Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-09-21 07:23:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
14f3db5542
linux/fs
History
Christian Brauner 14f3db5542
ext4: support idmapped mounts 
Enable idmapped mounts for ext4. All dedicated helpers we need for this
exist. So this basically just means we're passing down the
user_namespace argument from the VFS methods to the relevant helpers.

Let's create simple example where we idmap an ext4 filesystem:

 root@f2-vm:~# truncate -s 5G ext4.img

 root@f2-vm:~# mkfs.ext4 ./ext4.img
 mke2fs 1.45.5 (07-Jan-2020)
 Discarding device blocks: done
 Creating filesystem with 1310720 4k blocks and 327680 inodes
 Filesystem UUID: 3fd91794-c6ca-4b0f-9964-289a000919cf
 Superblock backups stored on blocks:
         32768, 98304, 163840, 229376, 294912, 819200, 884736

 Allocating group tables: done
 Writing inode tables: done
 Creating journal (16384 blocks): done
 Writing superblocks and filesystem accounting information: done

 root@f2-vm:~# losetup -f --show ./ext4.img
 /dev/loop0

 root@f2-vm:~# mount /dev/loop0 /mnt

 root@f2-vm:~# ls -al /mnt/
 total 24
 drwxr-xr-x  3 root root  4096 Oct 28 13:34 .
 drwxr-xr-x 30 root root  4096 Oct 28 13:22 ..
 drwx------  2 root root 16384 Oct 28 13:34 lost+found

 # Let's create an idmapped mount at /idmapped1 where we map uid and gid
 # 0 to uid and gid 1000
 root@f2-vm:/# ./mount-idmapped --map-mount b:0:1000:1 /mnt/ /idmapped1/

 root@f2-vm:/# ls -al /idmapped1/
 total 24
 drwxr-xr-x  3 ubuntu ubuntu  4096 Oct 28 13:34 .
 drwxr-xr-x 30 root   root    4096 Oct 28 13:22 ..
 drwx------  2 ubuntu ubuntu 16384 Oct 28 13:34 lost+found

 # Let's create an idmapped mount at /idmapped2 where we map uid and gid
 # 0 to uid and gid 2000
 root@f2-vm:/# ./mount-idmapped --map-mount b:0:2000:1 /mnt/ /idmapped2/

 root@f2-vm:/# ls -al /idmapped2/
 total 24
 drwxr-xr-x  3 2000 2000  4096 Oct 28 13:34 .
 drwxr-xr-x 31 root root  4096 Oct 28 13:39 ..
 drwx------  2 2000 2000 16384 Oct 28 13:34 lost+found

Let's create another example where we idmap the rootfs filesystem
without a mapping for uid 0 and gid 0:

 # Create an idmapped mount of for a full POSIX range of rootfs under
 # /mnt but without a mapping for uid 0 to reduce attack surface

 root@f2-vm:/# ./mount-idmapped --map-mount b:1:1:65536 / /mnt/

 # Since we don't have a mapping for uid and gid 0 all files owned by
 # uid and gid 0 should show up as uid and gid 65534:
 root@f2-vm:/# ls -al /mnt/
 total 664
 drwxr-xr-x 31 nobody nogroup   4096 Oct 28 13:39 .
 drwxr-xr-x 31 root   root      4096 Oct 28 13:39 ..
 lrwxrwxrwx  1 nobody nogroup      7 Aug 25 07:44 bin -> usr/bin
 drwxr-xr-x  4 nobody nogroup   4096 Oct 28 13:17 boot
 drwxr-xr-x  2 nobody nogroup   4096 Aug 25 07:48 dev
 drwxr-xr-x 81 nobody nogroup   4096 Oct 28 04:00 etc
 drwxr-xr-x  4 nobody nogroup   4096 Oct 28 04:00 home
 lrwxrwxrwx  1 nobody nogroup      7 Aug 25 07:44 lib -> usr/lib
 lrwxrwxrwx  1 nobody nogroup      9 Aug 25 07:44 lib32 -> usr/lib32
 lrwxrwxrwx  1 nobody nogroup      9 Aug 25 07:44 lib64 -> usr/lib64
 lrwxrwxrwx  1 nobody nogroup     10 Aug 25 07:44 libx32 -> usr/libx32
 drwx------  2 nobody nogroup  16384 Aug 25 07:47 lost+found
 drwxr-xr-x  2 nobody nogroup   4096 Aug 25 07:44 media
 drwxr-xr-x 31 nobody nogroup   4096 Oct 28 13:39 mnt
 drwxr-xr-x  2 nobody nogroup   4096 Aug 25 07:44 opt
 drwxr-xr-x  2 nobody nogroup   4096 Apr 15  2020 proc
 drwx--x--x  6 nobody nogroup   4096 Oct 28 13:34 root
 drwxr-xr-x  2 nobody nogroup   4096 Aug 25 07:46 run
 lrwxrwxrwx  1 nobody nogroup      8 Aug 25 07:44 sbin -> usr/sbin
 drwxr-xr-x  2 nobody nogroup   4096 Aug 25 07:44 srv
 drwxr-xr-x  2 nobody nogroup   4096 Apr 15  2020 sys
 drwxrwxrwt 10 nobody nogroup   4096 Oct 28 13:19 tmp
 drwxr-xr-x 14 nobody nogroup   4096 Oct 20 13:00 usr
 drwxr-xr-x 12 nobody nogroup   4096 Aug 25 07:45 var

 # Since we do have a mapping for uid and gid 1000 all files owned by
 # uid and gid 1000 should simply show up as uid and gid 1000:
 root@f2-vm:/# ls -al /mnt/home/ubuntu/
 total 40
 drwxr-xr-x 3 ubuntu ubuntu  4096 Oct 28 00:43 .
 drwxr-xr-x 4 nobody nogroup 4096 Oct 28 04:00 ..
 -rw------- 1 ubuntu ubuntu  2936 Oct 28 12:26 .bash_history
 -rw-r--r-- 1 ubuntu ubuntu   220 Feb 25  2020 .bash_logout
 -rw-r--r-- 1 ubuntu ubuntu  3771 Feb 25  2020 .bashrc
 -rw-r--r-- 1 ubuntu ubuntu   807 Feb 25  2020 .profile
 -rw-r--r-- 1 ubuntu ubuntu     0 Oct 16 16:11 .sudo_as_admin_successful
 -rw------- 1 ubuntu ubuntu  1144 Oct 28 00:43 .viminfo

Link: https://lore.kernel.org/r/20210121131959.646623-39-christian.brauner@ubuntu.com
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Howells <dhowells@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-ext4@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-01-24 14:43:46 +01:00
..
9p fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
adfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
affs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
afs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
autofs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
befs
bfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
btrfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
cachefiles namei: prepare for idmapped mounts 2021-01-24 14:27:18 +01:00
ceph fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
cifs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
coda fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
configfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
cramfs
crypto inode: make init and permission helpers idmapped mount aware 2021-01-24 14:27:16 +01:00
debugfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
devpts
dlm
ecryptfs ecryptfs: do not mount on top of idmapped mounts 2021-01-24 14:27:20 +01:00
efivarfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
efs
erofs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
exfat fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
exportfs exportfs: Add a function to return the raw output from fh_to_dentry() 2020-12-09 09:39:38 -05:00
ext2 fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
ext4 ext4: support idmapped mounts 2021-01-24 14:43:46 +01:00
f2fs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
fat fat: handle idmapped mounts 2021-01-24 14:43:46 +01:00
freevxfs
fscache
fuse fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
gfs2 fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
hfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
hfsplus fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
hostfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
hpfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
hugetlbfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
iomap mm: memcontrol: Use helpers to read page's memcg data 2020-12-02 18:28:05 -08:00
isofs
jbd2 jbd2: add a helper to find out number of fast commit blocks 2020-12-17 13:30:45 -05:00
jffs2 fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
jfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
kernfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
lockd fs/lockd: convert comma to semicolon 2020-12-16 07:57:37 -05:00
minix fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
nfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
nfs_common nfs_common: need lock during iterate through the list 2020-12-09 09:38:34 -05:00
nfsd nfs: do not export idmapped mounts 2021-01-24 14:29:33 +01:00
nilfs2 fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
nls
notify fs: add file and path permissions helpers 2021-01-24 14:27:16 +01:00
ntfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
ocfs2 fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
omfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
openpromfs
orangefs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
overlayfs overlayfs: do not mount on top of idmapped mounts 2021-01-24 14:27:20 +01:00
proc fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
pstore Tracing updates for 5.11 2020-12-17 13:22:17 -08:00
qnx4
qnx6
quota \n 2020-12-17 11:00:37 -08:00
ramfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
reiserfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
romfs
squashfs
sysfs
sysv fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
tracefs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
ubifs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
udf fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
ufs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
unicode
vboxsf fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
verity fs: add file and path permissions helpers 2021-01-24 14:27:16 +01:00
xfs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
zonefs fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
aio.c Merge branch 'akpm' (patches from Andrew) 2020-12-15 12:53:37 -08:00
anon_inodes.c
attr.c ima: handle idmapped mounts 2021-01-24 14:27:20 +01:00
bad_inode.c fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
binfmt_aout.c
binfmt_elf_fdpic.c
binfmt_elf.c Merge branch 'exec-for-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2020-12-15 19:29:43 -08:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
block_dev.c block: pre-initialize struct block_device in bdev_alloc_inode 2021-01-07 20:57:53 -07:00
buffer.c for-5.11/block-2020-12-14 2020-12-16 12:57:51 -08:00
char_dev.c
compat_binfmt_elf.c
coredump.c open: handle idmapped mounts in do_truncate() 2021-01-24 14:27:18 +01:00
d_path.c
dax.c mm: simplify follow_pte{,pmd} 2020-12-15 22:46:19 -08:00
dcache.c fs: Kill DCACHE_DONTCACHE dentry even if DCACHE_REFERENCED is set 2020-12-10 17:33:17 -05:00
dcookies.c
direct-io.c
drop_caches.c
eventfd.c
eventpoll.c epoll: add syscall epoll_pwait2 2020-12-19 11:18:38 -08:00
exec.c exec: handle idmapped mounts 2021-01-24 14:27:19 +01:00
fcntl.c fcntl: handle idmapped mounts 2021-01-24 14:27:19 +01:00
fhandle.c
file_table.c
file.c kernel/io_uring: cancel io_uring before task works 2020-12-30 19:36:54 -07:00
filesystems.c
fs_context.c
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c writeback: don't warn on an unregistered BDI in __mark_inode_dirty 2020-12-16 11:56:02 +01:00
fsopen.c
init.c init: handle idmapped mounts 2021-01-24 14:27:19 +01:00
inode.c open: handle idmapped mounts in do_truncate() 2021-01-24 14:27:18 +01:00
internal.h namei: handle idmapped mounts in may_*() helpers 2021-01-24 14:27:17 +01:00
io_uring.c io_uring: ensure finish_wait() is always called in __io_uring_task_cancel() 2021-01-15 16:04:23 -07:00
io-wq.c io-wq: kill now unused io_wq_cancel_all() 2020-12-20 10:47:42 -07:00
io-wq.h io-wq: kill now unused io_wq_cancel_all() 2020-12-20 10:47:42 -07:00
ioctl.c
Kconfig
Kconfig.binfmt
kernel_read_file.c
libfs.c fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
locks.c Merge branch 'exec-for-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2020-12-15 19:29:43 -08:00
Makefile
mbcache.c
mount.h mount: make {lock,unlock}_mount_hash() static 2021-01-24 14:29:34 +01:00
mpage.c
namei.c ima: handle idmapped mounts 2021-01-24 14:27:20 +01:00
namespace.c fs: introduce MOUNT_ATTR_IDMAP 2021-01-24 14:43:45 +01:00
no-block.c
nsfs.c
open.c open: handle idmapped mounts 2021-01-24 14:27:18 +01:00
pipe.c
pnode.c
pnode.h fs/namespace.c: WARN if mnt_count has become negative 2020-12-10 17:33:17 -05:00
posix_acl.c fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
proc_namespace.c fs: introduce MOUNT_ATTR_IDMAP 2021-01-24 14:43:45 +01:00
read_write.c
readdir.c
remap_range.c ioctl: handle idmapped mounts 2021-01-24 14:27:19 +01:00
select.c poll: fix performance regression due to out-of-line __put_user() 2021-01-08 11:06:29 -08:00
seq_file.c
signalfd.c
splice.c
stack.c
stat.c fs: make helpers idmap mount aware 2021-01-24 14:27:20 +01:00
statfs.c
super.c
sync.c
timerfd.c
userfaultfd.c userfaultfd: add user-mode only option to unprivileged_userfaultfd sysctl knob 2020-12-15 12:13:46 -08:00
utimes.c utimes: handle idmapped mounts 2021-01-24 14:27:18 +01:00
xattr.c namei: handle idmapped mounts in may_*() helpers 2021-01-24 14:27:17 +01:00