virtio/fs: Check capabilities & act accordingly #244
Merged
slp merged 2 commits into containers:main on Dec 19, 2024
When run in muvm as an unprivileged user, write operations right now kind of work by accident, since libkrun assumes it runs as root:

- If the access is in root context, it assumes it does not need to change user. The access is then made as the user.
- If the access is as the muvm user, it tries to change uid to that user, which succeeds as a no-op. The access is made as the user, and then it tries to change back to root after it, which spams an error message.
- If the access is as any other user, it tries to change to that uid, which fails and the access fails.

This behavior, except for the spammy error, is essentially what we want. Re-do the credential change logic to explicitly implement the above, without trying to change uid/gid at all if we do not have the capability.

Signed-off-by: Asahi Lina <lina@asahilina.net>
This makes overlayfs mounts with virtiofs lower dirs work.

Signed-off-by: Asahi Lina <lina@asahilina.net>
590fafa to 6ad8a33
Two changes that make the passthrough layer check whether it runs with the proper capabilities to do something (i.e. root) and, if not, make it not do it.
Needed for some experiments I'm trying with the FEX RootFS stuff, but also generally helpful (I don't expect anything else to be needed in libkrun, so I'm sending this early).
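The three cases listed in the first commit message can be modelled as a capability check followed by an explicit decision. The sketch below is an added example, not code from this pull request or from libkrun. It assumes the process reads its effective capability mask from `/proc/self/status`, models only the uid half of the uid/gid pair, and uses hypothetical names throughout (`CredAction`, `effective_caps`, `effective_uid`, `can_switch_ids`, `decide`).

```rust
// Added illustration, not libkrun code; all names here are hypothetical.
use std::fs;

const CAP_SETGID: u32 = 6; // bit numbers from linux/capability.h
const CAP_SETUID: u32 = 7;

#[derive(Debug, PartialEq)]
pub enum CredAction {
    Keep,        // serve the request with the process's own credentials
    Switch(u32), // change to the requester's uid, restore afterwards
    Deny,        // fail the request up front instead of a failing setuid
}

/// Effective capability mask from the text of /proc/<pid>/status.
pub fn effective_caps(status: &str) -> Option<u64> {
    let hex = status.lines().find_map(|l| l.strip_prefix("CapEff:"))?;
    u64::from_str_radix(hex.trim(), 16).ok()
}

/// Effective uid: second field of the "Uid:" line (real, effective, saved, fs).
pub fn effective_uid(status: &str) -> Option<u32> {
    let ids = status.lines().find_map(|l| l.strip_prefix("Uid:"))?;
    ids.split_whitespace().nth(1)?.parse().ok()
}

pub fn can_switch_ids(caps: u64) -> bool {
    let need = (1u64 << CAP_SETUID) | (1u64 << CAP_SETGID);
    caps & need == need
}

/// Decide how to serve a request the guest made as `req_uid`.
pub fn decide(caps: u64, our_uid: u32, req_uid: u32) -> CredAction {
    if req_uid == 0 || req_uid == our_uid {
        CredAction::Keep
    } else if can_switch_ids(caps) {
        CredAction::Switch(req_uid)
    } else {
        CredAction::Deny
    }
}

fn main() {
    // Constructed fallback for hosts without /proc.
    let sample = "Uid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n";
    let status = fs::read_to_string("/proc/self/status").unwrap_or(sample.into());
    let caps = effective_caps(&status).unwrap_or(0); // unknown mask: assume none
    let uid = effective_uid(&status).expect("Uid line");
    for req in [0, uid, 4242] {
        println!("request uid {}: {:?}", req, decide(caps, uid, req));
    }
}
```

Treating an unreadable capability mask as empty keeps the sketch on the fail-closed side: requests for foreign uids are denied rather than attempted.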