optionally use image driver for squashfs and gocryptfs in setuid mode

Signed-off-by: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com>

.github/workflows/ci.yml

@@ -324,9 +324,6 @@ jobs:
         if: env.run_tests
         run: sudo apt-get -q update && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential uidmap squashfs-tools squashfuse fuse-overlayfs fakeroot fuse2fs libseccomp-dev cryptsetup dbus-user-session
 
-      - name: Fetch gocryptfs
-        run: wget -O gocryptfs.tar.gz https://github.com/rfjakob/gocryptfs/releases/download/v2.3/gocryptfs_v2.3_linux-static_amd64.tar.gz && sudo tar xzvf gocryptfs.tar.gz -C /usr/local/bin gocryptfs
-
       # The fuse-overlayfs version from ubuntu-22.04, 1.7, is buggy,
       # so update to version 1.9
       # See https://github.com/apptainer/apptainer/issues/796
@@ -344,17 +341,33 @@ jobs:
           EOF
           sudo systemctl daemon-reload
 
-      - name: Build and install Apptainer
-        if: env.run_tests
+      # Build and install packages instead of compiling directly from source
+      # because that makes available the best versions of included tools
+      - name: Build and install deb packages
+        env:
+          OS_TYPE: ubuntu
+          OS_VERSION: 22.04
+          GO_ARCH: linux-amd64
         run: |
-          ./mconfig -v -p /usr/local --with-suid
-          make -C ./builddir all && sudo make -C ./builddir install
+          set -ex
+          # work on a copy of the source code because ci-docker-run modifies it
+          mkdir debsrc
+          rsync -a --stats --exclude debsrc . debsrc
+          cd debsrc
+          ./scripts/ci-docker-run
+          sudo dpkg -i *.deb
+          cd ..
+          # E2E tests expect apptainer to be under /usr/local
+          sudo mkdir -p /usr/local/bin
+          sudo ln -s /usr/bin/apptainer /usr/local/bin
 
       - name: Run E2E tests
         if: env.run_tests
         env:
           E2E_PARALLEL: 8
         run: |
+          ./mconfig -v -p /usr/local --with-suid
+          make -C ./builddir $PWD/scripts/go-test
           # Set up systemd for the rootless cgroups tests
           systemctl --user daemon-reload
           systemctl --user start dbus

CHANGELOG.md

@@ -9,6 +9,16 @@ For older changes see the [archived Singularity change log](https://github.com/a
 
 ### Changed defaults / behaviours
 
+- In setuid privileged mode, if `allow setuid-mount squashfs = no` then
+  the squashfuse image driver will be used to mount squash images
+  instead of the kernel squashfs driver.  This eliminates the
+  vulnerability of using a kernel filesystem driver to mount a file
+  writable by an unprivileged user.  Likewise, if
+  `allow setuid-mount encrypted = no` then the unprivileged gocryptfs
+  format will be used for encrypting SIF files instead of the kernel
+  device-mapper.  If a SIF file was encrypted using the gocryptfs
+  format, it can now be mounted in setuid mode in addition to
+  non-setuid mode.
 - `--cwd` is now the preferred form of the flag for setting the container's
   working directory, though `--pwd` is still supported for compatibility.
 - When building RPM, we will now use `/var/lib/apptainer` (rather than

INSTALL.md

@@ -28,6 +28,7 @@ sudo apt-get install -y \
     fuse-overlayfs \
     fakeroot \
     cryptsetup \
+    tzdata \
     curl wget git
 ```
 

examples/plugins/ubuntu-userns-overlay-plugin/main.go

@@ -13,6 +13,7 @@ import (
 	"fmt"
 	"os/exec"
 	"strings"
+	"syscall"
 
 	"github.com/apptainer/apptainer/pkg/image"
 	pluginapi "github.com/apptainer/apptainer/pkg/plugin"
@@ -70,6 +71,10 @@ func (d *ubuntuOvlDriver) Stop(target string) error {
 	return nil
 }
 
+func (d *ubuntuOvlDriver) Stopped(int, syscall.WaitStatus) error {
+	return nil
+}
+
 // setConfiguration sets "image driver" and "enable overlay" configuration directives
 // during apptainer plugin install step.
 func setConfiguration(_ string) error {