cstorage: Add userns helper for rootless containers-storage access

When running as an unprivileged user, files in containers-storage may
have restrictive permissions (e.g., /etc/shadow with mode 0600 owned by
remapped UIDs). This commit adds a user namespace helper that enables
reading these files by spawning a helper process via `podman unshare`.

The helper runs as UID 0 inside the user namespace and can read any file.
It communicates with the parent process via Unix socket using JSON-RPC 2.0
with SCM_RIGHTS file descriptor passing for zero-copy streaming.

Key components:
- userns.rs: User namespace detection (can_bypass_file_permissions(),
  should_enter_userns(), subuid/subgid parsing)
- userns_helper.rs: Helper process with JSON-RPC protocol, StorageProxy
  client, and ProxiedLayerStream for streaming layer content

The cstor.rs import code now automatically uses the proxy when running
as an unprivileged user, falling back to direct access when running as
root or with CAP_DAC_OVERRIDE.

Ported from cgwalters/cstor-rs.

Assisted-by: OpenCode (Opus 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

Cargo.toml

@@ -21,6 +21,9 @@ composefs-oci = { version = "0.3.0", path = "crates/composefs-oci", default-feat
 composefs-boot = { version = "0.3.0", path = "crates/composefs-boot", default-features = false }
 composefs-http = { version = "0.3.0", path = "crates/composefs-http", default-features = false }
 
+# JSON-RPC with FD passing for userns helper
+jsonrpc-fdpass = { git = "https://github.com/cgwalters/jsonrpc-fdpass", rev = "b30fa1d" }
+
 [profile.dev.package.sha2]
 # this is *really* slow otherwise
 opt-level = 3

crates/cfsctl/Cargo.toml

@@ -14,7 +14,7 @@ version.workspace = true
 default = ['pre-6.15', 'oci', 'containers-storage']
 http = ['composefs-http']
 oci = ['composefs-oci']
-containers-storage = ['composefs-oci/containers-storage']
+containers-storage = ['composefs-oci/containers-storage', 'cstorage']
 rhel9 = ['composefs/rhel9']
 'pre-6.15' = ['composefs/pre-6.15']
 
@@ -25,6 +25,7 @@ composefs = { workspace = true }
 composefs-boot = { workspace = true }
 composefs-oci = { workspace = true, optional = true }
 composefs-http = { workspace = true, optional = true }
+cstorage = { path = "../cstorage", features = ["userns-helper"], optional = true }
 env_logger = { version = "0.11.0", default-features = false }
 hex = { version = "0.4.0", default-features = false }
 indicatif = { version = "0.17.0", default-features = false }

crates/cfsctl/src/main.rs

@@ -211,8 +211,20 @@ where
     Ok(repo)
 }
 
-#[tokio::main]
-async fn main() -> Result<()> {
+fn main() -> Result<()> {
+    // If we were spawned as a userns helper process, handle that and exit.
+    // This MUST be called before the tokio runtime is created.
+    #[cfg(feature = "containers-storage")]
+    cstorage::init_if_helper();
+
+    // Now we can create the tokio runtime for the main application
+    tokio::runtime::Builder::new_multi_thread()
+        .enable_all()
+        .build()?
+        .block_on(async_main())
+}
+
+async fn async_main() -> Result<()> {
     env_logger::init();
 
     let args = App::parse();

crates/composefs-oci/Cargo.toml

@@ -12,7 +12,7 @@ version.workspace = true
 
 [features]
 default = ["containers-storage"]
-containers-storage = ["dep:cstorage"]
+containers-storage = ["dep:cstorage", "cstorage?/userns-helper"]
 
 [dependencies]
 anyhow = { version = "1.0.87", default-features = false }