path: root/upstream/fedora-rawhide/man8/systemd-nsresourced.service.8
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-06-17 10:52:33 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-06-17 10:52:33 +0000
commit: 2c3307fb903f427be3d021c5780b75cac9af2ce8 (patch)
tree: 65cf431f40b7481d81ae2dfce9576342686448f7 /upstream/fedora-rawhide/man8/systemd-nsresourced.service.8
parent: Releasing progress-linux version 4.22.0-1~progress7.99u1. (diff)
Merging upstream version 4.23.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'upstream/fedora-rawhide/man8/systemd-nsresourced.service.8')
-rw-r--r-- upstream/fedora-rawhide/man8/systemd-nsresourced.service.8 | 78
1 files changed, 78 insertions, 0 deletions
diff --git a/upstream/fedora-rawhide/man8/systemd-nsresourced.service.8 b/upstream/fedora-rawhide/man8/systemd-nsresourced.service.8
new file mode 100644
index 00000000..c4c80865
--- /dev/null
+++ b/upstream/fedora-rawhide/man8/systemd-nsresourced.service.8
@@ -0,0 +1,78 @@
+'\" t
+.TH "SYSTEMD\-NSRESOURCED\&.SERVICE" "8" "" "systemd 256~rc3" "systemd-nsresourced.service"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+systemd-nsresourced.service, systemd-nsresourced \- User Namespace Resource Delegation Service
+.SH "SYNOPSIS"
+.PP
+systemd\-nsresourced\&.service
+.PP
+/usr/lib/systemd/systemd\-nsresourced
+.SH "DESCRIPTION"
+.PP
+\fBsystemd\-nsresourced\fR
+is a system service that permits transient delegation of a a UID/GID range to a user namespace (see
+\fBuser_namespaces\fR(7)) allocated by a client, via a Varlink IPC API\&.
+.PP
+Unprivileged clients may allocate a user namespace, and then request a UID/GID range to be assigned to it via this service\&. The user namespace may then be used to run containers and other sandboxes, and/or apply it to an id\-mapped mount\&.
+.PP
+Allocations of UIDs/GIDs this way are transient: when a user namespace goes away, its UID/GID range is returned to the pool of available ranges\&. In order to ensure that clients cannot gain persistency in their transient UID/GID range a BPF\-LSM based policy is enforced that ensures that user namespaces set up this way can only write to file systems they allocate themselves or that are explicitly allowlisted via
+\fBsystemd\-nsresourced\fR\&.
+.PP
+\fBsystemd\-nsresourced\fR
+automatically ensures that any registered UID ranges show up in the system\*(Aqs NSS database via the
+\m[blue]\fBUser/Group Record Lookup API via Varlink\fR\m[]\&\s-2\u[1]\d\s+2\&.
+.PP
+Currently, only UID/GID ranges consisting of either exactly 1 or exactly 65536 UIDs/GIDs can be registered with this service\&. Moreover, UIDs and GIDs are always allocated together, and symmetrically\&.
+.PP
+The service provides API calls to allowlist mounts (referenced via their mount file descriptors as per Linux
+\fBfsmount()\fR
+API), to pass ownership of a cgroup subtree to the user namespace and to delegate a virtual Ethernet device pair to the user namespace\&. When used in combination this is sufficient to implement fully unprivileged container environments, as implemented by
+\fBsystemd-nspawn\fR(1), fully unprivileged
+\fIRootImage=\fR
+(see
+\fBsystemd.exec\fR(5)) or fully unprivileged disk image tools such as
+\fBsystemd-dissect\fR(1)\&.
+.PP
+This service provides one
+\m[blue]\fBVarlink\fR\m[]\&\s-2\u[2]\d\s+2
+service:
+\fBio\&.systemd\&.NamespaceResource\fR
+allows registering user namespaces, and assign mounts, cgroups and network interfaces to it\&.
+.SH "SEE ALSO"
+.PP
+\fBsystemd\fR(1),
+\fBsystemd-mountfsd.service\fR(8),
+\fBsystemd-nspawn\fR(1),
+\fBsystemd.exec\fR(5),
+\fBsystemd-dissect\fR(1),
+\fBuser_namespaces\fR(7)
+.SH "NOTES"
+.IP " 1." 4
+User/Group Record Lookup API via Varlink
+.RS 4
+\%https://systemd.io/USER_GROUP_API
+.RE
+.IP " 2." 4
+Varlink
+.RS 4
+\%https://varlink.org/
+.RE
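Review bot: the DESCRIPTION paragraph on transient allocations states that a BPF-LSM based policy is enforced to stop clients gaining persistency in their UID/GID range, but the page never says what the service does on a kernel where BPF-LSM is not available. Since that policy is the only guard the text names, a sentence covering that case would help administrators judge whether the isolation holds on their systems. Two wording slips in the same section are worth reporting upstream rather than patching in this import: the first paragraph reads "transient delegation of a a UID/GID range" (doubled article), and the last paragraph reads "allows registering user namespaces, and assign mounts, cgroups and network interfaces to it", where "assign" should be "assigning" and "it" should be "them". The .TH line also has an empty date field and carries the version string "systemd 256~rc3", so this page documents a release candidate and should be refreshed once the final release is imported.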