virtio-fs permissions support

[spencerpogo]

Is your feature request related to a problem? Please describe.
I have a directory with files owned by root. I'd like to share this filesystem so that non-admin users (or even no users at all) on the guest can read these files but not modify them.

Describe the solution you'd like
A couple ideas (I'm not sure if these would solve the problem on their own)

• Something similar to what was removed in RHBZ#2112559: VirtIO-FS: set guest side owner UID/GID to Everyone #803. Could you clarify the motivation behind that PR?
• a registry key/command-line to set LocalUid/LocalGid

Describe alternatives you've considered
The host system is a container so making a read-only mount would be non-trivial (mount is blocked by seccomp and I'm not 100% clea on the security implications of allowing it).
I could run the host virtiofsd as a non-privileged host user, however, I want to keep these root owned files from being read by unprivileged users on the host.

Additional context
N/A

[viktor-prutyanov]

Hi

The motivation is that it is hard to reliably set the file owner to the current user ID, especially when virtiofs runs as a Windows service or when Active Directory is enabled. Please also take into account that such permissions should be mapped somehow to host POSIX permissions.

It is possible to adjust LocalUid and LocalGid, but I'm not sure this can solve your problem.

From my point of view, the problem of securing host files should be solved on the host side (virtiofsd).

[spencerpogo]

OK, I suppose this is a niche use-case. I solved it by adding a startup script to my VM that reads the file off of the bridge, copies it into the C drive, makes it only readable by admins, and then removes the original file from the bridge. I suppose this solves the problem.