7d6beb71da
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCYCegywAKCRCRxhvAZXjc
ouJ6AQDlf+7jCQlQdeKKoN9QDFfMzG1ooemat36EpRRTONaGuAD8D9A4sUsG4+5f
4IU5Lj9oY4DEmF8HenbWK2ZHsesL2Qg=
=yPaw
-----END PGP SIGNATURE-----
Merge tag 'idmapped-mounts-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
Pull idmapped mounts from Christian Brauner:
"This introduces idmapped mounts which has been in the making for some
time. Simply put, different mounts can expose the same file or
directory with different ownership. This initial implementation comes
with ports for fat, ext4 and with Christoph's port for xfs with more
filesystems being actively worked on by independent people and
maintainers.
Idmapping mounts handle a wide range of long standing use-cases. Here
are just a few:
- Idmapped mounts make it possible to easily share files between
multiple users or multiple machines especially in complex
scenarios. For example, idmapped mounts will be used in the
implementation of portable home directories in
systemd-homed.service(8) where they allow users to move their home
directory to an external storage device and use it on multiple
computers where they are assigned different uids and gids. This
effectively makes it possible to assign random uids and gids at
login time.
- It is possible to share files from the host with unprivileged
containers without having to change ownership permanently through
chown(2).
- It is possible to idmap a container's rootfs and without having to
mangle every file. For example, Chromebooks use it to share the
user's Download folder with their unprivileged containers in their
Linux subsystem.
- It is possible to share files between containers with
non-overlapping idmappings.
- Filesystem that lack a proper concept of ownership such as fat can
use idmapped mounts to implement discretionary access (DAC)
permission checking.
- They allow users to efficiently changing ownership on a per-mount
basis without having to (recursively) chown(2) all files. In
contrast to chown (2) changing ownership of large sets of files is
instantenous with idmapped mounts. This is especially useful when
ownership of a whole root filesystem of a virtual machine or
container is changed. With idmapped mounts a single syscall
mount_setattr syscall will be sufficient to change the ownership of
all files.
- Idmapped mounts always take the current ownership into account as
idmappings specify what a given uid or gid is supposed to be mapped
to. This contrasts with the chown(2) syscall which cannot by itself
take the current ownership of the files it changes into account. It
simply changes the ownership to the specified uid and gid. This is
especially problematic when recursively chown(2)ing a large set of
files which is commong with the aforementioned portable home
directory and container and vm scenario.
- Idmapped mounts allow to change ownership locally, restricting it
to specific mounts, and temporarily as the ownership changes only
apply as long as the mount exists.
Several userspace projects have either already put up patches and
pull-requests for this feature or will do so should you decide to pull
this:
- systemd: In a wide variety of scenarios but especially right away
in their implementation of portable home directories.
https://systemd.io/HOME_DIRECTORY/
- container runtimes: containerd, runC, LXD:To share data between
host and unprivileged containers, unprivileged and privileged
containers, etc. The pull request for idmapped mounts support in
containerd, the default Kubernetes runtime is already up for quite
a while now: https://github.com/containerd/containerd/pull/4734
- The virtio-fs developers and several users have expressed interest
in using this feature with virtual machines once virtio-fs is
ported.
- ChromeOS: Sharing host-directories with unprivileged containers.
I've tightly synced with all those projects and all of those listed
here have also expressed their need/desire for this feature on the
mailing list. For more info on how people use this there's a bunch of
talks about this too. Here's just two recent ones:
https://www.cncf.io/wp-content/uploads/2020/12/Rootless-Containers-in-Gitpod.pdf
https://fosdem.org/2021/schedule/event/containers_idmap/
This comes with an extensive xfstests suite covering both ext4 and
xfs:
https://git.kernel.org/brauner/xfstests-dev/h/idmapped_mounts
It covers truncation, creation, opening, xattrs, vfscaps, setid
execution, setgid inheritance and more both with idmapped and
non-idmapped mounts. It already helped to discover an unrelated xfs
setgid inheritance bug which has since been fixed in mainline. It will
be sent for inclusion with the xfstests project should you decide to
merge this.
In order to support per-mount idmappings vfsmounts are marked with
user namespaces. The idmapping of the user namespace will be used to
map the ids of vfs objects when they are accessed through that mount.
By default all vfsmounts are marked with the initial user namespace.
The initial user namespace is used to indicate that a mount is not
idmapped. All operations behave as before and this is verified in the
testsuite.
Based on prior discussions we want to attach the whole user namespace
and not just a dedicated idmapping struct. This allows us to reuse all
the helpers that already exist for dealing with idmappings instead of
introducing a whole new range of helpers. In addition, if we decide in
the future that we are confident enough to enable unprivileged users
to setup idmapped mounts the permission checking can take into account
whether the caller is privileged in the user namespace the mount is
currently marked with.
The user namespace the mount will be marked with can be specified by
passing a file descriptor refering to the user namespace as an
argument to the new mount_setattr() syscall together with the new
MOUNT_ATTR_IDMAP flag. The system call follows the openat2() pattern
of extensibility.
The following conditions must be met in order to create an idmapped
mount:
- The caller must currently have the CAP_SYS_ADMIN capability in the
user namespace the underlying filesystem has been mounted in.
- The underlying filesystem must support idmapped mounts.
- The mount must not already be idmapped. This also implies that the
idmapping of a mount cannot be altered once it has been idmapped.
- The mount must be a detached/anonymous mount, i.e. it must have
been created by calling open_tree() with the OPEN_TREE_CLONE flag
and it must not already have been visible in the filesystem.
The last two points guarantee easier semantics for userspace and the
kernel and make the implementation significantly simpler.
By default vfsmounts are marked with the initial user namespace and no
behavioral or performance changes are observed.
The manpage with a detailed description can be found here:
|
||
---|---|---|
.. | ||
Kconfig | ||
LICENCE | ||
Makefile | ||
README.Locking | ||
TODO | ||
acl.c | ||
acl.h | ||
background.c | ||
build.c | ||
compr.c | ||
compr.h | ||
compr_lzo.c | ||
compr_rtime.c | ||
compr_rubin.c | ||
compr_zlib.c | ||
debug.c | ||
debug.h | ||
dir.c | ||
erase.c | ||
file.c | ||
fs.c | ||
gc.c | ||
ioctl.c | ||
jffs2_fs_i.h | ||
jffs2_fs_sb.h | ||
malloc.c | ||
nodelist.c | ||
nodelist.h | ||
nodemgmt.c | ||
os-linux.h | ||
read.c | ||
readinode.c | ||
scan.c | ||
security.c | ||
summary.c | ||
summary.h | ||
super.c | ||
symlink.c | ||
wbuf.c | ||
write.c | ||
writev.c | ||
xattr.c | ||
xattr.h | ||
xattr_trusted.c | ||
xattr_user.c |
README.Locking
JFFS2 LOCKING DOCUMENTATION --------------------------- This document attempts to describe the existing locking rules for JFFS2. It is not expected to remain perfectly up to date, but ought to be fairly close. alloc_sem --------- The alloc_sem is a per-filesystem mutex, used primarily to ensure contiguous allocation of space on the medium. It is automatically obtained during space allocations (jffs2_reserve_space()) and freed upon write completion (jffs2_complete_reservation()). Note that the garbage collector will obtain this right at the beginning of jffs2_garbage_collect_pass() and release it at the end, thereby preventing any other write activity on the file system during a garbage collect pass. When writing new nodes, the alloc_sem must be held until the new nodes have been properly linked into the data structures for the inode to which they belong. This is for the benefit of NAND flash - adding new nodes to an inode may obsolete old ones, and by holding the alloc_sem until this happens we ensure that any data in the write-buffer at the time this happens are part of the new node, not just something that was written afterwards. Hence, we can ensure the newly-obsoleted nodes don't actually get erased until the write-buffer has been flushed to the medium. With the introduction of NAND flash support and the write-buffer, the alloc_sem is also used to protect the wbuf-related members of the jffs2_sb_info structure. Atomically reading the wbuf_len member to see if the wbuf is currently holding any data is permitted, though. Ordering constraints: See f->sem. File Mutex f->sem --------------------- This is the JFFS2-internal equivalent of the inode mutex i->i_sem. It protects the contents of the jffs2_inode_info private inode data, including the linked list of node fragments (but see the notes below on erase_completion_lock), etc. The reason that the i_sem itself isn't used for this purpose is to avoid deadlocks with garbage collection -- the VFS will lock the i_sem before calling a function which may need to allocate space. The allocation may trigger garbage-collection, which may need to move a node belonging to the inode which was locked in the first place by the VFS. If the garbage collection code were to attempt to lock the i_sem of the inode from which it's garbage-collecting a physical node, this lead to deadlock, unless we played games with unlocking the i_sem before calling the space allocation functions. Instead of playing such games, we just have an extra internal mutex, which is obtained by the garbage collection code and also by the normal file system code _after_ allocation of space. Ordering constraints: 1. Never attempt to allocate space or lock alloc_sem with any f->sem held. 2. Never attempt to lock two file mutexes in one thread. No ordering rules have been made for doing so. 3. Never lock a page cache page with f->sem held. erase_completion_lock spinlock ------------------------------ This is used to serialise access to the eraseblock lists, to the per-eraseblock lists of physical jffs2_raw_node_ref structures, and (NB) the per-inode list of physical nodes. The latter is a special case - see below. As the MTD API no longer permits erase-completion callback functions to be called from bottom-half (timer) context (on the basis that nobody ever actually implemented such a thing), it's now sufficient to use a simple spin_lock() rather than spin_lock_bh(). Note that the per-inode list of physical nodes (f->nodes) is a special case. Any changes to _valid_ nodes (i.e. ->flash_offset & 1 == 0) in the list are protected by the file mutex f->sem. But the erase code may remove _obsolete_ nodes from the list while holding only the erase_completion_lock. So you can walk the list only while holding the erase_completion_lock, and can drop the lock temporarily mid-walk as long as the pointer you're holding is to a _valid_ node, not an obsolete one. The erase_completion_lock is also used to protect the c->gc_task pointer when the garbage collection thread exits. The code to kill the GC thread locks it, sends the signal, then unlocks it - while the GC thread itself locks it, zeroes c->gc_task, then unlocks on the exit path. inocache_lock spinlock ---------------------- This spinlock protects the hashed list (c->inocache_list) of the in-core jffs2_inode_cache objects (each inode in JFFS2 has the correspondent jffs2_inode_cache object). So, the inocache_lock has to be locked while walking the c->inocache_list hash buckets. This spinlock also covers allocation of new inode numbers, which is currently just '++->highest_ino++', but might one day get more complicated if we need to deal with wrapping after 4 milliard inode numbers are used. Note, the f->sem guarantees that the correspondent jffs2_inode_cache will not be removed. So, it is allowed to access it without locking the inocache_lock spinlock. Ordering constraints: If both erase_completion_lock and inocache_lock are needed, the c->erase_completion has to be acquired first. erase_free_sem -------------- This mutex is only used by the erase code which frees obsolete node references and the jffs2_garbage_collect_deletion_dirent() function. The latter function on NAND flash must read _obsolete_ nodes to determine whether the 'deletion dirent' under consideration can be discarded or whether it is still required to show that an inode has been unlinked. Because reading from the flash may sleep, the erase_completion_lock cannot be held, so an alternative, more heavyweight lock was required to prevent the erase code from freeing the jffs2_raw_node_ref structures in question while the garbage collection code is looking at them. Suggestions for alternative solutions to this problem would be welcomed. wbuf_sem -------- This read/write semaphore protects against concurrent access to the write-behind buffer ('wbuf') used for flash chips where we must write in blocks. It protects both the contents of the wbuf and the metadata which indicates which flash region (if any) is currently covered by the buffer. Ordering constraints: Lock wbuf_sem last, after the alloc_sem or and f->sem. c->xattr_sem ------------ This read/write semaphore protects against concurrent access to the xattr related objects which include stuff in superblock and ic->xref. In read-only path, write-semaphore is too much exclusion. It's enough by read-semaphore. But you must hold write-semaphore when updating, creating or deleting any xattr related object. Once xattr_sem released, there would be no assurance for the existence of those objects. Thus, a series of processes is often required to retry, when updating such a object is necessary under holding read semaphore. For example, do_jffs2_getxattr() holds read-semaphore to scan xref and xdatum at first. But it retries this process with holding write-semaphore after release read-semaphore, if it's necessary to load name/value pair from medium. Ordering constraints: Lock xattr_sem last, after the alloc_sem.