ovl: permit overlayfs mounts in user namespaces (Closes: #913880)
Permit overlayfs mounts within user namespaces to allow utilisation of e.g. unprivileged LXC overlay snapshots. Except by the Ubuntu community [1], overlayfs mounts in user namespaces are expected to be a security risk [2] and thus are not enabled on upstream Linux kernels. For the non-Ubuntu users that have to stick to unprivileged overlay-based LXCs, this meant to patch and compile the kernel manually. Instead, adding the kernel tainting 'permit_mounts_in_userns' module parameter allows a kind of a user-friendly way to enable the feature. Testable with: sudo modprobe overlay permit_mounts_in_userns=1 sudo sysctl -w kernel.unprivileged_userns_clone=1 mkdir -p lower upper work mnt unshare --map-root-user --mount \ mount -t overlay none mnt \ -o lowerdir=lower,upperdir=upper,workdir=work [1]: Ubuntu allows unprivileged mounting of overlay filesystem https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html [2]: User namespaces + overlayfs = root privileges https://lwn.net/Articles/671641/ Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
This commit is contained in:
parent
014c728272
commit
3436e1c735
|
@ -44,6 +44,9 @@ linux (4.19.8-1~exp1) UNRELEASED; urgency=medium
|
|||
* debian/rules: Mark more targets as phony
|
||||
* libcpupower: Hide private function and drop it from .symbols file
|
||||
|
||||
[ Nicolas Schier ]
|
||||
* ovl: permit overlayfs mounts in user namespaces (Closes: #913880)
|
||||
|
||||
-- Uwe Kleine-König <ukleinek@debian.org> Wed, 28 Nov 2018 12:20:46 +0100
|
||||
|
||||
linux (4.19.5-1~exp1) experimental; urgency=medium
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
From: Nicolas Schier <nicolas@fjasle.eu>
|
||||
Subject: ovl: permit overlayfs mounts in user namespaces (taints kernel)
|
||||
Date: Mon, 19 Nov 2018 20:36:14 +0100
|
||||
|
||||
Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
|
||||
unprivileged LXC overlay snapshots.
|
||||
|
||||
Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
|
||||
expected to be a security risk [2] and thus are not enabled on upstream
|
||||
Linux kernels. For the non-Ubuntu users that have to stick to unprivileged
|
||||
overlay-based LXCs, this meant to patch and compile the kernel manually.
|
||||
Instead, adding the kernel tainting 'permit_mounts_in_userns' module
|
||||
parameter allows a kind of a user-friendly way to enable the feature.
|
||||
|
||||
Testable with:
|
||||
|
||||
sudo modprobe overlay permit_mounts_in_userns=1
|
||||
sudo sysctl -w kernel.unprivileged_userns_clone=1
|
||||
mkdir -p lower upper work mnt
|
||||
unshare --map-root-user --mount \
|
||||
mount -t overlay none mnt \
|
||||
-o lowerdir=lower,upperdir=upper,workdir=work
|
||||
|
||||
[1]: Ubuntu allows unprivileged mounting of overlay filesystem
|
||||
https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html
|
||||
|
||||
[2]: User namespaces + overlayfs = root privileges
|
||||
https://lwn.net/Articles/671641/
|
||||
|
||||
Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
|
||||
|
||||
--- a/fs/overlayfs/super.c
|
||||
+++ b/fs/overlayfs/super.c
|
||||
@@ -56,6 +56,11 @@ module_param_named(xino_auto, ovl_xino_a
|
||||
MODULE_PARM_DESC(ovl_xino_auto_def,
|
||||
"Auto enable xino feature");
|
||||
|
||||
+static bool ovl_permit_mounts_in_userns;
|
||||
+module_param_named_unsafe(permit_mounts_in_userns, ovl_permit_mounts_in_userns,
|
||||
+ bool, 0444);
|
||||
+MODULE_PARM_DESC(permit_mounts_in_userns, "Permit mounts in user namespaces");
|
||||
+
|
||||
static void ovl_entry_stack_free(struct ovl_entry *oe)
|
||||
{
|
||||
unsigned int i;
|
||||
@@ -1567,6 +1572,11 @@ static int __init ovl_init(void)
|
||||
if (ovl_inode_cachep == NULL)
|
||||
return -ENOMEM;
|
||||
|
||||
+ if (unlikely(ovl_permit_mounts_in_userns)) {
|
||||
+ pr_warn("overlayfs: Allowing overlay mounts in user namespaces bears security risks\n");
|
||||
+ ovl_fs_type.fs_flags |= FS_USERNS_MOUNT;
|
||||
+ }
|
||||
+
|
||||
err = register_filesystem(&ovl_fs_type);
|
||||
if (err)
|
||||
kmem_cache_destroy(ovl_inode_cachep);
|
|
@ -156,4 +156,7 @@ debian/wireless-disable-regulatory.db-direct-loading.patch
|
|||
# Licence clarification
|
||||
bugfix/all/documentation-media-uapi-explicitly-say-there-are-no-invariant-sections.patch
|
||||
|
||||
# overlay: allow mounting in user namespaces
|
||||
debian/overlayfs-permit-mounts-in-userns.patch
|
||||
|
||||
# ABI maintenance
|
||||
|
|
Loading…
Reference in New Issue