From af10cb5bc68c7cf50b333e8b6db50bc23ecfa46f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Thu, 26 Oct 2023 23:15:43 -0400
Subject: [PATCH 1/3] lxd/seccomp: Switch to path/filepath
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber
Signed-off-by: Alexander Mikhalitsyn
---
 lxd/seccomp/seccomp.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index 9ea57b53ae8b..fb86e1215e09 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -449,7 +449,7 @@ import (
 "io"
 "net"
 "os"
- "path"
+ "path/filepath"
 "regexp"
 "runtime"
 "strconv"
@@ -624,7 +624,7 @@ var seccompPath = shared.VarPath("security", "seccomp")
 // ProfilePath returns the seccomp path for the instance.
 func ProfilePath(c Instance) string {
- return path.Join(seccompPath, project.Instance(c.Project().Name, c.Name()))
+ return filepath.Join(seccompPath, project.Instance(c.Project().Name, c.Name()))
 }
 // InstanceNeedsPolicy returns whether the instance needs a policy or not.
From 67b8a1a2e876970736e420c29036dee40917b421 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Thu, 26 Oct 2023 23:16:35 -0400
Subject: [PATCH 2/3] lxd/seccomp: Pass correct path and fstype to IdmappedStorage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber
Signed-off-by: Alexander Mikhalitsyn
---
 lxd/seccomp/seccomp.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/lxd/seccomp/seccomp.go b/lxd/seccomp/seccomp.go
index fb86e1215e09..73e4788dc0f9 100644
--- a/lxd/seccomp/seccomp.go
+++ b/lxd/seccomp/seccomp.go
@@ -2070,7 +2070,6 @@ func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int {
 }
 args.source = C.GoString(&mntSource[0])
 ctx["source"] = args.source
- args.idmapType = s.MountSyscallShift(c, args.source)
 // const char *target
 if siov.req.data.args[1] != 0 {
@@ -2098,6 +2097,14 @@ func (s *Server) HandleMountSyscall(c Instance, siov *Iovec) int {
 args.fstype = C.GoString(&mntFs[0])
 ctx["fstype"] = args.fstype
+ // idmap shift
+ fullSrcPath := filepath.Join(fmt.Sprintf("/proc/%d/root/", args.pid), args.source)
+ if shared.PathExists(fullSrcPath) {
+ args.idmapType = s.MountSyscallShift(c, fullSrcPath, args.fstype)
+ } else {
+ args.idmapType = s.MountSyscallShift(c, args.source, args.fstype)
+ }
+
 // unsigned long mountflags
 args.flags = int(siov.req.data.args[3])
@@ -2469,7 +2476,7 @@ func (s *Server) MountSyscallValid(c Instance, args *MountArgs) (bool, string) {
 }
 // MountSyscallShift checks whether this mount syscall needs shiftfs.
-func (s *Server) MountSyscallShift(c Instance, path string) idmap.IdmapStorageType {
+func (s *Server) MountSyscallShift(c Instance, path string, fsType string) idmap.IdmapStorageType {
 if shared.IsTrue(c.ExpandedConfig()["security.syscalls.intercept.mount.shift"]) {
 diskIdmap, err := c.DiskIdmap()
 if err != nil {
@@ -2477,7 +2484,7 @@ func (s *Server) MountSyscallShift(c Instance, path string) idmap.IdmapStorageTy
 }
 if diskIdmap == nil {
- return c.IdmappedStorage(path, "none")
+ return c.IdmappedStorage(path, fsType)
 }
 }
From 0e54f20a71fe57ca95ae25600647ea7611afc022 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Fri, 27 Oct 2023 00:03:33 -0400
Subject: [PATCH 3/3] lxd/forksyscall: Fix idmapped mount code path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber
Signed-off-by: Alexander Mikhalitsyn
---
 lxd/main_forksyscall.go | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
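Review bot: `fullSrcPath := filepath.Join(fmt.Sprintf("/proc/%d/root/", args.pid), args.source)` does not confine the container-supplied `args.source` to the container's root: `filepath.Join` resolves `..` lexically, so a source such as `../../etc` yields a path outside `/proc/<pid>/root/`, and absolute symlinks met while walking below `/proc/<pid>/root` are followed against the host's root rather than the container's. The `else` branch then passes the raw `args.source` to `s.MountSyscallShift`, which per the later hunk reaches `c.IdmappedStorage(path, fsType)`, so a container can have the host inspect any host path it names and steer the shift/idmap decision; how much that leaks or changes depends on IdmappedStorage, whose body is not shown. Note also that mount(2) resolves a relative source against the caller's cwd, so `/proc/<pid>/cwd/` would be the matching base for non-absolute sources. I would check that the joined path still carries the `/proc/<pid>/root/` prefix and never look the raw string up on the host, as sketched below; HandleMountSyscall starts and ends outside the hunk.
```go
// … unchanged: fstype parsing …

// idmap shift: only ever inspect the source below the container's root.
rootPrefix := fmt.Sprintf("/proc/%d/root/", args.pid)
fullSrcPath := filepath.Join(rootPrefix, args.source)
if !strings.HasPrefix(fullSrcPath, rootPrefix) {
	// ".." components escaped the container root; reject using the
	// handler's existing error-return convention (outside this hunk).
}

// Do not fall back to the raw, container-chosen string: it would be
// resolved against the host's filesystem, not the container's.
args.idmapType = s.MountSyscallShift(c, fullSrcPath, args.fstype)

// … unchanged: mountflags parsing …
```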
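Review bot: The doc comment `// MountSyscallShift checks whether this mount syscall needs shiftfs.` no longer describes the signature or the result: the function now takes `fsType` and returns an `idmap.IdmapStorageType`, which the following hunk obtains from `c.IdmappedStorage(path, fsType)`, so it can select idmapped mounts as well as shiftfs. Suggest `// MountSyscallShift returns the idmap storage type to use for an intercepted mount of path whose filesystem type is fsType; both values come from the intercepted syscall and are caller-controlled.` Stating that both arguments are untrusted matters because IdmappedStorage, not shown here, is the component that acts on them. The function body continues past the hunk.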
diff --git a/lxd/main_forksyscall.go b/lxd/main_forksyscall.go
index 92223fd5a9f9..8202802e8bff 100644
--- a/lxd/main_forksyscall.go
+++ b/lxd/main_forksyscall.go
@@ -441,9 +441,31 @@ static void mount_emulate(void)
 _exit(EXIT_FAILURE);
 } else if (strcmp(shiftfs, "idmapped") == 0) {
 int fd_tree;
+ int fs_fd = -EBADF;
- fd_tree = mount_detach_idmap(source, fd_userns);
+ struct lxc_mount_attr attr = {
+ .attr_set = MOUNT_ATTR_IDMAP,
+ };
+
+ fs_fd = lxd_fsopen(fstype, FSOPEN_CLOEXEC);
+ if (fs_fd < 0)
+ die("error: failed to create detached idmapped mount: fsopen");
+ ret = lxd_fsconfig(fs_fd, FSCONFIG_SET_STRING, "source", source, 0);
+ if (ret < 0)
+ die("error: failed to create detached idmapped mount: fsconfig");
+ ret = lxd_fsconfig(fs_fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);
+ if (ret < 0)
+ die("error: failed to create detached idmapped mount: fsconfig");
+ fd_tree = lxd_fsmount(fs_fd, FSMOUNT_CLOEXEC, flags);
 if (fd_tree < 0)
+ die("error: failed to create detached idmapped mount: fsmount");
+ attr.userns_fd = fd_userns;
+ ret = lxd_mount_setattr(fd_tree, "", AT_EMPTY_PATH, &attr, sizeof(attr));
+ if (ret < 0)
 die("error: failed to create detached idmapped mount");
 ret = setns(fd_mntns, CLONE_NEWNS);