Make ovl idmap mounts read-only

mbaynton · mbaynton · commit 1e3d10dc2961 · 2024-12-21T16:02:33.000-06:00
This is a planned follow-on from containerd#10721 primarily at the request of @fuweid, exchanging MNT_DETACH at unmount time for MOUNT_ATTR_RDONLY at mount time. The effect is to increase risk of unmount failure due to EBUSY (as observed in the wild) but add an additional protection that the then-leaked bind mount does not act as a conduit for inadvertent modification of the underlying data, including our own efforts to clean up the mountpoint. Tests covering the lifecycle of the temporary idmap mounts and integrity of the underlying lower layer data is also included in the normal and failed-unmount case. Fixes containerd#10704 Signed-off-by: Mike Baynton <mike@mbaynton.com>
diff --git a/core/mount/mount_idmapped_linux.go b/core/mount/mount_idmapped_linux.go
@@ -61,14 +61,19 @@ func parseIDMapping(mapping string) ([]syscall.SysProcIDMap, error) {
 	}, nil
 }
 
-// IDMapMount applies GID/UID shift according to gidmap/uidmap for target path
+// IDMapMount clones the mount at source to target, applying GID/UID idmapping of the user namespace for target path
 func IDMapMount(source, target string, usernsFd int) (err error) {
+	return IDMapMountWithAttrs(source, target, usernsFd, 0, 0)
+}
+
+// IDMapMountWithAttrs clones the mount at source to target with the provided mount options and idmapping of the user namespace.
+func IDMapMountWithAttrs(source, target string, usernsFd int, attrSet uint64, attrClr uint64) (err error) {
 	var (
 		attr unix.MountAttr
 	)
 
-	attr.Attr_set = unix.MOUNT_ATTR_IDMAP
-	attr.Attr_clr = 0
+	attr.Attr_set = unix.MOUNT_ATTR_IDMAP | attrSet
+	attr.Attr_clr = attrClr
 	attr.Propagation = 0
 	attr.Userns_fd = uint64(usernsFd)
 
@@ -79,7 +84,7 @@ func IDMapMount(source, target string, usernsFd int) (err error) {
 
 	defer unix.Close(dFd)
 	if err = unix.MountSetattr(dFd, "", unix.AT_EMPTY_PATH, &attr); err != nil {
-		return fmt.Errorf("Unable to shift GID/UID for %s: %w", target, err)
+		return fmt.Errorf("Unable to shift GID/UID or set mount attrs for %s: %w", target, err)
 	}
 
 	if err = unix.MoveMount(dFd, "", -int(unix.EBADF), target, unix.MOVE_MOUNT_F_EMPTY_PATH); err != nil {
diff --git a/core/mount/mount_idmapped_linux_test.go b/core/mount/mount_idmapped_linux_test.go
@@ -18,12 +18,15 @@ package mount
 
 import (
 	"fmt"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"sync"
 	"syscall"
 	"testing"
 
+	"golang.org/x/sys/unix"
+
 	kernel "github.com/containerd/containerd/v2/pkg/kernelversion"
 	"github.com/containerd/continuity/testutil"
 	"github.com/stretchr/testify/require"
@@ -84,6 +87,8 @@ func TestIdmappedMount(t *testing.T) {
 	t.Run("GetUsernsFD", testGetUsernsFD)
 
 	t.Run("IDMapMount", testIDMapMount)
+
+	t.Run("IDMapMountWithAttrs", testIDMapMountWithAttrs)
 }
 
 func testGetUsernsFD(t *testing.T) {
@@ -129,19 +134,60 @@ func testIDMapMount(t *testing.T) {
 	require.NoError(t, err)
 	defer usernsFD.Close()
 
-	srcDir, checkFunc := initIDMappedChecker(t, testUIDMaps, testGIDMaps)
+	srcDir, checkFunc := initIDMappedChecker(t, testUIDMaps, testGIDMaps, true)
 	destDir := t.TempDir()
 	defer func() {
 		require.NoError(t, UnmountAll(destDir, 0))
 	}()
 
 	err = IDMapMount(srcDir, destDir, int(usernsFD.Fd()))
-	usernsFD.Close()
 	require.NoError(t, err)
 	checkFunc(destDir)
 }
 
-func initIDMappedChecker(t *testing.T, uidMaps, gidMaps []syscall.SysProcIDMap) (_srcDir string, _verifyFunc func(destDir string)) {
+func testIDMapMountWithAttrs(t *testing.T) {
+	usernsFD, err := getUsernsFD(testUIDMaps, testGIDMaps)
+	require.NoError(t, err)
+	defer usernsFD.Close()
+
+	type testCase struct {
+		name      string
+		srcDir    string
+		setAttr   uint64
+		checkFunc func(destDir string)
+	}
+
+	cases := make([]testCase, 0)
+	srcDir, checkFunc := initIDMappedChecker(t, testUIDMaps, testGIDMaps, true)
+	cases = append(cases, testCase{
+		name:      "Writable idmapped mount",
+		srcDir:    srcDir,
+		setAttr:   0,
+		checkFunc: checkFunc,
+	})
+
+	srcDir, checkFunc = initIDMappedChecker(t, testUIDMaps, testGIDMaps, false)
+	cases = append(cases, testCase{
+		name:      "Readonly idmapped mount",
+		srcDir:    srcDir,
+		setAttr:   unix.MOUNT_ATTR_RDONLY,
+		checkFunc: checkFunc,
+	})
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			destDir := t.TempDir()
+			defer func() {
+				require.NoError(t, UnmountAll(destDir, 0))
+			}()
+			err := IDMapMountWithAttrs(tc.srcDir, destDir, int(usernsFD.Fd()), tc.setAttr, 0)
+			require.NoError(t, err)
+			tc.checkFunc(destDir)
+		})
+	}
+}
+
+func initIDMappedChecker(t *testing.T, uidMaps, gidMaps []syscall.SysProcIDMap, expectWritable bool) (_srcDir string, _verifyFunc func(destDir string)) {
 	testutil.RequiresRoot(t)
 
 	srcDir := t.TempDir()
@@ -159,6 +205,11 @@ func initIDMappedChecker(t *testing.T, uidMaps, gidMaps []syscall.SysProcIDMap)
 		require.NoError(t, err, fmt.Sprintf("chown %v:%v for file %s", uid, gid, file))
 	}
 
+	writableDir := filepath.Join(srcDir, "write-test")
+	require.NoError(t, os.Mkdir(writableDir, os.ModePerm))
+	require.NoError(t, os.Chmod(writableDir, os.ModePerm))
+	require.NoError(t, os.Chown(writableDir, uidMaps[0].ContainerID, gidMaps[0].ContainerID))
+
 	return srcDir, func(destDir string) {
 		for idx := range uidMaps {
 			file := filepath.Join(destDir, fmt.Sprintf("%v", idx))
@@ -177,5 +228,18 @@ func initIDMappedChecker(t *testing.T, uidMaps, gidMaps []syscall.SysProcIDMap)
 			require.Equal(t, uint32(gid), sysStat.Gid, fmt.Sprintf("check file %s gid", file))
 			t.Logf("IDMapped File %s uid=%v, gid=%v", file, uid, gid)
 		}
+
+		wf, err := os.Create(filepath.Join(destDir, "write-test", "1"))
+		if err == nil {
+			defer wf.Close()
+		}
+		if expectWritable {
+			require.NoError(t, err, "create write-test file")
+		} else {
+			require.Error(t, err)
+			pathErr, isPathErr := err.(*fs.PathError)
+			require.True(t, isPathErr, "Expecting path error")
+			require.Equal(t, unix.EROFS, pathErr.Err, "Expecting read-only filesystem error")
+		}
 	}
 }
diff --git a/core/mount/mount_linux.go b/core/mount/mount_linux.go
@@ -66,7 +66,12 @@ func prepareIDMappedOverlay(usernsFd int, options []string) ([]string, func(), e
 		return options, nil, fmt.Errorf("failed to parse overlay lowerdir's from given options")
 	}
 
-	tmpLowerdirs, idMapCleanUp, err := doPrepareIDMappedOverlay(lowerDirs, usernsFd)
+	tempRemountsLocation, err := os.MkdirTemp(tempMountLocation, "ovl-idmapped")
+	if err != nil {
+		return options, nil, fmt.Errorf("failed to create temporary overlay lowerdir mount location: %w", err)
+	}
+
+	tmpLowerdirs, idMapCleanUp, err := doPrepareIDMappedOverlay(tempRemountsLocation, lowerDirs, usernsFd)
 	if err != nil {
 		return options, idMapCleanUp, fmt.Errorf("failed to create idmapped mount: %w", err)
 	}
@@ -244,39 +249,35 @@ func getUnprivilegedMountFlags(path string) (int, error) {
 	return flags, nil
 }
 
-func doPrepareIDMappedOverlay(lowerDirs []string, usernsFd int) (tmpLowerDirs []string, _ func(), _ error) {
-	td, err := os.MkdirTemp(tempMountLocation, "ovl-idmapped")
-	if err != nil {
-		return nil, nil, err
-	}
+func doPrepareIDMappedOverlay(tempRemountsLocation string, lowerDirs []string, usernsFd int) ([]string, func(), error) {
+	tmpLowerDirs := make([]string, 0, len(lowerDirs))
+
 	cleanUp := func() {
 		for _, lowerDir := range tmpLowerDirs {
-			// Do a detached unmount so even if the resource is busy, the mount will be
-			// gone (eventually) and we can safely delete the directory too.
-			if err := unix.Unmount(lowerDir, unix.MNT_DETACH); err != nil {
+			if err := unix.Unmount(lowerDir, 0); err != nil {
 				log.L.WithError(err).Warnf("failed to unmount temp lowerdir %s", lowerDir)
 				continue
 			}
 			// Using os.Remove() so if it's not empty, we don't delete files in the
 			// rootfs.
 			if err := os.Remove(lowerDir); err != nil {
-				log.L.WithError(err).Warnf("failed to remove temporary overlay lowerdir's")
+				log.L.WithError(err).Warnf("failed to remove temporary overlay lowerdir")
 			}
 		}
 
 		// This dir should be empty now. Otherwise, we don't do anything.
-		if err := os.Remove(filepath.Join(tmpLowerDirs[0], "..")); err != nil {
+		if err := os.Remove(tempRemountsLocation); err != nil {
 			log.L.WithError(err).Infof("failed to remove temporary overlay dir")
 		}
 	}
 	for i, lowerDir := range lowerDirs {
-		tmpLowerDir := filepath.Join(td, strconv.Itoa(i))
+		tmpLowerDir := filepath.Join(tempRemountsLocation, strconv.Itoa(i))
 		tmpLowerDirs = append(tmpLowerDirs, tmpLowerDir)
 
-		if err = os.MkdirAll(tmpLowerDir, 0700); err != nil {
+		if err := os.MkdirAll(tmpLowerDir, 0700); err != nil {
 			return nil, cleanUp, fmt.Errorf("failed to create temporary dir: %w", err)
 		}
-		if err = IDMapMount(lowerDir, tmpLowerDir, usernsFd); err != nil {
+		if err := IDMapMountWithAttrs(lowerDir, tmpLowerDir, usernsFd, unix.MOUNT_ATTR_RDONLY, 0); err != nil {
 			return nil, cleanUp, err
 		}
 	}
diff --git a/core/mount/mount_linux_test.go b/core/mount/mount_linux_test.go
@@ -18,12 +18,18 @@ package mount
 
 import (
 	"fmt"
+	"io/fs"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"reflect"
+	"syscall"
 	"testing"
 
+	kernel "github.com/containerd/containerd/v2/pkg/kernelversion"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
 	"github.com/containerd/continuity/testutil"
 	"golang.org/x/sys/unix"
 )
@@ -198,6 +204,109 @@ func TestUnmountRecursive(t *testing.T) {
 	}
 }
 
+func TestDoPrepareIDMappedOverlay(t *testing.T) {
+	testutil.RequiresRoot(t)
+
+	k512 := kernel.KernelVersion{Kernel: 5, Major: 12}
+	ok, err := kernel.GreaterEqualThan(k512)
+	require.NoError(t, err)
+	if !ok {
+		t.Skip("GetUsernsFD requires kernel >= 5.12")
+	}
+
+	usernsFD, err := getUsernsFD(testUIDMaps, testGIDMaps)
+	require.NoError(t, err)
+	defer usernsFD.Close()
+
+	type testCase struct {
+		name              string
+		injectUmountFault bool
+	}
+
+	tcases := []testCase{
+		{
+			name:              "normal",
+			injectUmountFault: false,
+		},
+		{
+			name:              "umount-fault",
+			injectUmountFault: true,
+		},
+	}
+
+	for _, tc := range tcases {
+		t.Run(tc.name, func(t *testing.T) {
+			fakeLowerDirsDir := t.TempDir()
+			if !supportsIDMap(fakeLowerDirsDir) {
+				t.Skip("IDmapped mounts not supported on filesystem selected by t.TempDir()")
+			}
+
+			lowerDirs := []string{filepath.Join(fakeLowerDirsDir, "lower1"), filepath.Join(fakeLowerDirsDir, "lower2")}
+			for _, dir := range lowerDirs {
+				require.NoError(t, os.Mkdir(dir, 0755))
+				require.NoError(t, os.WriteFile(filepath.Join(dir, filepath.Base(dir)), []byte("foo"), 0644))
+			}
+
+			remountsLocation := t.TempDir()
+
+			tmpLowerDirs, cleanup, err := doPrepareIDMappedOverlay(remountsLocation, lowerDirs, int(usernsFD.Fd()))
+			require.NoError(t, err)
+			require.Len(t, tmpLowerDirs, len(lowerDirs))
+
+			lowerContents := make([][]byte, len(lowerDirs))
+
+			for i, dir := range lowerDirs {
+				correspondingRemount := tmpLowerDirs[i]
+				filename := filepath.Base(dir)
+
+				expectedFile, err := os.ReadFile(filepath.Join(dir, filename))
+				require.NoError(t, err, "reading comparison test fixture file")
+				lowerContents[i] = expectedFile
+
+				actualFile, err := os.ReadFile(filepath.Join(correspondingRemount, filename))
+				require.NoError(t, err, "reading file in temporary remount")
+
+				assert.Equal(t, expectedFile, actualFile, "file content in temporary remount")
+			}
+
+			var busyDh *os.File
+			if tc.injectUmountFault {
+				busyDh, err = os.Open(tmpLowerDirs[0])
+				require.NoError(t, err)
+				defer busyDh.Close()
+			}
+
+			cleanup()
+
+			_, err = os.Stat(remountsLocation)
+
+			if tc.injectUmountFault {
+				// We should have failed to remove the remounts location if the unmount failed.
+				assert.NoError(t, err, "expected remounts location to still exist after unmount failure")
+			} else {
+				pathErr, isPathErr := err.(*fs.PathError)
+				require.True(t, isPathErr, "expected a PathError")
+				assert.Equal(t, unix.ENOENT, pathErr.Err, "temporary remounts should be cleaned up")
+			}
+
+			// Original lowerdirs should be unaffected.
+			for i, dir := range lowerDirs {
+				filename := filepath.Base(dir)
+
+				actualFile, err := os.ReadFile(filepath.Join(dir, filename))
+				require.NoError(t, err, "reading file in original lowerdir")
+				assert.Equal(t, lowerContents[i], actualFile, "file content in original lowerdir")
+			}
+
+			// If we blocked cleanup, allow it now so the test stays tidy.
+			if tc.injectUmountFault {
+				require.NoError(t, busyDh.Close())
+				cleanup()
+			}
+		})
+	}
+}
+
 func setupMounts(t *testing.T) (target string, mounts []Mount) {
 	dir1 := t.TempDir()
 	dir2 := t.TempDir()
@@ -243,3 +352,46 @@ func setupMounts(t *testing.T) (target string, mounts []Mount) {
 
 	return target, mounts
 }
+
+func supportsIDMap(path string) bool {
+	treeFD, err := unix.OpenTree(-1, path, uint(unix.OPEN_TREE_CLONE|unix.OPEN_TREE_CLOEXEC))
+	if err != nil {
+		return false
+	}
+	defer unix.Close(treeFD)
+
+	// We want to test if idmap mounts are supported.
+	// So we use just some random mapping, it doesn't really matter which one.
+	// For the helper command, we just need something that is alive while we
+	// test this, a sleep 5 will do it.
+	cmd := exec.Command("sleep", "5")
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		Cloneflags:  syscall.CLONE_NEWUSER,
+		UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: 65536, Size: 65536}},
+		GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: 65536, Size: 65536}},
+	}
+	if err := cmd.Start(); err != nil {
+		return false
+	}
+	defer func() {
+		_ = cmd.Process.Kill()
+		_ = cmd.Wait()
+	}()
+
+	usernsFD := fmt.Sprintf("/proc/%d/ns/user", cmd.Process.Pid)
+	var usernsFile *os.File
+	if usernsFile, err = os.Open(usernsFD); err != nil {
+		return false
+	}
+	defer usernsFile.Close()
+
+	attr := unix.MountAttr{
+		Attr_set:  unix.MOUNT_ATTR_IDMAP,
+		Userns_fd: uint64(usernsFile.Fd()),
+	}
+	if err := unix.MountSetattr(treeFD, "", unix.AT_EMPTY_PATH, &attr); err != nil {
+		return false
+	}
+
+	return true
+}
diff --git a/plugins/snapshots/overlay/overlayutils/check.go b/plugins/snapshots/overlay/overlayutils/check.go

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,12 @@ func prepareIDMappedOverlay(usernsFd int, options []string) ([]string, func(), e`
`66`	`66`	`return options, nil, fmt.Errorf("failed to parse overlay lowerdir's from given options")`
`67`	`67`	`}`
`68`	`68`
`69`		`- tmpLowerdirs, idMapCleanUp, err := doPrepareIDMappedOverlay(lowerDirs, usernsFd)`
	`69`	`+ tempRemountsLocation, err := os.MkdirTemp(tempMountLocation, "ovl-idmapped")`
	`70`	`+ if err != nil {`
	`71`	`+ return options, nil, fmt.Errorf("failed to create temporary overlay lowerdir mount location: %w", err)`
	`72`	`+ }`
	`73`	`+`
	`74`	`+ tmpLowerdirs, idMapCleanUp, err := doPrepareIDMappedOverlay(tempRemountsLocation, lowerDirs, usernsFd)`
`70`	`75`	`if err != nil {`
`71`	`76`	`return options, idMapCleanUp, fmt.Errorf("failed to create idmapped mount: %w", err)`
`72`	`77`	`}`
`@@ -244,39 +249,35 @@ func getUnprivilegedMountFlags(path string) (int, error) {`
`244`	`249`	`return flags, nil`
`245`	`250`	`}`
`246`	`251`
`247`		`-func doPrepareIDMappedOverlay(lowerDirs []string, usernsFd int) (tmpLowerDirs []string, _ func(), _ error) {`
`248`		`- td, err := os.MkdirTemp(tempMountLocation, "ovl-idmapped")`
`249`		`- if err != nil {`
`250`		`- return nil, nil, err`
`251`		`- }`
	`252`	`+func doPrepareIDMappedOverlay(tempRemountsLocation string, lowerDirs []string, usernsFd int) ([]string, func(), error) {`
	`253`	`+ tmpLowerDirs := make([]string, 0, len(lowerDirs))`
	`254`	`+`
`252`	`255`	`cleanUp := func() {`
`253`	`256`	`for _, lowerDir := range tmpLowerDirs {`
`254`		`- // Do a detached unmount so even if the resource is busy, the mount will be`
`255`		`- // gone (eventually) and we can safely delete the directory too.`
`256`		`- if err := unix.Unmount(lowerDir, unix.MNT_DETACH); err != nil {`
	`257`	`+ if err := unix.Unmount(lowerDir, 0); err != nil {`
`257`	`258`	`log.L.WithError(err).Warnf("failed to unmount temp lowerdir %s", lowerDir)`
`258`	`259`	`continue`
`259`	`260`	`}`
`260`	`261`	`// Using os.Remove() so if it's not empty, we don't delete files in the`
`261`	`262`	`// rootfs.`
`262`	`263`	`if err := os.Remove(lowerDir); err != nil {`
`263`		`- log.L.WithError(err).Warnf("failed to remove temporary overlay lowerdir's")`
	`264`	`+ log.L.WithError(err).Warnf("failed to remove temporary overlay lowerdir")`
`264`	`265`	`}`
`265`	`266`	`}`
`266`	`267`
`267`	`268`	`// This dir should be empty now. Otherwise, we don't do anything.`
`268`		`- if err := os.Remove(filepath.Join(tmpLowerDirs[0], "..")); err != nil {`
	`269`	`+ if err := os.Remove(tempRemountsLocation); err != nil {`
`269`	`270`	`log.L.WithError(err).Infof("failed to remove temporary overlay dir")`
`270`	`271`	`}`
`271`	`272`	`}`
`272`	`273`	`for i, lowerDir := range lowerDirs {`
`273`		`- tmpLowerDir := filepath.Join(td, strconv.Itoa(i))`
	`274`	`+ tmpLowerDir := filepath.Join(tempRemountsLocation, strconv.Itoa(i))`
`274`	`275`	`tmpLowerDirs = append(tmpLowerDirs, tmpLowerDir)`
`275`	`276`
`276`		`- if err = os.MkdirAll(tmpLowerDir, 0700); err != nil {`
	`277`	`+ if err := os.MkdirAll(tmpLowerDir, 0700); err != nil {`
`277`	`278`	`return nil, cleanUp, fmt.Errorf("failed to create temporary dir: %w", err)`
`278`	`279`	`}`
`279`		`- if err = IDMapMount(lowerDir, tmpLowerDir, usernsFd); err != nil {`
	`280`	`+ if err := IDMapMountWithAttrs(lowerDir, tmpLowerDir, usernsFd, unix.MOUNT_ATTR_RDONLY, 0); err != nil {`
`280`	`281`	`return nil, cleanUp, err`
`281`	`282`	`}`
`282`	`283`	`}`