ovl: permit overlayfs mounts in user namespaces (Closes: #913880)

Permit overlayfs mounts within user namespaces to allow utilisation of e.g. unprivileged LXC overlay snapshots. Except by the Ubuntu community [1], overlayfs mounts in user namespaces are expected to be a security risk [2] and thus are not enabled on upstream Linux kernels. For the non-Ubuntu users that have to stick to unprivileged overlay-based LXCs, this meant to patch and compile the kernel manually. Instead, adding the kernel tainting 'permit_mounts_in_userns' module parameter allows a kind of a user-friendly way to enable the feature. Testable with: sudo modprobe overlay permit_mounts_in_userns=1 sudo sysctl -w kernel.unprivileged_userns_clone=1 mkdir -p lower upper work mnt unshare --map-root-user --mount \ mount -t overlay none mnt \ -o lowerdir=lower,upperdir=upper,workdir=work [1]: Ubuntu allows unprivileged mounting of overlay filesystem https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html [2]: User namespaces + overlayfs = root privileges https://lwn.net/Articles/671641/ Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
2018-11-19 21:16:26 +01:00 · 2018-11-19 21:16:26 +01:00 · 3436e1c735
parent 014c728272
commit 3436e1c735
3 changed files with 63 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -44,6 +44,9 @@ linux (4.19.8-1~exp1) UNRELEASED; urgency=medium
  * debian/rules: Mark more targets as phony
  * libcpupower: Hide private function and drop it from .symbols file

+  [ Nicolas Schier ]
+  * ovl: permit overlayfs mounts in user namespaces (Closes: #913880)
+
 -- Uwe Kleine-König <ukleinek@debian.org>  Wed, 28 Nov 2018 12:20:46 +0100

 linux (4.19.5-1~exp1) experimental; urgency=medium
--- a/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch
+++ b/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch
@ -0,0 +1,57 @@
+From: Nicolas Schier <nicolas@fjasle.eu>
+Subject: ovl: permit overlayfs mounts in user namespaces (taints kernel)
+Date: Mon, 19 Nov 2018 20:36:14 +0100
+
+Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
+unprivileged LXC overlay snapshots.
+
+Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
+expected to be a security risk [2] and thus are not enabled on upstream
+Linux kernels.  For the non-Ubuntu users that have to stick to unprivileged
+overlay-based LXCs, this meant to patch and compile the kernel manually.
+Instead, adding the kernel tainting 'permit_mounts_in_userns' module
+parameter allows a kind of a user-friendly way to enable the feature.
+
+Testable with:
+
+    sudo modprobe overlay permit_mounts_in_userns=1
+    sudo sysctl -w kernel.unprivileged_userns_clone=1
+    mkdir -p lower upper work mnt
+    unshare --map-root-user --mount \
+        mount -t overlay none mnt \
+              -o lowerdir=lower,upperdir=upper,workdir=work
+
+[1]: Ubuntu allows unprivileged mounting of overlay filesystem
+https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html
+
+[2]: User namespaces + overlayfs = root privileges
+https://lwn.net/Articles/671641/
+
+Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
+
+--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
+@@ -56,6 +56,11 @@ module_param_named(xino_auto, ovl_xino_a
+ MODULE_PARM_DESC(ovl_xino_auto_def,
+ 		 "Auto enable xino feature");
+ 
+static bool ovl_permit_mounts_in_userns;
+module_param_named_unsafe(permit_mounts_in_userns, ovl_permit_mounts_in_userns,
+			  bool, 0444);
+MODULE_PARM_DESC(permit_mounts_in_userns, "Permit mounts in user namespaces");
+
+ static void ovl_entry_stack_free(struct ovl_entry *oe)
+ {
+ 	unsigned int i;
+@@ -1567,6 +1572,11 @@ static int __init ovl_init(void)
+ 	if (ovl_inode_cachep == NULL)
+ 		return -ENOMEM;
+ 
+	if (unlikely(ovl_permit_mounts_in_userns)) {
+		pr_warn("overlayfs: Allowing overlay mounts in user namespaces bears security risks\n");
+		ovl_fs_type.fs_flags |= FS_USERNS_MOUNT;
+	}
+
+ 	err = register_filesystem(&ovl_fs_type);
+ 	if (err)
+ 		kmem_cache_destroy(ovl_inode_cachep);
--- a/debian/patches/series
+++ b/debian/patches/series
@ -156,4 +156,7 @@ debian/wireless-disable-regulatory.db-direct-loading.patch
 # Licence clarification
 bugfix/all/documentation-media-uapi-explicitly-say-there-are-no-invariant-sections.patch

+# overlay: allow mounting in user namespaces
+debian/overlayfs-permit-mounts-in-userns.patch
+
 # ABI maintenance