Squashfs mount doesn't work #1

Open
opened 2025-04-19 19:21:12 +00:00 by mpeterma · 2 comments
Owner

Code defect - squashfs is not mounted when used with overlay

Author
Owner

Mounting SquashFS images requires elevated privileges on most Linux systems. This is a limitation of the kernel itself — mounting a filesystem like SquashFS, even in read-only mode, is not permitted for unprivileged users, even inside a user namespace.

Unlike OverlayFS (which can work in rootless mode with the right kernel configuration), SquashFS is a filesystem driver, and using it always requires CAP_SYS_ADMIN within the relevant mount namespace.

This means that rootless users cannot mount SquashFS directly unless:

  • A privileged helper is used (sudo, setuid binary, etc.)
  • Or a userspace alternative like squashfuse is employed (less performant and limited)

To maintain the rootless and minimalist philosophy of ljexec, we're considering introducing a dedicated setuid helper tool with a very narrow purpose:

A small binary that only mounts .squashfs files into specific, controlled locations such as /tmp/ljexec-img-*.

This would:

  • Allow rootless users to still work with compressed SquashFS images
  • Avoid the complexity of a full container engine
  • Keep the codebase small, auditable, and secure

We’re actively working on a prototype that:

  • Validates input paths to prevent abuse
  • Performs the mount operation with minimal privileges
  • Fails cleanly and logs meaningful errors if anything goes wrong
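As an added illustration of the helper design described in the comment above (this is example code written for this page, not the ljexec project's code and not the mount_squashfs binary the owner tested with), the C program below implements a setuid-root helper with exactly one job: attach one .squashfs file to a loop device and mount it read-only on one directory under /tmp/ljexec-img-NAME owned by the invoking user. The prefix /tmp/ljexec-img-, the program name and the install recipe are assumptions. Two points the prose does not spell out: a regular file cannot be passed to mount(2) directly (squashfs needs a block device, so the helper sets up a loop device with LO_FLAGS_AUTOCLEAR so it is released on unmount), and the mount must carry MS_NOSUID|MS_NODEV, since an image chosen by an unprivileged caller can contain setuid-root binaries or device nodes. The image is opened with the caller's real uid/gid so ordinary file permissions decide whether they may read it, and the target is opened once with O_NOFOLLOW and mounted through /proc/self/fd so the checked directory is the one that gets mounted on.

```c
/* mount_squashfs_helper.c: illustrative setuid-root helper (added example, not
 * ljexec's own code). Mounts ONE .squashfs file read-only on ONE directory
 * named /tmp/ljexec-img-NAME that is owned by the invoking (real) user.
 * Build:   cc -O2 -Wall -o mount_squashfs_helper mount_squashfs_helper.c
 * Install: chown root:root mount_squashfs_helper && chmod 4755 mount_squashfs_helper
 * (assumed locations and names; adjust the policy constants for a real deployment) */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <linux/loop.h>

#define TARGET_PREFIX "/tmp/ljexec-img-"   /* assumed controlled mount location */
#define IMAGE_SUFFIX  ".squashfs"

/* Lexical policy on the already-resolved target path: exactly one directory
 * directly under the prefix, so "/tmp/ljexec-img-a/etc" or "/tmp/ljexec-img-"
 * are refused. Pure function, so it can be unit-tested without root. */
int target_path_allowed(const char *resolved)
{
    size_t plen = strlen(TARGET_PREFIX);
    if (strncmp(resolved, TARGET_PREFIX, plen) != 0) return 0;
    const char *rest = resolved + plen;
    if (*rest == '\0') return 0;             /* need a non-empty NAME */
    if (strchr(rest, '/') != NULL) return 0;  /* no deeper path components */
    return 1;
}

/* Accept only files whose basename ends in ".squashfs" and is longer than the suffix. */
int has_squashfs_suffix(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    size_t blen = strlen(base), slen = strlen(IMAGE_SUFFIX);
    return blen > slen && strcmp(base + blen - slen, IMAGE_SUFFIX) == 0;
}

static void die(const char *what)
{
    fprintf(stderr, "mount_squashfs_helper: %s: %s\n", what, strerror(errno));
    exit(1);
}

/* Open the image with the caller's own uid/gid so DAC decides whether they may read it. */
static int open_image_as_caller(const char *path, uid_t ruid, gid_t rgid)
{
    if (setegid(rgid) != 0 || seteuid(ruid) != 0) die("drop privileges");
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    int saved = errno;
    if (seteuid(0) != 0 || setegid(0) != 0) die("restore privileges");
    errno = saved;
    return fd;
}

/* Attach imgfd to a free loop device, read-only and autoclear (freed on unmount). */
static int attach_loop(int imgfd, char *devpath, size_t devlen)
{
    int ctl = open("/dev/loop-control", O_RDWR | O_CLOEXEC);
    if (ctl < 0) return -1;
    int n = ioctl(ctl, LOOP_CTL_GET_FREE);
    close(ctl);
    if (n < 0) return -1;
    snprintf(devpath, devlen, "/dev/loop%d", n);
    int dev = open(devpath, O_RDWR | O_CLOEXEC);
    if (dev < 0) return -1;
    if (ioctl(dev, LOOP_SET_FD, imgfd) < 0) { close(dev); return -1; }
    struct loop_info64 info;
    memset(&info, 0, sizeof info);
    info.lo_flags = LO_FLAGS_READ_ONLY | LO_FLAGS_AUTOCLEAR;
    if (ioctl(dev, LOOP_SET_STATUS64, &info) < 0) { ioctl(dev, LOOP_CLR_FD, 0); close(dev); return -1; }
    return dev;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s IMAGE.squashfs %sNAME\n", argv[0], TARGET_PREFIX); return 2; }
    uid_t ruid = getuid(); gid_t rgid = getgid();
    if (geteuid() != 0) { fprintf(stderr, "not running setuid root\n"); return 1; }
    if (!has_squashfs_suffix(argv[1])) { fprintf(stderr, "refusing: image must end in %s\n", IMAGE_SUFFIX); return 1; }

    /* Resolve the target once, apply the lexical policy, then check the opened directory itself. */
    char resolved[PATH_MAX];
    if (!realpath(argv[2], resolved)) die("realpath target");
    if (!target_path_allowed(resolved)) { fprintf(stderr, "refusing: target must be %sNAME\n", TARGET_PREFIX); return 1; }
    int dirfd = open(resolved, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dirfd < 0) die("open target");
    struct stat st;
    if (fstat(dirfd, &st) != 0) die("fstat target");
    if (st.st_uid != ruid) { fprintf(stderr, "refusing: target not owned by uid %u\n", (unsigned)ruid); return 1; }

    int imgfd = open_image_as_caller(argv[1], ruid, rgid);
    if (imgfd < 0) die("open image as caller");
    if (fstat(imgfd, &st) != 0 || !S_ISREG(st.st_mode)) { fprintf(stderr, "refusing: image is not a regular file\n"); return 1; }

    char dev[32];
    int devfd = attach_loop(imgfd, dev, sizeof dev);
    if (devfd < 0) die("loop device setup");

    /* Mount onto the fd we validated (via /proc/self/fd), never onto a re-resolved path.
     * nosuid/nodev: the image content is chosen by an unprivileged user. */
    char target[64];
    snprintf(target, sizeof target, "/proc/self/fd/%d", dirfd);
    if (mount(dev, target, "squashfs", MS_RDONLY | MS_NOSUID | MS_NODEV, NULL) != 0) die("mount");
    close(devfd); close(imgfd); close(dirfd);
    return 0;
}
```

The two policy functions are deliberately pure so they can be tested without root; everything that needs privilege is confined to main() and fails with a specific message. Unmounting is left to the caller's own privileges or a matching helper; with LO_FLAGS_AUTOCLEAR the loop device disappears once the filesystem is unmounted.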
Author
Owner

Test case:

```
mpeterma@t480s ~/P/o/ljexec (main)> sudo ./mount_squashfs /home/mpeterma/alpine-3.21.3.squashfs /run/user/1000/ljexec/
mpeterma@t480s ~/P/o/ljexec (main)> LJEXEC_CGROOT=/tmp/mycg ./ljexec --root /run/user/1000/ljexec/ --overlay-dir /tmp/myoverlay --mem 512 --cpu 50
[ljexec] Using cgroot: /tmp/mycg
[ljexec] Mounting overlay at /tmp/ljexec-1
[ljexec] Executing: /bin/sh
[ljexec] Cgroup set up at /tmp/mycg/ljexec-26516
/ # 
```
Reference
Atlas/ljexec#1