record_unrefp) UserRecord *stripped_user = NULL, *shadow_user = NULL;

                /* First, write shadow (i.e. privileged) data for group record */
                r = group_record_clone(d->payload_group, shadow_flags, &shadow_group);
                if (r < 0)
                        return log_error_errno(r, "Failed to extract privileged information from group record: %m");

                if (!sd_json_variant_is_blank_object(shadow_group->json)) {
                        r = write_and_symlink(
                                        root,
                                        shadow_group->json,
                                        d->payload_group->group_name,
                                        d->payload_group->gid,
                                        ".group-privileged",
                                        WRITE_STRING_FILE_MODE_0600);
                        if (r < 0)
                                return r;
                }

                /* Second, write main part of group record. */
                r = group_record_clone(d->payload_group, strip_flags, &stripped_group);
                if (r < 0)
                        return log_error_errno(r, "Failed to strip privileged information from group record: %m");

                r = write_and_symlink(
                                root,
                                stripped_group->json,
                                d->payload_group->group_name,
                                d->payload_group->gid,
                                ".group",
                                0);
                if (r < 0)
                        return r;

                /* Third, write out user shadow data. i.e. extract privileged info from user record */
                r = user_record_clone(d->payload_user, shadow_flags, &shadow_user);
                if (r < 0)
                        return log_error_errno(r, "Failed to extract privileged information from user record: %m");

                if (!sd_json_variant_is_blank_object(shadow_user->json)) {
                        r = write_and_symlink(
                                        root,
                                        shadow_user->json,
                                        d->payload_user->user_name,
                                        d->payload_user->uid,
                                        ".user-privileged",
                                        WRITE_STRING_FILE_MODE_0600);
                        if (r < 0)
                                return r;
                }

                /* Finally write out the main part of the user record */
                r = user_record_clone(d->payload_user, strip_flags, &stripped_user);
                if (r < 0)
                        return log_error_errno(r, "Failed to strip privileged information from user record: %m");

                r = write_and_symlink(
                                root,
                                stripped_user->json,
                                d->payload_user->user_name,
                                d->payload_user->uid,
                                ".user",
                                0);
                if (r < 0)
                        return r;
        }

        return 1;
}

1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3	#include "chase.h"
4	#include "fd-util.h"
5	#include "fileio.h"
6	#include "format-util.h"
7	#include "json-util.h"
8	#include "nspawn.h"
9	#include "nspawn-bind-user.h"
10	#include "path-util.h"
11	#include "user-util.h"
12	#include "userdb.h"
13
14	static int check_etc_passwd_collisions(	28✔
15	const char *directory,
16	const char *name,
17	uid_t uid) {
18
19	_cleanup_fclose_ FILE *f = NULL;	28✔
20	int r;	28✔
21
22	assert(directory);	28✔
23	assert(name \|\| uid_is_valid(uid));	28✔
24
25	r = chase_and_fopen_unlocked("/etc/passwd", directory, CHASE_PREFIX_ROOT, "re", NULL, &f);	28✔
26	if (r == -ENOENT)	28✔
27	return 0; /* no user database? then no user, hence no collision */
28	if (r < 0)	24✔
29	return log_error_errno(r, "Failed to open /etc/passwd of container: %m");	×
30
31	for (;;) {	183✔
32	struct passwd *pw;	207✔
33
34	r = fgetpwent_sane(f, &pw);	207✔
35	if (r < 0)	207✔
36	return log_error_errno(r, "Failed to iterate through /etc/passwd of container: %m");	24✔
37	if (r == 0) /* EOF */	207✔
38	return 0; /* no collision */
39
40	if (name && streq_ptr(pw->pw_name, name))	184✔
41	return 1; /* name collision */
42	if (uid_is_valid(uid) && pw->pw_uid == uid)	183✔
43	return 1; /* UID collision */
44	}
45	}
46
47	static int check_etc_group_collisions(	27✔
48	const char *directory,
49	const char *name,
50	gid_t gid) {
51
52	_cleanup_fclose_ FILE *f = NULL;	27✔
53	int r;	27✔
54
55	assert(directory);	27✔
56	assert(name \|\| gid_is_valid(gid));	41✔
57
58	r = chase_and_fopen_unlocked("/etc/group", directory, CHASE_PREFIX_ROOT, "re", NULL, &f);	27✔
59	if (r == -ENOENT)	27✔
60	return 0; /* no group database? then no group, hence no collision */
61	if (r < 0)	27✔
62	return log_error_errno(r, "Failed to open /etc/group of container: %m");	×
63
64	for (;;) {	532✔
65	struct group *gr;	559✔
66
67	r = fgetgrent_sane(f, &gr);	559✔
68	if (r < 0)	559✔
69	return log_error_errno(r, "Failed to iterate through /etc/group of container: %m");	27✔
70	if (r == 0)	559✔
71	return 0; /* no collision */
72
73	if (name && streq_ptr(gr->gr_name, name))	533✔
74	return 1; /* name collision */
75	if (gid_is_valid(gid) && gr->gr_gid == gid)	532✔
76	return 1; /* gid collision */
77	}
78	}
79
80	static int convert_user(	14✔
81	const char *directory,
82	UserRecord *u,
83	GroupRecord *g,
84	uid_t allocate_uid,
85	UserRecord **ret_converted_user,
86	GroupRecord **ret_converted_group) {
87
88	_cleanup_(group_record_unrefp) GroupRecord *converted_group = NULL;	14✔
89	_cleanup_(user_record_unrefp) UserRecord *converted_user = NULL;	×
90	_cleanup_free_ char *h = NULL;	14✔
91	sd_json_variant p, hp = NULL, *ssh = NULL;	14✔
92	int r;	14✔
93
94	assert(u);	14✔
95	assert(g);	14✔
96	assert(user_record_gid(u) == g->gid);	14✔
97
98	r = check_etc_passwd_collisions(directory, u->user_name, UID_INVALID);	14✔
99	if (r < 0)	14✔
100	return r;
101	if (r > 0)	14✔
102	return log_error_errno(SYNTHETIC_ERRNO(EBUSY),	1✔
103	"Sorry, the user '%s' already exists in the container.", u->user_name);
104
105	r = check_etc_group_collisions(directory, g->group_name, GID_INVALID);	13✔
106	if (r < 0)	13✔
107	return r;
108	if (r > 0)	13✔
109	return log_error_errno(SYNTHETIC_ERRNO(EBUSY),	1✔
110	"Sorry, the group '%s' already exists in the container.", g->group_name);
111
112	h = path_join("/run/host/home/", u->user_name);	12✔
113	if (!h)	12✔
114	return log_oom();	×
115
116	/* Acquire the source hashed password array as-is, so that it retains the JSON_VARIANT_SENSITIVE flag */
117	p = sd_json_variant_by_key(u->json, "privileged");	12✔
118	if (p) {	12✔
119	hp = sd_json_variant_by_key(p, "hashedPassword");	12✔
120	ssh = sd_json_variant_by_key(p, "sshAuthorizedKeys");	12✔
121	}
122
123	r = user_record_build(	36✔
124	&converted_user,
125	SD_JSON_BUILD_OBJECT(	24✔
126	SD_JSON_BUILD_PAIR("userName", SD_JSON_BUILD_STRING(u->user_name)),
127	SD_JSON_BUILD_PAIR("uid", SD_JSON_BUILD_UNSIGNED(allocate_uid)),
128	SD_JSON_BUILD_PAIR("gid", SD_JSON_BUILD_UNSIGNED(allocate_uid)),
129	SD_JSON_BUILD_PAIR_CONDITION(u->disposition >= 0, "disposition", SD_JSON_BUILD_STRING(user_disposition_to_string(u->disposition))),
130	SD_JSON_BUILD_PAIR("homeDirectory", SD_JSON_BUILD_STRING(h)),
131	SD_JSON_BUILD_PAIR("service", JSON_BUILD_CONST_STRING("io.systemd.NSpawn")),
132	SD_JSON_BUILD_PAIR("privileged", SD_JSON_BUILD_OBJECT(
133	SD_JSON_BUILD_PAIR_CONDITION(!strv_isempty(u->hashed_password), "hashedPassword", SD_JSON_BUILD_VARIANT(hp)),
134	SD_JSON_BUILD_PAIR_CONDITION(!!ssh, "sshAuthorizedKeys", SD_JSON_BUILD_VARIANT(ssh))))));
135	if (r < 0)	12✔
136	return log_error_errno(r, "Failed to build container user record: %m");	×
137
138	r = group_record_build(	36✔
139	&converted_group,
140	SD_JSON_BUILD_OBJECT(	12✔
141	SD_JSON_BUILD_PAIR("groupName", SD_JSON_BUILD_STRING(g->group_name)),
142	SD_JSON_BUILD_PAIR("gid", SD_JSON_BUILD_UNSIGNED(allocate_uid)),
143	SD_JSON_BUILD_PAIR_CONDITION(g->disposition >= 0, "disposition", SD_JSON_BUILD_STRING(user_disposition_to_string(g->disposition))),
144	SD_JSON_BUILD_PAIR("service", JSON_BUILD_CONST_STRING("io.systemd.NSpawn"))));
145	if (r < 0)	12✔
146	return log_error_errno(r, "Failed to build container group record: %m");	×
147
148	*ret_converted_user = TAKE_PTR(converted_user);	12✔
149	*ret_converted_group = TAKE_PTR(converted_group);	12✔
150
151	return 0;	12✔
152	}
153
154	static int find_free_uid(const char directory, uid_t max_uid, uid_t current_uid) {	14✔
155	int r;	14✔
156
157	assert(directory);	14✔
158	assert(current_uid);	14✔
159
160	for (;; (*current_uid)++) {	×
161	if (current_uid > MAP_UID_MAX \|\| current_uid > max_uid)	14✔
162	return log_error_errno(	×
163	SYNTHETIC_ERRNO(EBUSY),
164	"No suitable available UID in range " UID_FMT "…" UID_FMT " in container detected, can't map user.",
165	MAP_UID_MIN, MAP_UID_MAX);
166
167	r = check_etc_passwd_collisions(directory, NULL, *current_uid);	14✔
168	if (r < 0)	14✔
169	return r;
170	if (r > 0) /* already used */	14✔
171	continue;	×
172
173	/* We want to use the UID also as GID, hence check for it in /etc/group too */
174	r = check_etc_group_collisions(directory, NULL, (gid_t) *current_uid);	14✔
175	if (r <= 0)	14✔
176	return r;
177	}
178	}
179
180	BindUserContext* bind_user_context_free(BindUserContext *c) {	6✔
181	if (!c)	6✔
182	return NULL;
183
184	FOREACH_ARRAY(d, c->data, c->n_data) {	13✔
185	user_record_unref(d->host_user);	7✔
186	group_record_unref(d->host_group);	7✔
187	user_record_unref(d->payload_user);	7✔
188	group_record_unref(d->payload_group);	7✔
189	}
190
191	return mfree(c);	6✔
192	}
193
194	int bind_user_prepare(	280✔
195	const char *directory,
196	char **bind_user,
197	uid_t uid_shift,
198	uid_t uid_range,
199	CustomMount **custom_mounts,
200	size_t *n_custom_mounts,
201	BindUserContext **ret) {
202
203	_cleanup_(bind_user_context_freep) BindUserContext *c = NULL;	280✔
204	uid_t current_uid = MAP_UID_MIN;	280✔
205	int r;	280✔
206
207	assert(custom_mounts);	280✔
208	assert(n_custom_mounts);	280✔
209	assert(ret);	280✔
210
211	/* This resolves the users specified in 'bind_user', generates a minimalized JSON user + group record
212	* for it to stick in the container, allocates a UID/GID for it, and updates the custom mount table,
213	* to include an appropriate bind mount mapping.
214	*
215	* This extends the passed custom_mounts/n_custom_mounts with the home directories, and allocates a
216	* new BindUserContext for the user records */
217
218	if (strv_isempty(bind_user)) {	280✔
219	*ret = NULL;	270✔
220	return 0;	270✔
221	}
222
223	c = new0(BindUserContext, 1);	10✔
224	if (!c)	10✔
225	return log_oom();	×
226
227	STRV_FOREACH(n, bind_user) {	22✔
228	_cleanup_(user_record_unrefp) UserRecord u = NULL, cu = NULL;	14✔
229	_cleanup_(group_record_unrefp) GroupRecord g = NULL, cg = NULL;	14✔
230	_cleanup_free_ char sm = NULL, sd = NULL;	14✔
231
232	r = userdb_by_name(n, / match= */ NULL, USERDB_DONT_SYNTHESIZE_INTRINSIC\|USERDB_DONT_SYNTHESIZE_FOREIGN, &u);	14✔
233	if (r < 0)	14✔
234	return log_error_errno(r, "Failed to resolve user '%s': %m", *n);	×
235
236	/* For now, let's refuse mapping the root/nobody users explicitly. The records we generate
237	* are strictly additive, nss-systemd is typically placed last in /etc/nsswitch.conf. Thus
238	* even if we wanted, we couldn't override the root or nobody user records. Note we also
239	* check for name conflicts in /etc/passwd + /etc/group later on, which would usually filter
240	* out root/nobody too, hence these checks might appear redundant — but they actually are
241	* not, as we want to support environments where /etc/passwd and /etc/group are non-existent,
242	* and the user/group databases fully synthesized at runtime. Moreover, the name of the
243	* user/group name of the "nobody" account differs between distros, hence a check by numeric
244	* UID is safer. */
245	if (user_record_is_root(u))	14✔
246	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Mapping 'root' user not supported, sorry.");	×
247
248	if (user_record_is_nobody(u))	14✔
UNCOV 249	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Mapping 'nobody' user not supported, sorry.");	×
250
251	if (!uid_is_valid(u->uid))	14✔
UNCOV 252	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot bind user with no UID, refusing.");	×
253
254	if (u->uid >= uid_shift && u->uid < uid_shift + uid_range)	14✔
255	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "UID of user '%s' to map is already in container UID range, refusing.", u->user_name);	×
256
257	r = groupdb_by_gid(user_record_gid(u), /* match= */ NULL, USERDB_DONT_SYNTHESIZE_INTRINSIC\|USERDB_DONT_SYNTHESIZE_FOREIGN, &g);	14✔
258	if (r < 0)	14✔
UNCOV 259	return log_error_errno(r, "Failed to resolve group of user '%s': %m", u->user_name);	×
260
261	if (g->gid >= uid_shift && g->gid < uid_shift + uid_range)	14✔
UNCOV 262	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "GID of group '%s' to map is already in container GID range, refusing.", g->group_name);	×
263
264	/* We want to synthesize exactly one user + group from the host into the container. This only
265	* makes sense if the user on the host has its own private group. We can't reasonably check
266	* this, so we just check of the name of user and group match.
267	*
268	* One of these days we might want to support users in a shared/common group too, but it's
269	* not clear to me how this would have to be mapped, precisely given that the common group
270	* probably already exists in the container. */
271	if (!streq(u->user_name, g->group_name))	14✔
UNCOV 272	return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),	×
273	"Sorry, mapping users without private groups is currently not supported.");
274
275	r = find_free_uid(directory, uid_range, &current_uid);	14✔
276	if (r < 0)	14✔
277	return r;
278
279	r = convert_user(directory, u, g, current_uid, &cu, &cg);	14✔
280	if (r < 0)	14✔
281	return r;
282
283	if (!GREEDY_REALLOC(c->data, c->n_data + 1))	12✔
284	return log_oom();	×
285
286	sm = strdup(user_record_home_directory(u));	12✔
287	if (!sm)	12✔
288	return log_oom();	×
289
290	sd = strdup(user_record_home_directory(cu));	12✔
291	if (!sd)	12✔
UNCOV 292	return log_oom();	×
293
294	if (!GREEDY_REALLOC(custom_mounts, n_custom_mounts + 1))	12✔
UNCOV 295	return log_oom();	×
296
297	(custom_mounts)[(n_custom_mounts)++] = (CustomMount) {	12✔
298	.type = CUSTOM_MOUNT_BIND,
299	.source = TAKE_PTR(sm),	12✔
300	.destination = TAKE_PTR(sd),	12✔
301	};
302
303	c->data[c->n_data++] = (BindUserData) {	12✔
304	.host_user = TAKE_PTR(u),	12✔
305	.host_group = TAKE_PTR(g),	12✔
306	.payload_user = TAKE_PTR(cu),	12✔
307	.payload_group = TAKE_PTR(cg),	12✔
308	};
309
310	current_uid++;	12✔
311	}
312
313	*ret = TAKE_PTR(c);	8✔
314	return 1;	8✔
315	}
316
317	static int write_and_symlink(	30✔
318	const char *root,
319	sd_json_variant *v,
320	const char *name,
321	uid_t uid,
322	const char *suffix,
323	WriteStringFileFlags extra_flags) {
324
325	_cleanup_free_ char j = NULL, f = NULL, p = NULL, q = NULL;	30✔
326	int r;	30✔
327
328	assert(root);	30✔
329	assert(v);	30✔
330	assert(name);	30✔
331	assert(uid_is_valid(uid));	30✔
332	assert(suffix);	30✔
333
334	r = sd_json_variant_format(v, SD_JSON_FORMAT_NEWLINE, &j);	30✔
335	if (r < 0)	30✔
336	return log_error_errno(r, "Failed to format user record JSON: %m");	×
337
338	f = strjoin(name, suffix);	30✔
339	if (!f)	30✔
340	return log_oom();	×
341
342	p = path_join(root, "/run/host/userdb/", f);	30✔
343	if (!p)	30✔
UNCOV 344	return log_oom();	×
345
346	if (asprintf(&q, "%s/run/host/userdb/" UID_FMT "%s", root, uid, suffix) < 0)	30✔
UNCOV 347	return log_oom();	×
348
349	if (symlink(f, q) < 0)	30✔
350	return log_error_errno(errno, "Failed to create symlink '%s': %m", q);	×
351
352	r = userns_lchown(q, 0, 0);	30✔
353	if (r < 0)	30✔
354	return log_error_errno(r, "Failed to adjust access mode of '%s': %m", q);	×
355
356	r = write_string_file(p, j, WRITE_STRING_FILE_CREATE\|extra_flags);	30✔
357	if (r < 0)	30✔
358	return log_error_errno(r, "Failed to write %s: %m", p);	×
359
360	r = userns_lchown(p, 0, 0);	30✔
361	if (r < 0)	30✔
UNCOV 362	return log_error_errno(r, "Failed to adjust access mode of '%s': %m", p);	×
363
364	return 0;
365	}
366
367	int bind_user_setup(	278✔
368	const BindUserContext *c,
369	const char *root) {
370
371	static const UserRecordLoadFlags strip_flags = /* Removes privileged info */	278✔
372	USER_RECORD_REQUIRE_REGULAR\|
373	USER_RECORD_STRIP_PRIVILEGED\|
374	USER_RECORD_ALLOW_PER_MACHINE\|
375	USER_RECORD_ALLOW_BINDING\|
376	USER_RECORD_ALLOW_SIGNATURE\|
377	USER_RECORD_PERMISSIVE;
378	static const UserRecordLoadFlags shadow_flags = /* Extracts privileged info */	278✔
379	USER_RECORD_STRIP_REGULAR\|
380	USER_RECORD_ALLOW_PRIVILEGED\|
381	USER_RECORD_STRIP_PER_MACHINE\|
382	USER_RECORD_STRIP_BINDING\|
383	USER_RECORD_STRIP_SIGNATURE\|
384	USER_RECORD_EMPTY_OK\|
385	USER_RECORD_PERMISSIVE;
386	int r;	278✔
387
388	assert(root);	278✔
389
390	if (!c \|\| c->n_data == 0)	278✔
391	return 0;
392
393	r = make_run_host(root);	8✔
394	if (r < 0)	8✔
395	return r;
396
397	r = userns_mkdir(root, "/run/host/home", 0755, 0, 0);	8✔
398	if (r < 0)	8✔
399	return log_error_errno(r, "Failed to create /run/host/home: %m");	×
400
401	r = userns_mkdir(root, "/run/host/userdb", 0755, 0, 0);	8✔
402	if (r < 0)	8✔
UNCOV 403	return log_error_errno(r, "Failed to create /run/host/userdb: %m");	×
404
405	FOREACH_ARRAY(d, c->data, c->n_data) {	18✔
406	_cleanup_(group_record_unrefp) GroupRecord stripped_group = NULL, shadow_group = NULL;	10✔
407	_cleanup_(user_record_unrefp) UserRecord stripped_user = NULL, shadow_user = NULL;	10✔
408
409	/* First, write shadow (i.e. privileged) data for group record */
410	r = group_record_clone(d->payload_group, shadow_flags, &shadow_group);	10✔
411	if (r < 0)	10✔
UNCOV 412	return log_error_errno(r, "Failed to extract privileged information from group record: %m");	×
413
414	if (!sd_json_variant_is_blank_object(shadow_group->json)) {	10✔
415	r = write_and_symlink(	×
416	root,
UNCOV 417	shadow_group->json,	×
418	d->payload_group->group_name,	×
UNCOV 419	d->payload_group->gid,	×
420	".group-privileged",
421	WRITE_STRING_FILE_MODE_0600);
UNCOV 422	if (r < 0)	×
423	return r;
424	}
425
426	/* Second, write main part of group record. */
427	r = group_record_clone(d->payload_group, strip_flags, &stripped_group);	10✔
428	if (r < 0)	10✔
UNCOV 429	return log_error_errno(r, "Failed to strip privileged information from group record: %m");	×
430
431	r = write_and_symlink(	20✔
432	root,
433	stripped_group->json,	10✔
434	d->payload_group->group_name,	10✔
435	d->payload_group->gid,	10✔
436	".group",
437	0);
438	if (r < 0)	10✔
439	return r;
440
441	/* Third, write out user shadow data. i.e. extract privileged info from user record */
442	r = user_record_clone(d->payload_user, shadow_flags, &shadow_user);	10✔
443	if (r < 0)	10✔
UNCOV 444	return log_error_errno(r, "Failed to extract privileged information from user record: %m");	×
445
446	if (!sd_json_variant_is_blank_object(shadow_user->json)) {	10✔
447	r = write_and_symlink(	20✔
448	root,
449	shadow_user->json,	10✔
450	d->payload_user->user_name,	10✔
451	d->payload_user->uid,	10✔
452	".user-privileged",
453	WRITE_STRING_FILE_MODE_0600);
454	if (r < 0)	10✔
455	return r;
456	}
457
458	/* Finally write out the main part of the user record */
459	r = user_record_clone(d->payload_user, strip_flags, &stripped_user);	10✔
460	if (r < 0)	10✔
UNCOV 461	return log_error_errno(r, "Failed to strip privileged information from user record: %m");	×
462
463	r = write_and_symlink(	20✔
464	root,
465	stripped_user->json,	10✔
466	d->payload_user->user_name,	10✔
467	d->payload_user->uid,	10✔
468	".user",
469	0);
470	if (r < 0)	10✔
471	return r;
472	}
473
474	return 1;
475	}

systemd / systemd / 13935887515

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous