-
Notifications
You must be signed in to change notification settings - Fork 256
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request: if run as uid 0 in unpriv userns, use mount instead of fusermount #697
Comments
Hi, yes it is. There's some brokenness in go-fuse that needs to be shaked out first, working on it: https://review.gerrithub.io/c/hanwen/go-fuse/+/547866 |
Another similar case: no namespaces, but /etc/fstab has an unprivileged mount point set up for the user (user,nauto options). That would be another case where using mount before falling back to fusermount would make sense. |
It's merged |
Attempt to directly call mount(2) before trying fusermount. This means we can do without fusermount if running as root. #697
So, uhmm, I implemented this. gocryptfs now tries direct mount before falling back to fusermount. HOWEVER, I was unable to get this to work inside a podman container. This says https://man7.org/linux/man-pages/man7/user_namespaces.7.html :
Note the absence of FUSE. OTOH, I see that this patch was merged in 2018: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4ad769f3c346ec3d458e255548dec26ca5284cf6 And this commit was included in Linux v4.18, as you said:
|
Looks like I needed to pass
|
I don't have a full understanding of what Maybe if you temporarily make fusermount non suid, so that gocryptfs fails outside podman, and redo this test? Or add |
I guess I missed a detail of my test. fusermount is not installed in a default debian docker container. Also, enabling --fusedebug, we see that the mount syscall succeeds and fusermount is not attempted:
|
Cool! I guess this loses the no allow_other protections, though, which I wasn't thinking much about when I first submitted this, but obviously have been recently. I wonder whether my pam_mount gocryptfs will still use fuse? I don't know what caps pam_mount gives its client mounter, which runs as the user - probably enough to do a normal non-fuse mount over any mountpoint they own. |
It is my understanding that allow_other is independent of whether fusermount or direct mount is used. Testing in podman confirms that:
Also note that there's no allow_other in the mount flags inside the container:
And also, this mount cannot be accessed at all unless you are inside the container - it is not visible outside! |
Awesome! |
I confirm that this works without fusermount for building and running apptainer encrypted containers unprivileged using the apptainer main (i.e. not yet released) code branch. Thanks! |
Recent linux kernels (I think after 4.18?) allow mounts within unprivileged namespaces without using a suid like fusermount. This is especially advantageous within unprivileged sandboxes that have nonewprivs set (for example, flatpaks and other things using bwrap), hence cannot use suids like fusermount even if any are installed. Is it possible for gocryptfs to attempt to use mount before falling back on fusermount in such cases?
The text was updated successfully, but these errors were encountered: