This adds a small, socket-activated Varlink daemon that can delegate UID
ranges for user namespaces to clients asking for it.
The primary call is AllocateUserRange() where the user passes in an
uninitialized userns fd, which is then set up.
There are other calls that allow assigning a mount fd to a userns
allocated that way, to set up permissions for a cgroup subtree, and to
allocate a veth for such a user namespace.
Since the UID assignments are supposed to be transitive, i.e. not
permanent, care is taken to ensure that users cannot create inodes owned
by these UIDs, so that persistancy cannot be acquired. This is
implemented via a BPF-LSM module that ensures that any member of a
userns allocated that way cannot create files unless the mount it
operates on is owned by the userns itself, or is explicitly
allowelisted.
BPF LSM program with contributions from Alexei Starovoitov.
Spotted randomly when going through CI logs:
systemd-udevd[658]: /usr/lib/systemd/network/80-6rd-tunnel.link:21: Unknown section 'Network'. Ignoring.
Follow-up for 658169e6d3.
This is a follow-up for #30786 and uses it to assign
ID_NET_MANAGED_BY=io.systemd.Network to all all network interfaces that
we consider ours to manage. This should hopefully have the effect that
other well-behaving managers won't fight for these devices.
This doesn't bother with network interfaces we match inside containers,
since udev is not available there anyway.
I started working on integrating this in the Fedora package and realized that
the example files should be installed regardless of the renamed files when
default-network=true is used. This is because the renamed files become part of
a different package, and we want to have the other files which are used as
documentation in the main package anyway.
networkd ignores errors in reading driver through ethtool. The kind of
network interface is retrieved through netlink, and networkd checks
checks many failures. So, using Kind= should be safer.
No functional change, just for safety.
Also this renames 80-ethernet.network.example -> 89-ethernet.network.example,
to make it have lower precedence over other default .network files for
Ethernet interfaces.
Closes#29765.
This is name ".network.example" for now, to match the existing
80-ethernet.network file.
I think it would make sense to actually install this by default if told
so via a meson file (and then hopefully this would happen even on
Fedora, though in a split off RPM or so). However, we aren't there yet,
hence for now, just ship the .network files as example, like the others.
Arguably, CC0 is just fine for examples since they are not code. But it's
easier to be consistent and just use MIT-0 for all "documentation". Thus,
the license is changed similarly code examples under man/.
Based on 'git shortlog -ns network/*' and 'git log -p', the following folks
should ack this:
Zbigniew Jędrzejewski-Szmek
Lennart Poettering
Tom Gundersen
Yu Watanabe
Daan De Meyer
Marc-André Lureau
The file has instructions how to "enable" it by symlinking into the
appropriate place. If we create a different mechanism to do enablement
later on, we can always adjust the instructions.
Closes#3998.
Same justification as the previous commit.
$ for i in network/*-*; do git blame $i;done | less
shows that those files were written by Tom Gundersen, Lennart Poettering, Yu
Watanabe, me, and Marc-André Lureau.
This matches what we have for example programs under man/, and is nice
because it allows people to copy the files as they wish without worrying
about copyright. The files are too trivial to copyright anyway.
