On Thu, Aug 18, 2022 at 1:16 AM Elaheh Dehghani <[email protected]> wrote:
>
> We are using an unprivileged user to run virtiofsd in its own user namespace.
> We have a guest VM running on top of QEMU with KVM. We are sharing files from
> the host to the guest and we need to make sure only certain users/groups in
> the guest can read/write those files. Currently there is only one uid/gid
> that’s mapped correctly (the virtiofsd user on the host is mapped to guest)
> and everything else is mapped to nobody.
>
> It seems the reason is that unprivileged virtiofsd only maps current uid/gid
> when it's running inside its own user namespace.
>
> Due to some resource limitations that we have in our system, we can't use a
> container-engine such as lxc-usernsexec to map a range of uids/gids. So, I'm
> trying to figure out if there is a way to patch the ‘setup_id_mappings’ in
> virtiofsd code to support our specific scenario.
>
>
> The additional mapping that we need is for uid/gid=1000. What I've done:
>
> - Defined 1000:100000:65536 in both /etc/subuid and /etc/subgid
>
> - Changed this line src/sandbox.rs · main · virtio-fs / virtiofsd ·
> GitLab to something like:
>
> - let uid_mapping = format!("{} {} 1\n1000 1000 1\n", uid, uid);
>
>
> After running virtiofsd, I’m getting this error:
>
> Error entering sandbox: WriteUidMap(Os { code: 1, kind: PermissionDenied,
> message: “Operation not permitted” })
>
>
> What am I missing here?
As non-privilege user, you are only allowed to map the user UID ->
same NS-UID (as virtiofsd does) or user UID -> NS-UID 0,
by writing directly to '/proc/PID/{uid_map, gid_map}.
Mapping a range of UIDS/GUIDS is a privileged operation, you need to
set the content of both '/etc/subuid' and '/etc/subgid '
and run newuidmap/newgidmap.
You could "manually" create the user namespace with "unshare -U", map
the uids/guid using newuidmap/newgidmap, and run virtiofsd
--sandbox=chroot
For instance (as user 1000):
shell_0_$ unshare -U
shell_0_$ echo $$
1234
(in a different terminal)
shell_1_$ newuidmap 1234 0 100000 65536
shell_1_$ newgidmap 1234 0 100000 65536
(now in the previous terminal)
shell_0_$ virtiofsd --sandbox=chroot ...
Although lxc-usernsexec is a small tool that only creates user
namespaces and calls newuidmap/newgidmap to do the uid/gid mapping
Cheers,
--
German
_______________________________________________
Virtio-fs mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/virtio-fs
