shiftfs: check permissions towards source during parse_source() instead of marking

With filesystem contexts we have the ability to break up the
mount into stages, and a more privileged context can do some of
the setup for a mount fd and then pass the fd to a less
privileged context for mounting.

Make use of this to eliminate the need for marking filesystems in
shiftfs. Mounting with shiftfs will now look more like this:

    /* Parent user namespace */
    fsfd = fsopen("shiftfs", ...);
    write(fsfd, "s /path/to/source");
    /* Pass fsfd to process in container ... */

    /* Child user namespace */
    write(fsfd, "x create");
    mfd = fsmount(fsfd, ...);
    move_mount(mfd, ...);

A check is done for CAP_SYS_ADMIN in src_dentry->d_sb->s_user_ns
when the source path is written, "blessing" the source path for
id-shifted mounting within the container. Such a user is
privileged towards all kuids in s_user_ns and therefore can be
allowed to permit shifting of those ids.

The target user namespace for id shifts is current_user_ns() at
the time the mount is created, i.e. when "x create" is written to
the fd. This requires manipulation by shiftfs of the namespace in
the filesystem context, as normally s_user_ns is the current user
namespace at the time the filesystem context is created.

Note that while removing the now unneeded code in
shiftfs_fill_super(), the check for CAP_SYS_ADMIN in
current_user_ns() was also removed. This check was never
necessary as that is always required to mount a FS_USERNS_MOUNT
filesystem.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
1 file changed