Rework virtiofsd uid/gid map handling #1692
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hallyn
reviewed
Feb 25, 2025
| } | ||
| } | ||
|
|
||
| if lastUID < 4294967295 { |
There was a problem hiding this comment.
Hm, but if there was only a uid, and no gid, then
lastGid will still be its default value and therefore
pass the < 4294967295 test, and you'll add an entry
for that. Is that what you wanted?
There was a problem hiding this comment.
If no gid is passed (very bad idea), we should ban all GIDs, so I'd expect a 0-4294967295 reject range to be put in place.
There was a problem hiding this comment.
But that actually brings in a good point that I should initialize at -1 as with current logic, we'd end up only forbidding 1-4294967295, allowing the most dangerous one...
There was a problem hiding this comment.
For extra fun: https://gitlab.com/virtio-fs/virtiofsd/-/issues/198
There was a problem hiding this comment.
@hallyn tweaked the logic as mentioned in that Gitlab issue and I did a manual test using a slightly more complex setup with two uid/gid being allowed (1000 and 2000) and then checking all the potential problematic values.
I basically ran a loop that individually validated everything from uid/gid 0 through 65536 and then another quick loop to validate the behavior over the last 100 valid uid/gid. Seems to behave as expected, only 1000 and 2000 were allowed.
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Closes lxc#1682 Signed-off-by: Stéphane Graber <[email protected]>
hallyn
approved these changes
Feb 25, 2025
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Mar 2, 2025
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [lxc/incus](https://github.com/lxc/incus) | minor | `v6.9.0` -> `v6.10.0` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>lxc/incus (lxc/incus)</summary> ### [`v6.10.0`](https://github.com/lxc/incus/releases/tag/v6.10.0): Incus 6.10 [Compare Source](lxc/incus@v6.9.0...v6.10.0) #### What's Changed - incusd/instance/drivers/qmp: Handle missing log directory by [@​stgraber](https://github.com/stgraber) in lxc/incus#1604 - incus-user: keep track of socket path used to connect to the server by [@​bboozzoo](https://github.com/bboozzoo) in lxc/incus#1607 - incus-user: unify logging, support --verbose and --debug by [@​bboozzoo](https://github.com/bboozzoo) in lxc/incus#1606 - Add project support to profiles in preseed init by [@​megheaiulian](https://github.com/megheaiulian) in lxc/incus#1608 - incusd/network/ovn: Fix bad route check by [@​stgraber](https://github.com/stgraber) in lxc/incus#1616 - incus/file/pull: Ensure we have a leading / in all paths by [@​stgraber](https://github.com/stgraber) in lxc/incus#1617 - incus/file/pull: Read files in chunks by [@​stgraber](https://github.com/stgraber) in lxc/incus#1623 - doc/installing: mention incus group on NixOS by [@​dawidd6](https://github.com/dawidd6) in lxc/incus#1622 - incus/file/pull: Actually make read buffer 1MiB by [@​stgraber](https://github.com/stgraber) in lxc/incus#1624 - Translations update from Hosted Weblate by [@​weblate](https://github.com/weblate) in lxc/incus#1639 - incusd/device/disk: Allow virtiofsd on non-x86 by [@​stgraber](https://github.com/stgraber) in lxc/incus#1638 - Translations update from Hosted Weblate by [@​weblate](https://github.com/weblate) in lxc/incus#1640 - Translations update from Hosted Weblate by [@​weblate](https://github.com/weblate) in lxc/incus#1642 - incusd/instance/drivers/qemu: Add IOMMU device by [@​stgraber](https://github.com/stgraber) in lxc/incus#1644 - incus/file: Remove unused function by [@​stgraber](https://github.com/stgraber) in lxc/incus#1645 - Translations update from Hosted Weblate by [@​weblate](https://github.com/weblate) in lxc/incus#1646 - incus/network/info (ovn): Fix object not found. by [@​rxtom](https://github.com/rxtom) in lxc/incus#1628 - incusd/instance/drivers: Improve NUMA balancing by [@​lnutimura](https://github.com/lnutimura) in lxc/incus#1626 - incusd/network/bridge: Fix deletion of tunnels and dummy devices by [@​montag451](https://github.com/montag451) in lxc/incus#1627 - incus/file: Move from path to filepath by [@​stgraber](https://github.com/stgraber) in lxc/incus#1647 - Added LZ4 support for incus import by [@​Spitfireap](https://github.com/Spitfireap) in lxc/incus#1611 - Add `vrf` parameter for routed-nic devices by [@​ibot3](https://github.com/ibot3) in lxc/incus#1615 - Translations update from Hosted Weblate by [@​weblate](https://github.com/weblate) in lxc/incus#1648 - Translations update from Hosted Weblate by [@​weblate](https://github.com/weblate) in lxc/incus#1651 - Move generators to the cmd package by [@​stgraber](https://github.com/stgraber) in lxc/incus#1652 - Fix incorrect volume group naming when `vg_name` is not specified by [@​presztak](https://github.com/presztak) in lxc/incus#1653 - Rename incus-generate and incus-doc by [@​breml](https://github.com/breml) in lxc/incus#1654 - Implement `smbios11` config keys by [@​stgraber](https://github.com/stgraber) in lxc/incus#1655 - Fix instance copy error when using '--refresh' flag by [@​presztak](https://github.com/presztak) in lxc/incus#1658 - Fix docs for load balancer create backend by [@​gwenya](https://github.com/gwenya) in lxc/incus#1661 - incusd/instance/utils: Only check uid/gid for containers by [@​stgraber](https://github.com/stgraber) in lxc/incus#1662 - incusd/main_nsexec: Fix change_namespaces fallback to handle multiple… by [@​stgraber](https://github.com/stgraber) in lxc/incus#1664 - Check if disk is remote when migrating with an extra disk by [@​presztak](https://github.com/presztak) in lxc/incus#1669 - incusd/instance/edk2: Look for bios.bin in /usr/share/seabios by [@​stgraber](https://github.com/stgraber) in lxc/incus#1672 - Replace ast.Package with types.Package by [@​breml](https://github.com/breml) in lxc/incus#1665 - list/format: provide more information on error by [@​rxtom](https://github.com/rxtom) in lxc/incus#1666 - Add additional validation when joining a new cluster member by [@​presztak](https://github.com/presztak) in lxc/incus#1680 - Upgrade flosch/pongo2 to v6 by [@​nanjj](https://github.com/nanjj) in lxc/incus#1677 - incusd/resources: Prevent concurrent runs and cache data for 10s by [@​stgraber](https://github.com/stgraber) in lxc/incus#1681 - Fix importing from older backups by [@​stgraber](https://github.com/stgraber) in lxc/incus#1683 - fix: Don't attempt to download signatures for oci by [@​m2Giles](https://github.com/m2Giles) in lxc/incus#1685 - Ensure directories have 755 permissions in `incus file push -p` command by [@​presztak](https://github.com/presztak) in lxc/incus#1687 - devcontainer: Update Go to 1.23 by [@​breml](https://github.com/breml) in lxc/incus#1689 - Make "Code generated" comments for generate-database Go conformant by [@​breml](https://github.com/breml) in lxc/incus#1690 - Disclaimer internal tool for generate-database and generate-config by [@​breml](https://github.com/breml) in lxc/incus#1694 - Truncate the block file during custom volume migration by [@​presztak](https://github.com/presztak) in lxc/incus#1696 - Rework virtiofsd uid/gid map handling by [@​stgraber](https://github.com/stgraber) in lxc/incus#1692 - Remove unused arguments and parameters by [@​presztak](https://github.com/presztak) in lxc/incus#1699 - generate-database: Use deferred func to map errors & make generated code self-sufficient by [@​breml](https://github.com/breml) in lxc/incus#1695 - incus/top: Fix handling of all-projects by [@​stgraber](https://github.com/stgraber) in lxc/incus#1701 - Ceph refactor by [@​MadnessASAP](https://github.com/MadnessASAP) in lxc/incus#1538 - incus/file: Port remaining functions to SFTP by [@​HassanAlsamahi](https://github.com/HassanAlsamahi) in lxc/incus#1649 - Add filtering to all API collections by [@​gwenya](https://github.com/gwenya) in lxc/incus#1679 - Add provider for DNS-01 ACME challenge by [@​accuser](https://github.com/accuser) in lxc/incus#1668 #### New Contributors - [@​bboozzoo](https://github.com/bboozzoo) made their first contribution in lxc/incus#1607 - [@​dawidd6](https://github.com/dawidd6) made their first contribution in lxc/incus#1622 - [@​rxtom](https://github.com/rxtom) made their first contribution in lxc/incus#1628 - [@​lnutimura](https://github.com/lnutimura) made their first contribution in lxc/incus#1626 - [@​ibot3](https://github.com/ibot3) made their first contribution in lxc/incus#1615 - [@​gwenya](https://github.com/gwenya) made their first contribution in lxc/incus#1661 - [@​accuser](https://github.com/accuser) made their first contribution in lxc/incus#1668 **Full Changelog**: lxc/incus@v6.9.0...v6.10.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xODIuMyIsInVwZGF0ZWRJblZlciI6IjM5LjE4Mi4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
virtiofsd has built-in uid/gid mapping these days, so use that rather than rely on our own user namespace. This fixes issues with the most recent virtiofsd which now fails to drop some privileges due to our user namespace wrapper.