Add a mkcomposefs+mount service #409

Open
cgwalters opened this issue Jan 24, 2025 · 0 comments
Labels
enhancement New feature or request

Comments

cgwalters commented Jan 24, 2025

In order to be able to use composefs everywhere we should
support a mechanism for runtimes like podman/flatpak to
be able to safely mount a composefs as non-root. Privileges
for mounting EROFS are currently restricted to root for
security reasons. A decent solution for this problem is
basically "mkcomposefs --from-file + mount" as a (DBus/plain-socket) service.
This accepts the following arguments:

  • format version: string (e.g. "1.1")
  • textual composefs dump file: file descriptor (sealed memfd)
  • fsverity: bool
  • user namespace: file descriptor
  • mount namespace: file descriptor
  • existing erofs: file descriptor (optional)

Steps taken

  • Generate an erofs from the dump file
  • if fsverity, enable fsverity on the erofs (and error if this is unsupported)
  • if "existing erofs" is passed, compare the fsverity digest of our generated version against the provided one. If the provided one matches, discard our copy and use the provided one - otherwise error.
  • enter the user & mount namespace of the target, and get a detached mount fd for it
  • Send the fd for the erofs and the detached mount fd back to the client (note in the existing erofs path, the returned erofs fd should be exactly the passed fd)

Caching

By passing back a fd for the erofs (and accepting as optional input again), we allow the caller to maintain their own cache mapping from e.g. OCI config -> erofs, and avoid creating new ones each time.

Access control

In practice, this service only really needs to be accessible IMO to logged-in human users, so we could check the login state by querying systemd for its state via the pid of the caller.

For system services running as unprivileged users (e.g. httpd) I can't think of a good use case for this, so it'd probably make sense to deny access by default.

OTOH I have heard of people running podman as non-root via system users, which I think is probably better done via just ensuring userns on system containers (ref containers/podman#13728), but...if we did add access control those folks could just set require-login=false in /etc/mkmount-composefs.conf or whatever.

Actually or hmm...I bet instead of us implementing "check pid for login session" we could just make our socket accessible only to root by default, but have a bridge service which integrates with the login process and makes a socket accessible in /run/user/$uid/mkcomposefs.socket or so? Would need to dig at the details of this; there's some prior art in how we used ACLs to expose physical devices to unprivileged users too.

Other trackers
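The argument list above hands the service the textual dump as a "sealed memfd", and the steps then parse that file and build an erofs from it. The security point of the seal is that the client cannot change the bytes (or the size) after the service has validated them, so the service must actually check the seals rather than trust the client to have added them. The following is an added example, not code from the composefs project or from this issue: a client that creates and seals the memfd, SCM_RIGHTS passing of the descriptor over a unix socket (the "plain-socket" transport mentioned above), and a service-side reader that rejects any descriptor that is not a memfd carrying the full set of seals, or that exceeds a size cap. The required-seal policy, the function names, the 64 MiB cap and the one-line dump content are all assumptions made for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <unistd.h>

/* Hypothetical service policy: the dump-file memfd must be fully sealed so the
 * client cannot alter it after the service has validated and parsed it. */
#define REQUIRED_SEALS (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL)
#define DUMP_MAX_BYTES (64 * 1024 * 1024) /* assumed cap on dump size */

/* Client side: copy the dump text into a memfd and (optionally) seal it.
 * Returns the fd or -1. */
int make_dumpfile(const char *text, size_t len, int seal)
{
    int fd = memfd_create("composefs-dump", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    if (write(fd, text, len) != (ssize_t)len ||
        (seal && fcntl(fd, F_ADD_SEALS, REQUIRED_SEALS) < 0)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Pass one descriptor over a unix socket with SCM_RIGHTS. Returns 0 or -1. */
int send_fd(int sock, int fd)
{
    char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *c;
    memset(&u, 0, sizeof(u));
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor sent with send_fd(). Returns the fd or -1. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *c;
    int fd;
    memset(&u, 0, sizeof(u));
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) != 1)
        return -1;
    c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Service side: accept the dump fd only if it is a memfd with every required
 * seal and a sane size, then read it with pread() so the file offset the
 * client may still be moving is irrelevant. Returns the byte count,
 * -2 if the descriptor is rejected, -1 on other errors. */
ssize_t service_read_dumpfile(int fd, char *buf, size_t cap)
{
    int seals = fcntl(fd, F_GET_SEALS); /* EINVAL for anything but a memfd */
    struct stat st;
    if (seals < 0 || (seals & REQUIRED_SEALS) != REQUIRED_SEALS)
        return -2; /* client kept the ability to change the bytes or size */
    if (fstat(fd, &st) < 0)
        return -1;
    if (st.st_size < 0 || st.st_size > DUMP_MAX_BYTES || (size_t)st.st_size > cap)
        return -2;
    return pread(fd, buf, (size_t)st.st_size, 0);
}

/* End-to-end check over a socketpair: 0 = accepted and content intact,
 * 1 = rejected as unsealed, -1 = unexpected failure. */
int roundtrip_check(int seal)
{
    /* Constructed sample: a single dump-format line describing "/". */
    static const char dump[] = "/ 4096 40755 2 0 0 0 1700000000.0 - - -\n";
    int sv[2], cfd = -1, sfd, rc = -1;
    char buf[256];
    ssize_t n;
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) < 0)
        return -1;
    cfd = make_dumpfile(dump, sizeof(dump) - 1, seal);
    if (cfd < 0 || send_fd(sv[0], cfd) < 0 || (sfd = recv_fd(sv[1])) < 0)
        goto out;
    n = service_read_dumpfile(sfd, buf, sizeof(buf));
    close(sfd);
    if (n == -2)
        rc = 1;
    else if (n == (ssize_t)(sizeof(dump) - 1) && memcmp(buf, dump, (size_t)n) == 0)
        rc = 0;
out:
    if (cfd >= 0)
        close(cfd);
    close(sv[0]);
    close(sv[1]);
    return rc;
}
```

`roundtrip_check(1)` returns 0 (the sealed dump is accepted and read back intact) and `roundtrip_check(0)` returns 1 (the same content in an unsealed memfd is refused). Including F_SEAL_SEAL in the policy means the seal set itself is frozen, so the check the service performs once remains true for the lifetime of the file; the same F_GET_SEALS check would apply to the optional "existing erofs" descriptor before its fs-verity digest is compared.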
