idmap

Author: iQQBot

components/workspacekit/cmd/rings.go

@@ -275,6 +275,10 @@ var ring1Cmd = &cobra.Command{
 
 		var mnts []mnte
 		switch fsshift {
+		case api.FSShiftMethod_IDMAPPED:
+			mnts = append(mnts,
+				mnte{Target: "/", Source: "/.workspace/mark", Flags: unix.MS_BIND | unix.MS_REC},
+			)
 		case api.FSShiftMethod_SHIFTFS:
 			mnts = append(mnts,
 				mnte{Target: "/", Source: "/.workspace/mark", FSType: "shiftfs"},

components/ws-daemon-api/go/workspace_daemon.pb.go

@@ -68,7 +68,9 @@ service WorkspaceInfoService {
     rpc WorkspaceInfo(WorkspaceInfoRequest) returns (WorkspaceInfoResponse) {}
 }
 
-message PrepareForUserNSRequest {}
+message PrepareForUserNSRequest {
+    int64 userns_pid = 1;
+}
 message PrepareForUserNSResponse {
     FSShiftMethod fs_shift = 1;
     // was used for full workspace backup
@@ -82,6 +84,7 @@ enum FSShiftMethod {
     SHIFTFS = 0;
     // was used for FUSE
     reserved 1;
+    IDMAPPED = 2;
 }
 
 message WriteIDMappingResponse {

components/ws-daemon-api/go/workspace_daemon_grpc.pb.go

@@ -10,6 +10,8 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"path/filepath"
+	"sync"
 	"time"
 	"unsafe"
 
@@ -85,6 +87,87 @@ func main() {
 					return unix.Mount("none", c.String("target"), "", unix.MS_SHARED, "")
 				},
 			},
+			{
+				Name:  "mount-idmapped-mark",
+				Usage: "mounts a idmapped mark",
+				Flags: []cli.Flag{
+					&cli.StringFlag{
+						Name:     "source",
+						Required: true,
+					},
+					&cli.StringFlag{
+						Name:     "merged",
+						Required: true,
+					},
+					&cli.StringFlag{
+						Name:     "upper",
+						Required: true,
+					},
+					&cli.StringFlag{
+						Name:     "work",
+						Required: true,
+					},
+					&cli.StringFlag{
+						Name:     "userns",
+						Required: true,
+					},
+				},
+				Action: func(c *cli.Context) error {
+					target := filepath.Clean(c.String("merged"))
+					upper := filepath.Clean(c.String("upper"))
+					work := filepath.Clean(c.String("work"))
+					source := filepath.Clean(c.String("source"))
+					userns := filepath.Clean(c.String("userns"))
+
+					mappedLower, err := os.MkdirTemp("", "idmapped-mark")
+					if err != nil {
+						return xerrors.Errorf("mkdirtemp: %w", err)
+					}
+
+					mappedFD, err := unix.OpenTree(unix.AT_FDCWD, source, unix.OPEN_TREE_CLONE)
+					if err != nil {
+						return xerrors.Errorf("opentree: %w", err)
+					}
+					var closeOnce sync.Once
+					closeMappedFD := func() {
+						closeOnce.Do(func() { unix.Close(mappedFD) })
+					}
+					defer closeMappedFD()
+
+					usernsFD, err := os.Open(userns)
+					if err != nil {
+						return xerrors.Errorf("open(userns): %w", err)
+					}
+					defer usernsFD.Close()
+					err = unix.MountSetattr(mappedFD, "", unix.AT_EMPTY_PATH|unix.AT_RECURSIVE, &unix.MountAttr{
+						Attr_set:    unix.MOUNT_ATTR_IDMAP,
+						Attr_clr:    0,
+						Propagation: 0,
+						Userns_fd:   uint64(usernsFD.Fd()),
+					})
+					if err != nil {
+						return xerrors.Errorf("mountsetattr: %w", err)
+					}
+
+					err = unix.MoveMount(mappedFD, "", unix.AT_FDCWD, mappedLower, flagMoveMountFEmptyPath)
+					if err != nil {
+						return xerrors.Errorf("moveMount: %w", err)
+					}
+
+					err = unix.Mount("overlay", target, "overlay", 0, fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", mappedLower, upper, work))
+					if err != nil {
+						return xerrors.Errorf("mount(overlay): %w", err)
+					}
+
+					closeMappedFD()
+					err = unix.Unmount(mappedLower, 0)
+					if err != nil {
+						return xerrors.Errorf("Unmount(mappedLower): %w", err)
+					}
+
+					return nil
+				},
+			},
 			{
 				Name:  "mount-shiftfs-mark",
 				Usage: "mounts a shiftfs mark",

components/ws-daemon-api/typescript/src/workspace_daemon_grpc_pb.js

@@ -256,30 +256,56 @@ func (wbs *InWorkspaceServiceServer) PrepareForUserNS(ctx context.Context, req *
 
 	mountpoint := filepath.Join(wbs.Session.ServiceLocNode, "mark")
 
-	// We cannot use the nsenter syscall here because mount namespaces affect the whole process, not just the current thread.
-	// That's why we resort to exec'ing "nsenter ... mount ...".
-	err = nsi.Nsinsider(wbs.Session.InstanceID, int(1), func(c *exec.Cmd) {
-		c.Args = append(c.Args, "make-shared", "--target", "/")
-	})
-	if err != nil {
-		log.WithField("containerPID", containerPID).WithFields(wbs.Session.OWI()).WithError(err).Error("cannot make container's rootfs shared")
-		return nil, status.Errorf(codes.Internal, "cannot make container's rootfs shared")
-	}
+	switch wbs.FSShift {
+	case api.FSShiftMethod_SHIFTFS:
+		// We cannot use the nsenter syscall here because mount namespaces affect the whole process, not just the current thread.
+		// That's why we resort to exec'ing "nsenter ... mount ...".
+		err = nsi.Nsinsider(wbs.Session.InstanceID, int(1), func(c *exec.Cmd) {
+			c.Args = append(c.Args, "make-shared", "--target", "/")
+		})
+		if err != nil {
+			log.WithField("containerPID", containerPID).WithFields(wbs.Session.OWI()).WithError(err).Error("cannot make container's rootfs shared")
+			return nil, status.Errorf(codes.Internal, "cannot make container's rootfs shared")
+		}
 
-	err = nsi.Nsinsider(wbs.Session.InstanceID, int(1), func(c *exec.Cmd) {
-		c.Args = append(c.Args, "mount-shiftfs-mark", "--source", rootfs, "--target", mountpoint)
-	})
-	if err != nil {
-		log.WithField("rootfs", rootfs).WithFields(wbs.Session.OWI()).WithField("mountpoint", mountpoint).WithError(err).Error("cannot mount shiftfs mark")
-		return nil, status.Errorf(codes.Internal, "cannot mount shiftfs mark")
+		err = nsi.Nsinsider(wbs.Session.InstanceID, int(1), func(c *exec.Cmd) {
+			c.Args = append(c.Args, "mount-shiftfs-mark", "--source", rootfs, "--target", mountpoint)
+		})
+		if err != nil {
+			log.WithField("rootfs", rootfs).WithFields(wbs.Session.OWI()).WithField("mountpoint", mountpoint).WithError(err).Error("cannot mount shiftfs mark")
+			return nil, status.Errorf(codes.Internal, "cannot mount shiftfs mark")
+		}
+	case api.FSShiftMethod_IDMAPPED:
+		procPID, err := wbs.Uidmapper.findHostPID(containerPID, uint64(req.UsernsPid))
+		if err != nil {
+			log.WithError(err).WithField("containerPID", containerPID).WithField("processPID", req.UsernsPid).Error("cannot map in-container PID")
+			return nil, status.Error(codes.InvalidArgument, "cannot map in-container PID")
+		}
+
+		err = nsi.Nsinsider(wbs.Session.InstanceID, int(1), func(c *exec.Cmd) {
+			// In case of any change in the user mapping, the next line must be updated.
+			c.Args = append(c.Args, "mount-idmapped-mark",
+				"--source", rootfs,
+				"--merged", filepath.Join(wbs.Session.ServiceLocNode, "mark"),
+				"--upper", filepath.Join(wbs.Session.ServiceLocNode, "upper"),
+				"--work", filepath.Join(wbs.Session.ServiceLocNode, "work"),
+				"--userns", fmt.Sprintf("/proc/%d/ns/user", procPID))
+		})
+		if err != nil {
+			log.WithField("rootfs", rootfs).WithError(err).Error("cannot mount idmapped mark")
+			return nil, status.Errorf(codes.Internal, "cannot mount idmapped mark")
+		}
+	default:
+		log.WithField("fsshift", wbs.FSShift).Error("unknown fs shift")
+		return nil, status.Errorf(codes.FailedPrecondition, "unknown fs shift")
 	}
 
 	if err := wbs.createWorkspaceCgroup(ctx, wscontainerID); err != nil {
 		return nil, err
 	}
 
 	return &api.PrepareForUserNSResponse{
-		FsShift: api.FSShiftMethod_SHIFTFS,
+		FsShift: wbs.FSShift,
 	}, nil
 }