Merge tag 'fs.idmapped.v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/braune...

Pull fs idmapping updates from Christian Brauner:
 "This contains the work to enable the idmapping infrastructure to
  support idmapped mounts of filesystems mounted with an idmapping.

  In addition this contains various cleanups that avoid repeated
  open-coding of the same functionality and simplify the code in quite a
  few places.

  We also finish the renaming of the mapping helpers we started a few
  kernel releases back and move them to a dedicated header to not
  continue polluting the fs header needlessly with low-level idmapping
  helpers. With this series the fs header only contains idmapping
  helpers that interact with fs objects.

  Currently we only support idmapped mounts for filesystems mounted
  without an idmapping themselves. This was a conscious decision
  mentioned in multiple places (cf. [1]).

  As explained at length in [3] it is perfectly fine to extend support
  for idmapped mounts to filesystem's mounted with an idmapping should
  the need arise. The need has been there for some time now (cf. [2]).

  Before we can port any filesystem that is mountable with an idmapping
  to support idmapped mounts in the coming cycles, we need to first
  extend the mapping helpers to account for the filesystem's idmapping.
  This again, is explained at length in our documentation at [3] and
  also in the individual commit messages so here's an overview.

  Currently, the low-level mapping helpers implement the remapping
  algorithms described in [3] in a simplified manner as we could rely on
  the fact that all filesystems supporting idmapped mounts are mounted
  without an idmapping.

  In contrast, filesystems mounted with an idmapping are very likely to
  not use an identity mapping and will instead use a non-identity
  mapping. So the translation step from or into the filesystem's
  idmapping in the remapping algorithm cannot be skipped for such
  filesystems.

  Non-idmapped filesystems and filesystems not supporting idmapped
  mounts are unaffected by this change as the remapping algorithms can
  take the same shortcut as before. If the low-level helpers detect that
  they are dealing with an idmapped mount but the underlying filesystem
  is mounted without an idmapping we can rely on the previous shortcut
  and can continue to skip the translation step from or into the
  filesystem's idmapping. And of course, if the low-level helpers detect
  that they are not dealing with an idmapped mount they can simply
  return the relevant id unchanged; no remapping needs to be performed
  at all.

  These checks guarantee that only the minimal amount of work is
  performed. As before, if idmapped mounts aren't used the low-level
  helpers are idempotent and no work is performed at all"

Link: 2ca4dcc4909d ("fs/mount_setattr: tighten permission checks") [1]
Link: https://github.com/containers/podman/issues/10374
Link: Documentations/filesystems/idmappings.rst [3]
Link: a65e58e791a1 ("fs: document and rename fsid helpers") [4]

* tag 'fs.idmapped.v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
  fs: support mapped mounts of mapped filesystems
  fs: add i_user_ns() helper
  fs: port higher-level mapping helpers
  fs: remove unused low-level mapping helpers
  fs: use low-level mapping helpers
  docs: update mapping documentation
  fs: account for filesystem mappings
  fs: tweak fsuidgid_has_mapping()
  fs: move mapping helpers
  fs: add is_idmapped_mnt() helper

diff --combined fs/namespace.c
index b696543adab848edc175fd511c83e7cd06dfc3fb,08266a35c0c192b21561fddb552f35fc0a339fe2..dc31ad6b370f39a88dd4ee6f5fafbcc02344b203
--- 1/fs/namespace.c
--- 2/fs/namespace.c
+++ b/fs/namespace.c
@@@ -31,6 -31,7 +31,7 @@@
  #include <uapi/linux/mount.h>
  #include <linux/fs_context.h>
  #include <linux/shmem_fs.h>
+ #include <linux/mnt_idmapping.h>
  
  #include "pnode.h"
  #include "internal.h"
@@@ -561,7 -562,7 +562,7 @@@ static void free_vfsmnt(struct mount *m
        struct user_namespace *mnt_userns;
  
        mnt_userns = mnt_user_ns(&mnt->mnt);
-       if (mnt_userns != &init_user_ns)
+       if (!initial_idmapping(mnt_userns))
                put_user_ns(mnt_userns);
        kfree_const(mnt->mnt_devname);
  #ifdef CONFIG_SMP
@@@ -965,6 -966,7 +966,7 @@@ static struct mount *skip_mnt_tree(stru
  struct vfsmount *vfs_create_mount(struct fs_context *fc)
  {
        struct mount *mnt;
+       struct user_namespace *fs_userns;
  
        if (!fc->root)
                return ERR_PTR(-EINVAL);
@@@ -982,6 -984,10 +984,10 @@@
        mnt->mnt_mountpoint     = mnt->mnt.mnt_root;
        mnt->mnt_parent         = mnt;
  
+       fs_userns = mnt->mnt.mnt_sb->s_user_ns;
+       if (!initial_idmapping(fs_userns))
+               mnt->mnt.mnt_userns = get_user_ns(fs_userns);
+ 
        lock_mount_hash();
        list_add_tail(&mnt->mnt_instance, &mnt->mnt.mnt_sb->s_mounts);
        unlock_mount_hash();
@@@ -1072,7 -1078,7 +1078,7 @@@ static struct mount *clone_mnt(struct m
  
        atomic_inc(&sb->s_active);
        mnt->mnt.mnt_userns = mnt_user_ns(&old->mnt);
-       if (mnt->mnt.mnt_userns != &init_user_ns)
+       if (!initial_idmapping(mnt->mnt.mnt_userns))
                mnt->mnt.mnt_userns = get_user_ns(mnt->mnt.mnt_userns);
        mnt->mnt.mnt_sb = sb;
        mnt->mnt.mnt_root = dget(root);
@@@ -3927,28 -3933,32 +3933,32 @@@ static unsigned int recalc_flags(struc
  static int can_idmap_mount(const struct mount_kattr *kattr, struct mount *mnt)
  {
        struct vfsmount *m = &mnt->mnt;
+       struct user_namespace *fs_userns = m->mnt_sb->s_user_ns;
  
        if (!kattr->mnt_userns)
                return 0;
  
+       /*
+        * Creating an idmapped mount with the filesystem wide idmapping
+        * doesn't make sense so block that. We don't allow mushy semantics.
+        */
+       if (kattr->mnt_userns == fs_userns)
+               return -EINVAL;
+ 
        /*
         * Once a mount has been idmapped we don't allow it to change its
         * mapping. It makes things simpler and callers can just create
         * another bind-mount they can idmap if they want to.
         */
-       if (mnt_user_ns(m) != &init_user_ns)
+       if (is_idmapped_mnt(m))
                return -EPERM;
  
        /* The underlying filesystem doesn't support idmapped mounts yet. */
        if (!(m->mnt_sb->s_type->fs_flags & FS_ALLOW_IDMAP))
                return -EINVAL;
  
-       /* Don't yet support filesystem mountable in user namespaces. */
-       if (m->mnt_sb->s_user_ns != &init_user_ns)
-               return -EINVAL;
- 
        /* We're not controlling the superblock. */
-       if (!capable(CAP_SYS_ADMIN))
+       if (!ns_capable(fs_userns, CAP_SYS_ADMIN))
                return -EPERM;
  
        /* Mount has already been visible in the filesystem hierarchy. */
@@@ -4002,14 -4012,27 +4012,27 @@@ out
  
  static void do_idmap_mount(const struct mount_kattr *kattr, struct mount *mnt)
  {
-       struct user_namespace *mnt_userns;
+       struct user_namespace *mnt_userns, *old_mnt_userns;
  
        if (!kattr->mnt_userns)
                return;
  
+       /*
+        * We're the only ones able to change the mount's idmapping. So
+        * mnt->mnt.mnt_userns is stable and we can retrieve it directly.
+        */
+       old_mnt_userns = mnt->mnt.mnt_userns;
+ 
        mnt_userns = get_user_ns(kattr->mnt_userns);
        /* Pairs with smp_load_acquire() in mnt_user_ns(). */
        smp_store_release(&mnt->mnt.mnt_userns, mnt_userns);
+ 
+       /*
+        * If this is an idmapped filesystem drop the reference we've taken
+        * in vfs_create_mount() before.
+        */
+       if (!initial_idmapping(old_mnt_userns))
+               put_user_ns(old_mnt_userns);
  }
  
  static void mount_setattr_commit(struct mount_kattr *kattr,
@@@ -4133,13 -4156,15 +4156,15 @@@ static int build_mount_idmapped(const s
        }
  
        /*
-        * The init_user_ns is used to indicate that a vfsmount is not idmapped.
-        * This is simpler than just having to treat NULL as unmapped. Users
-        * wanting to idmap a mount to init_user_ns can just use a namespace
-        * with an identity mapping.
+        * The initial idmapping cannot be used to create an idmapped
+        * mount. We use the initial idmapping as an indicator of a mount
+        * that is not idmapped. It can simply be passed into helpers that
+        * are aware of idmapped mounts as a convenient shortcut. A user
+        * can just create a dedicated identity mapping to achieve the same
+        * result.
         */
        mnt_userns = container_of(ns, struct user_namespace, ns);
-       if (mnt_userns == &init_user_ns) {
+       if (initial_idmapping(mnt_userns)) {
                err = -EPERM;
                goto out_fput;
        }
@@@ -4263,11 -4288,12 +4288,11 @@@ SYSCALL_DEFINE5(mount_setattr, int, dfd
                return err;
  
        err = user_path_at(dfd, path, kattr.lookup_flags, &target);
 -      if (err)
 -              return err;
 -
 -      err = do_mount_setattr(&target, &kattr);
 +      if (!err) {
 +              err = do_mount_setattr(&target, &kattr);
 +              path_put(&target);
 +      }
        finish_mount_kattr(&kattr);
 -      path_put(&target);
        return err;
  }
  

diff --combined fs/xfs/xfs_inode.c
index 6771f357ad2cce9738c4bdbc9720763e1a3f5025,5ca689459bed4fce92002b3d289692207da8a3fc..04bf467b1090e611e0d34e9ccb85f4c745248582
--- 1/fs/xfs/xfs_inode.c
--- 2/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@@ -988,8 -988,8 +988,8 @@@ xfs_create
        /*
         * Make sure that we have allocated dquot(s) on disk.
         */
-       error = xfs_qm_vop_dqalloc(dp, mapped_fsuid(mnt_userns),
-                       mapped_fsgid(mnt_userns), prid,
+       error = xfs_qm_vop_dqalloc(dp, mapped_fsuid(mnt_userns, &init_user_ns),
+                       mapped_fsgid(mnt_userns, &init_user_ns), prid,
                        XFS_QMOPT_QUOTALL | XFS_QMOPT_INHERIT,
                        &udqp, &gdqp, &pdqp);
        if (error)
@@@ -1142,8 -1142,8 +1142,8 @@@ xfs_create_tmpfile
        /*
         * Make sure that we have allocated dquot(s) on disk.
         */
-       error = xfs_qm_vop_dqalloc(dp, mapped_fsuid(mnt_userns),
-                       mapped_fsgid(mnt_userns), prid,
+       error = xfs_qm_vop_dqalloc(dp, mapped_fsuid(mnt_userns, &init_user_ns),
+                       mapped_fsgid(mnt_userns, &init_user_ns), prid,
                        XFS_QMOPT_QUOTALL | XFS_QMOPT_INHERIT,
                        &udqp, &gdqp, &pdqp);
        if (error)
@@@ -3122,6 -3122,7 +3122,6 @@@ xfs_rename
         * appropriately.
         */
        if (flags & RENAME_WHITEOUT) {
 -              ASSERT(!(flags & (RENAME_NOREPLACE | RENAME_EXCHANGE)));
                error = xfs_rename_alloc_whiteout(mnt_userns, target_dp, &wip);
                if (error)
                        return error;