Received: by 2002:ab2:6991:0:b0:1f7:f6c3:9cb1 with SMTP id v17csp330335lqo;
        Wed, 8 May 2024 00:33:10 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCWCnlY2y7Gs0JxZ/nTC4G8naMrV6MbLybp1qJP8iWflAaJ9pBYrQyD5onCvQZuBxjlDmEW/7UD/uiLDjMm4FM1ds07ZGfdI7FB7IFzN4w==
X-Google-Smtp-Source: AGHT+IH6P8YBP8K53apOezJ/Ycwcq+C8F8h2nAlRV8n83hti/HbxGl/oikFtVTYVmbJu92Tjxrw7
X-Received: by 2002:a17:90b:46d2:b0:2b0:e2cf:118b with SMTP id 98e67ed59e1d1-2b6169db57fmr1768949a91.33.1715153590140;
        Wed, 08 May 2024 00:33:10 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715153590; cv=pass;
        d=google.com; s=arc-20160816;
        b=nnkXJaja15vqrki6DNHmpbWk+Ph3TD+6HImm3X/SAiPlB0tpovZ18YrxIozb1QiZJc
         BeHGjV9ju1FSgcg/WC3sZebOKOXDW8qNjcXAHXoD75r3EP0FnI/WaRGD1cMKuoExrqI7
         JQhBG6pZ2KqKmCI2rfIPY8OMM04eqLe2A5hUA+ebDQ/elgjNe9TDekZJDlCJlgXL24mc
         QRbOIU8pxRp8xlaD7xWs4i66JDnHPffRRDr1nyTZRYMk1sgcezG4RKzq5Q1Y3bw5sgi+
         xHGa5+qrnlSmhqvD2Tbv0mTKgyKFyF6jO/j5/4aoSq33WhbvrHEKF2+gKHmGCJs2X3tI
         61+Q==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-transfer-encoding:content-disposition
         :mime-version:list-unsubscribe:list-subscribe:list-id:precedence
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=lNcSTicC5tkSUzl4vY7Ih8iBpSMs5AAUyZTrx1Dk+Is=;
        fh=z+enKcXs02NEdbwBtlBKSa2v29HaX9gMdIKAqr0217s=;
        b=UcMO9jkrHuBSAsnEEGuqqnivCuaM2WnEFLxivPJx35bROQYfU/5cMvEX5WRMJJkZEK
         JvrNIXCXIYzx4jOb2rGeLyymApXEqYwhDmFM1oOPvNffkrr599FxJPgyBD8sDqXKtMp2
         iOuBs8ZIm/HKnQSDhHvqI0DdF097ML+suE0hGGd07xoaRUpYhEFcsQ90YqNQptNKO3Ud
         SypO0ZspqQq5yTPlUVdcab3ulsLz1TBgogIaowQYFWNCZZplSs6//UlTbAJ9oWLpHEgP
         qPT2gyKBOkC2Ni2Jx1dZMpJkhli7KRv2lZ4EhLS/hHCaZCuZ5cEHhW9fbyZ+vAqFStZ9
         EbIA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=FDpTbF2R;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-kernel+bounces-172814-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-172814-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel+bounces-172814-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161])
        by mx.google.com with ESMTPS id i1-20020a17090a650100b002b44e772a7asi827740pjj.122.2024.05.08.00.33.09
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 08 May 2024 00:33:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-172814-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=FDpTbF2R;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-kernel+bounces-172814-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-172814-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id ED719B22626
	for <linux.lists.archive@gmail.com>; Wed,  8 May 2024 07:32:28 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 843152C68A;
	Wed,  8 May 2024 07:32:18 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="FDpTbF2R"
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id A769515E86;
	Wed,  8 May 2024 07:32:17 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715153537; cv=none; b=cdRp3raxAcKdr6zZq+4VuHnZRxdDGZXLrX14Fn4U2p5IzOUmN1KrcFja/p0mqHHbmAnlsRpGAnoYEPzf5FDtu5hDBCs2Mb2Xt1Ue1a+7Q0yWPy+/Ggect5n8bd+HwWn6iptGmoCdHhGLZwuQdrTSUcUfLCnEcCgPzagrLf2z4ks=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715153537; c=relaxed/simple;
	bh=5xjdvgZ0qfVphG4RYVX/Wl6O8KYdPOuRI8itJoQ9NB8=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=ZX8tZVPUoaQfsnP4qUhYUslyYhdjovf9oS02RLyjmAgotv5sALitDZ0ClH9Wpdi1nVkkXja0zKFzw6roWp2iBRBN/d9EMCMaY9EEmQHcLq2Z4aeIFjGoekpbgg9R4ow+GjweJ7uJsUef78xNGi+vN/BazcKj8ojuIv+ddSMPgqI=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=FDpTbF2R; arc=none smtp.client-ip=10.30.226.201
Received: by smtp.kernel.org (Postfix) with ESMTPSA id EF425C113CC;
	Wed,  8 May 2024 07:32:12 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1715153537;
	bh=5xjdvgZ0qfVphG4RYVX/Wl6O8KYdPOuRI8itJoQ9NB8=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=FDpTbF2R7n6xJrz6oUW8BeA7alylXQTyeEEhkebELa2sOQHOd4ajm+bMy5OIOCvNz
	 1hStICxUX6R5/aVAYbO4dMLZ4tnd4CdymL8ucPoAS2UslNeA2iQu+xZtLdoJ/VAT5K
	 sSWbYcb1TRZUELjMSfilF32Pu8z4xDqD+wnWzSU8zj5Muw7JplHkZqZB+GqAa2Wk45
	 4w0UKLZLdSF18ontN/S0AU86gATAAxL0iAHeHr/noM59Lb1coc9bgEjFaX5FT/8JiE
	 u7Rg25nbooDQhX49NECdavcvcxIsJliuuK9iOfr7hNdI2/5oWrftsRtowQPOAgWMZQ
	 rsjQj+csP3lxw==
Date: Wed, 8 May 2024 09:32:10 +0200
From: Christian Brauner <brauner@kernel.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Aleksa Sarai <cyphar@cyphar.com>, Stas Sergeev <stsp2@yandex.ru>, 
	"Serge E. Hallyn" <serge@hallyn.com>, linux-kernel@vger.kernel.org, 
	Stefan Metzmacher <metze@samba.org>, Eric Biederman <ebiederm@xmission.com>, 
	Alexander Viro <viro@zeniv.linux.org.uk>, Andy Lutomirski <luto@kernel.org>, Jan Kara <jack@suse.cz>, 
	Jeff Layton <jlayton@kernel.org>, Chuck Lever <chuck.lever@oracle.com>, 
	Alexander Aring <alex.aring@gmail.com>, David Laight <David.Laight@aculab.com>, 
	linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>, 
	Christian =?utf-8?B?R8O2dHRzY2hl?= <cgzones@googlemail.com>
Subject: Re: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2()
Message-ID: <20240508-flugverbindung-sonnig-dcfa4971152e@brauner>
References: <20240426133310.1159976-1-stsp2@yandex.ru>
 <CALCETrUL3zXAX94CpcQYwj1omwO+=-1Li+J7Bw2kpAw4d7nsyw@mail.gmail.com>
 <20240428.171236-tangy.giblet.idle.helpline-y9LqufL7EAAV@cyphar.com>
 <CALCETrU2VwCF-o7E5sc8FN_LBs3Q-vNMBf7N4rm0PAWFRo5QWw@mail.gmail.com>
 <20240507-verpennen-defekt-b6f2c9a46916@brauner>
 <CALCETrWuVQ-ggnak40AX16PUnM43zhogceFN-3c_YAKZGvs5Og@mail.gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CALCETrWuVQ-ggnak40AX16PUnM43zhogceFN-3c_YAKZGvs5Og@mail.gmail.com>

On Tue, May 07, 2024 at 01:38:42PM -0700, Andy Lutomirski wrote:
> On Tue, May 7, 2024 at 12:42 AM Christian Brauner <brauner@kernel.org> wrote:
> >
> > > With my kernel hat on, maybe I agree.  But with my *user* hat on, I
> > > think I pretty strongly disagree.  Look, idmapis lousy for
> > > unprivileged use:
> > >
> > > $ install -m 0700 -d test_directory
> > > $ echo 'hi there' >test_directory/file
> > > $ podman run -it --rm
> > > --mount=type=bind,src=test_directory,dst=/tmp,idmap [debian-slim]
> >
> > $ podman run -it --rm --mount=type=bind,src=test_directory,dst=/tmp,idmap [debian-slim]
> >
> > as an unprivileged user doesn't use idmapped mounts at all. So I'm not
> > sure what this is showing. I suppose you're talking about idmaps in
> > general.
> 
> Meh, fair enough.  But I don't think this would have worked any better
> with privilege.
> 
> Can idmaps be programmed by an otherwise unprivileged owner of a
> userns and a mountns inside?

Yes, but only for userns mountable filesystems that support idmapped
mounts. IOW, you need privilege over the superblock and the idmapping
you're trying to use.

> 
> > Many idmappings to one is in principle possible and I've noted that idea
> > down as a possible extension at
> > https://github.com/uapi-group/kernel-features quite a while (2 years?) ago.
> >
> > > I haven't looked at the idmap implementation nearly enough to have any
> > > opinion as to whether squashing UID is practical or whether there's
> >
> > It's doable. The interesting bit to me was that if we want to allow
> > writes we'd need a way to determine what the uid/gid would be to write
> > down. Imho, that's not super difficult to solve though. The most obvious
> > one is that userspace can just determine it when creating the idmapped
> > mount.
> 
> Seems reasonable to me.  If this is set up by someone unprivileged, it
> would need to be that uid/gid.