Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prefer user.containers.override_stat over user.fuseoverlayfs. #422

Merged
merged 9 commits into from
Jun 17, 2024

Conversation

akihikodaki
Copy link
Contributor

Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@akihikodaki
Copy link
Contributor Author

The fallback code was wrong so I fixed it with commit 9aa27e5.

I also added changes to fix xattrs on network storage with commit 78711d8 and 75a3c4b. You can pull the earlier patches first if you like.

@giuseppe
Copy link
Member

I'll merge once CI is green. Thanks for working on this!

I am wondering at this point, if it would be easier to always use "user.containers. and avoid this madness (that I am responsible for) of having so many ways to do the same thing

@akihikodaki
Copy link
Contributor Author

Added tests with commit 80ebaf3. I merged #420 and #421 into this pull request because they would conflict.

@akihikodaki
Copy link
Contributor Author

I opened #424 to fix tests.

Commit 2267664 and 80ebaf3 only work with user.containers. because I also thought there is no point supporting the other prefixes for anything new.

@giuseppe
Copy link
Member

does this PR need a rebase?

Signed-off-by: Akihiko Odaki <[email protected]>
override_mode () used to suppress ENODATA only in a certain condition.
ENODATA errors in other situations made load_dir () fail because it
indirectly calls override_mode () when the underlying file system
reports DT_UNKNOWN for an opaque whiteout file and such an file does
not have mode xattrs. do_fchmod () and do_chmod () worked around the
problem by supressing ENODATA by themselves, but that led to code
duplication. Always suppress ENODATA to resolve these problems.

Signed-off-by: Akihiko Odaki <[email protected]>
do_fchmod () and do_chmod () used to call override_mode () directly to
retrieve the owner information, but the usage of override_mode () was
wrong; override_mode () expects struct stat is already populated by
the information provided by the underlying filesystem, but do_fchmod ()
and do_chmod () only zeroed st_uid and st_gid. override_mode () does not
update the owner information when st_mode is not S_IFDIR nor S_IFREG so
this caused chmod to change the file owner to root at random.

Use the logic rpl_stat () employs to file owner retrieval for chmod
functions to ensure they provide the owner information consistent with
rpl_stat ().

Signed-off-by: Akihiko Odaki <[email protected]>
@akihikodaki akihikodaki force-pushed the containers branch 4 times, most recently from 5cec1d1 to 8f9b942 Compare June 17, 2024 13:32
ovl_setattr () used to pass -1 as uid or gid when either of them
is not changed for do_fchown () / do_chown (), but if these functions
use overriding xattrs instead of real fchown () or chown (), it causes
-1 to be written in owner overriding xattrs and break them.

Replace -1 with the current uid or gid before calling do_fchown () /
do_chown ().

Signed-off-by: Akihiko Odaki <[email protected]>
Previously, fuse-overlayfs always used user.fuseoverlayfs.override_stat
for the upper layer while honoring user.containers.override_stat for
lower layers so that it can consume a layer created by
containers/storage.

It turned out that containers/storage also needs to get the overriding
extended attribute set by fuse-overlayfs and to set one for the upper
layer to make the root directory of the upper layer inherit the mode
of a lower layer. Adding code to get and to set
user.fuseoverlayfs.override_stat to containers/storage is a bit ugly.

The underlying problem is that fuse-overlayfs changes what name to use
ad hoc. Fix it by always preferring user.containers.override_stat, which
containers/storage honors, over user.fuseoverlayfs.overlayfs, which is
specific to fuse-overlayfs.

Signed-off-by: Akihiko Odaki <[email protected]>
The major use case of stat override is to enable rootless containers
on network filesystems, and they also lack security xattr support in
non-root user namespaces. Trying to set security xattrs on them result
in ENOTSUP and break things.

It makes little sense to share security xattrs with the underlying
filesystems when overriding stat in the first place. Linux's NFS server
exposes security xattrs only when the user explicitly claims the
security consistencies between the server and clients, and hide them
otherwise. Following this precedent, we should isolate security xattrs
since we know the security policy enforced by fuse-overlayfs is already
distinct from the underlying filesystem when overriding owners and file
mode.

Mark security xattrs inaccessible with STAT_OVERRIDE_CONTAINERS to
prefix all access to them with XATTR_CONTAINERS_OVERRIDE_PREFIX.

Signed-off-by: Akihiko Odaki <[email protected]>
@akihikodaki
Copy link
Contributor Author

Rebased and fixed tests.

Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@giuseppe giuseppe merged commit 4217e1c into containers:main Jun 17, 2024
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants