ext4: Add support for unprivileged mounts from user namespaces
Support unprivileged mounting of ext4 volumes from user
namespaces. This requires the following changes:
- Perform all uid, gid, and projid conversions to/from disk
relative to s_user_ns. In many cases this will already be
handled by the vfs helper functions. This also requires
updates to handle cases where ids may not map into s_user_ns.
A new helper, projid_valid_eq(), is added to help with this.
- Update most capability checks to check for capabilities in
s_user_ns rather than init_user_ns. These mostly reflect
changes to the filesystem that a user in s_user_ns could
already make externally by virtue of having write access to
the backing device.
- Restrict unsafe options in either the mount options or the
ext4 superblock. Currently the only concerning option is
errors=panic, and this is made to require CAP_SYS_ADMIN in
init_user_ns.
- Verify that unprivileged users have the required access to the
journal device at the path passed via the journal_path mount
option.
Note that for the journal_path and the journal_dev mount
options, and for external journal devices specified in the
ext4 superblock, devcgroup restrictions will be enforced by
__blkdev_get() (via blkdev_get_by_dev()), ensuring that the
user has been granted appropriate access to the block device.
- Set the FS_USERNS_MOUNT flag on the filesystem types supported
by ext4.
sysfs attributes for ext4 mounts remain writable only by real
root.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
9 files changed
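The first bullet above (ids on disk are interpreted relative to s_user_ns and may fail to map, and a projid_valid_eq() helper is added) is the part of this change most easily misread. The following is an added user-space model of that mapping, not code from the kernel or from this patch: the struct and function names (`user_ns_model`, `make_kid_model`, `from_kid_model`, `projid_valid_eq_model`) and the one-extent uid_map are this example's own assumptions, chosen to mirror the kernel's make_kuid()/from_kuid()/uid_valid() naming. It shows why an on-disk id that does not map into the mounting namespace has to be treated as invalid rather than silently reused, and why a projid comparison must check validity before equality.

```c
/* Added example: a user-space model of ns-relative id mapping.
 * NOT kernel code; names and the single-extent map are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define INVALID_ID ((uint32_t)-1)   /* models INVALID_UID / (uid_t)-1 */

/* One uid_map extent: inside ids [first, first+count) map to
 * outside (kernel-global) ids [lower_first, lower_first+count). */
struct id_extent { uint32_t first, lower_first, count; };

/* A minimal stand-in for the mount's s_user_ns: one uid_map extent. */
struct user_ns_model { struct id_extent uid_map; };

/* Constructed sample namespace: inside 0..65535 -> outside 100000..165535 */
static const struct user_ns_model demo_ns = { { 0, 100000, 65536 } };

/* make_kid_model: ns-relative id as stored on disk -> global kernel id,
 * or INVALID_ID when the id has no mapping in this namespace. */
static uint32_t make_kid_model(const struct user_ns_model *ns, uint32_t id)
{
    const struct id_extent *e = &ns->uid_map;
    if (id < e->first || id - e->first >= e->count)
        return INVALID_ID;
    return e->lower_first + (id - e->first);
}

/* from_kid_model: global kernel id -> ns-relative id for writing to disk,
 * or INVALID_ID when the kernel id is not visible in this namespace. */
static uint32_t from_kid_model(const struct user_ns_model *ns, uint32_t kid)
{
    const struct id_extent *e = &ns->uid_map;
    if (kid < e->lower_first || kid - e->lower_first >= e->count)
        return INVALID_ID;
    return e->first + (kid - e->lower_first);
}

static bool id_valid_model(uint32_t kid) { return kid != INVALID_ID; }

/* Analogue of a projid_valid_eq() helper: two project ids count as equal
 * only when both are mapped and identical, so two unmapped ids never
 * compare equal by accident. */
static bool projid_valid_eq_model(uint32_t a, uint32_t b)
{
    return id_valid_model(a) && id_valid_model(b) && a == b;
}

/* read_disk_owner_model: interpret an on-disk uid for a mount whose
 * s_user_ns is `ns`. Returns false when the id cannot be represented,
 * which a filesystem must handle instead of treating it as some user. */
static bool read_disk_owner_model(const struct user_ns_model *ns,
                                  uint32_t disk_uid, uint32_t *kuid_out)
{
    uint32_t kuid = make_kid_model(ns, disk_uid);
    if (!id_valid_model(kuid))
        return false;
    *kuid_out = kuid;
    return true;
}

int main(void)
{
    uint32_t kuid;
    /* uid 1000 inside the namespace maps to global 101000 */
    if (read_disk_owner_model(&demo_ns, 1000, &kuid))
        printf("disk uid 1000 -> kuid %u -> disk %u\n",
               kuid, from_kid_model(&demo_ns, kuid));
    /* uid 70000 lies outside the 65536-entry map: unmapped */
    if (!read_disk_owner_model(&demo_ns, 70000, &kuid))
        printf("disk uid 70000 has no mapping in this namespace\n");
    printf("projid_valid_eq(INVALID, INVALID) = %d\n",
           projid_valid_eq_model(INVALID_ID, INVALID_ID));
    return 0;
}
```

The model uses a single extent for brevity; a real uid_map may carry several, but the validity rule is the same: any id that falls outside every extent is unmapped and must not be folded into a real user.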