rpms/systemd
7
0
Fork 0
Code Issues Pull Requests Releases Activity
a10s
systemd/0581-dissect-add-new-shift-command.patch
Jan Macku 363d20f6ec systemd-257-23 
Resolves: RHEL-106795, RHEL-143036, RHEL-143034, RHEL-53112, RHEL-95219
2026-02-17 15:53:20 +01:00

200 lines
9.2 KiB
Diff
Raw Permalink Blame History

From 9bda47d0ed718f7f7fe928dc0098ca13f139834e Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 12 Nov 2024 09:44:48 +0100
Subject: [PATCH] dissect: add new --shift command
(cherry picked from commit 55e4946f9ca75c35e87ff7f0c0d871e0d80e8ca0)
Related: RHEL-143036
---
man/systemd-dissect.xml | 24 ++++++++++++++++++++
src/dissect/dissect.c | 49 +++++++++++++++++++++++++++++++++++++++--
2 files changed, 71 insertions(+), 2 deletions(-)
diff --git a/man/systemd-dissect.xml b/man/systemd-dissect.xml
index b65a2c39f1..7ff1be31bd 100644
--- a/man/systemd-dissect.xml
+++ b/man/systemd-dissect.xml
@@ -62,6 +62,9 @@
<cmdsynopsis>
<command>systemd-dissect</command> <arg choice="opt" rep="repeat">OPTIONS</arg> <arg>--validate</arg> <arg choice="plain"><replaceable>IMAGE</replaceable></arg>
</cmdsynopsis>
+ <cmdsynopsis>
+ <command>systemd-dissect</command> <arg choice="opt" rep="repeat">OPTIONS</arg> <arg>--shift</arg> <arg choice="plain"><replaceable>IMAGE</replaceable></arg> <arg choice="plain"><replaceable>UIDBASE</replaceable></arg>
+ </cmdsynopsis>
</refsynopsisdiv>
<refsect1>
@@ -350,6 +353,27 @@
<xi:include href="version-info.xml" xpointer="v254"/></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--shift</option></term>
+
+ <listitem><para>Recursively iterates through all inodes of the specified image and shifts the UIDs
+ and GIDs the inodes are owned by into the specified UID range. Takes an image path and a UID base as
+ parameter. The UID base can be specified numerically (in which case it must be a multiple of 65536,
+ and either 0 or within the container or foreign UID range, as per <ulink
+ url="https://systemd.io/UIDS-GIDS/">Users, Groups, UIDs and GIDs on systemd Systems</ulink>), or as
+ the symbolic identifier <literal>foreign</literal> which is shorthand to the foreign UID base. This
+ command is useful for preparing directory container images for unprivileged use. Note that this
+ command is intended for images that use the 16bit UIDs/GIDs range only, and it always ignores the
+ upper 16bit of the current UID/GID ownership, combining the lower 16 bit with the target UID
+ base.</para>
+
+ <para>Use <command>systemd-dissect --shift /some/container/tree foreign</command> to shift a
+ container image into the foreign UID range, or <command>systemd-dissect --shift /some/container/tree
+ 0</command> to shift it to host UID range.</para>
+
+ <xi:include href="version-info.xml" xpointer="v258"/></listitem>
+ </varlistentry>
+
<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />
</variablelist>
diff --git a/src/dissect/dissect.c b/src/dissect/dissect.c
index 84e836027a..d3d3b3b195 100644
--- a/src/dissect/dissect.c
+++ b/src/dissect/dissect.c
@@ -45,6 +45,7 @@
#include "process-util.h"
#include "recurse-dir.h"
#include "sha256.h"
+#include "shift-uid.h"
#include "stat-util.h"
#include "string-util.h"
#include "strv.h"
@@ -68,6 +69,7 @@ static enum {
ACTION_DISCOVER,
ACTION_VALIDATE,
ACTION_MAKE_ARCHIVE,
+ ACTION_SHIFT,
} arg_action = ACTION_DISSECT;
static char *arg_image = NULL;
static char *arg_root = NULL;
@@ -95,6 +97,7 @@ static char *arg_loop_ref = NULL;
static ImagePolicy *arg_image_policy = NULL;
static bool arg_mtree_hash = true;
static bool arg_via_service = false;
+static uid_t arg_uid_base = UID_INVALID;
STATIC_DESTRUCTOR_REGISTER(arg_image, freep);
STATIC_DESTRUCTOR_REGISTER(arg_root, freep);
@@ -127,6 +130,7 @@ static int help(void) {
"%1$s [OPTIONS...] --make-archive IMAGE [TARGET]\n"
"%1$s [OPTIONS...] --discover\n"
"%1$s [OPTIONS...] --validate IMAGE\n"
+ "%1$s [OPTIONS...] --shift IMAGE UIDBASE\n"
"\n%5$sDissect a Discoverable Disk Image (DDI).%6$s\n\n"
"%3$sOptions:%4$s\n"
" --no-pager Do not pipe output into a pager\n"
@@ -169,6 +173,7 @@ static int help(void) {
" --make-archive Convert the DDI to an archive file\n"
" --discover Discover DDIs in well known directories\n"
" --validate Validate image and image policy\n"
+ " --shift Shift UID range to selected base\n"
"\nSee the %2$s for details.\n",
program_invocation_short_name,
link,
@@ -274,6 +279,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_VALIDATE,
ARG_MTREE_HASH,
ARG_MAKE_ARCHIVE,
+ ARG_SHIFT,
};
static const struct option options[] = {
@@ -307,6 +313,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "validate", no_argument, NULL, ARG_VALIDATE },
{ "mtree-hash", required_argument, NULL, ARG_MTREE_HASH },
{ "make-archive", no_argument, NULL, ARG_MAKE_ARCHIVE },
+ { "shift", no_argument, NULL, ARG_SHIFT },
{}
};
@@ -539,6 +546,9 @@ static int parse_argv(int argc, char *argv[]) {
arg_action = ACTION_MAKE_ARCHIVE;
break;
+ case ARG_SHIFT:
+ arg_action = ACTION_SHIFT;
+ break;
case '?':
return -EINVAL;
@@ -704,6 +714,33 @@ static int parse_argv(int argc, char *argv[]) {
arg_flags &= ~(DISSECT_IMAGE_PIN_PARTITION_DEVICES|DISSECT_IMAGE_ADD_PARTITION_DEVICES);
break;
+ case ACTION_SHIFT:
+ if (optind + 2 != argc)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Expected an image path and a UID base as only argument.");
+
+ r = parse_image_path_argument(argv[optind], &arg_root, &arg_image);
+ if (r < 0)
+ return r;
+
+ if (streq(argv[optind + 1], "foreign"))
+ arg_uid_base = FOREIGN_UID_BASE;
+ else {
+ r = parse_uid(argv[optind + 1], &arg_uid_base);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse UID base: %s", argv[optind + 1]);
+
+ if ((arg_uid_base & 0xFFFF) != 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Selected UID base not a multiple of 64K: " UID_FMT, arg_uid_base);
+ if (arg_uid_base != 0 &&
+ !uid_is_container(arg_uid_base) &&
+ !uid_is_foreign(arg_uid_base))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Selected UID range is not in the container range, nor the foreign one, refusing.");
+ }
+
+ arg_flags |= DISSECT_IMAGE_REQUIRE_ROOT;
+ break;
+
default:
assert_not_reached();
}
@@ -1417,7 +1454,7 @@ static int action_list_or_mtree_or_copy_or_make_archive(DissectedImage *m, LoopD
const char *root;
int r;
- assert(IN_SET(arg_action, ACTION_LIST, ACTION_MTREE, ACTION_COPY_FROM, ACTION_COPY_TO, ACTION_MAKE_ARCHIVE));
+ assert(IN_SET(arg_action, ACTION_LIST, ACTION_MTREE, ACTION_COPY_FROM, ACTION_COPY_TO, ACTION_MAKE_ARCHIVE, ACTION_SHIFT));
if (arg_image) {
assert(m);
@@ -1673,6 +1710,13 @@ static int action_list_or_mtree_or_copy_or_make_archive(DissectedImage *m, LoopD
#endif
}
+ case ACTION_SHIFT:
+ r = path_patch_uid(root, arg_uid_base, 0x10000);
+ if (r < 0)
+ return log_error_errno(r, "Failed to shift UID base: %m");
+
+ return 0;
+
default:
assert_not_reached();
}
@@ -2082,7 +2126,7 @@ static int run(int argc, char *argv[]) {
else
r = loop_device_make_by_path(arg_image, open_flags, /* sector_size= */ UINT32_MAX, loop_flags, LOCK_SH, &d);
if (r < 0) {
- if (!ERRNO_IS_PRIVILEGE(r) || !IN_SET(arg_action, ACTION_DISSECT, ACTION_LIST, ACTION_MTREE, ACTION_COPY_FROM, ACTION_COPY_TO))
+ if (!ERRNO_IS_PRIVILEGE(r) || !IN_SET(arg_action, ACTION_DISSECT, ACTION_LIST, ACTION_MTREE, ACTION_COPY_FROM, ACTION_COPY_TO, ACTION_SHIFT))
return log_error_errno(r, "Failed to set up loopback device for %s: %m", arg_image);
log_debug_errno(r, "Lacking permissions to set up loopback block device for %s, using service: %m", arg_image);
@@ -2167,6 +2211,7 @@ static int run(int argc, char *argv[]) {
case ACTION_COPY_FROM:
case ACTION_COPY_TO:
case ACTION_MAKE_ARCHIVE:
+ case ACTION_SHIFT:
return action_list_or_mtree_or_copy_or_make_archive(m, d, userns_fd);
case ACTION_WITH:
Reference in New Issue View Git Blame Copy Permalink