From 3436e1c735fe32f6a434cc129d7bac8b1d170d9b Mon Sep 17 00:00:00 2001
From: Nicolas Schier
Date: Mon, 19 Nov 2018 21:16:26 +0100
Subject: [PATCH] ovl: permit overlayfs mounts in user namespaces (Closes: #913880)

Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
unprivileged LXC overlay snapshots.

Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
expected to be a security risk [2] and thus are not enabled on upstream
Linux kernels. For the non-Ubuntu users that have to stick to unprivileged
overlay-based LXCs, this meant to patch and compile the kernel manually.
Instead, adding the kernel tainting 'permit_mounts_in_userns' module
parameter allows a kind of a user-friendly way to enable the feature.

Testable with:

sudo modprobe overlay permit_mounts_in_userns=1
sudo sysctl -w kernel.unprivileged_userns_clone=1
mkdir -p lower upper work mnt
unshare --map-root-user --mount \
mount -t overlay none mnt \
-o lowerdir=lower,upperdir=upper,workdir=work

[1]: Ubuntu allows unprivileged mounting of overlay filesystem
https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html

[2]: User namespaces + overlayfs = root privileges
https://lwn.net/Articles/671641/

Signed-off-by: Nicolas Schier
---
 debian/changelog | 3 +
 .../overlayfs-permit-mounts-in-userns.patch | 57 +++++++++++++++++++
 debian/patches/series | 3 +
 3 files changed, 63 insertions(+)
 create mode 100644 debian/patches/debian/overlayfs-permit-mounts-in-userns.patch

diff --git a/debian/changelog b/debian/changelog
index d4c09f3a5..a039c7bec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -44,6 +44,9 @@ linux (4.19.8-1~exp1) UNRELEASED; urgency=medium
 * debian/rules: Mark more targets as phony
 * libcpupower: Hide private function and drop it from .symbols file
+ [ Nicolas Schier ]
+ * ovl: permit overlayfs mounts in user namespaces (Closes: #913880)
+
 -- Uwe Kleine-König Wed, 28 Nov 2018 12:20:46 +0100
 linux (4.19.5-1~exp1) experimental; urgency=medium
diff --git a/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch b/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch
new file mode 100644
index 000000000..79856ddcb
--- /dev/null
+++ b/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch
@@ -0,0 +1,57 @@
+From: Nicolas Schier
+Subject: ovl: permit overlayfs mounts in user namespaces (taints kernel)
+Date: Mon, 19 Nov 2018 20:36:14 +0100
+
+Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
+unprivileged LXC overlay snapshots.
+
+Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
+expected to be a security risk [2] and thus are not enabled on upstream
+Linux kernels. For the non-Ubuntu users that have to stick to unprivileged
+overlay-based LXCs, this meant to patch and compile the kernel manually.
+Instead, adding the kernel tainting 'permit_mounts_in_userns' module
+parameter allows a kind of a user-friendly way to enable the feature.
+
+Testable with:
+
+ sudo modprobe overlay permit_mounts_in_userns=1
+ sudo sysctl -w kernel.unprivileged_userns_clone=1
+ mkdir -p lower upper work mnt
+ unshare --map-root-user --mount \
+ mount -t overlay none mnt \
+ -o lowerdir=lower,upperdir=upper,workdir=work
+
+[1]: Ubuntu allows unprivileged mounting of overlay filesystem
+https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html
+
+[2]: User namespaces + overlayfs = root privileges
+https://lwn.net/Articles/671641/
+
+Signed-off-by: Nicolas Schier
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -56,6 +56,11 @@ module_param_named(xino_auto, ovl_xino_a
+ MODULE_PARM_DESC(ovl_xino_auto_def,
+ "Auto enable xino feature");
+ 
++static bool ovl_permit_mounts_in_userns;
++module_param_named_unsafe(permit_mounts_in_userns, ovl_permit_mounts_in_userns,
++ bool, 0444);
++MODULE_PARM_DESC(permit_mounts_in_userns, "Permit mounts in user namespaces");
++
+ static void ovl_entry_stack_free(struct ovl_entry *oe)
+ {
+ unsigned int i;
+@@ -1567,6 +1572,11 @@ static int __init ovl_init(void)
+ if (ovl_inode_cachep == NULL)
+ return -ENOMEM;
+ 
++ if (unlikely(ovl_permit_mounts_in_userns)) {
++ pr_warn("overlayfs: Allowing overlay mounts in user namespaces bears security risks\n");
++ ovl_fs_type.fs_flags |= FS_USERNS_MOUNT;
++ }
++
+ err = register_filesystem(&ovl_fs_type);
+ if (err)
+ kmem_cache_destroy(ovl_inode_cachep);
diff --git a/debian/patches/series b/debian/patches/series
index b5191ac9b..0b570a6eb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -156,4 +156,7 @@ debian/wireless-disable-regulatory.db-direct-loading.patch
 # Licence clarification
 bugfix/all/documentation-media-uapi-explicitly-say-there-are-no-invariant-sections.patch
+# overlay: allow mounting in user namespaces
+debian/overlayfs-permit-mounts-in-userns.patch
+
 # ABI maintenance
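Review bot: The `unlikely()` wrapped around `ovl_permit_mounts_in_userns` in the second super.c hunk is a branch-prediction hint on a one-shot `__init` check and only adds noise; `if (ovl_permit_mounts_in_userns) {` says the same thing. The MODULE_PARM_DESC string in the first hunk should tell the administrator what setting the option actually does, since the `_unsafe` registration taints the kernel as the inner Subject line notes, e.g. `MODULE_PARM_DESC(permit_mounts_in_userns, "Permit overlay mounts in user namespaces (unsafe, taints kernel)");`. With mode 0444 the flag can only be set at module load or on the kernel command line, so the taint and the single pr_warn line at init are the only runtime indicators an operator has that FS_USERNS_MOUNT is active on the overlay filesystem type; the patch description would benefit from stating that explicitly. Both nested hunks belong to a file this commit adds in full, and ovl_init()'s body continues outside the second hunk.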