I need some clarification on how the ‘security.syscalls.intercept.mount.fuse’ configuration is supposed to work. I have the following set currently on a container:
security.syscalls.intercept.mount: “true”
security.syscalls.intercept.mount.allowed: nfs
security.syscalls.intercept.mount.fuse: ext4=fuse2fs
I have the ‘fuse2fs’ package installed on the host as well as in the container, both at this version:
# apt-cache policy fuse2fs fuse2fs: Installed: 1.44.1-1ubuntu1.3 Candidate: 1.44.1-1ubuntu1.3
I have a loopback device added to the container with the following profile:
$ lxc profile show loop config: {} description: "" devices: loop-control: gid: "6" major: "10" minor: "237" path: /dev/loop-control required: "true" type: unix-char loop63: gid: "6" major: "7" minor: "63" path: /dev/loop63 required: "true" type: unix-block name: loop used_by: - /1.0/instances/fuse2fs-test
I am trying to mount an ext4 filesystem from a file as follows:
root@fuse2fs-test:~# truncate -s2GiB /tmp/ext4.img root@fuse2fs-test:~# mkfs.ext4 /tmp/ext4.img mke2fs 1.44.1 (24-Mar-2018) Discarding device blocks: done Creating filesystem with 524288 4k blocks and 131072 inodes Filesystem UUID: 26eb2bad-809f-4608-a6f5-f36f78622623 Superblock backups stored on blocks: 32768, 98304, 163840, 229376, 294912 Allocating group tables: done Writing inode tables: done Creating journal (16384 blocks): done Writing superblocks and filesystem accounting information: done root@fuse2fs-test:~# losetup /dev/loop63 /tmp/ext4.img root@fuse2fs-test:~# losetup -a /dev/loop63: [0076]:35051 (/tmp/ext4.img) root@fuse2fs-test:~# mount -o ro,noload /dev/loop63 /mnt mount: /mnt: permission denied.
I don’t understand where the ‘permission denied’ is coming from. The LXD daemon log in debug mode shows:
t=2020-04-22T14:54:30-0700 lvl=dbug msg=“Handling mount syscall” audit_architecture=3221225534 container=fuse2fs-test fuse_ignored_flags=0 fuse_opts=noload,ro fuse_source=fuse2fs#/dev/loop63 fuse_target=/mnt project=default seccomp_notify_flags=0 seccomp_notify_id=16771764576638936099 syscall_continue=true syscall_number=165
Oddly, the following works from within the container:
root@fuse2fs-test:~# fuse2fs /dev/loop63 /mnt /dev/loop63: Writing to the journal is not supported. root@fuse2fs-test:~# ls -la /mnt total 162 drwxr-xr-x 3 root root 4096 Apr 22 21:53 . drwxr-xr-x 22 root root 22 Apr 7 15:52 .. drwx------ 2 root root 16384 Apr 22 21:53 lost+found
So, I am wondering that the difference is between using ‘fuse2fs’ directly inside the container vs adding ‘ext4=fuse2fs’ to ‘security.syscalls.intercept.mount.fuse’? When the fuse intercept is defined from what context/namespace is the fuse2fs call being made? The host or the container?