[PATCH] nspawn: just a quick patch to test overlayfs uid shift
From fc07e715ec5c20b461f4fda4014f755a53a39d5a Mon Sep 17 00:00:00 2001
From: Djalal Harouni <djalal@endocode.com>
Date: Thu, 21 Jan 2016 12:49:41 +0100
Subject: [PATCH] nspawn: just a quick patch to test overlayfs uid shift
Signed-off-by: Djalal Harouni <djalal@endocode.com>
---
src/nspawn/nspawn-mount.c | 25 ++++++++++++++++++-------
src/nspawn/nspawn-mount.h | 1 +
src/nspawn/nspawn.c | 1 +
3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
index c8e627a..38ab028 100644
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@@ -514,14 +514,19 @@ static char *joined_and_escaped_lower_dirs(char * const *lower) {
static int mount_overlay(const char *dest, CustomMount *m) {
_cleanup_free_ char *lower = NULL;
+ _cleanup_free_ char *escaped_source = NULL;
+ _cleanup_free_ char *escaped_work_dir = NULL;
const char *where, *options;
- int r;
+ int r, shift = 0;
assert(dest);
assert(m);
where = prefix_roota(dest, m->destination);
+ if (m->arg_uid_shift != UID_INVALID)
+ shift = 1;
+
r = mkdir_label(where, 0755);
if (r < 0 && r != -EEXIST)
return log_error_errno(r, "Creating mount point for overlay %s failed: %m", where);
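Review bot: The new `shift` flag is an `int` assigned 0/1 across two statements (`int r, shift = 0;` plus the `if` after `prefix_roota`), where a single boolean initialization says the same thing: `bool shift = m->arg_uid_shift != UID_INVALID;` (the file already treats `m->read_only` as a boolean, so `bool` appears to be in scope — confirm). Hoisting `escaped_source` and `escaped_work_dir` to function scope only serves the chown block at the end of the function; if that block is reworked to use the raw paths, the two declarations can stay inside their branches as before. mount_overlay's body continues past this hunk.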
@@ -533,16 +538,13 @@ static int mount_overlay(const char *dest, CustomMount *m) {
return log_oom();
if (m->read_only) {
- _cleanup_free_ char *escaped_source = NULL;
-
escaped_source = shell_escape(m->source, ",:");
if (!escaped_source)
return log_oom();
- options = strjoina("lowerdir=", escaped_source, ":", lower);
+ options = strjoina(shift ? "shift_uids,shift_gids," : "",
+ "lowerdir=", escaped_source, ":", lower);
} else {
- _cleanup_free_ char *escaped_source = NULL, *escaped_work_dir = NULL;
-
assert(m->work_dir);
(void) mkdir_label(m->work_dir, 0700);
@@ -553,12 +555,21 @@ static int mount_overlay(const char *dest, CustomMount *m) {
if (!escaped_work_dir)
return log_oom();
- options = strjoina("lowerdir=", lower, ",upperdir=", escaped_source, ",workdir=", escaped_work_dir);
+ options = strjoina("lowerdir=", lower, ",upperdir=", escaped_source, ",workdir=", escaped_work_dir,
+ shift ? ",shift_uids,shift_gids" : "");
}
if (mount("overlay", where, "overlay", m->read_only ? MS_RDONLY : 0, options) < 0)
return log_error_errno(errno, "overlay mount to %s failed: %m", where);
+ /* Just a hack to test overlayfs UID shifts */
+ if (shift && escaped_source && escaped_work_dir) {
+ lchown(escaped_source, 0 + m->arg_uid_shift,
+ 0 + m->arg_uid_shift);
+ lchown(escaped_work_dir, 0 + m->arg_uid_shift,
+ 0 + m->arg_uid_shift);
+ }
+
return 0;
}
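Review bot: The `lchown` calls at the end of the hunk operate on `escaped_source` and `escaped_work_dir`, which are the `shell_escape(..., ",:")` forms built for the mount option string, not the real paths; any `source` or `work_dir` containing `,` or `:` gets a backslash inserted, so the chown targets a path that does not exist, and because both return values are discarded the failure is silent. The unmodified `m->source` and `m->work_dir` should be passed instead, and the result checked and logged like the other failures in this function. The `0 +` in `0 + m->arg_uid_shift` adds nothing and should go. Changing ownership of the host-side upper and work directories is also a persistent side effect on the host filesystem, which at minimum deserves a comment stating that it is intentional for the test.
```c
        /* Just a hack to test overlayfs UID shifts: hand the host-side
         * upper/work directories to the shifted root uid. */
        if (shift && !m->read_only) {
                if (lchown(m->source, m->arg_uid_shift, m->arg_uid_shift) < 0)
                        return log_error_errno(errno, "Failed to chown overlay upperdir %s: %m", m->source);
                if (lchown(m->work_dir, m->arg_uid_shift, m->arg_uid_shift) < 0)
                        return log_error_errno(errno, "Failed to chown overlay workdir %s: %m", m->work_dir);
        }

        return 0;
```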
diff --git a/src/nspawn/nspawn-mount.h b/src/nspawn/nspawn-mount.h
index bdab23b..235f530 100644
--- a/src/nspawn/nspawn-mount.h
+++ b/src/nspawn/nspawn-mount.h
@@ -47,6 +47,7 @@ typedef struct CustomMount {
char *options;
char *work_dir;
char **lower;
+ unsigned int arg_uid_shift;
} CustomMount;
CustomMount* custom_mount_add(CustomMount **l, unsigned *n, CustomMountType t);
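Review bot: The new field is declared `unsigned int arg_uid_shift;` but is compared against `UID_INVALID` and passed to `lchown` as an owner in nspawn-mount.c, so it should carry the uid type: `uid_t uid_shift;`. Dropping the `arg_` prefix also keeps the struct member distinct from the file-scope `arg_uid_shift` it is copied from in nspawn.c, which currently makes `m->arg_uid_shift = arg_uid_shift` read like a self-assignment. A one-line comment such as `/* UID_INVALID when no --private-users shift applies */` would document the sentinel the consumer relies on.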
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index d619206..779b28a 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -681,6 +681,7 @@ static int parse_argv(int argc, char *argv[]) {
m->source = upper;
m->lower = lower;
m->read_only = c == ARG_OVERLAY_RO;
+ m->arg_uid_shift = arg_uid_shift;
upper = destination = NULL;
lower = NULL;
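Review bot: `m->arg_uid_shift = arg_uid_shift;` snapshots the global at the moment the `--overlay` option is parsed, so if `arg_uid_shift` is set by an option that appears later on the command line, the value copied here is stale; it is safer to read the global (or pass it in) when mount_overlay runs rather than at parse time — confirm how parse_argv orders these. The field is set only on this overlay path; if custom_mount_add zero-initializes the struct, every other CustomMount carries 0 rather than UID_INVALID, which the `!= UID_INVALID` test in mount_overlay would read as a shift to uid 0 should that function ever see such an entry. The enclosing parse_argv body starts and ends outside the hunk.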
--
2.4.5