Message ID | 20221024191552.55951-1-michael.weiss@aisec.fraunhofer.de |
---|---|
State | New |
Headers | From: Michael Weiß <michael.weiss@aisec.fraunhofer.de>; To: Phillip Lougher <phillip@squashfs.org.uk>, Christian Brauner <brauner@kernel.org>; Cc: linux-kernel@vger.kernel.org, Michael Weiß <michael.weiss@aisec.fraunhofer.de>; Subject: [PATCH 1/1] squashfs: enable idmapped mounts; Date: Mon, 24 Oct 2022 21:15:52 +0200 |
Series | [1/1] squashfs: enable idmapped mounts |
Commit Message
Michael Weiß
Oct. 24, 2022, 7:15 p.m. UTC
For squashfs all needed functionality for idmapped mounts is already
implemented by the generic handlers in the VFS. Thus, it is sufficient
to just enable the corresponding FS_ALLOW_IDMAP flag to support
idmapped mounts.

We use this for unprivileged (user namespaced) containers based on
squashfs images as rootfs in GyroidOS.

A simple test using the mount-idmapped tool executed as user with
uid=1000 looks as follows:

    $ mkdir test
    $ echo "test" > test/test_file
    $ mksquashfs test/ fs.img
    $ sudo mkdir /mnt/test
    $ sudo mkdir /mnt/mapped
    $ sudo mount fs.img -o loop /mnt/test/
    $ sudo ./mount-idmapped --map-mount b:1000:2000:1 /mnt/test/ /mnt/mapped/

    $ mount | tail -n2
    fs.img on /mnt/test type squashfs (ro,relatime,errors=continue)
    fs.img on /mnt/mapped type squashfs (ro,relatime,idmapped,errors=continue)

    $ ls -lan /mnt/test/
    total 5
    drwxr-xr-x 2 1000 1000 32 Okt 24 13:36 .
    drwxr-xr-x 6 0 0 4096 Okt 24 13:38 ..
    -rw-r--r-- 1 1000 1000 5 Okt 24 13:36 test_file

    $ ls -lan /mnt/mapped/
    total 5
    drwxr-xr-x 2 2000 2000 32 Okt 24 13:36 .
    drwxr-xr-x 6 0 0 4096 Okt 24 13:38 ..
    -rw-r--r-- 1 2000 2000 5 Okt 24 13:36 test_file

Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
---
fs/squashfs/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
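
The translation that the test in the commit message shows can be modelled in userspace. The following is an added example, not code from the patch, the kernel or the mount-idmapped tool. It assumes the map argument reads `<u|g|b>:<id in image>:<id through mount>:<range>` (inferred from the page's `b:1000:2000:1` and its `ls` output), that the caller is in the initial user namespace, and that the overflow id has its kernel default of 65534. The names `parse_map` and `map_id` are hypothetical.

```c
#include <stdio.h>

#define OVERFLOW_ID 65534u  /* assumed: kernel default overflowuid/overflowgid */

struct idmap {
    char type;            /* 'u' = uids, 'g' = gids, 'b' = both */
    unsigned int fs_id;   /* first id as stored in the image */
    unsigned int mnt_id;  /* first id as seen through the mount */
    unsigned int range;   /* number of consecutive ids covered */
};

/* Parse "<u|g|b>:<fs id>:<mount id>:<range>"; 0 on success, -1 if malformed. */
int parse_map(const char *spec, struct idmap *m)
{
    char tail;
    if (sscanf(spec, "%c:%u:%u:%u%c", &m->type, &m->fs_id,
               &m->mnt_id, &m->range, &tail) != 4)
        return -1;  /* missing field or trailing characters */
    if (m->type != 'u' && m->type != 'g' && m->type != 'b')
        return -1;
    if (m->range == 0 || m->fs_id + m->range < m->fs_id ||
        m->mnt_id + m->range < m->mnt_id)
        return -1;  /* empty range, or range wraps past the id space */
    return 0;
}

/* Owner id that stat() reports through the mount for an on-disk id.
 * kind is 'u' or 'g'; ids covered by no map become the overflow id. */
unsigned int map_id(const struct idmap *maps, int n, char kind, unsigned int disk_id)
{
    for (int i = 0; i < n; i++) {
        const struct idmap *m = &maps[i];
        if ((m->type == kind || m->type == 'b') &&
            disk_id >= m->fs_id && disk_id - m->fs_id < m->range)
            return m->mnt_id + (disk_id - m->fs_id);
    }
    return OVERFLOW_ID;
}

int main(void)
{
    struct idmap m;
    if (parse_map("b:1000:2000:1", &m))  /* map from the page's test */
        return 1;
    printf("uid 1000 -> %u\n", map_id(&m, 1, 'u', 1000));  /* mapped */
    printf("uid 0    -> %u\n", map_id(&m, 1, 'u', 0));     /* not covered */
    return 0;
}
```

With a one-id map like the one in the test, every other owner stored in the image (root included) is outside the map, which is the case the `ls` output above does not exercise.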
Comments
On Mon, Oct 24, 2022 at 09:15:52PM +0200, Michael Weiß wrote:
> For squashfs all needed functionality for idmapped mounts is already
> implemented by the generic handlers in the VFS. Thus, it is sufficient
> to just enable the corresponding FS_ALLOW_IDMAP flag to support
> idmapped mounts.
>
> We use this for unprivileged (user namespaced) containers based on
> squashfs images as rootfs in GyroidOS.
>
> A simple test using the mount-idmapped tool executed as user with
> uid=1000 looks as follows:
>
> $ mkdir test
> $ echo "test" > test/test_file
> $ mksquashfs test/ fs.img
> $ sudo mkdir /mnt/test
> $ sudo mkdir /mnt/mapped
> $ sudo mount fs.img -o loop /mnt/test/
> $ sudo ./mount-idmapped --map-mount b:1000:2000:1 /mnt/test/ /mnt/mapped/
>
> $ mount | tail -n2
> fs.img on /mnt/test type squashfs (ro,relatime,errors=continue)
> fs.img on /mnt/mapped type squashfs (ro,relatime,idmapped,errors=continue)
>
> $ ls -lan /mnt/test/
> total 5
> drwxr-xr-x 2 1000 1000 32 Okt 24 13:36 .
> drwxr-xr-x 6 0 0 4096 Okt 24 13:38 ..
> -rw-r--r-- 1 1000 1000 5 Okt 24 13:36 test_file
>
> $ ls -lan /mnt/mapped/
> total 5
> drwxr-xr-x 2 2000 2000 32 Okt 24 13:36 .
> drwxr-xr-x 6 0 0 4096 Okt 24 13:38 ..
> -rw-r--r-- 1 2000 2000 5 Okt 24 13:36 test_file
>
> Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
> ---

This should indeed be all that is needed.
Looks good to me,
Reviewed-by: Christian Brauner <brauner@kernel.org>
From: Christian Brauner (Microsoft) <brauner@kernel.org>

On Mon, 24 Oct 2022 21:15:52 +0200, Michael Weiß wrote:
> For squashfs all needed functionality for idmapped mounts is already
> implemented by the generic handlers in the VFS. Thus, it is sufficient
> to just enable the corresponding FS_ALLOW_IDMAP flag to support
> idmapped mounts.
>
> We use this for unprivileged (user namespaced) containers based on
> squashfs images as rootfs in GyroidOS.
>
> [...]

Hey Phillip,

Michael reminded me about this patch just now. I've picked this up now so it can
make it into the next mw. Phillip, in case you'll pick this up just tell me and
I'll drop it.

[1/1] squashfs: enable idmapped mounts
      commit: 01546f1d7142f27002789e8626a32b20d5853a48

Thanks!
Christian
On 24/10/2022 20:15, Michael Weiß wrote: > For squashfs all needed functionality for idmapped mounts is already > implemented by the generic handlers in the VFS. Thus, it is sufficient > to just enable the corresponding FS_ALLOW_IDMAP flag to support > idmapped mounts. > > We use this for unprivileged (user namespaced) containers based on > squashfs images as rootfs in GyroidOS. > > A simple test using the mount-idmapped tool executed as user with > uid=1000 looks as follows: > > $ mkdir test > $ echo "test" > test/test_file > $ mksquashfs test/ fs.img > $ sudo mkdir /mnt/test > $ sudo mkdir /mnt/mapped > $ sudo mount fs.img -o loop /mnt/test/ > $ sudo ./mount-idmapped --map-mount b:1000:2000:1 /mnt/test/ /mnt/mapped/ > > $ mount | tail -n2 > fs.img on /mnt/test type squashfs (ro,relatime,errors=continue) > fs.img on /mnt/mapped type squashfs (ro,relatime,idmapped,errors=continue) > > $ ls -lan /mnt/test/ > total 5 > drwxr-xr-x 2 1000 1000 32 Okt 24 13:36 . > drwxr-xr-x 6 0 0 4096 Okt 24 13:38 .. > -rw-r--r-- 1 1000 1000 5 Okt 24 13:36 test_file > > $ ls -lan /mnt/mapped/ > total 5 > drwxr-xr-x 2 2000 2000 32 Okt 24 13:36 . > drwxr-xr-x 6 0 0 4096 Okt 24 13:38 .. > -rw-r--r-- 1 2000 2000 5 Okt 24 13:36 test_file > > Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de> Looks OK. Reviewed-by: Phillip Lougher <phillip@squashfs.org.uk> > --- > fs/squashfs/super.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c > index 32565dafa7f3..2636cb354435 100644 > --- a/fs/squashfs/super.c > +++ b/fs/squashfs/super.c > @@ -568,7 +568,7 @@ static struct file_system_type squashfs_fs_type = { > .init_fs_context = squashfs_init_fs_context, > .parameters = squashfs_fs_parameters, > .kill_sb = kill_block_super, > - .fs_flags = FS_REQUIRES_DEV > + .fs_flags = FS_REQUIRES_DEV | FS_ALLOW_IDMAP, > }; > MODULE_ALIAS_FS("squashfs"); >
diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c index 32565dafa7f3..2636cb354435 100644 --- a/fs/squashfs/super.c +++ b/fs/squashfs/super.c @@ -568,7 +568,7 @@ static struct file_system_type squashfs_fs_type = { .init_fs_context = squashfs_init_fs_context, .parameters = squashfs_fs_parameters, .kill_sb = kill_block_super, - .fs_flags = FS_REQUIRES_DEV + .fs_flags = FS_REQUIRES_DEV | FS_ALLOW_IDMAP, }; MODULE_ALIAS_FS("squashfs");
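
Review bot: the FS_ALLOW_IDMAP bit added on the .fs_flags line is backed only by the commit message's statement that the generic VFS handlers cover everything, and the test shown checks nothing beyond the owner ids that ls -lan reports for one mapped id. Since none of the squashfs inode or xattr code is visible in this hunk, the commit message should say which operations were checked for raw owner-id use. The test should also add an access check made as uid 2000 through /mnt/mapped and a file whose owner is outside the b:1000:2000:1 map, so that permission checks and the unmapped case are exercised as well as stat output. The trailing comma added after the flag expression matches the other initializers in the struct and is fine.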