[PATCH v3 03/25] proc: add /proc/<pid>/fsgid_map
Serge E. Hallyn
serge at hallyn.com
Wed Feb 19 02:33:43 UTC 2020
On Tue, Feb 18, 2020 at 03:33:49PM +0100, Christian Brauner wrote:
> The /proc/<pid>/fsgid_map file can be written once to setup an fsgid mapping
> for a user namespace. Writing to this file has the same restrictions as writing
> to /proc/<pid>/fsgid_map.
>
> root at e1-vm:/# cat /proc/13023/fsgid_map
> 0 300000 100000
>
> Fsid mappings have always been around. They are currently always identical to
> the id mappings for a user namespace. This means, currently whenever an fsid
> needs to be looked up the kernel will use the id mapping of the user namespace.
> With the introduction of fsid mappings the kernel will now lookup fsids in the
> fsid mappings of the user namespace. If no fsid mapping exists the kernel will
> continue looking up fsids in the id mappings of the user namespace. Hence, if a
> system supports fsid mappings through /proc/<pid>/fs*id_map and a container
> runtime is not aware of fsid mappings it or does not use them it will it will
> continue to work just as before.
>
> Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Acked-by: Serge Hallyn <serge at hallyn.com>
> ---
> /* v2 */
> unchanged
>
> /* v3 */
> - Christian Brauner <christian.brauner at ubuntu.com>:
> - Fix grammar in commit message.
> ---
> fs/proc/base.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 5fb28004663e..1303cdd2e617 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2975,6 +2975,11 @@ static int proc_fsuid_map_open(struct inode *inode, struct file *file)
> {
> return proc_id_map_open(inode, file, &proc_fsuid_seq_operations);
> }
> +
> +static int proc_fsgid_map_open(struct inode *inode, struct file *file)
> +{
> + return proc_id_map_open(inode, file, &proc_fsgid_seq_operations);
> +}
> #endif
>
> static const struct file_operations proc_uid_map_operations = {
> @@ -3009,6 +3014,14 @@ static const struct file_operations proc_fsuid_map_operations = {
> .llseek = seq_lseek,
> .release = proc_id_map_release,
> };
> +
> +static const struct file_operations proc_fsgid_map_operations = {
> + .open = proc_fsgid_map_open,
> + .write = proc_fsgid_map_write,
> + .read = seq_read,
> + .llseek = seq_lseek,
> + .release = proc_id_map_release,
> +};
> #endif
>
> static int proc_setgroups_open(struct inode *inode, struct file *file)
> @@ -3195,6 +3208,7 @@ static const struct pid_entry tgid_base_stuff[] = {
> #ifdef CONFIG_USER_NS
> #ifdef CONFIG_USER_NS_FSID
> REG("fsuid_map", S_IRUGO|S_IWUSR, proc_fsuid_map_operations),
> + REG("fsgid_map", S_IRUGO|S_IWUSR, proc_fsgid_map_operations),
> #endif
> REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
> REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
> --
> 2.25.0
More information about the Linux-security-module-archive
mailing list