Merge pull request #12484 from mihalicyn/incus-pr-197-port

Fix idmapped mount layer on intercepted mounts
canonical · Oct 31, 2023 · d1cbd81 · d1cbd81
2 parents 5547d9b + 0e54f20
commit d1cbd81
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 6 deletions.
diff --git a/lxd/main_forksyscall.go b/lxd/main_forksyscall.go
@@ -441,9 +441,31 @@ static void mount_emulate(void)
 			_exit(EXIT_FAILURE);
 	} else if (strcmp(shiftfs, "idmapped") == 0) {
 		int fd_tree;
+		int fs_fd = -EBADF;
 
-		fd_tree = mount_detach_idmap(source, fd_userns);
+		struct lxc_mount_attr attr = {
+		    .attr_set		= MOUNT_ATTR_IDMAP,
+		};
+
+		fs_fd = lxd_fsopen(fstype, FSOPEN_CLOEXEC);
+		if (fs_fd < 0)
+			die("error: failed to create detached idmapped mount: fsopen");
+
+		ret = lxd_fsconfig(fs_fd, FSCONFIG_SET_STRING, "source", source, 0);
+		if (ret < 0)
+			die("error: failed to create detached idmapped mount: fsconfig");
+
+		ret = lxd_fsconfig(fs_fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);
+		if (ret < 0)
+			die("error: failed to create detached idmapped mount: fsconfig");
+
+		fd_tree = lxd_fsmount(fs_fd, FSMOUNT_CLOEXEC, flags);
 		if (fd_tree < 0)
+			die("error: failed to create detached idmapped mount: fsmount");
+
+		attr.userns_fd = fd_userns;
+		ret = lxd_mount_setattr(fd_tree, "", AT_EMPTY_PATH, &attr, sizeof(attr));
+		if (ret < 0)
 			die("error: failed to create detached idmapped mount");
 
 		ret = setns(fd_mntns, CLONE_NEWNS);

diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
@@ -449,7 +449,7 @@ import (
 	"io"
 	"net"
 	"os"
-	"path"
+	"path/filepath"
 	"regexp"
 	"runtime"
 	"strconv"
@@ -624,7 +624,7 @@ var seccompPath = shared.VarPath("security", "seccomp")
 
 // ProfilePath returns the seccomp path for the instance.
 func ProfilePath(c Instance) string {
-	return path.Join(seccompPath, project.Instance(c.Project().Name, c.Name()))
+	return filepath.Join(seccompPath, project.Instance(c.Project().Name, c.Name()))
 }
 
 // InstanceNeedsPolicy returns whether the instance needs a policy or not.
@@ -2070,7 +2070,6 @@ func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int {
 	}
 	args.source = C.GoString(&mntSource[0])
 	ctx["source"] = args.source
-	args.idmapType = s.MountSyscallShift(c, args.source)
 
 	// const char *target
 	if siov.req.data.args[1] != 0 {
@@ -2098,6 +2097,14 @@ func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int {
 	args.fstype = C.GoString(&mntFs[0])
 	ctx["fstype"] = args.fstype
 
+	// idmap shift
+	fullSrcPath := filepath.Join(fmt.Sprintf("/proc/%d/root/", args.pid), args.source)
+	if shared.PathExists(fullSrcPath) {
+		args.idmapType = s.MountSyscallShift(c, fullSrcPath, args.fstype)
+	} else {
+		args.idmapType = s.MountSyscallShift(c, args.source, args.fstype)
+	}
+
 	// unsigned long mountflags
 	args.flags = int(siov.req.data.args[3])
 
@@ -2469,15 +2476,15 @@ func (s *Server) MountSyscallValid(c Instance, args *MountArgs) (bool, string) {
 }
 
 // MountSyscallShift checks whether this mount syscall needs shiftfs.
-func (s *Server) MountSyscallShift(c Instance, path string) idmap.IdmapStorageType {
+func (s *Server) MountSyscallShift(c Instance, path string, fsType string) idmap.IdmapStorageType {
 	if shared.IsTrue(c.ExpandedConfig()["security.syscalls.intercept.mount.shift"]) {
 		diskIdmap, err := c.DiskIdmap()
 		if err != nil {
 			return idmap.IdmapStorageNone
 		}
 
 		if diskIdmap == nil {
-			return c.IdmappedStorage(path, "none")
+			return c.IdmappedStorage(path, fsType)
 		}
 	}