shiftfs: check permissions towards source during parse_source() instead of marking
With filesystem contexts we have the ability to break up the
mount into stages, and a more privileged context can do some of
the setup for a mount fd and then pass the fd to a lesser
privileged context for mounting.
Make use of this to eliminate the need for marking filesystems in
shiftfs. Mounting with shiftfs will now look more like this:
    /* Parent user namespace */
    fsfd = fsopen("shiftfs", ...);
    write(fsfd, "s /path/to/source");

    /* Pass fsfd to process in container ... */

    /* Child user namespace */
    write(fsfd, "x create");
    mfd = fsmount(fsfd, ...);
    move_mount(mfd, ...);
A check is done for CAP_SYS_ADMIN in src_dentry->d_sb->s_user_ns
when the source path is written, "blessing" the source path for
id-shifted mounting within the container. Such a user is
privileged towards all kuids in s_user_ns and therefore can be
allowed to permit shifting of those ids.
The target user namespace for id shifts is current_user_ns() at
the time the mount is created, i.e. when "x create" is written to
the fd. This requires manipulation by shiftfs of the namespace in
the filesystem context, as normally s_user_ns is the current user
namespace at the time the filesystem context is created.
Note that while removing the now unneeded code in
shiftfs_fill_super(), the check for CAP_SYS_ADMIN in
current_user_ns() was also removed. This check was never
necessary as that is always required to mount a FS_USERNS_MOUNT
filesystem.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
1 file changed
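The two-stage flow the message sketches, written out as an added userspace example in C. This is not the patch's own code and not part of shiftfs. It assumes the mapping from the prototype command strings in the message onto the mount API as it was merged in Linux 5.2: write(fsfd, "s /path") becomes fsconfig(fd, FSCONFIG_SET_STRING, "source", path, 0) and "x create" becomes fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0). The helper names shiftfs_parent_stage, shiftfs_child_stage, send_fd, recv_fd and fd_passing_selftest are this example's own. The "pass fsfd to process in container" step, which the message elides, is done here with SCM_RIGHTS over a Unix socket, since that is what moves a descriptor between processes in different namespaces. The self-check exercises only that hand-over, because the mount itself needs a kernel carrying this shiftfs change plus CAP_SYS_ADMIN towards the source filesystem.

```c
/* Added example, not the patch's or shiftfs's own code: the two-stage mount
 * over the new mount API. Syscall numbers and flag values are the kernel's
 * generic ones (5.2+), defined only if the headers lack them. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/uio.h>

#ifndef __NR_fsopen /* the four calls were added together in 5.2 */
#define __NR_move_mount 429
#define __NR_fsopen     430
#define __NR_fsconfig   431
#define __NR_fsmount    432
#endif
#define FSOPEN_CLOEXEC          0x1
#define FSCONFIG_SET_STRING     1
#define FSCONFIG_CMD_CREATE     6
#define FSMOUNT_CLOEXEC         0x1
#define MOVE_MOUNT_F_EMPTY_PATH 0x4

static int sys_fsopen(const char *fs, unsigned f) { return (int)syscall(__NR_fsopen, fs, f); }
static int sys_fsconfig(int fd, unsigned cmd, const char *k, const void *v, int aux) { return (int)syscall(__NR_fsconfig, fd, cmd, k, v, aux); }
static int sys_fsmount(int fd, unsigned f, unsigned attr) { return (int)syscall(__NR_fsmount, fd, f, attr); }
static int sys_move_mount(int ffd, const char *fp, int tfd, const char *tp, unsigned f) { return (int)syscall(__NR_move_mount, ffd, fp, tfd, tp, f); }

/* Host side, parent user namespace. Setting the source is the message's
 * write(fsfd, "s /path/to/source"): the point where the patch checks
 * CAP_SYS_ADMIN in the source sb's s_user_ns. Returns the context fd. */
int shiftfs_parent_stage(const char *source)
{
    int fsfd = sys_fsopen("shiftfs", FSOPEN_CLOEXEC);
    if (fsfd < 0) return -1;
    if (sys_fsconfig(fsfd, FSCONFIG_SET_STRING, "source", source, 0) < 0) { close(fsfd); return -1; }
    return fsfd;
}

/* Container side, child user namespace. CMD_CREATE is "x create": the
 * superblock is created now, so the id-shift target is this process's
 * current_user_ns(). Then fsmount() and move_mount() onto target. */
int shiftfs_child_stage(int fsfd, const char *target)
{
    if (sys_fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0) < 0) return -1;
    int mfd = sys_fsmount(fsfd, FSMOUNT_CLOEXEC, 0);
    if (mfd < 0) return -1;
    int rc = sys_move_mount(mfd, "", AT_FDCWD, target, MOVE_MOUNT_F_EMPTY_PATH);
    close(mfd);
    return rc;
}

/* The "pass fsfd to process in container" step: SCM_RIGHTS over a Unix
 * socket, so only the descriptor, not host privilege, enters the container. */
int send_fd(int sock, int fd)
{
    char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

int recv_fd(int sock)
{
    char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Unprivileged self-check of the hand-over alone: the received fd is a
 * new number that refers to the same open file as the one sent. */
int fd_passing_selftest(void)
{
    int sv[2], got = -1, fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
    struct stat a, b;
    if (fd < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { close(fd); return -1; }
    if (send_fd(sv[0], fd) == 0) got = recv_fd(sv[1]);
    int ok = got >= 0 && got != fd && fstat(fd, &a) == 0 && fstat(got, &b) == 0
             && a.st_dev == b.st_dev && a.st_ino == b.st_ino;
    if (got >= 0) close(got);
    close(fd); close(sv[0]); close(sv[1]);
    return ok ? 0 : -1;
}
```

Putting the pieces together: the host process, privileged towards the source, calls shiftfs_parent_stage() and send_fd(); the container process, already inside the container's user namespace, calls recv_fd() and then shiftfs_child_stage(). Without this shiftfs change the child's FSCONFIG_CMD_CREATE is the step that fails, because the filesystem context keeps the user namespace it was created in on the host side, which is exactly the behaviour the message says shiftfs has to override so that the id-shift target becomes the child's current_user_ns().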