Merge pull request #3709 from brauner/2021-03-17/idmapped_mounts_v2

configure.ac

@@ -652,8 +652,9 @@ AC_CHECK_HEADER([ifaddrs.h],
 AC_HEADER_MAJOR
 
 # Check for some syscalls functions
-AC_CHECK_FUNCS([setns pivot_root sethostname unshare rand_r confstr faccessat gettid memfd_create move_mount open_tree execveat clone3 fsopen fspick fsconfig fsmount, openat2, close_range, statvfs])
+AC_CHECK_FUNCS([setns pivot_root sethostname unshare rand_r confstr faccessat gettid memfd_create move_mount open_tree execveat clone3 fsopen fspick fsconfig fsmount, openat2, close_range, statvfs, mount_setattr])
 AC_CHECK_TYPES([__aligned_u64], [], [], [[#include <linux/types.h>]])
+AC_CHECK_TYPES([struct mount_attr], [], [], [[#include <linux/mount.h>]])
 AC_CHECK_TYPES([struct open_how], [], [], [[#include <linux/openat2.h>]])
 AC_CHECK_TYPES([struct clone_args], [], [], [[#include <linux/sched.h>]])
 AC_CHECK_MEMBERS([struct clone_args.set_tid],[],[],[[#include <linux/sched.h>]])

src/lxc/attach.c

@@ -181,10 +181,12 @@ static struct attach_context *alloc_attach_context(void)
 	if (!ctx)
 		return ret_set_errno(NULL, ENOMEM);
 
+	ctx->init_pid		= -ESRCH;
+
 	ctx->dfd_self_pid	= -EBADF;
 	ctx->dfd_init_pid	= -EBADF;
 	ctx->init_pidfd		= -EBADF;
-	ctx->init_pid		= -ESRCH;
+
 	ctx->setup_ns_uid	= LXC_INVALID_UID;
 	ctx->setup_ns_gid	= LXC_INVALID_GID;
 	ctx->target_ns_uid	= LXC_INVALID_UID;
@@ -192,7 +194,7 @@ static struct attach_context *alloc_attach_context(void)
 	ctx->target_host_uid	= LXC_INVALID_UID;
 	ctx->target_host_gid	= LXC_INVALID_GID;
 
-	for (int i = 0; i < LXC_NS_MAX; i++)
+	for (lxc_namespace_t i = 0; i < LXC_NS_MAX; i++)
 		ctx->ns_fd[i] = -EBADF;
 
 	return ctx;
@@ -436,7 +438,7 @@ static int get_attach_context(struct attach_context *ctx,
 		if (options->namespaces == -1)
 			return log_error_errno(-EINVAL, EINVAL, "Failed to automatically determine the namespaces which the container uses");
 
-		for (int i = 0; i < LXC_NS_MAX; i++) {
+		for (lxc_namespace_t i = 0; i < LXC_NS_MAX; i++) {
 			if (ns_info[i].clone_flag & CLONE_NEWCGROUP)
 				if (!(options->attach_flags & LXC_ATTACH_MOVE_TO_CGROUP) ||
 				    !cgns_supported())
@@ -531,7 +533,7 @@ static int same_ns(int dfd_pid1, int dfd_pid2, const char *ns_path)
 
 static int __prepare_namespaces_pidfd(struct attach_context *ctx)
 {
-	for (int i = 0; i < LXC_NS_MAX; i++) {
+	for (lxc_namespace_t i = 0; i < LXC_NS_MAX; i++) {
 		int ret;
 
 		ret = same_nsfd(ctx->dfd_self_pid,
@@ -559,8 +561,8 @@ static int __prepare_namespaces_pidfd(struct attach_context *ctx)
 static int __prepare_namespaces_nsfd(struct attach_context *ctx,
 				     lxc_attach_options_t *options)
 {
-	for (int i = 0; i < LXC_NS_MAX; i++) {
-		int j;
+	for (lxc_namespace_t i = 0; i < LXC_NS_MAX; i++) {
+		lxc_namespace_t j;
 
 		if (options->namespaces & ns_info[i].clone_flag)
 			ctx->ns_fd[i] = open_at(ctx->dfd_init_pid,
@@ -642,7 +644,7 @@ static int __attach_namespaces_nsfd(struct attach_context *ctx,
 {
 	int fret = 0;
 
-	for (int i = 0; i < LXC_NS_MAX; i++) {
+	for (lxc_namespace_t i = 0; i < LXC_NS_MAX; i++) {
 		int ret;
 
 		if (ctx->ns_fd[i] < 0)
@@ -670,7 +672,7 @@ static int attach_namespaces(struct attach_context *ctx,
 			     lxc_attach_options_t *options)
 {
 	if (lxc_log_trace()) {
-		for (int i = 0; i < LXC_NS_MAX; i++) {
+		for (lxc_namespace_t i = 0; i < LXC_NS_MAX; i++) {
 			if (ns_info[i].clone_flag & options->namespaces) {
 				TRACE("Attaching to %s namespace", ns_info[i].proc_name);
 				continue;

src/lxc/conf.c

@@ -98,6 +98,10 @@
 #include <../include/prlimit.h>
 #endif
 
+#ifndef HAVE_STRLCPY
+#include "include/strlcpy.h"
+#endif
+
 lxc_log_define(conf, lxc);
 
 /*
@@ -484,11 +488,24 @@ int run_script(const char *name, const char *section, const char *script, ...)
  */
 int lxc_rootfs_prepare(struct lxc_rootfs *rootfs, bool userns)
 {
-	__do_close int dfd_path = -EBADF, fd_pin = -EBADF;
+	__do_close int dfd_path = -EBADF, fd_pin = -EBADF, fd_userns = -EBADF;
 	int ret;
 	struct stat st;
 	struct statfs stfs;
 
+	if (!is_empty_string(rootfs->mnt_opts.userns_path)) {
+		if (!rootfs->path)
+			return syserror_set(-EINVAL, "Idmapped rootfs currently only supported with separate rootfs for container");
+
+		if (rootfs->bdev_type && !strequal(rootfs->bdev_type, "dir"))
+			return syserror_set(-EINVAL, "Idmapped rootfs currently only supports the \"dir\" storage driver");
+
+		fd_userns = open_at(-EBADF, rootfs->mnt_opts.userns_path,
+				    PROTECT_OPEN_WITH_TRAILING_SYMLINKS, 0, 0);
+		if (fd_userns < 0)
+			return syserror("Failed to open user namespace");
+	}
+
 	if (rootfs->path) {
 		if (rootfs->bdev_type &&
 		    (strequal(rootfs->bdev_type, "overlay") ||
@@ -500,13 +517,17 @@ int lxc_rootfs_prepare(struct lxc_rootfs *rootfs, bool userns)
 		dfd_path = open_at(-EBADF, "/", PROTECT_OPATH_FILE, PROTECT_LOOKUP_ABSOLUTE, 0);
 	}
 	if (dfd_path < 0)
-		return log_error_errno(-errno, errno, "Failed to open \"%s\"", rootfs->path);
+		return syserror("Failed to open \"%s\"", rootfs->path);
 
-	if (!rootfs->path)
-		return log_trace(0, "Not pinning because container does not have a rootfs");
+	if (!rootfs->path) {
+		TRACE("Not pinning because container does not have a rootfs");
+		goto out;
+	}
 
-	if (userns)
-		return log_trace(0, "Not pinning because container runs in user namespace");
+	if (userns) {
+		TRACE("Not pinning because container runs in user namespace");
+		goto out;
+	}
 
 	ret = fstat(dfd_path, &st);
 	if (ret < 0)
@@ -520,7 +541,7 @@ int lxc_rootfs_prepare(struct lxc_rootfs *rootfs, bool userns)
 			 PROTECT_LOOKUP_BENEATH,
 			 S_IWUSR | S_IRUSR);
 	if (fd_pin < 0)
-		return log_error_errno(-errno, errno, "Failed to pin rootfs");
+		return syserror("Failed to pin rootfs");
 
 	TRACE("Pinned rootfs %d(.lxc_keep)", fd_pin);
 
@@ -542,6 +563,7 @@ int lxc_rootfs_prepare(struct lxc_rootfs *rootfs, bool userns)
 
 out:
 	rootfs->fd_path_pin = move_fd(fd_pin);
+	rootfs->mnt_opts.userns_fd = move_fd(fd_userns);
 	return 0;
 }
 
@@ -2090,34 +2112,70 @@ skipremount:
 	return 0;
 }
 
+const char *lxc_mount_options_info[LXC_MOUNT_MAX] = {
+	"create=dir",
+	"create=file",
+	"optional",
+	"relative",
+	"idmap=",
+};
+
 /* Remove "optional", "create=dir", and "create=file" from mntopt */
-static void cull_mntent_opt(struct mntent *mntent)
+int parse_lxc_mntopts(struct lxc_mount_options *opts, char *mnt_opts)
 {
-	int i;
-	char *list[] = {
-		"create=dir",
-		"create=file",
-		"optional",
-		"relative",
-		NULL
-	};
-
-	for (i = 0; list[i]; i++) {
-		char *p, *p2;
+	for (size_t i = LXC_MOUNT_CREATE_DIR; i < LXC_MOUNT_MAX; i++) {
+		__do_close int fd_userns = -EBADF;
+		const char *opt_name = lxc_mount_options_info[i];
+		size_t len;
+		char *idmap_path, *p, *p2;
 
-		p = strstr(mntent->mnt_opts, list[i]);
+		p = strstr(mnt_opts, opt_name);
 		if (!p)
 			continue;
 
-		p2 = strchr(p, ',');
-		if (!p2) {
-			/* no more mntopts, so just chop it here */
-			*p = '\0';
-			continue;
+		switch (i) {
+		case LXC_MOUNT_CREATE_DIR:
+			opts->create_dir = 1;
+			break;
+		case LXC_MOUNT_CREATE_FILE:
+			opts->create_file = 1;
+			break;
+		case LXC_MOUNT_OPTIONAL:
+			opts->optional = 1;
+			break;
+		case LXC_MOUNT_RELATIVE:
+			opts->relative = 1;
+			break;
+		case LXC_MOUNT_IDMAP:
+			p2 = p;
+			p2 += STRLITERALLEN("idmap=");
+			idmap_path = strchrnul(p2, ',');
+
+			len = strlcpy(opts->userns_path, p2, idmap_path - p2 + 1);
+			if (len >= sizeof(opts->userns_path))
+				return syserror_set(-EIO, "Excessive idmap path length for \"idmap=<path>\" LXC specific mount option");
+
+			if (is_empty_string(opts->userns_path))
+				return syserror_set(-EINVAL, "Missing idmap path for \"idmap=<path>\" LXC specific mount option");
+
+			fd_userns = open(opts->userns_path, O_RDONLY | O_NOCTTY | O_CLOEXEC);
+			if (fd_userns < 0)
+				return syserror("Failed to open user namespace");
+
+			TRACE("Parse LXC specific mount option %d->\"idmap=%s\"", fd_userns, opts->userns_path);
+			break;
+		default:
+			return syserror_set(-EINVAL, "Unknown LXC specific mount option");
 		}
 
-		memmove(p, p2 + 1, strlen(p2 + 1) + 1);
+		p2 = strchr(p, ',');
+		if (!p2)
+			*p = '\0'; /* no more mntopts, so just chop it here */
+		else
+			memmove(p, p2 + 1, strlen(p2 + 1) + 1);
 	}
+
+	return 0;
 }
 
 static int mount_entry_create_dir_file(const struct mntent *mntent,
@@ -2178,6 +2236,7 @@ static inline int mount_entry_on_generic(struct mntent *mntent,
 	char *rootfs_path = NULL;
 	int ret;
 	bool dev, optional, relative;
+	struct lxc_mount_options opts = {};
 
 	optional = hasmntopt(mntent, "optional") != NULL;
 	dev = hasmntopt(mntent, "dev") != NULL;
@@ -2194,7 +2253,13 @@ static inline int mount_entry_on_generic(struct mntent *mntent,
 
 		return -1;
 	}
-	cull_mntent_opt(mntent);
+
+	ret = parse_lxc_mntopts(&opts, mntent->mnt_opts);
+	if (ret < 0)
+		return ret;
+
+	if (!is_empty_string(opts.userns_path))
+		return syserror_set(-EINVAL, "Idmapped mount entries not yet supported");
 
 	ret = parse_propagationopts(mntent->mnt_opts, &pflags);
 	if (ret < 0)
@@ -2686,6 +2751,7 @@ struct lxc_conf *lxc_conf_init(void)
 	new->rootfs.dfd_dev = -EBADF;
 	new->rootfs.dfd_host = -EBADF;
 	new->rootfs.fd_path_pin = -EBADF;
+	new->rootfs.mnt_opts.userns_fd = -EBADF;
 	new->logfd = -1;
 	lxc_list_init(&new->cgroup);
 	lxc_list_init(&new->cgroup2);

src/lxc/conf.h

@@ -181,6 +181,26 @@ struct lxc_tty_info {
 	struct lxc_terminal_info *tty;
 };
 
+typedef enum lxc_mount_options_t {
+	LXC_MOUNT_CREATE_DIR	= 0,
+	LXC_MOUNT_CREATE_FILE	= 1,
+	LXC_MOUNT_OPTIONAL	= 2,
+	LXC_MOUNT_RELATIVE	= 3,
+	LXC_MOUNT_IDMAP		= 4,
+	LXC_MOUNT_MAX		= 5,
+} lxc_mount_options_t;
+
+__hidden extern const char *lxc_mount_options_info[LXC_MOUNT_MAX];
+
+struct lxc_mount_options {
+	int create_dir : 1;
+	int create_file : 1;
+	int optional : 1;
+	int relative : 1;
+	char userns_path[PATH_MAX];
+	int userns_fd;
+};
+
 /* Defines a structure to store the rootfs location, the
  * optionals pivot_root, rootfs mount paths
  * @path         : the rootfs source (directory or device)
@@ -211,6 +231,7 @@ struct lxc_rootfs {
 	unsigned long mountflags;
 	char *data;
 	bool managed;
+	struct lxc_mount_options mnt_opts;
 };
 
 /*
@@ -509,6 +530,7 @@ __hidden extern int userns_exec_full(struct lxc_conf *conf, int (*fn)(void *), v
 				     const char *fn_name);
 __hidden extern int parse_mntopts(const char *mntopts, unsigned long *mntflags, char **mntdata);
 __hidden extern int parse_propagationopts(const char *mntopts, unsigned long *pflags);
+__hidden extern int parse_lxc_mntopts(struct lxc_mount_options *opts, char *mnt_opts);
 __hidden extern void tmp_proc_unmount(struct lxc_conf *lxc_conf);
 __hidden extern void suggest_default_idmap(void);
 __hidden extern FILE *make_anonymous_mount_file(struct lxc_list *mount, bool include_nesting_helpers);
@@ -554,12 +576,18 @@ static inline const char *get_rootfs_mnt(const struct lxc_rootfs *rootfs)
 	return !is_empty_string(rootfs->path) ? rootfs->mount : s;
 }
 
+static inline bool idmapped_rootfs_mnt(const struct lxc_rootfs *rootfs)
+{
+	return rootfs->mnt_opts.userns_fd >= 0;
+}
+
 static inline void put_lxc_rootfs(struct lxc_rootfs *rootfs, bool unpin)
 {
 	if (rootfs) {
 		close_prot_errno_disarm(rootfs->dfd_host);
 		close_prot_errno_disarm(rootfs->dfd_mnt);
 		close_prot_errno_disarm(rootfs->dfd_dev);
+		close_prot_errno_disarm(rootfs->mnt_opts.userns_fd);
 		if (unpin)
 			close_prot_errno_disarm(rootfs->fd_path_pin);
 	}

src/lxc/confile.c

@@ -2790,7 +2790,7 @@ static int set_config_rootfs_mount(const char *key, const char *value,
 static int set_config_rootfs_options(const char *key, const char *value,
 				     struct lxc_conf *lxc_conf, void *data)
 {
-	__do_free char *mdata = NULL, *opts = NULL;
+	__do_free char *dup = NULL, *mdata = NULL, *opts = NULL;
 	unsigned long mflags = 0, pflags = 0;
 	struct lxc_rootfs *rootfs = &lxc_conf->rootfs;
 	int ret;
@@ -2799,18 +2799,30 @@ static int set_config_rootfs_options(const char *key, const char *value,
 	if (lxc_config_value_empty(value))
 		return 0;
 
-	ret = parse_mntopts(value, &mflags, &mdata);
+	dup = strdup(value);
+	if (!dup)
+		return -ENOMEM;
+
+	ret = parse_lxc_mntopts(&rootfs->mnt_opts, dup);
+	if (ret < 0)
+		return ret;
+
+	ret = parse_mntopts(dup, &mflags, &mdata);
 	if (ret < 0)
 		return ret_errno(EINVAL);
 
-	ret = parse_propagationopts(value, &pflags);
+	ret = parse_propagationopts(dup, &pflags);
 	if (ret < 0)
 		return ret_errno(EINVAL);
 
-	ret = set_config_string_item(&opts, value);
+	ret = set_config_string_item(&opts, dup);
 	if (ret < 0)
 		return ret_errno(ENOMEM);
 
+	if (rootfs->mnt_opts.create_dir || rootfs->mnt_opts.create_file ||
+	    rootfs->mnt_opts.optional || rootfs->mnt_opts.relative)
+		return syserror_set(-EINVAL, "Invalid LXC specifc mount option for rootfs mount");
+
 	rootfs->mountflags	= mflags | pflags;
 	rootfs->options		= move_ptr(opts);
 	rootfs->data		= move_ptr(mdata);

src/lxc/lsm/apparmor.c

@@ -1165,15 +1165,15 @@ static int apparmor_process_label_fd_get(struct lsm_ops *ops, pid_t pid, bool on
 
 static int apparmor_process_label_set_at(struct lsm_ops *ops, int label_fd, const char *label, bool on_exec)
 {
+	__do_free char *command = NULL;
 	int ret = -1;
 	size_t len;
-	__do_free char *command = NULL;
 
 	if (on_exec)
-		log_trace(0, "Changing AppArmor profile on exec not supported");
+		TRACE("Changing AppArmor profile on exec not supported");
 
 	len = strlen(label) + strlen("changeprofile ") + 1;
-	command = malloc(len);
+	command = zalloc(len);
 	if (!command)
 		return ret_errno(ENOMEM);
 

src/lxc/mount_utils.c

@@ -236,16 +236,76 @@ int fs_attach(int fd_fs,
 	return 0;
 }
 
-int fd_bind_mount(int dfd_from, const char *path_from,
-		  __u64 o_flags_from, __u64 resolve_flags_from,
-		  int dfd_to, const char *path_to,
-		  __u64 o_flags_to, __u64 resolve_flags_to,
-		  unsigned int attr_flags, bool recursive)
+int create_detached_idmapped_mount(const char *path, int userns_fd, bool recursive)
+{
+	__do_close int fd_tree_from = -EBADF;
+	unsigned int open_tree_flags = OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC;
+	struct lxc_mount_attr attr = {
+		.attr_set	= MOUNT_ATTR_IDMAP,
+		.userns_fd	= userns_fd,
+
+	};
+	int ret;
+
+	TRACE("Idmapped mount \"%s\" requested with user namespace fd %d", path, userns_fd);
+
+	if (recursive)
+		open_tree_flags |= AT_RECURSIVE;
+
+	fd_tree_from = open_tree(-EBADF, path, open_tree_flags);
+	if (fd_tree_from < 0)
+		return syserror("Failed to create detached mount");
+
+	ret = mount_setattr(fd_tree_from, "",
+			    AT_EMPTY_PATH | (recursive ? AT_RECURSIVE : 0),
+			    &attr, sizeof(attr));
+	if (ret < 0)
+		return syserror("Failed to change mount attributes");
+
+	return move_fd(fd_tree_from);
+}
+
+int move_detached_mount(int dfd_from, int dfd_to, const char *path_to,
+			__u64 o_flags_to, __u64 resolve_flags_to)
+{
+	__do_close int __fd_to = -EBADF;
+	int fd_to, ret;
+
+	if (!is_empty_string(path_to)) {
+		struct lxc_open_how how = {
+			.flags		= o_flags_to,
+			.resolve	= resolve_flags_to,
+		};
+
+		__fd_to = openat2(dfd_to, path_to, &how, sizeof(how));
+		if (__fd_to < 0)
+			return -errno;
+		fd_to = __fd_to;
+	} else {
+		fd_to = dfd_to;
+	}
+
+	ret = move_mount(dfd_from, "", fd_to, "", MOVE_MOUNT_F_EMPTY_PATH | MOVE_MOUNT_T_EMPTY_PATH);
+	if (ret)
+		return syserror("Failed to attach detached mount %d to filesystem at %d", dfd_from, fd_to);
+
+	TRACE("Attach detached mount %d to filesystem at %d", dfd_from, fd_to);
+	return 0;
+}
+
+static int __fd_bind_mount(int dfd_from, const char *path_from,
+			   __u64 o_flags_from, __u64 resolve_flags_from,
+			   int dfd_to, const char *path_to, __u64 o_flags_to,
+			   __u64 resolve_flags_to, unsigned int attr_flags,
+			   int userns_fd, bool recursive)
 {
-	__do_close int __fd_from = -EBADF, __fd_to = -EBADF;
+	struct lxc_mount_attr attr = {
+		.attr_set = attr_flags,
+	};
+	__do_close int __fd_from = -EBADF;
 	__do_close int fd_tree_from = -EBADF;
 	unsigned int open_tree_flags = AT_EMPTY_PATH | OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC;
-	int fd_from, fd_to, ret;
+	int fd_from, ret;
 
 	if (!is_empty_string(path_from)) {
 		struct lxc_open_how how = {
@@ -266,28 +326,46 @@ int fd_bind_mount(int dfd_from, const char *path_from,
 
 	fd_tree_from = open_tree(fd_from, "", open_tree_flags);
 	if (fd_tree_from < 0)
-		return log_error_errno(-errno, errno, "Failed to create detached mount");
+		return syserror("Failed to create detached mount");
 
-	if (!is_empty_string(path_to)) {
-		struct lxc_open_how how = {
-			.flags		= o_flags_to,
-			.resolve	= resolve_flags_to,
-		};
+	if (userns_fd >= 0) {
+		attr.attr_set	|= MOUNT_ATTR_IDMAP;
+		attr.userns_fd	= userns_fd;
+		TRACE("Idmapped mount requested with user namespace fd %d", userns_fd);
+	}
 
-		__fd_to = openat2(dfd_to, path_to, &how, sizeof(how));
-		if (__fd_to < 0)
-			return -errno;
-		fd_to = __fd_to;
-	} else {
-		fd_to = dfd_to;
+	if (attr.attr_set) {
+		ret = mount_setattr(fd_tree_from, "",
+				    AT_EMPTY_PATH | (recursive ? AT_RECURSIVE : 0),
+				    &attr, sizeof(attr));
+		if (ret < 0)
+			return syserror("Failed to change mount attributes");
 	}
 
-	ret = move_mount(fd_tree_from, "", fd_to, "", MOVE_MOUNT_F_EMPTY_PATH | MOVE_MOUNT_T_EMPTY_PATH);
-	if (ret)
-		return log_error_errno(-errno, errno, "Failed to attach detached mount %d to filesystem at %d", fd_tree_from, fd_to);
+	return move_detached_mount(fd_tree_from, dfd_to, path_to, o_flags_to,
+				   resolve_flags_to);
+}
 
-	TRACE("Attach detached mount %d to filesystem at %d", fd_tree_from, fd_to);
-	return 0;
+int fd_mount_idmapped(int dfd_from, const char *path_from,
+		      __u64 o_flags_from, __u64 resolve_flags_from,
+		      int dfd_to, const char *path_to,
+		      __u64 o_flags_to, __u64 resolve_flags_to,
+		      unsigned int attr_flags, int userns_fd, bool recursive)
+{
+	return __fd_bind_mount(dfd_from, path_from, o_flags_from, resolve_flags_from,
+			       dfd_to, path_to, o_flags_to, resolve_flags_to,
+			       attr_flags, userns_fd, recursive);
+}
+
+int fd_bind_mount(int dfd_from, const char *path_from,
+		  __u64 o_flags_from, __u64 resolve_flags_from,
+		  int dfd_to, const char *path_to,
+		  __u64 o_flags_to, __u64 resolve_flags_to,
+		  unsigned int attr_flags, bool recursive)
+{
+	return __fd_bind_mount(dfd_from, path_from, o_flags_from, resolve_flags_from,
+			       dfd_to, path_to, o_flags_to, resolve_flags_to,
+			       attr_flags, -EBADF, recursive);
 }
 
 int calc_remount_flags_new(int dfd_from, const char *path_from,
@@ -488,3 +566,28 @@ bool can_use_mount_api(void)
 
 	return supported == 1;
 }
+
+bool can_use_bind_mounts(void)
+{
+	static int supported = -1;
+
+	if (supported == -1) {
+		int ret;
+
+		if (!can_use_mount_api()) {
+			supported = 0;
+			return false;
+		}
+
+		ret = mount_setattr(-EBADF, NULL, 0, NULL, 0);
+		if (!ret || errno == ENOSYS) {
+			supported = 0;
+			return false;
+		}
+
+		supported = 1;
+		TRACE("Kernel supports bind mounts in the new mount api");
+	}
+
+	return supported == 1;
+}

src/lxc/mount_utils.h

@@ -152,6 +152,10 @@
 #define MOUNT_ATTR_NODIRATIME 0x00000080 /* Do not update directory access times */
 #endif
 
+#ifndef MOUNT_ATTR_IDMAP
+#define MOUNT_ATTR_IDMAP 0x00100000
+#endif
+
 __hidden extern int mnt_attributes_new(unsigned int old_flags, unsigned int *new_flags);
 
 __hidden extern int mnt_attributes_old(unsigned int new_flags, unsigned int *old_flags);
@@ -185,6 +189,18 @@ __hidden extern int fd_bind_mount(int dfd_from, const char *path_from,
 				  __u64 o_flags_to, __u64 resolve_flags_to,
 				  unsigned int attr_flags, bool recursive);
 
+__hidden extern int fd_mount_idmapped(int dfd_from, const char *path_from,
+				      __u64 o_flags_from, __u64 resolve_flags_from,
+				      int dfd_to, const char *path_to,
+				      __u64 o_flags_to, __u64 resolve_flags_to,
+				      unsigned int attr_flags, int userns_fd,
+				      bool recursive);
+__hidden extern int create_detached_idmapped_mount(const char *path,
+						   int userns_fd, bool recursive);
+__hidden extern int move_detached_mount(int dfd_from, int dfd_to,
+					const char *path_to, __u64 o_flags_to,
+					__u64 resolve_flags_to);
+
 __hidden extern int calc_remount_flags_new(int dfd_from, const char *path_from,
 					   __u64 o_flags_from,
 					   __u64 resolve_flags_from,
@@ -202,5 +218,6 @@ __hidden extern unsigned long add_required_remount_flags(const char *s,
 							 unsigned long flags);
 
 __hidden extern bool can_use_mount_api(void);
+__hidden extern bool can_use_bind_mounts(void);
 
 #endif /* __LXC_MOUNT_UTILS_H */

src/lxc/start.c

@@ -1645,16 +1645,6 @@ static int lxc_spawn(struct lxc_handler *handler)
 		goto out_delete_net;
 	}
 
-	/* If the rootfs is not a blockdev, prevent the container from marking
-	 * it readonly.
-	 * If the container is unprivileged then skip rootfs pinning.
-	 */
-	ret = lxc_rootfs_prepare(&conf->rootfs, wants_to_map_ids);
-	if (ret) {
-		ERROR("Failed to handle rootfs pinning for container \"%s\"", handler->name);
-		goto out_delete_net;
-	}
-
 	/* Create a process in a new set of namespaces. */
 	if (share_ns) {
 		pid_t attacher_pid;
@@ -2040,9 +2030,34 @@ int __lxc_start(struct lxc_handler *handler, struct lxc_operations *ops,
 		goto out_abort;
 	}
 
+	/* If the rootfs is not a blockdev, prevent the container from marking
+	 * it readonly.
+	 * If the container is unprivileged then skip rootfs pinning.
+	 */
+	ret = lxc_rootfs_prepare(&conf->rootfs, !lxc_list_empty(&conf->id_map));
+	if (ret) {
+		ERROR("Failed to handle rootfs pinning for container \"%s\"", handler->name);
+		ret = -1;
+		goto out_abort;
+	}
+
 	if (geteuid() == 0 && !lxc_list_empty(&conf->id_map)) {
-		/* If the backing store is a device, mount it here and now. */
-		if (rootfs_is_blockdev(conf)) {
+		/*
+		 * This handles two cases: mounting real block devices and
+		 * creating idmapped mounts. The block device case should be
+		 * obivous, i.e. no real filesystem can currently be mounted
+		 * from inside a user namespace.
+		 *
+		 * Idmapped mounts can currently only be created if the caller
+		 * is privileged wrt to the user namespace in which the
+		 * underlying block device has been mounted in. This basically
+		 * (with few exceptions) means we need to be CAP_SYS_ADMIN in
+		 * the initial user namespace since almost no interesting
+		 * filesystems can be mounted inside of user namespaces. This
+		 * is way we need to do the rootfs setup here. In the future
+		 * this may change.
+		 */
+		if (idmapped_rootfs_mnt(&conf->rootfs) || rootfs_is_blockdev(conf)) {
 			ret = unshare(CLONE_NEWNS);
 			if (ret < 0) {
 				ERROR("Failed to unshare CLONE_NEWNS");

src/lxc/storage/dir.c

@@ -148,23 +148,46 @@ int dir_mount(struct lxc_storage *bdev)
 
 	src = lxc_storage_get_path(bdev->src, bdev->type);
 
-	ret = mount(src, bdev->dest, "bind", MS_BIND | MS_REC | mntflags | pflags, mntdata);
-	if (ret < 0)
-		return log_error_errno(-errno, errno, "Failed to mount \"%s\" on \"%s\"", src, bdev->dest);
-
-	if (ret == 0 && (mntflags & MS_RDONLY)) {
-		mflags = add_required_remount_flags(src, bdev->dest, MS_BIND | MS_REC | mntflags | pflags | MS_REMOUNT);
-		ret = mount(src, bdev->dest, "bind", mflags, mntdata);
+	if (can_use_bind_mounts()) {
+		__do_close int fd_source = -EBADF, fd_target = -EBADF;
+
+		fd_source = open_at(-EBADF, src, PROTECT_OPATH_DIRECTORY, PROTECT_LOOKUP_ABSOLUTE, 0);
+		if (fd_source < 0)
+			return syserror("Failed to open \"%s\"", src);
+
+		fd_target = open_at(-EBADF, bdev->dest, PROTECT_OPATH_DIRECTORY, PROTECT_LOOKUP_ABSOLUTE, 0);
+		if (fd_target < 0)
+			return syserror("Failed to open \"%s\"", bdev->dest);
+
+		ret = fd_mount_idmapped(fd_source, "", PROTECT_OPATH_DIRECTORY,
+					PROTECT_LOOKUP_BENEATH, fd_target, "",
+					PROTECT_OPATH_DIRECTORY,
+					PROTECT_LOOKUP_BENEATH, 0,
+					bdev->rootfs->mnt_opts.userns_fd, true);
+		if (ret < 0)
+			return syserror("Failed to mount \"%s\" onto \"%s\"", src, bdev->dest);
+	} else {
+		ret = mount(src, bdev->dest, "bind", MS_BIND | MS_REC | mntflags | pflags, mntdata);
 		if (ret < 0)
-			return log_error_errno(-errno, errno, "Failed to remount \"%s\" on \"%s\" read-only with options \"%s\", mount flags \"%lu\", and propagation flags \"%lu\"",
-					       src ? src : "(none)", bdev->dest ? bdev->dest : "(none)", mntdata, mflags, pflags);
-		else
-			DEBUG("Remounted \"%s\" on \"%s\" read-only with options \"%s\", mount flags \"%lu\", and propagation flags \"%lu\"",
-			      src ? src : "(none)", bdev->dest ? bdev->dest : "(none)", mntdata, mflags, pflags);
+			return log_error_errno(-errno, errno, "Failed to mount \"%s\" on \"%s\"", src, bdev->dest);
+
+		if (ret == 0 && (mntflags & MS_RDONLY)) {
+			mflags = add_required_remount_flags(src, bdev->dest, MS_BIND | MS_REC | mntflags | pflags | MS_REMOUNT);
+
+			ret = mount(src, bdev->dest, "bind", mflags, mntdata);
+			if (ret < 0)
+				return log_error_errno(-errno, errno, "Failed to remount \"%s\" on \"%s\" read-only with options \"%s\", mount flags \"%lu\", and propagation flags \"%lu\"",
+						       src ? src : "(none)", bdev->dest ? bdev->dest : "(none)", mntdata, mflags, pflags);
+			else
+				DEBUG("Remounted \"%s\" on \"%s\" read-only with options \"%s\", mount flags \"%lu\", and propagation flags \"%lu\"",
+				      src ? src : "(none)", bdev->dest ? bdev->dest : "(none)", mntdata, mflags, pflags);
+		}
+
+		TRACE("Mounted \"%s\" on \"%s\" with options \"%s\", mount flags \"%lu\", and propagation flags \"%lu\"",
+		      src ? src : "(none)", bdev->dest ? bdev->dest : "(none)", mntdata, mflags, pflags);
 	}
 
-	TRACE("Mounted \"%s\" on \"%s\" with options \"%s\", mount flags \"%lu\", and propagation flags \"%lu\"",
-	      src ? src : "(none)", bdev->dest ? bdev->dest : "(none)", mntdata, mflags, pflags);
+	TRACE("Mounted \"%s\" onto \"%s\"", src, bdev->dest);
 	return 0;
 }
 

src/lxc/storage/storage.c

@@ -598,14 +598,13 @@ struct lxc_storage *storage_init(struct lxc_conf *conf)
 	if (!q)
 		return NULL;
 
-	bdev = malloc(sizeof(struct lxc_storage));
+	bdev = zalloc(sizeof(struct lxc_storage));
 	if (!bdev)
 		return NULL;
 
-	memset(bdev, 0, sizeof(struct lxc_storage));
-
-	bdev->ops = q->ops;
-	bdev->type = q->name;
+	bdev->ops	= q->ops;
+	bdev->type	= q->name;
+	bdev->rootfs	= &conf->rootfs;
 
 	if (mntopts)
 		bdev->mntopts = strdup(mntopts);

src/lxc/storage/storage.h

@@ -15,6 +15,7 @@
 #endif
 
 #include "compiler.h"
+#include "conf.h"
 
 #ifndef MS_DIRSYNC
 #define MS_DIRSYNC 128
@@ -87,6 +88,7 @@ struct lxc_storage {
 	/* index for the connected nbd device. */
 	int nbd_idx;
 	int flags;
+	struct lxc_rootfs *rootfs;
 };
 
 /**

src/lxc/syscall_numbers.h

@@ -680,4 +680,24 @@
 	#endif
 #endif
 
+#ifndef __NR_mount_setattr
+	#if defined __alpha__
+		#define __NR_mount_setattr 552
+	#elif defined _MIPS_SIM
+		#if _MIPS_SIM == _MIPS_SIM_ABI32	/* o32 */
+			#define __NR_mount_setattr (442 + 4000)
+		#endif
+		#if _MIPS_SIM == _MIPS_SIM_NABI32	/* n32 */
+			#define __NR_mount_setattr (442 + 6000)
+		#endif
+		#if _MIPS_SIM == _MIPS_SIM_ABI64	/* n64 */
+			#define __NR_mount_setattr (442 + 5000)
+		#endif
+	#elif defined __ia64__
+		#define __NR_mount_setattr (442 + 1024)
+	#else
+		#define __NR_mount_setattr 442
+	#endif
+#endif
+
 #endif /* __LXC_SYSCALL_NUMBERS_H */

src/lxc/syscall_wrappers.h

@@ -209,6 +209,24 @@ extern int fsmount(int fs_fd, unsigned int flags, unsigned int attr_flags);
 #endif
 
 /*
+ * mount_setattr()
+ */
+struct lxc_mount_attr {
+	__u64 attr_set;
+	__u64 attr_clr;
+	__u64 propagation;
+	__u64 userns_fd;
+};
+
+#ifndef HAVE_MOUNT_SETATTR
+static inline int mount_setattr(int dfd, const char *path, unsigned int flags,
+				struct lxc_mount_attr *attr, size_t size)
+{
+	return syscall(__NR_mount_setattr, dfd, path, flags, attr, size);
+}
+#endif
+
+/*
  * Arguments for how openat2(2) should open the target path. If only @flags and
  * @mode are non-zero, then openat2(2) operates very similarly to openat(2).
  *