Public bug reported:

SRU Justification

Impact: When nested containers use shiftfs and have different id mappings,
the nested container lacks the privileges to create any files in its root
filesystem unless the directory in question is very permissive. This prevents
nested containers from being usable.
Here is a reproducer as given by Stéphane:

Reproducer:
 - lxc init images:ubuntu/bionic b1 -c security.nesting=true
 - Confirm b1 uses shiftfs and uses the default map

root@b1:~# cat /proc/self/uid_map 
         0    1000000 1000000000
root@b1:~# grep shiftfs /proc/self/mountinfo
3702 2266 0:92 / / rw,relatime - shiftfs /var/lib/lxd/storage-pools/default/containers/b1/rootfs rw,passthrough=3

 - Install LXD snap in there
 - snap set lxd shiftfs.enable=true
 - systemctl reload snap.lxd.daemon
 - lxd init --auto
 - lxc launch images:alpine/edge a1
 - Confirm that a1 uses a different map than b1
 - Confirm that a1 uses shiftfs
 - touch /etc/a should fail with EACCES
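
The two "Confirm ..." steps above can be scripted from inside a container. The helpers below are an added example, not part of the bug report or of LXD/shiftfs; they parse the /proc/self/mountinfo and /proc/self/uid_map formats shown in the reproducer, and the embedded sample lines are constructed from that output (the a1 map is a made-up value for illustration).

```shell
#!/bin/sh
# Added example (not from the bug report): checks for the reproducer's
# "confirm b1/a1 uses shiftfs" and "confirm a1 uses a different map" steps.

# Print the fstype of the mount whose mountpoint is $2, parsed from the
# mountinfo text in $1.  Field layout per line:
#   id parent maj:min root mountpoint opts [optional...] - fstype source superopts
# The "-" separator is searched for because optional fields may precede it.
fstype_of_mount() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $5 == mp {
            for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 1); exit }
        }'
}

# Succeed (exit 0) when the root filesystem in mountinfo text $1 is shiftfs.
rootfs_is_shiftfs() {
    [ "$(fstype_of_mount "$1" /)" = "shiftfs" ]
}

# Print "<first_host_id> <range>" of the uid_map line that maps id 0.
root_mapping() {
    printf '%s\n' "$1" | awk '$1 == 0 { print $2, $3; exit }'
}

# Succeed when two uid_map texts map id 0 differently (the nested case).
maps_differ() {
    [ "$(root_mapping "$1")" != "$(root_mapping "$2")" ]
}

# Constructed sample input: b1's lines are taken from the report's output,
# a1's uid_map is a hypothetical nested mapping.
SAMPLE_B1_MOUNTINFO='3702 2266 0:92 / / rw,relatime - shiftfs /var/lib/lxd/storage-pools/default/containers/b1/rootfs rw,passthrough=3'
SAMPLE_B1_UID_MAP='         0    1000000 1000000000'
SAMPLE_A1_UID_MAP='         0     100000      65536'

# Live use from inside a container:
#   rootfs_is_shiftfs "$(cat /proc/self/mountinfo)" && echo "rootfs is shiftfs"
#   root_mapping "$(cat /proc/self/uid_map)"
```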

Fix: Instead of recording the credentials of the process that created
the innermost shiftfs mount, we need to record the credentials of the
creator of the first shiftfs mark mount (the lower mount), since we always
refer back to the lower mount to get around vfs layering restrictions.

Regression Potential: Limited to shiftfs.

Test Case: Built a kernel with the mentioned fix and ran the reproducer.
The issue was not reproducible.

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Christian Brauner (cbrauner)
         Status: In Progress

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => Christian Brauner (cbrauner)

** Changed in: linux (Ubuntu)
       Status: New => In Progress

https://bugs.launchpad.net/bugs/1872094

Title:
  shiftfs: broken shiftfs nesting
