Message-ID: <20200219023343.GC19144@mail.hallyn.com>
Date: Tue, 18 Feb 2020 20:33:43 -0600
From: "Serge E. Hallyn" <serge@...lyn.com>
To: Christian Brauner <christian.brauner@...ntu.com>
Cc: Stéphane Graber <stgraber@...ntu.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Aleksa Sarai <cyphar@...har.com>, Jann Horn <jannh@...gle.com>,
smbarber@...omium.org, Seth Forshee <seth.forshee@...onical.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Alexey Dobriyan <adobriyan@...il.com>,
Serge Hallyn <serge@...lyn.com>,
James Morris <jmorris@...ei.org>,
Kees Cook <keescook@...omium.org>,
Jonathan Corbet <corbet@....net>,
Phil Estes <estesp@...il.com>, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org,
containers@...ts.linux-foundation.org,
linux-security-module@...r.kernel.org, linux-api@...r.kernel.org
Subject: Re: [PATCH v3 03/25] proc: add /proc/<pid>/fsgid_map
On Tue, Feb 18, 2020 at 03:33:49PM +0100, Christian Brauner wrote:
> The /proc/<pid>/fsgid_map file can be written once to set up an fsgid mapping
> for a user namespace. Writing to this file has the same restrictions as writing
> to /proc/<pid>/fsgid_map.
>
> root@...vm:/# cat /proc/13023/fsgid_map
> 0 300000 100000
>
> Fsid mappings have always been around. They are currently always identical to
> the id mappings for a user namespace. This means that currently, whenever an fsid
> needs to be looked up, the kernel will use the id mapping of the user namespace.
> With the introduction of fsid mappings the kernel will now look up fsids in the
> fsid mappings of the user namespace. If no fsid mapping exists the kernel will
> continue looking up fsids in the id mappings of the user namespace. Hence, if a
> system supports fsid mappings through /proc/<pid>/fs*id_map and a container
> runtime is not aware of fsid mappings or does not use them, it will
> continue to work just as before.
>
> Signed-off-by: Christian Brauner <christian.brauner@...ntu.com>
Acked-by: Serge Hallyn <serge@...lyn.com>
> ---
> /* v2 */
> unchanged
>
> /* v3 */
> - Christian Brauner <christian.brauner@...ntu.com>:
> - Fix grammar in commit message.
> ---
> fs/proc/base.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 5fb28004663e..1303cdd2e617 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2975,6 +2975,11 @@ static int proc_fsuid_map_open(struct inode *inode, struct file *file)
> {
> return proc_id_map_open(inode, file, &proc_fsuid_seq_operations);
> }
> +
> +static int proc_fsgid_map_open(struct inode *inode, struct file *file)
> +{
> + return proc_id_map_open(inode, file, &proc_fsgid_seq_operations);
> +}
> #endif
>
> static const struct file_operations proc_uid_map_operations = {
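Review bot: proc_fsgid_seq_operations, which the new proc_fsgid_map_open() passes to proc_id_map_open(), is neither defined nor declared anywhere in this diff, so with CONFIG_USER_NS_FSID enabled this patch only builds if an earlier patch in the series introduces it; please name that dependency in the commit message, or move the seq_operations into this patch so the open helper and what it opens land together. The helper itself is a one-to-one mirror of proc_fsuid_map_open() directly above it, which is the right shape.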
> @@ -3009,6 +3014,14 @@ static const struct file_operations proc_fsuid_map_operations = {
> .llseek = seq_lseek,
> .release = proc_id_map_release,
> };
> +
> +static const struct file_operations proc_fsgid_map_operations = {
> + .open = proc_fsgid_map_open,
> + .write = proc_fsgid_map_write,
> + .read = seq_read,
> + .llseek = seq_lseek,
> + .release = proc_id_map_release,
> +};
> #endif
>
> static int proc_setgroups_open(struct inode *inode, struct file *file)
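Review bot: the .write handler wired in here, proc_fsgid_map_write, is also not part of this diff, and it is the place where the write-once rule and the permission checks the commit message promises must be enforced, so none of that can be reviewed from this hunk; point at the patch that adds proc_fsgid_map_write. Related: the commit message says writing has "the same restrictions as writing to /proc/<pid>/fsgid_map", i.e. the file describes itself; that looks like a leftover from copying the fsuid_map text and should name the file whose rules actually apply (gid_map or fsuid_map). The other four operations match proc_fsuid_map_operations line for line, which is what one would expect.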
> @@ -3195,6 +3208,7 @@ static const struct pid_entry tgid_base_stuff[] = {
> #ifdef CONFIG_USER_NS
> #ifdef CONFIG_USER_NS_FSID
> REG("fsuid_map", S_IRUGO|S_IWUSR, proc_fsuid_map_operations),
> + REG("fsgid_map", S_IRUGO|S_IWUSR, proc_fsgid_map_operations),
> #endif
> REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
> REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
> --
> 2.25.0
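As an added model (not code from this patch or from the kernel) of the lookup order the commit message describes: parse the `inside outside count` lines of a map file and resolve a namespace fsgid, consulting the fsgid map only when one has been written and falling back to the ordinary gid map otherwise. The map lines are constructed samples, and `resolve_fsgid`, `parse_id_map` and the five-extent cap are assumptions of this model rather than kernel interfaces.

```c
#include <stdio.h>
#include <string.h>

/* One "ID-inside-ns ID-outside-ns length" line of /proc/<pid>/{gid,fsgid}_map. */
struct id_extent { unsigned long first, lower_first, count; };
/* A whole map; the five-extent cap is an assumption of this model. */
struct id_map { struct id_extent ext[5]; size_t nr; };

/* Parse the text of a map file. An empty string yields nr == 0, which models
 * a map that was never written. Returns 0 on success, -1 on malformed input. */
static int parse_id_map(const char *text, struct id_map *map) {
    memset(map, 0, sizeof(*map));
    const char *p = text;
    while (*p) {
        unsigned long a, b, c; int n;
        if (sscanf(p, "%lu %lu %lu%n", &a, &b, &c, &n) != 3 || c == 0)
            return -1;                     /* short line or zero-length extent */
        if (map->nr == 5)
            return -1;                     /* more extents than this model holds */
        map->ext[map->nr++] = (struct id_extent){a, b, c};
        p += n;
        while (*p == '\n' || *p == ' ')
            p++;
    }
    return 0;
}

/* Translate an id as seen inside the namespace to the kernel-side id.
 * Returns -1 when no extent covers the id (the id is unmapped). */
static long long map_inside_to_kernel(const struct id_map *map, unsigned long id) {
    for (size_t i = 0; i < map->nr; i++) {
        const struct id_extent *e = &map->ext[i];
        if (id >= e->first && id - e->first < e->count)
            return (long long)(e->lower_first + (id - e->first));
    }
    return -1;
}

/* Lookup order from the commit message: use the fsgid map if one has been
 * written for the namespace, otherwise keep using the gid map as before. */
static long long resolve_fsgid(const struct id_map *fsgid_map,
                               const struct id_map *gid_map, unsigned long gid) {
    const struct id_map *use = fsgid_map->nr ? fsgid_map : gid_map;
    return map_inside_to_kernel(use, gid);
}

int main(void) {
    struct id_map gid, fsgid, unset;          /* constructed sample maps */
    parse_id_map("0 100000 65536\n", &gid);
    parse_id_map("0 300000 100000\n", &fsgid);  /* the line shown in the patch */
    parse_id_map("", &unset);
    printf("gid 1000 -> %lld (fsgid map), %lld (fallback)\n",
           resolve_fsgid(&fsgid, &gid, 1000), resolve_fsgid(&unset, &gid, 1000));
    return 0;
}
```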