Message-ID: <1487264301.2944.51.camel@HansenPartnership.com>
Subject: Re: [RFC 1/1] shiftfs: uid/gid shifting bind mount
From: James Bottomley
To: Vivek Goyal
Cc: Amir Goldstein, Djalal Harouni, Chris Mason, Theodore Tso, Josh Triplett, "Eric W. Biederman", Andy Lutomirski, Seth Forshee, linux-fsdevel, linux-kernel, LSM List, Dongsu Park, David Herrmann, Miklos Szeredi, Alban Crequy, Al Viro, "Serge E. Hallyn", Phil Estes
Date: Thu, 16 Feb 2017 08:58:21 -0800
In-Reply-To: <20170216164233.GC23490@redhat.com>
References: <1486235880.2484.17.camel@HansenPartnership.com>
 <1486235972.2484.19.camel@HansenPartnership.com>
 <1486343891.2496.54.camel@HansenPartnership.com>
 <20170214230305.GC4017@redhat.com>
 <1487115955.3133.73.camel@HansenPartnership.com>
 <20170215141734.GA2101@redhat.com>
 <1487260318.2944.18.camel@HansenPartnership.com>
 <20170216164233.GC23490@redhat.com>
X-Mailer: Evolution 3.16.5
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 2017-02-16 at 11:42 -0500, Vivek Goyal wrote:
> On Thu, Feb 16, 2017 at 07:51:58AM -0800, James Bottomley wrote:
>
> > [..]
> >
> > > Two levels of checks will simplify this a bit. Top level inode
> > > will belong to the user namespace of caller and checks should
> > > pass. And mounter's creds will have ownership over the real inode
> > > so no additional namespace shifting required there.
> >
> > That's the problem: for a marked mount, they don't.
>
> In this new model it does not fit directly.
>
> I was playing with a slightly different approach and modified patches
> so that real root still does the mounting and takes a mount option
> which specifies which user namespace we want to shift into. Thanks to
> Eric for the idea.
>
> mount -t shiftfs -o userns_fd= source shifted-fs

This is a non-starter because it doesn't work for the unprivileged use
case, which is what I'm really interested in. For fully unprivileged
containers you don't have an orchestration system to ask to build the
container. You can get init scripts to set stuff up for you, like the
marks, but ideally it should just work even without that (so an inode
flag following project semantics seems really appealing), but after that
the unprivileged user should be able to build their own containers.

As you saw from the reply to Eric, this approach (which I have tried)
also opens up a whole can of worms for non-FS_USERNS_MOUNT filesystems.

James

> In this case real-root is mounter and notion of using mounter's creds
> on real-inode works.
>
> This requires a user namespace to be created before shiftfs can be
> mounted and then container admin should be able to bind mount
> shifted-fs.
>
> In this model, intervention of real-root is still required to setup
> container and shiftfs. I guess that might not satisfy your needs
> where unprivileged user should be able to launch container and be
> able to make use of shiftfs, IIUC.
>
> Vivek