Merge tag 'fs.idmapped.v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux (5dfbfe71) · Commits · EulixOS / Software / Kernel

Documentation/filesystems/idmappings.rst

+0 −72

Original line number	Original line	Diff line number	Diff line
	@@ -952,75 +952,3 @@ The raw userspace id that is put on disk is ``u1000`` so when the user takes
	their home directory back to their home computer where they are assigned		their home directory back to their home computer where they are assigned
	``u1000`` using the initial idmapping and mount the filesystem with the initial		``u1000`` using the initial idmapping and mount the filesystem with the initial
	idmapping they will see all those files owned by ``u1000``.		idmapping they will see all those files owned by ``u1000``.

	Shortcircuting
	--------------

	Currently, the implementation of idmapped mounts enforces that the filesystem
	is mounted with the initial idmapping. The reason is simply that none of the
	filesystems that we targeted were mountable with a non-initial idmapping. But
	that might change soon enough. As we've seen above, thanks to the properties of
	idmappings the translation works for both filesystems mounted with the initial
	idmapping and filesystem with non-initial idmappings.

	Based on this current restriction to filesystem mounted with the initial
	idmapping two noticeable shortcuts have been taken:

	1. We always stash a reference to the initial user namespace in ``struct
	vfsmount``. Idmapped mounts are thus mounts that have a non-initial user
	namespace attached to them.

	In order to support idmapped mounts this needs to be changed. Instead of
	stashing the initial user namespace the user namespace the filesystem was
	mounted with must be stashed. An idmapped mount is then any mount that has
	a different user namespace attached then the filesystem was mounted with.
	This has no user-visible consequences.

	2. The translation algorithms in ``mapped_fsid()`` and ``i_id_into_mnt()``
	are simplified.

	Let's consider ``mapped_fs*id()`` first. This function translates the
	caller's kernel id into a kernel id in the filesystem's idmapping via
	a mount's idmapping. The full algorithm is::

	mapped_fsuid(kid):
	/* Map the kernel id up into a userspace id in the mount's idmapping. */
	from_kuid(mount-idmapping, kid) = uid

	/* Map the userspace id down into a kernel id in the filesystem's idmapping. */
	make_kuid(filesystem-idmapping, uid) = kuid

	We know that the filesystem is always mounted with the initial idmapping as
	we enforce this in ``mount_setattr()``. So this can be shortened to::

	mapped_fsuid(kid):
	/* Map the kernel id up into a userspace id in the mount's idmapping. */
	from_kuid(mount-idmapping, kid) = uid

	/* Map the userspace id down into a kernel id in the filesystem's idmapping. */
	KUIDT_INIT(uid) = kuid

	Similarly, for ``i_*id_into_mnt()`` which translated the filesystem's kernel
	id into a mount's kernel id::

	i_uid_into_mnt(kid):
	/* Map the kernel id up into a userspace id in the filesystem's idmapping. */
	from_kuid(filesystem-idmapping, kid) = uid

	/* Map the userspace id down into a kernel id in the mounts's idmapping. */
	make_kuid(mount-idmapping, uid) = kuid

	Again, we know that the filesystem is always mounted with the initial
	idmapping as we enforce this in ``mount_setattr()``. So this can be
	shortened to::

	i_uid_into_mnt(kid):
	/* Map the kernel id up into a userspace id in the filesystem's idmapping. */
	__kuid_val(kid) = uid

	/* Map the userspace id down into a kernel id in the mounts's idmapping. */
	make_kuid(mount-idmapping, uid) = kuid

	Handling filesystems mounted with non-initial idmappings requires that the
	translation functions be converted to their full form. They can still be
	shortcircuited on non-idmapped mounts. This has no user-visible consequences.

fs/cachefiles/bind.c

+1 −1

Original line number	Original line	Diff line number	Diff line
	@@ -117,7 +117,7 @@ static int cachefiles_daemon_add_cache(struct cachefiles_cache *cache)
	root = path.dentry;		root = path.dentry;

	ret = -EINVAL;		ret = -EINVAL;
	if (mnt_user_ns(path.mnt) != &init_user_ns) {		if (is_idmapped_mnt(path.mnt)) {
	pr_warn("File cache on idmapped mounts not supported");		pr_warn("File cache on idmapped mounts not supported");
	goto error_unsupported;		goto error_unsupported;
	}		}

fs/ecryptfs/main.c

+1 −1

Original line number	Original line	Diff line number	Diff line
	@@ -537,7 +537,7 @@ static struct dentry ecryptfs_mount(struct file_system_type fs_type, int flags
	goto out_free;		goto out_free;
	}		}

	if (mnt_user_ns(path.mnt) != &init_user_ns) {		if (is_idmapped_mnt(path.mnt)) {
	rc = -EINVAL;		rc = -EINVAL;
	printk(KERN_ERR "Mounting on idmapped mounts currently disallowed\n");		printk(KERN_ERR "Mounting on idmapped mounts currently disallowed\n");
	goto out_free;		goto out_free;

fs/ksmbd/smbacl.c

+3 −16

Original line number	Original line	Diff line number	Diff line
	@@ -9,6 +9,7 @@
	#include <linux/fs.h>		#include <linux/fs.h>
	#include <linux/slab.h>		#include <linux/slab.h>
	#include <linux/string.h>		#include <linux/string.h>
			#include <linux/mnt_idmapping.h>

	#include "smbacl.h"		#include "smbacl.h"
	#include "smb_common.h"		#include "smb_common.h"
	@@ -274,14 +275,7 @@ static int sid_to_id(struct user_namespace *user_ns,
	uid_t id;		uid_t id;

	id = le32_to_cpu(psid->sub_auth[psid->num_subauth - 1]);		id = le32_to_cpu(psid->sub_auth[psid->num_subauth - 1]);
	/*		uid = mapped_kuid_user(user_ns, &init_user_ns, KUIDT_INIT(id));
	* Translate raw sid into kuid in the server's user
	* namespace.
	*/
	uid = make_kuid(&init_user_ns, id);

	/* If this is an idmapped mount, apply the idmapping. */
	uid = kuid_from_mnt(user_ns, uid);
	if (uid_valid(uid)) {		if (uid_valid(uid)) {
	fattr->cf_uid = uid;		fattr->cf_uid = uid;
	rc = 0;		rc = 0;
	@@ -291,14 +285,7 @@ static int sid_to_id(struct user_namespace *user_ns,
	gid_t id;		gid_t id;

	id = le32_to_cpu(psid->sub_auth[psid->num_subauth - 1]);		id = le32_to_cpu(psid->sub_auth[psid->num_subauth - 1]);
	/*		gid = mapped_kgid_user(user_ns, &init_user_ns, KGIDT_INIT(id));
	* Translate raw sid into kgid in the server's user
	* namespace.
	*/
	gid = make_kgid(&init_user_ns, id);

	/* If this is an idmapped mount, apply the idmapping. */
	gid = kgid_from_mnt(user_ns, gid);
	if (gid_valid(gid)) {		if (gid_valid(gid)) {
	fattr->cf_gid = gid;		fattr->cf_gid = gid;
	rc = 0;		rc = 0;

fs/ksmbd/smbacl.h

+3 −2

Original line number	Original line	Diff line number	Diff line
	@@ -11,6 +11,7 @@
	#include <linux/fs.h>		#include <linux/fs.h>
	#include <linux/namei.h>		#include <linux/namei.h>
	#include <linux/posix_acl.h>		#include <linux/posix_acl.h>
			#include <linux/mnt_idmapping.h>

	#include "mgmt/tree_connect.h"		#include "mgmt/tree_connect.h"

	@@ -216,7 +217,7 @@ static inline uid_t posix_acl_uid_translate(struct user_namespace *mnt_userns,
	kuid_t kuid;		kuid_t kuid;

	/* If this is an idmapped mount, apply the idmapping. */		/* If this is an idmapped mount, apply the idmapping. */
	kuid = kuid_into_mnt(mnt_userns, pace->e_uid);		kuid = mapped_kuid_fs(mnt_userns, &init_user_ns, pace->e_uid);

	/* Translate the kuid into a userspace id ksmbd would see. */		/* Translate the kuid into a userspace id ksmbd would see. */
	return from_kuid(&init_user_ns, kuid);		return from_kuid(&init_user_ns, kuid);
	@@ -228,7 +229,7 @@ static inline gid_t posix_acl_gid_translate(struct user_namespace *mnt_userns,
	kgid_t kgid;		kgid_t kgid;

	/* If this is an idmapped mount, apply the idmapping. */		/* If this is an idmapped mount, apply the idmapping. */
	kgid = kgid_into_mnt(mnt_userns, pace->e_gid);		kgid = mapped_kgid_fs(mnt_userns, &init_user_ns, pace->e_gid);

	/* Translate the kgid into a userspace id ksmbd would see. */		/* Translate the kgid into a userspace id ksmbd would see. */
	return from_kgid(&init_user_ns, kgid);		return from_kgid(&init_user_ns, kgid);