Commit ed16d50
cstorage: Add userns helper for rootless containers-storage access
When running as an unprivileged user, files in containers-storage may
have restrictive permissions (e.g., /etc/shadow with mode 0600 owned by
remapped UIDs). This commit adds a user namespace helper that enables
reading these files by spawning a helper process via `podman unshare`.
The helper runs as UID 0 inside the user namespace and can read any file.
It communicates with the parent process via Unix socket using JSON-RPC 2.0
with SCM_RIGHTS file descriptor passing for zero-copy streaming.
Key components:
- userns.rs: User namespace detection (can_bypass_file_permissions(),
should_enter_userns(), subuid/subgid parsing)
- userns_helper.rs: Helper process with JSON-RPC protocol, StorageProxy
client, and ProxiedLayerStream for streaming layer content
The cstor.rs import code now automatically uses the proxy when running
as an unprivileged user, falling back to direct access when running as
root or with CAP_DAC_OVERRIDE.
Ported from cgwalters/cstor-rs.
Assisted-by: OpenCode (Claude claude-opus-4-5@20251101)
Signed-off-by: Colin Walters <walters@verbum.org>

1 parent cde1a65, commit ed16d50
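The decision the message describes (use the `podman unshare` proxy only when the process is neither root nor holds CAP_DAC_OVERRIDE, and only if the user has a subuid range to map) can be shown in pure-std Rust. The following is an added example, not code from this commit or from cstor-rs: the function names echo the ones the message lists (`can_bypass_file_permissions`, `should_enter_userns`, subuid parsing) but their bodies, the `ProcessIdentity` and `SubIdRange` types, and the choice to read `/proc/self/status` instead of calling `geteuid`/`capget` are assumptions made here so the block runs without the `libc` crate. The sample status and subuid text in the test is constructed.

```rust
use std::fs;
use std::io;

/// CAP_DAC_OVERRIDE is capability number 1 in linux/capability.h.
const CAP_DAC_OVERRIDE: u32 = 1;

/// The two fields of /proc/self/status this example needs (assumed struct).
#[derive(Debug, PartialEq)]
pub struct ProcessIdentity {
    pub euid: u32,
    pub cap_eff: u64,
}

/// Parse the "Uid:" and "CapEff:" lines of a /proc/<pid>/status text.
/// Uid: lists real, effective, saved-set and filesystem UIDs; CapEff is hex.
pub fn parse_proc_status(text: &str) -> Option<ProcessIdentity> {
    let mut euid = None;
    let mut cap_eff = None;
    for line in text.lines() {
        if let Some(rest) = line.strip_prefix("Uid:") {
            let mut fields = rest.split_whitespace();
            let _real = fields.next()?;
            euid = Some(fields.next()?.parse().ok()?);
        } else if let Some(rest) = line.strip_prefix("CapEff:") {
            cap_eff = Some(u64::from_str_radix(rest.trim(), 16).ok()?);
        }
    }
    Some(ProcessIdentity { euid: euid?, cap_eff: cap_eff? })
}

/// Test a single capability bit in an effective capability mask.
pub fn has_cap(cap_eff: u64, cap: u32) -> bool {
    cap_eff & (1u64 << cap) != 0
}

/// Root, or any process with CAP_DAC_OVERRIDE, can read 0600 files directly.
pub fn can_bypass_file_permissions(id: &ProcessIdentity) -> bool {
    id.euid == 0 || has_cap(id.cap_eff, CAP_DAC_OVERRIDE)
}

/// Enter a user namespace only when direct access would fail and the user
/// actually owns a subordinate ID range to map (otherwise unshare cannot help).
pub fn should_enter_userns(id: &ProcessIdentity, has_subid_range: bool) -> bool {
    !can_bypass_file_permissions(id) && has_subid_range
}

/// One line of /etc/subuid or /etc/subgid: "owner:start:count" (assumed struct).
#[derive(Debug, PartialEq)]
pub struct SubIdRange {
    pub owner: String,
    pub start: u32,
    pub count: u32,
}

/// Parse a subuid/subgid file, skipping blank lines, comments and malformed rows.
pub fn parse_subid(text: &str) -> Vec<SubIdRange> {
    text.lines()
        .filter_map(|line| {
            let line = line.trim();
            if line.is_empty() || line.starts_with('#') {
                return None;
            }
            let mut parts = line.splitn(3, ':');
            let owner = parts.next()?.to_string();
            let start = parts.next()?.parse().ok()?;
            let count = parts.next()?.parse().ok()?;
            Some(SubIdRange { owner, start, count })
        })
        .collect()
}

/// shadow-utils accepts either the user name or the numeric UID in the owner
/// field, so match on both when collecting the ranges for the current user.
pub fn subid_ranges_for(text: &str, user: &str, uid: u32) -> Vec<SubIdRange> {
    let uid_str = uid.to_string();
    parse_subid(text)
        .into_iter()
        .filter(|r| r.owner == user || r.owner == uid_str)
        .collect()
}

/// Read the identity of the running process from procfs.
pub fn current_identity() -> io::Result<ProcessIdentity> {
    let text = fs::read_to_string("/proc/self/status")?;
    parse_proc_status(&text)
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidData, "unexpected /proc/self/status"))
}

fn main() -> io::Result<()> {
    let id = current_identity()?;
    let subuid = fs::read_to_string("/etc/subuid").unwrap_or_default();
    let user = std::env::var("USER").unwrap_or_default();
    let ranges = subid_ranges_for(&subuid, &user, id.euid);
    println!("euid={} bypass={} enter_userns={}",
        id.euid, can_bypass_file_permissions(&id), should_enter_userns(&id, !ranges.is_empty()));
    Ok(())
}
```

One caveat worth keeping in mind when porting this check: inside a user namespace `CapEff` still reports CAP_DAC_OVERRIDE for the namespace's UID 0, but the kernel honours it only for files whose owner is mapped into that namespace, so a storage directory written by a different UID mapping can still be unreadable even though the check returns true.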
10 files changed
Lines changed: 2293 additions & 62 deletions
File tree
- crates
  - cfsctl
    - src
  - composefs-oci
    - src
  - cstorage
    - src
[Diff hunks: the rendered tables in this extract carry only old/new line numbers; the changed lines themselves were not captured. Hunk positions: file 1, three lines added after old line 23 (new 24-26); file 2, old line 17 replaced and one line added at new 28; file 3, old lines 214-215 replaced by new 214-227; file 4, old line 15 replaced.]