[PATCH v2 00/10] allow unprivileged overlay mounts
From: Miklos Szeredi
Date: Mon Dec 07 2020 - 11:35:35 EST
I've done some more work to verify that unprivileged mount of overlayfs is
safe.
One thing I did is to basically audit all function calls made by overlayfs
to see if it's normally called with any checks and whether overlayfs calls
it with the same (permission and other) checks.
Some of this work has already made it into 5.8 and this series contains
more fixes.
A general observation is that overlayfs does not call security_path_*()
hooks on the underlying fs. I don't see this as a problem, because a
simple bind mount done inside a private mount namespace also defeats the
path based security checks. Maybe I'm missing something here, so I'm
interested in comments from AppArmor and Tomoyo developers.
Eric, do you have thought about what to look for with respect to
unprivileged mount safety and whether you think this is ready for upstream?
Git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs.git#ovl-unpriv-v2
Thanks,
Miklos
Miklos Szeredi (10):
vfs: move cap_convert_nscap() call into vfs_setxattr()
vfs: verify source area in vfs_dedupe_file_range_one()
ovl: check privs before decoding file handle
ovl: make ioctl() safe
ovl: simplify file splice
ovl: user xattr
ovl: do not fail when setting origin xattr
ovl: do not fail because of O_NOATIME
ovl: do not get metacopy for userxattr
ovl: unprivieged mounts
fs/overlayfs/copy_up.c | 3 +-
fs/overlayfs/file.c | 126 +++----------------------------------
fs/overlayfs/inode.c | 10 ++-
fs/overlayfs/namei.c | 3 +
fs/overlayfs/overlayfs.h | 8 ++-
fs/overlayfs/ovl_entry.h | 1 +
fs/overlayfs/super.c | 56 +++++++++++++++--
fs/overlayfs/util.c | 12 +++-
fs/remap_range.c | 10 ++-
fs/xattr.c | 17 +++--
include/linux/capability.h | 2 +-
security/commoncap.c | 3 +-
12 files changed, 110 insertions(+), 141 deletions(-)
--
2.26.2