Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp2418600pxu; Mon, 14 Dec 2020 01:38:56 -0800 (PST) X-Google-Smtp-Source: ABdhPJxSJFChCHh0iU4UUC/ehGOzU6ZoJfup5LLY8lzsU3jpS3kXJc7K9DabFPoddCbkosNjgRmR X-Received: by 2002:a17:906:d62:: with SMTP id s2mr21978986ejh.61.1607938735935; Mon, 14 Dec 2020 01:38:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607938735; cv=none; d=google.com; s=arc-20160816; b=JgS+7aeWiKKtIT5QnebPrynYxZiy4jRTdBjQfi8fWk9A3QSlXv6kRPhycqoSy8Tovq AsPTNSGBVGiPzs/mfOHbkuYkZsqUJJTe3DzKAnGXTNLD5IOn8/gpLuW53xpTL6dWh95c RCjrYPVwN3/xQL99hoFm11Q9rMIsa4lH2Sm87rSrXcrUfl1qpM4zfmaNYWeqHOPwbzx2 kXI/6iCL8c3CNKl5UWNND2Gu7ASYTm+p6U02HvpycWzHJUxeWzfXy4xs/PTpC7Gk5Fre o/d+OzrZciyfZYyTWTERyzpbo0iVK8GMzJaHVUTRiMsMvMLGIjKgPUMAnF07WDyD4jz3 VLCg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=KfQodhCI8ZuQp7YRRZQxpihD4EYNwbDWNGKzRDV3Rag=; b=C6d2Dow6xQA8t35eiJJjuIqZP2es5//K72EMNCqomOcmThzUweH17lDSZoGCT+NK9d kdbZ9ldWcjO49rPo/Izs1RwyyQ3+6ACRL2nRXfTI3wVJJAGoVCDmYV9pId9j/s3A2GAV gN4tqkvqp6FE+O4XOPb7X/F5nisamFUxvJO5X4TzLv/aLJjCUrPwR1bujTSOXLLCOKzs 6Ge+YZTsUn8gxP/kMY0Y+f7eEcE+fglsm4Zj81Od0wFb31kXW9MdwrUQBBkcroD1yVXK aC+YNu+kmuxyr76EhxK663RIsUus0Dps4tHlocsod6dCSdqLeIOUt1mzAsz92FlKBBit perg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=1KGzDS5u; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b7si9953952edy.561.2020.12.14.01.38.22; Mon, 14 Dec 2020 01:38:55 -0800 (PST) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=1KGzDS5u; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2407077AbgLNCx6 (ORCPT + 99 others); Sun, 13 Dec 2020 21:53:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51134 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2407038AbgLNCx5 (ORCPT ); Sun, 13 Dec 2020 21:53:57 -0500 Received: from mail-pj1-x1043.google.com (mail-pj1-x1043.google.com [IPv6:2607:f8b0:4864:20::1043]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 64C67C0613CF for ; Sun, 13 Dec 2020 18:53:12 -0800 (PST) Received: by mail-pj1-x1043.google.com with SMTP id lb18so5438490pjb.5 for ; Sun, 13 Dec 2020 18:53:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=KfQodhCI8ZuQp7YRRZQxpihD4EYNwbDWNGKzRDV3Rag=; b=1KGzDS5u0//+69i40jGl8BDlvmqcrhtOGrim4gQ5ZvvqQHMirN53vp1rc+KQ2APQji 9Qd3c1wKn31jlea+mxfiu1w+7gInJ4ouz8qQcxMw5YKDSzVCmRaZx9YMvbNDmbwZydSl 61B+dCsaa8pDkz33W8h+7js6xg2xFV1aH8glo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=KfQodhCI8ZuQp7YRRZQxpihD4EYNwbDWNGKzRDV3Rag=; b=G5xwnwQJnejrL92gbRXBcHgdWyz2nCi+YMh4vevfjYwe9p38rlVw7WjzitP3OUATJh YJjc5gPpSHI8QIsej69Fzvmrr6CaVICXKOIOCagB8olZ2JW9rPnY52Q0AQHlt5vWAhO6 pj8i22yZ2HbpCCsKE7yAFkdRS0KViGJDHl8TSBENUafDTDcRPtGiaNvv7Ok2NAjrBpB9 MMuzAzhovMqQLT7uQ/O4Spm/u72WFwaL//YkbsBztKxHpGV7qT8QYa4zPagfy/i4o9km 041RbixIR9uapMOVAArHm8dIRwd5SLTyPYBzyu2SU8VB1hcvqmpxHpoqkzKMcL5tF+/7 LUiA== X-Gm-Message-State: AOAM533Imx5wiig5G/edO4y02omDJb1kl7lOEQUTN+NKLAxNtmUV3OIo mDhHCQTQ+opm6+NueFkit6xchQ== X-Received: by 2002:a17:902:bf06:b029:dc:1f:ac61 with SMTP id bi6-20020a170902bf06b02900dc001fac61mr2372550plb.16.1607914391619; Sun, 13 Dec 2020 18:53:11 -0800 (PST) Received: from ubuntu.netflix.com (203.20.25.136.in-addr.arpa. [136.25.20.203]) by smtp.gmail.com with ESMTPSA id h20sm17102713pgv.23.2020.12.13.18.53.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Dec 2020 18:53:10 -0800 (PST) From: Sargun Dhillon To: Trond Myklebust , Anna Schumaker , "J . Bruce Fields" Cc: Sargun Dhillon , David Howells , linux-nfs@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, mauricio@kinvolk.io, Alban Crequy , Christian Brauner Subject: [PATCH RESEND v5 0/2] NFS: Fix interaction between fs_context and user namespaces Date: Sun, 13 Dec 2020 18:53:03 -0800 Message-Id: <20201214025305.25984-1-sargun@sargun.me> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org This is a resend[2] for consideration into the next NFS client merge window. Right now, it is possible to mount NFS with an non-matching super block user ns, and NFS sunrpc user ns. This (for the user) results in an awkward set of interactions if using anything other than auth_null, where the UIDs being sent to the server are different than the local UIDs being checked. This can cause "breakage", where if you try to communicate with the NFS server with any other set of mappings, it breaks. The reason for this is that you can call fsopen("nfs4") in the unprivileged namespace, and that configures fs_context with all the right information for that user namespace. In addition, it also keeps a gets a cred object associated with the caller -- which should match the user namespace. Unfortunately, the mount has to be finished in the init_user_ns because we currently require CAP_SYS_ADMIN in the init user namespace to call fsmount. This means that the superblock's user namespace is set "correctly" to the container, but there's absolutely no way nfs4idmap to consume an unprivileged user namespace because the cred / user_ns that's passed down to nfs4idmap is the one at fsmount. How this actually exhibits is let's say that the UID 0 in the user namespace is mapped to UID 1000 in the init user ns (and kuid space). What will happen is that nfs4idmap will translate the UID 1000 into UID 0 on the wire, even if the mount is in entirely in the mount / user namespace of the container. So, it looks something like this Client in unprivileged User NS (UID: 0, KUID: 0) ->Perform open() ...VFS / NFS bits... nfs_map_uid_to_name -> from_kuid_munged(init_user_ns, uid) (returns 0) RPC with UID 0 This behaviour happens "the other way" as well, where the UID in the container may be 0, but the corresponding kuid is 1000. When a response from an NFS server comes in we decode it according to the idmap userns. The way this exhibits is even more odd. Server responds with file attribute (UID: 0, GID: 0) ->nfs_map_name_to_uid(..., 0) ->make_kuid(init_user_ns, id) (returns 0) ....VFS / NFS Bits... ->from_kuid(container_ns, 0) -> invalid uid -> EOVERFLOW This changes the nfs server to use the cred / userns from fs_context, which is how idmap is constructed. This subsequently is used in the above described flow of converting uids back-and-forth. Trond gave the feedback that this behaviour [implemented by this patch] is how the legacy sys_mount() behaviour worked[1], and that the intended behaviour is for UIDs to be plumbed through entirely, where the user namespaces UIDs are what is sent over the wire, and not the init user ns. [1]: https://lore.kernel.org/linux-nfs/8feccf45f6575a204da03e796391cc135283eb88.camel@hammerspace.com/ [2]: https://lore.kernel.org/linux-nfs/20201112100952.3514-1-sargun@sargun.me/ Sargun Dhillon (2): NFS: NFSv2/NFSv3: Use cred from fs_context during mount NFSv4: Refactor to use user namespaces for nfs4idmap fs/nfs/client.c | 4 ++-- fs/nfs/nfs4client.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) -- 2.25.1