machined: in --user mode, restrict register access to our own UID, and that's it

This is a follow-up for 119d332d9c2cf1974b235c8d9e4e3ad821cf436a and
ensures the check only is applied to the system instance of machined. It
doesn't really apply to the per-user instance, because we never want to
permit differently privileged clients access anyway.

(The process_is_owned_by_uid() call might fail if invoked unpriv, hence
there's value in not calling it if machined runs in --user mode, it's
what makes machined actually work)

src/basic/cgroup-util.h

@@ -216,7 +216,7 @@ static inline int cg_pidref_get_unit(const PidRef *pidref, char **ret_unit) {
 }
 int cg_pid_get_user_unit_full(pid_t pid, char **ret_unit, char **ret_subgroup);
 static inline int cg_pid_get_user_unit(pid_t pid, char **ret_unit) {
-        return cg_pid_get_unit_full(pid, ret_unit, NULL);
+        return cg_pid_get_user_unit_full(pid, ret_unit, NULL);
 }
 int cg_pidref_get_user_unit_full(const PidRef *pidref, char **ret_unit, char **ret_subgroup);
 static inline int cg_pidref_get_user_unit(const PidRef *pidref, char **ret_unit) {

src/core/exec-invoke.c

@@ -4607,7 +4607,7 @@ static int setup_delegated_namespaces(
                 bool delegate,
                 const char *memory_pressure_path,
                 uid_t uid,
-                uid_t gid,
+                gid_t gid,
                 const ExecCommand *command,
                 bool needs_sandboxing,
                 bool have_cap_sys_admin,

src/libsystemd/sd-login/test-login.c

@@ -59,6 +59,9 @@ TEST(login) {
         log_info("sd_pid_get_user_unit(0, …) → %s / \"%s\"", e(r), strnull(user_unit));
         assert_se(IN_SET(r, 0, -ENODATA));
 
+        /* Coverage for https://github.com/systemd/systemd/issues/39949 */
+        assert_se(!unit || !user_unit || !streq(unit, user_unit));
+
         r = sd_pid_get_slice(0, &slice);
         log_info("sd_pid_get_slice(0, …) → %s / \"%s\"", e(r), strnull(slice));
         assert_se(IN_SET(r, 0, -ENODATA));

src/machine/machined-dbus.c

@@ -270,12 +270,33 @@ static int machine_add_from_params(
                 return r;
 
         /* Ensure an unprivileged user cannot claim any process they don't control as their own machine */
-        if (uid != 0) {
+        switch (manager->runtime_scope) {
+
+        case RUNTIME_SCOPE_SYSTEM:
+                /* In system mode root may register anything */
+                if (uid == 0)
+                        break;
+
+                /* And non-root may only register things if they own the userns */
                 r = process_is_owned_by_uid(leader_pidref, uid);
                 if (r < 0)
                         return r;
-                if (r == 0)
+                if (r > 0)
+                        break;
+
+                /* Nothing else may */
                 return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Only root may register machines for other users");
+
+        case RUNTIME_SCOPE_USER:
+                /* In user mode the user owning our instance may register anything. */
+                if (uid == getuid())
+                        break;
+
+                /* Nothing else may */
+                return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Other users may not register machines with us, sorry.");
+
+        default:
+                assert_not_reached();
         }
 
         if (manager->runtime_scope != RUNTIME_SCOPE_USER) {