[Virtio-fs] Map more than one uid/gid when running virtiofsd with unprivileged user

Elaheh Dehghani dehghani.e at gmail.com
Wed Aug 17 23:16:22 UTC 2022


We are using an unprivileged user to run virtiofsd in its own user
namespace. We have a guest VM running on top of QEMU with KVM. We are
sharing files from the host to the guest and we need to make sure only
certain users/groups in the guest can read/write those files. Currently
there is only one uid/gid that’s mapped correctly (the virtiofsd user on
the host is mapped to guest) and everything else is mapped to nobody.

It seems the reason is that unprivileged virtiofsd only maps current
uid/gid when it's running inside its own user namespace.

Due to some resource limitations that we have in our system, we can't use a
container-engine such as lxc-usernsexec to map a range of uids/gids. So,
I'm trying to figure out if there is a way to patch the ‘setup_id_mappings’
in virtiofsd code to support our specific scenario.


The additional mapping that we need is for uid/gid=1000. What I've done:

- Defined 1000:100000:65536 in both /etc/subuid and /etc/subgid

- Changed this line in src/sandbox.rs
  <https://gitlab.com/virtio-fs/virtiofsd/-/blob/main/src/sandbox.rs#L289> to
  something like:

      let uid_mapping = format!("{} {} 1\n1000 1000 1\n", uid, uid);


After running virtiofsd, I'm getting this error:

    Error entering sandbox: WriteUidMap(Os { code: 1, kind: PermissionDenied,
    message: "Operation not permitted" })


What am I missing here?


Thanks,

Ellie
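Added example, not from the post or the virtiofsd project: a small Python model of the two checks that stand between an unprivileged virtiofsd and a multi-line uid_map. The kernel accepts a uid_map written by a process without CAP_SETUID in the parent namespace only as a single line whose outer id is the writer's own euid with count 1, which is why a second line is refused with EPERM; any further ids have to be written by the setuid-root newuidmap helper, which only grants ranges listed for the caller in /etc/subuid. The user name "virtiofs", uid 2001 and the subuid contents are constructed, and how newuidmap treats a one-entry self-mapping of the caller's own uid is not modelled.

```python
# Added example (not from the post or the virtiofsd project): models the two
# gatekeepers for writing /proc/<pid>/uid_map from an unprivileged process.
# Rule 1 (kernel): without CAP_SETUID in the parent namespace, the write must be
#   a single line "<inner> <outer> 1" whose outer id is the writer's own euid.
# Rule 2 (setuid newuidmap): every mapped outer range must lie inside a range the
#   caller owns in /etc/subuid (assumption: entries keyed by name or numeric uid).
from typing import List, Tuple

Extent = Tuple[int, int, int]  # (inner_first, outer_first, count)

def parse_uid_map(text: str) -> List[Extent]:
    ext = []
    for line in text.splitlines():
        if line.strip():
            inner, outer, count = (int(f) for f in line.split())
            ext.append((inner, outer, count))
    return ext

def kernel_allows_unprivileged(uid_map: str, euid: int) -> bool:
    """True iff the kernel accepts this uid_map from a writer lacking CAP_SETUID."""
    ext = parse_uid_map(uid_map)
    return len(ext) == 1 and ext[0][1] == euid and ext[0][2] == 1

def subordinate_ranges(subuid: str, user: str, uid: int) -> List[Tuple[int, int]]:
    """Inclusive [start, end] ranges granted to `user` (or its uid) in /etc/subuid."""
    ranges = []
    for line in subuid.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        owner, start, count = line.split(":")
        if owner in (user, str(uid)):
            ranges.append((int(start), int(start) + int(count) - 1))
    return ranges

def newuidmap_allows(uid_map: str, subuid: str, user: str, uid: int) -> bool:
    """True iff every outer range is covered by one of the caller's subuid ranges."""
    owned = subordinate_ranges(subuid, user, uid)
    for _inner, outer, count in parse_uid_map(uid_map):
        if not any(lo <= outer and outer + count - 1 <= hi for lo, hi in owned):
            return False
    return True

# Constructed scenario: virtiofsd runs as user "virtiofs" (uid 2001), which owns
# host ids 100000-165535 in /etc/subuid; the guest should also see uid 1000.
VIRTIOFS_UID = 2001
SUBUID = "virtiofs:100000:65536\n"
TWO_LINE_MAP = f"{VIRTIOFS_UID} {VIRTIOFS_UID} 1\n1000 1000 1\n"  # as in the post
RANGE_MAP = "1000 100000 1\n"  # guest uid 1000 -> a subordinate host id

if __name__ == "__main__":
    print(kernel_allows_unprivileged(TWO_LINE_MAP, VIRTIOFS_UID))  # False: EPERM
    print(newuidmap_allows(TWO_LINE_MAP, SUBUID, "virtiofs", VIRTIOFS_UID))  # False
    print(newuidmap_allows(RANGE_MAP, SUBUID, "virtiofs", VIRTIOFS_UID))  # True
```

The second check fails for "1000 1000 1" because host uid 1000 is outside the caller's subordinate range, not only because the kernel rejects the two-line write.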

