[lxc-devel] [lxd/master] checkfeature: check for vfs3 fscaps support

brauner on Github lxc-bot at linuxcontainers.org
Fri Oct 12 21:06:54 UTC 2018 

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 364 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20181012/223759a2/attachment.bin>
-------------- next part --------------
From 86c7accaf200cd46f0c35aee78434890dc847c7b Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 12 Oct 2018 22:54:52 +0200
Subject: [PATCH 1/2] idmap: use global variable for vfs3 fcaps support

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 shared/idmap/idmapset_linux.go | 21 +++++++++++++++------
 shared/idmap/shift_linux.go    |  2 +-
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/shared/idmap/idmapset_linux.go b/shared/idmap/idmapset_linux.go
index d1b76720c1..cc95260c08 100644
--- a/shared/idmap/idmapset_linux.go
+++ b/shared/idmap/idmapset_linux.go
@@ -11,12 +11,19 @@ import (
 	"sort"
 	"strconv"
 	"strings"
+	"sync/atomic"
 
 	"github.com/lxc/lxd/shared"
 	"github.com/lxc/lxd/shared/logger"
 	"github.com/pkg/errors"
 )
 
+const VFS3FscapsUnsupported int32 = 0
+const VFS3FscapsSupported int32 = 1
+const VFS3FscapsUnknown int32 = -1
+
+var VFS3Fscaps int32 = -1
+
 type IdRange struct {
 	Isuid   bool
 	Isgid   bool
@@ -470,11 +477,13 @@ func (m IdmapSet) ShiftFromNs(uid int64, gid int64) (int64, int64) {
 }
 
 func (set *IdmapSet) doUidshiftIntoContainer(dir string, testmode bool, how string, skipper func(dir string, absPath string, fi os.FileInfo) bool) error {
-	v3Caps := true
-	if how == "in" {
-		if !supportsV3Fcaps(dir) {
-			logger.Debugf("System doesn't support unprivileged file capabilities")
-			v3Caps = false
+	if how == "in" && atomic.LoadInt32(&VFS3Fscaps) == VFS3FscapsUnknown {
+		if SupportsV3Fcaps(dir) {
+			atomic.StoreInt32(&VFS3Fscaps, VFS3FscapsSupported)
+			logger.Debugf("System supports unprivileged file capabilities")
+		} else {
+			atomic.StoreInt32(&VFS3Fscaps, VFS3FscapsUnsupported)
+			logger.Debugf("System does not support unprivileged file capabilities")
 		}
 	}
 
@@ -556,7 +565,7 @@ func (set *IdmapSet) doUidshiftIntoContainer(dir string, testmode bool, how stri
 						rootUid, _ = set.ShiftIntoNs(0, 0)
 					}
 
-					if how != "in" || v3Caps {
+					if how != "in" || atomic.LoadInt32(&VFS3Fscaps) == VFS3FscapsSupported {
 						err = SetCaps(path, caps, rootUid)
 						if err != nil {
 							logger.Warnf("Unable to set file capabilities on %s", path)
diff --git a/shared/idmap/shift_linux.go b/shared/idmap/shift_linux.go
index c729064d29..0ff1037dab 100644
--- a/shared/idmap/shift_linux.go
+++ b/shared/idmap/shift_linux.go
@@ -299,7 +299,7 @@ func shiftAclType(path string, aclType _Ctype_acl_type_t, shiftIds func(uid int6
 	return nil
 }
 
-func supportsV3Fcaps(prefix string) bool {
+func SupportsV3Fcaps(prefix string) bool {
 	tmpfile, err := ioutil.TempFile(prefix, ".lxd_fcaps_v3_")
 	if err != nil {
 		return false

From a3c81a30d6f1738b4b16ba152ece966fec546500 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 12 Oct 2018 23:05:24 +0200
Subject: [PATCH 2/2] checkfeature: check for vfs3 fscaps support

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/daemon.go                  | 10 ++++++++++
 lxd/sys/os.go                  |  1 +
 shared/idmap/idmapset_linux.go |  2 --
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/lxd/daemon.go b/lxd/daemon.go
index 53fd95f672..bd04635672 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -36,6 +36,7 @@ import (
 	"github.com/lxc/lxd/lxd/task"
 	"github.com/lxc/lxd/lxd/util"
 	"github.com/lxc/lxd/shared"
+	"github.com/lxc/lxd/shared/idmap"
 	"github.com/lxc/lxd/shared/logger"
 	"github.com/lxc/lxd/shared/version"
 
@@ -450,6 +451,15 @@ func (d *Daemon) init() error {
 		logger.Debugf("Running kernel does not support uevent injection")
 	}
 
+	d.os.VFS3Fscaps = idmap.SupportsV3Fcaps("")
+	if d.os.VFS3Fscaps {
+		idmap.VFS3Fscaps = idmap.VFS3FscapsSupported
+		logger.Debugf("System supports unprivileged file capabilities")
+	} else {
+		idmap.VFS3Fscaps = idmap.VFS3FscapsUnsupported
+		logger.Debugf("System does not support unprivileged file capabilities")
+	}
+
 	/* Initialize the database */
 	dump, err := initializeDbObject(d)
 	if err != nil {
diff --git a/lxd/sys/os.go b/lxd/sys/os.go
index 3d28f0e7a9..8625cd804d 100644
--- a/lxd/sys/os.go
+++ b/lxd/sys/os.go
@@ -60,6 +60,7 @@ type OS struct {
 	InotifyWatch            InotifyInfo
 	NetnsGetifaddrs         bool
 	UeventInjection         bool
+	VFS3Fscaps              bool
 
 	MockMode bool // If true some APIs will be mocked (for testing)
 }
diff --git a/shared/idmap/idmapset_linux.go b/shared/idmap/idmapset_linux.go
index cc95260c08..bfa2a34f17 100644
--- a/shared/idmap/idmapset_linux.go
+++ b/shared/idmap/idmapset_linux.go
@@ -480,10 +480,8 @@ func (set *IdmapSet) doUidshiftIntoContainer(dir string, testmode bool, how stri
 	if how == "in" && atomic.LoadInt32(&VFS3Fscaps) == VFS3FscapsUnknown {
 		if SupportsV3Fcaps(dir) {
 			atomic.StoreInt32(&VFS3Fscaps, VFS3FscapsSupported)
-			logger.Debugf("System supports unprivileged file capabilities")
 		} else {
 			atomic.StoreInt32(&VFS3Fscaps, VFS3FscapsUnsupported)
-			logger.Debugf("System does not support unprivileged file capabilities")
 		}
 	}

More information about the lxc-devel mailing list