On Tue, Feb 18, 2020 at 03:33:48PM +0100, Christian Brauner wrote: > The /proc/<pid>/fsuid_map file can be written once to setup an fsuid mapping > for a user namespace. Writing to this file has the same restrictions as writing > to /proc/<pid>/fsuid_map: > > root@e1-vm:/# cat /proc/13023/fsuid_map > 0 300000 100000 > > Fsid mappings have always been around. They are currently always identical to > the id mappings for a user namespace. This means, currently whenever an fsid > needs to be looked up the kernel will use the id mapping of the user namespace. > With the introduction of fsid mappings the kernel will now lookup fsids in the > fsid mappings of the user namespace. If no fsid mapping exists the kernel will > continue looking up fsids in the id mappings of the user namespace. Hence, if a > system supports fsid mappings through /proc/<pid>/fs*id_map and a container > runtime is not aware of fsid mappings it or does not use them it will it will > continue to work just as before. > > Signed-off-by: Christian Brauner <christian.brauner@xxxxxxxxxx> Acked-by: Serge Hallyn <serge@xxxxxxxxxx> > --- > /* v2 */ > unchanged > > /* v3 */ > - Christian Brauner <christian.brauner@xxxxxxxxxx>: > - Fix grammar in commit message. > --- > fs/proc/base.c | 20 ++++++++++++++++++++ > 1 file changed, 20 insertions(+) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index c7c64272b0fa..5fb28004663e 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2970,6 +2970,13 @@ static int proc_projid_map_open(struct inode *inode, struct file *file) > return proc_id_map_open(inode, file, &proc_projid_seq_operations); > } > > +#ifdef CONFIG_USER_NS_FSID > +static int proc_fsuid_map_open(struct inode *inode, struct file *file) > +{ > + return proc_id_map_open(inode, file, &proc_fsuid_seq_operations); > +} > +#endif > + > static const struct file_operations proc_uid_map_operations = { > .open = proc_uid_map_open, > .write = proc_uid_map_write, > @@ -2994,6 +3001,16 @@ static const struct file_operations proc_projid_map_operations = { > .release = proc_id_map_release, > }; > > +#ifdef CONFIG_USER_NS_FSID > +static const struct file_operations proc_fsuid_map_operations = { > + .open = proc_fsuid_map_open, > + .write = proc_fsuid_map_write, > + .read = seq_read, > + .llseek = seq_lseek, > + .release = proc_id_map_release, > +}; > +#endif > + > static int proc_setgroups_open(struct inode *inode, struct file *file) > { > struct user_namespace *ns = NULL; > @@ -3176,6 +3193,9 @@ static const struct pid_entry tgid_base_stuff[] = { > ONE("io", S_IRUSR, proc_tgid_io_accounting), > #endif > #ifdef CONFIG_USER_NS > +#ifdef CONFIG_USER_NS_FSID > + REG("fsuid_map", S_IRUGO|S_IWUSR, proc_fsuid_map_operations), > +#endif > REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations), > REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations), > REG("projid_map", S_IRUGO|S_IWUSR, proc_projid_map_operations), > -- > 2.25.0 _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers