Re: [RFC 1/1] shiftfs: uid/gid shifting bind mount

From: James Bottomley
Date: Wed Feb 08 2017 - 09:58:16 EST

On Wed, 2017-02-08 at 08:44 +0200, Amir Goldstein wrote:
> On Wed, Feb 8, 2017 at 1:42 AM, James Bottomley
> <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
> > On Tue, 2017-02-07 at 14:25 -0800, Christoph Hellwig wrote:
> > > On Tue, Feb 07, 2017 at 11:01:29PM +0200, Amir Goldstein wrote:
> > > > Project id's are not exactly "subtree" semantic, but
> > > > inheritance semantics,
> > > > which is not the same when non empty directories get their
> > > > project
> > > > id changed.
> > > > Here is a recap:
> > > >
> > >
> > > Yes - but if we abuse them for containers we could refine the
> > > semantics to simply not allow change of project ids from inside
> > > containers based on say capabilities.
> >
> You mean something like this:
> With the suggested protected_projects, projid 0 (also inside
> container) gets a special meaning, much like user 0, so we may do
> interesting things with the projid that is mapped to 0.
> > We can't really abuse projectid, it's part of the user namespace
> > mapping (for project quota). What we can do is have a new id that
> > behaves like it.
> >
> Perhaps we *can* use projid without abusing it. userns already maps
> projids, but there is no concept of "owning project" for a userns,
> nor does it make a lot of sense, because projid is not part of the
> credentials. But if we re-brand it as "container root projid", we can
> try to use it for defining semantics to grant unprivileged access to
> a subtree.
> The functionality you are trying to get with shiftfs mark does
> sounds a bit like "container root projid":
> - inodes with mapped projid MAY be uid/gid shifted
> - inodes with unmapped projid MAY NOT
> I realize this may be very raw, but its a start. If you like this
> direction we can try to develop it.

So I don't think hijacking project id is the way to go. If we do that
we interfere with using project quotas within containers. Now that
project quotas work for both xfs and ext4, it's no longer really an xfs
specific feature.

I could see adding a shift on a per projectid basis, so project id
still had its quota meaning, but you could get the uid/gid shift from a
given project id. However, the big kicker is that the only filesystems
you can actually set a projectid on (via the fsxattr) are ext4 and xfs.
That's too few to make it work universally (we'd at least need btrfs
and possibly a few others).

However, that's just mechanism. We can begin with a volatile mark and
work out how we want to store it later. I think following projectid
properties is the important one, so the choice of whether to hijack, or
attach to projectid is preserved but not mandated.