Received: by 2002:ab2:6991:0:b0:1f7:f6c3:9cb1 with SMTP id v17csp330335lqo; Wed, 8 May 2024 00:33:10 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWCnlY2y7Gs0JxZ/nTC4G8naMrV6MbLybp1qJP8iWflAaJ9pBYrQyD5onCvQZuBxjlDmEW/7UD/uiLDjMm4FM1ds07ZGfdI7FB7IFzN4w== X-Google-Smtp-Source: AGHT+IH6P8YBP8K53apOezJ/Ycwcq+C8F8h2nAlRV8n83hti/HbxGl/oikFtVTYVmbJu92Tjxrw7 X-Received: by 2002:a17:90b:46d2:b0:2b0:e2cf:118b with SMTP id 98e67ed59e1d1-2b6169db57fmr1768949a91.33.1715153590140; Wed, 08 May 2024 00:33:10 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715153590; cv=pass; d=google.com; s=arc-20160816; b=nnkXJaja15vqrki6DNHmpbWk+Ph3TD+6HImm3X/SAiPlB0tpovZ18YrxIozb1QiZJc BeHGjV9ju1FSgcg/WC3sZebOKOXDW8qNjcXAHXoD75r3EP0FnI/WaRGD1cMKuoExrqI7 JQhBG6pZ2KqKmCI2rfIPY8OMM04eqLe2A5hUA+ebDQ/elgjNe9TDekZJDlCJlgXL24mc QRbOIU8pxRp8xlaD7xWs4i66JDnHPffRRDr1nyTZRYMk1sgcezG4RKzq5Q1Y3bw5sgi+ xHGa5+qrnlSmhqvD2Tbv0mTKgyKFyF6jO/j5/4aoSq33WhbvrHEKF2+gKHmGCJs2X3tI 61+Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=lNcSTicC5tkSUzl4vY7Ih8iBpSMs5AAUyZTrx1Dk+Is=; fh=z+enKcXs02NEdbwBtlBKSa2v29HaX9gMdIKAqr0217s=; b=UcMO9jkrHuBSAsnEEGuqqnivCuaM2WnEFLxivPJx35bROQYfU/5cMvEX5WRMJJkZEK JvrNIXCXIYzx4jOb2rGeLyymApXEqYwhDmFM1oOPvNffkrr599FxJPgyBD8sDqXKtMp2 iOuBs8ZIm/HKnQSDhHvqI0DdF097ML+suE0hGGd07xoaRUpYhEFcsQ90YqNQptNKO3Ud SypO0ZspqQq5yTPlUVdcab3ulsLz1TBgogIaowQYFWNCZZplSs6//UlTbAJ9oWLpHEgP qPT2gyKBOkC2Ni2Jx1dZMpJkhli7KRv2lZ4EhLS/hHCaZCuZ5cEHhW9fbyZ+vAqFStZ9 EbIA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=FDpTbF2R; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-172814-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-172814-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id i1-20020a17090a650100b002b44e772a7asi827740pjj.122.2024.05.08.00.33.09 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 08 May 2024 00:33:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-172814-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=FDpTbF2R; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-172814-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-172814-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id ED719B22626 for ; Wed, 8 May 2024 07:32:28 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 843152C68A; Wed, 8 May 2024 07:32:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="FDpTbF2R" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A769515E86; Wed, 8 May 2024 07:32:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715153537; cv=none; b=cdRp3raxAcKdr6zZq+4VuHnZRxdDGZXLrX14Fn4U2p5IzOUmN1KrcFja/p0mqHHbmAnlsRpGAnoYEPzf5FDtu5hDBCs2Mb2Xt1Ue1a+7Q0yWPy+/Ggect5n8bd+HwWn6iptGmoCdHhGLZwuQdrTSUcUfLCnEcCgPzagrLf2z4ks= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715153537; c=relaxed/simple; bh=5xjdvgZ0qfVphG4RYVX/Wl6O8KYdPOuRI8itJoQ9NB8=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=ZX8tZVPUoaQfsnP4qUhYUslyYhdjovf9oS02RLyjmAgotv5sALitDZ0ClH9Wpdi1nVkkXja0zKFzw6roWp2iBRBN/d9EMCMaY9EEmQHcLq2Z4aeIFjGoekpbgg9R4ow+GjweJ7uJsUef78xNGi+vN/BazcKj8ojuIv+ddSMPgqI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=FDpTbF2R; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id EF425C113CC; Wed, 8 May 2024 07:32:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1715153537; bh=5xjdvgZ0qfVphG4RYVX/Wl6O8KYdPOuRI8itJoQ9NB8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=FDpTbF2R7n6xJrz6oUW8BeA7alylXQTyeEEhkebELa2sOQHOd4ajm+bMy5OIOCvNz 1hStICxUX6R5/aVAYbO4dMLZ4tnd4CdymL8ucPoAS2UslNeA2iQu+xZtLdoJ/VAT5K sSWbYcb1TRZUELjMSfilF32Pu8z4xDqD+wnWzSU8zj5Muw7JplHkZqZB+GqAa2Wk45 4w0UKLZLdSF18ontN/S0AU86gATAAxL0iAHeHr/noM59Lb1coc9bgEjFaX5FT/8JiE u7Rg25nbooDQhX49NECdavcvcxIsJliuuK9iOfr7hNdI2/5oWrftsRtowQPOAgWMZQ rsjQj+csP3lxw== Date: Wed, 8 May 2024 09:32:10 +0200 From: Christian Brauner To: Andy Lutomirski Cc: Aleksa Sarai , Stas Sergeev , "Serge E. Hallyn" , linux-kernel@vger.kernel.org, Stefan Metzmacher , Eric Biederman , Alexander Viro , Andy Lutomirski , Jan Kara , Jeff Layton , Chuck Lever , Alexander Aring , David Laight , linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, Paolo Bonzini , Christian =?utf-8?B?R8O2dHRzY2hl?= Subject: Re: [PATCH v5 0/3] implement OA2_CRED_INHERIT flag for openat2() Message-ID: <20240508-flugverbindung-sonnig-dcfa4971152e@brauner> References: <20240426133310.1159976-1-stsp2@yandex.ru> <20240428.171236-tangy.giblet.idle.helpline-y9LqufL7EAAV@cyphar.com> <20240507-verpennen-defekt-b6f2c9a46916@brauner> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: On Tue, May 07, 2024 at 01:38:42PM -0700, Andy Lutomirski wrote: > On Tue, May 7, 2024 at 12:42 AM Christian Brauner wrote: > > > > > With my kernel hat on, maybe I agree. But with my *user* hat on, I > > > think I pretty strongly disagree. Look, idmapis lousy for > > > unprivileged use: > > > > > > $ install -m 0700 -d test_directory > > > $ echo 'hi there' >test_directory/file > > > $ podman run -it --rm > > > --mount=type=bind,src=test_directory,dst=/tmp,idmap [debian-slim] > > > > $ podman run -it --rm --mount=type=bind,src=test_directory,dst=/tmp,idmap [debian-slim] > > > > as an unprivileged user doesn't use idmapped mounts at all. So I'm not > > sure what this is showing. I suppose you're talking about idmaps in > > general. > > Meh, fair enough. But I don't think this would have worked any better > with privilege. > > Can idmaps be programmed by an otherwise unprivileged owner of a > userns and a mountns inside? Yes, but only for userns mountable filesystems that support idmapped mounts. IOW, you need privilege over the superblock and the idmapping you're trying to use. > > > Many idmappings to one is in principle possible and I've noted that idea > > down as a possible extension at > > https://github.com/uapi-group/kernel-features quite a while (2 years?) ago. > > > > > I haven't looked at the idmap implementation nearly enough to have any > > > opinion as to whether squashing UID is practical or whether there's > > > > It's doable. The interesting bit to me was that if we want to allow > > writes we'd need a way to determine what the uid/gid would be to write > > down. Imho, that's not super difficult to solve though. The most obvious > > one is that userspace can just determine it when creating the idmapped > > mount. > > Seems reasonable to me. If this is set up by someone unprivileged, it > would need to be that uid/gid.