From acde3ceeaa152145fc64b8033d1ec0b8c96772cd Mon Sep 17 00:00:00 2001
From: Rodrigo Campos
Date: Mon, 21 Aug 2023 16:21:07 +0200
Subject: [PATCH] features-linux: Expose idmap information

High level container runtimes need to know if the OCI runtime supports idmap mounts or not, as the OCI runtime silently ignores unknown fields. This means that if it doesn't support idmap mounts, a container with userns will be started, without idmap mounts, and the files created on the volumes will have a "garbage" owner/group. Furthermore, as the userns mapping is not guaranteed to be stable over time, it will be completely unusable. Let's expose idmap support in the features subcommand, so high level container runtimes use the feature safely.

Signed-off-by: Rodrigo Campos
---
 features-linux.md | 14 ++++++++++++++
 schema/features-linux.json | 10 +++++++++-
 specs-go/features/features.go | 19 ++++++++++++++-----
 3 files changed, 37 insertions(+), 6 deletions(-)

diff --git a/features-linux.md b/features-linux.md
index 452514387..791fa55c0 100644
--- a/features-linux.md
+++ b/features-linux.md
@@ -209,3 +209,17 @@ Irrelevant to the availability of Intel RDT on the host operating system.
 "enabled": true
 }
 ```
+
+## MountExtensions
+
+**`mountExtensions`** (object, OPTIONAL) represents the runtime's implementation status of different mount features.
+
+* **`idmap`** (bool, OPTIONAL) represents whether the runtime supports idmap mounts using the uidMappings and gidMappings properties of the mount.
+
+### Example
+
+```json
+"mountExtensions": {
+ "idmap": true
+}
+```
diff --git a/schema/features-linux.json b/schema/features-linux.json
index 723ee67b8..a022c96e0 100644
--- a/schema/features-linux.json
+++ b/schema/features-linux.json
@@ -97,7 +97,15 @@
 "type": "boolean"
 }
 }
- }
+ },
+ "mountExtensions": {
+ "type": "object",
+ "properties": {
+ "idmap": {
+ "type": "boolean"
+ }
+ }
+ }
 }
 }
 }
diff --git a/specs-go/features/features.go b/specs-go/features/features.go
index 230e88f56..401763ada 100644
--- a/specs-go/features/features.go
+++ b/specs-go/features/features.go
@@ -36,11 +36,12 @@ type Linux struct {
 // Nil value means "unknown", not "no support for any capability".
 Capabilities []string `json:"capabilities,omitempty"`
 
- Cgroup *Cgroup `json:"cgroup,omitempty"`
- Seccomp *Seccomp `json:"seccomp,omitempty"`
- Apparmor *Apparmor `json:"apparmor,omitempty"`
- Selinux *Selinux `json:"selinux,omitempty"`
- IntelRdt *IntelRdt `json:"intelRdt,omitempty"`
+ Cgroup *Cgroup `json:"cgroup,omitempty"`
+ Seccomp *Seccomp `json:"seccomp,omitempty"`
+ Apparmor *Apparmor `json:"apparmor,omitempty"`
+ Selinux *Selinux `json:"selinux,omitempty"`
+ IntelRdt *IntelRdt `json:"intelRdt,omitempty"`
+ MountExtensions *MountExtensions `json:"mountExtensions,omitempty"`
 }
 
 // Cgroup represents the "cgroup" field.
@@ -123,3 +124,11 @@ type IntelRdt struct {
 // Nil value means "unknown", not "false".
 Enabled *bool `json:"enabled,omitempty"`
 }
+
+// MountExtensions represents the "mountExtensions" field.
+type MountExtensions struct {
+ // IDMap represents whether idmap mounts supports is compiled in.
+ // Unrelated to whether the host supports it or not.
+ // Nil value means "unknown", not "false".
+ IDMap *bool `json:"idmap,omitempty"`
+}
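Review bot: The IDMap doc comment in the second hunk has a typo and describes the flag differently from features-linux.md: `// IDMap represents whether idmap mounts supports is compiled in.` should read `// IDMap represents whether idmap mount support is compiled in.`, while the Markdown describes it as support for the mount's uidMappings and gidMappings properties, so one wording should be used in both places. Given the commit message's point that a runtime silently ignores unknown mount fields and then produces volumes with garbage ownership, the comment should also tell consumers how to act on the tri-state value; for example `// Consumers should treat nil as "not supported" before relying on idmap mounts.` makes the fail-closed reading explicit. The same nil-means-unknown convention is visible on IntelRdt.Enabled in the hunk context, so the wording there can be mirrored.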