[PATCH v3 02/25] proc: add /proc/<pid>/fsuid_map

Serge E. Hallyn serge at hallyn.com
Wed Feb 19 02:33:33 UTC 2020


On Tue, Feb 18, 2020 at 03:33:48PM +0100, Christian Brauner wrote:
> The /proc/<pid>/fsuid_map file can be written once to setup an fsuid mapping
> for a user namespace. Writing to this file has the same restrictions as writing
> to /proc/<pid>/fsuid_map:
> 
> root at e1-vm:/# cat /proc/13023/fsuid_map
>          0     300000     100000
> 
> Fsid mappings have always been around. They are currently always identical to
> the id mappings for a user namespace. This means, currently whenever an fsid
> needs to be looked up the kernel will use the id mapping of the user namespace.
> With the introduction of fsid mappings the kernel will now lookup fsids in the
> fsid mappings of the user namespace. If no fsid mapping exists the kernel will
> continue looking up fsids in the id mappings of the user namespace. Hence, if a
> system supports fsid mappings through /proc/<pid>/fs*id_map and a container
> runtime is not aware of fsid mappings it or does not use them it will it will
> continue to work just as before.
> 
> Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>

Acked-by: Serge Hallyn <serge at hallyn.com>

> ---
> /* v2 */
> unchanged
> 
> /* v3 */
> - Christian Brauner <christian.brauner at ubuntu.com>:
>   - Fix grammar in commit message.
> ---
>  fs/proc/base.c | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
> 
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index c7c64272b0fa..5fb28004663e 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2970,6 +2970,13 @@ static int proc_projid_map_open(struct inode *inode, struct file *file)
>  	return proc_id_map_open(inode, file, &proc_projid_seq_operations);
>  }
>  
> +#ifdef CONFIG_USER_NS_FSID
> +static int proc_fsuid_map_open(struct inode *inode, struct file *file)
> +{
> +	return proc_id_map_open(inode, file, &proc_fsuid_seq_operations);
> +}
> +#endif
> +
>  static const struct file_operations proc_uid_map_operations = {
>  	.open		= proc_uid_map_open,
>  	.write		= proc_uid_map_write,
> @@ -2994,6 +3001,16 @@ static const struct file_operations proc_projid_map_operations = {
>  	.release	= proc_id_map_release,
>  };
>  
> +#ifdef CONFIG_USER_NS_FSID
> +static const struct file_operations proc_fsuid_map_operations = {
> +	.open		= proc_fsuid_map_open,
> +	.write		= proc_fsuid_map_write,
> +	.read		= seq_read,
> +	.llseek		= seq_lseek,
> +	.release	= proc_id_map_release,
> +};
> +#endif
> +
>  static int proc_setgroups_open(struct inode *inode, struct file *file)
>  {
>  	struct user_namespace *ns = NULL;
> @@ -3176,6 +3193,9 @@ static const struct pid_entry tgid_base_stuff[] = {
>  	ONE("io",	S_IRUSR, proc_tgid_io_accounting),
>  #endif
>  #ifdef CONFIG_USER_NS
> +#ifdef CONFIG_USER_NS_FSID
> +	REG("fsuid_map",  S_IRUGO|S_IWUSR, proc_fsuid_map_operations),
> +#endif
>  	REG("uid_map",    S_IRUGO|S_IWUSR, proc_uid_map_operations),
>  	REG("gid_map",    S_IRUGO|S_IWUSR, proc_gid_map_operations),
>  	REG("projid_map", S_IRUGO|S_IWUSR, proc_projid_map_operations),
> -- 
> 2.25.0



More information about the Linux-security-module-archive mailing list