Optionally allow using "user.overlay." namespace instead of
"trusted.overlay."

This is necessary for overlayfs to be able to be mounted in an unprivileged
namepsace.

Make the option explicit, since it makes the filesystem format be
incompatible.

Disable redirect_dir and metacopy options, because these would allow
privilege escalation through direct manipulation of the
"user.overlay.redirect" or "user.overlay.metacopy" xattrs.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
This commit is contained in:
Miklos Szeredi 2020-12-14 15:26:14 +01:00
Родитель 82a763e61e
Коммит 2d2f2d7322
6 изменённых файлов: 82 добавлений и 18 удалений

Просмотреть файл

@ -102,8 +102,8 @@ but not all filesystems that are mountable by Linux have the features
needed for OverlayFS to work. The lower filesystem does not need to be needed for OverlayFS to work. The lower filesystem does not need to be
writable. The lower filesystem can even be another overlayfs. The upper writable. The lower filesystem can even be another overlayfs. The upper
filesystem will normally be writable and if it is it must support the filesystem will normally be writable and if it is it must support the
creation of trusted.* extended attributes, and must provide valid d_type in creation of trusted.* and/or user.* extended attributes, and must provide
readdir responses, so NFS is not suitable. valid d_type in readdir responses, so NFS is not suitable.
A read-only overlay of two read-only filesystems may use any A read-only overlay of two read-only filesystems may use any
filesystem type. filesystem type.
@ -594,6 +594,15 @@ fresh one. In very limited cases where the user knows that the system has
not crashed and contents of upperdir are intact, The "volatile" directory not crashed and contents of upperdir are intact, The "volatile" directory
can be removed. can be removed.
User xattr
----------
The the "-o userxattr" mount option forces overlayfs to use the
"user.overlay." xattr namespace instead of "trusted.overlay.". This is
useful for unprivileged mounting of overlayfs.
Testsuite Testsuite
--------- ---------

Просмотреть файл

@ -329,8 +329,14 @@ static const char *ovl_get_link(struct dentry *dentry,
bool ovl_is_private_xattr(struct super_block *sb, const char *name) bool ovl_is_private_xattr(struct super_block *sb, const char *name)
{ {
return strncmp(name, OVL_XATTR_PREFIX, struct ovl_fs *ofs = sb->s_fs_info;
sizeof(OVL_XATTR_PREFIX) - 1) == 0;
if (ofs->config.userxattr)
return strncmp(name, OVL_XATTR_USER_PREFIX,
sizeof(OVL_XATTR_USER_PREFIX) - 1) == 0;
else
return strncmp(name, OVL_XATTR_TRUSTED_PREFIX,
sizeof(OVL_XATTR_TRUSTED_PREFIX) - 1) == 0;
} }
int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name, int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name,
@ -690,7 +696,7 @@ static void ovl_fill_inode(struct inode *inode, umode_t mode, dev_t rdev)
* For the first, copy up case, the union nlink does not change, whether the * For the first, copy up case, the union nlink does not change, whether the
* operation succeeds or fails, but the upper inode nlink may change. * operation succeeds or fails, but the upper inode nlink may change.
* Therefore, before copy up, we store the union nlink value relative to the * Therefore, before copy up, we store the union nlink value relative to the
* lower inode nlink in the index inode xattr trusted.overlay.nlink. * lower inode nlink in the index inode xattr .overlay.nlink.
* *
* For the second, upper hardlink case, the union nlink should be incremented * For the second, upper hardlink case, the union nlink should be incremented
* or decremented IFF the operation succeeds, aligned with nlink change of the * or decremented IFF the operation succeeds, aligned with nlink change of the

Просмотреть файл

@ -22,7 +22,9 @@ enum ovl_path_type {
#define OVL_TYPE_MERGE(type) ((type) & __OVL_PATH_MERGE) #define OVL_TYPE_MERGE(type) ((type) & __OVL_PATH_MERGE)
#define OVL_TYPE_ORIGIN(type) ((type) & __OVL_PATH_ORIGIN) #define OVL_TYPE_ORIGIN(type) ((type) & __OVL_PATH_ORIGIN)
#define OVL_XATTR_PREFIX XATTR_TRUSTED_PREFIX "overlay." #define OVL_XATTR_NAMESPACE "overlay."
#define OVL_XATTR_TRUSTED_PREFIX XATTR_TRUSTED_PREFIX OVL_XATTR_NAMESPACE
#define OVL_XATTR_USER_PREFIX XATTR_USER_PREFIX OVL_XATTR_NAMESPACE
enum ovl_xattr { enum ovl_xattr {
OVL_XATTR_OPAQUE, OVL_XATTR_OPAQUE,
@ -113,10 +115,10 @@ struct ovl_fh {
#define OVL_FH_FID_OFFSET (OVL_FH_WIRE_OFFSET + \ #define OVL_FH_FID_OFFSET (OVL_FH_WIRE_OFFSET + \
offsetof(struct ovl_fb, fid)) offsetof(struct ovl_fb, fid))
extern const char *ovl_xattr_table[]; extern const char *const ovl_xattr_table[][2];
static inline const char *ovl_xattr(struct ovl_fs *ofs, enum ovl_xattr ox) static inline const char *ovl_xattr(struct ovl_fs *ofs, enum ovl_xattr ox)
{ {
return ovl_xattr_table[ox]; return ovl_xattr_table[ox][ofs->config.userxattr];
} }
static inline int ovl_do_rmdir(struct inode *dir, struct dentry *dentry) static inline int ovl_do_rmdir(struct inode *dir, struct dentry *dentry)

Просмотреть файл

@ -18,6 +18,7 @@ struct ovl_config {
bool nfs_export; bool nfs_export;
int xino; int xino;
bool metacopy; bool metacopy;
bool userxattr;
bool ovl_volatile; bool ovl_volatile;
}; };

Просмотреть файл

@ -418,6 +418,7 @@ enum {
OPT_UUID_ON, OPT_UUID_ON,
OPT_UUID_OFF, OPT_UUID_OFF,
OPT_NFS_EXPORT_ON, OPT_NFS_EXPORT_ON,
OPT_USERXATTR,
OPT_NFS_EXPORT_OFF, OPT_NFS_EXPORT_OFF,
OPT_XINO_ON, OPT_XINO_ON,
OPT_XINO_OFF, OPT_XINO_OFF,
@ -436,6 +437,7 @@ static const match_table_t ovl_tokens = {
{OPT_REDIRECT_DIR, "redirect_dir=%s"}, {OPT_REDIRECT_DIR, "redirect_dir=%s"},
{OPT_INDEX_ON, "index=on"}, {OPT_INDEX_ON, "index=on"},
{OPT_INDEX_OFF, "index=off"}, {OPT_INDEX_OFF, "index=off"},
{OPT_USERXATTR, "userxattr"},
{OPT_UUID_ON, "uuid=on"}, {OPT_UUID_ON, "uuid=on"},
{OPT_UUID_OFF, "uuid=off"}, {OPT_UUID_OFF, "uuid=off"},
{OPT_NFS_EXPORT_ON, "nfs_export=on"}, {OPT_NFS_EXPORT_ON, "nfs_export=on"},
@ -602,6 +604,10 @@ static int ovl_parse_opt(char *opt, struct ovl_config *config)
config->ovl_volatile = true; config->ovl_volatile = true;
break; break;
case OPT_USERXATTR:
config->userxattr = true;
break;
default: default:
pr_err("unrecognized mount option \"%s\" or missing value\n", pr_err("unrecognized mount option \"%s\" or missing value\n",
p); p);
@ -705,6 +711,28 @@ static int ovl_parse_opt(char *opt, struct ovl_config *config)
} }
} }
/* Resolve userxattr -> !redirect && !metacopy dependency */
if (config->userxattr) {
if (config->redirect_follow && redirect_opt) {
pr_err("conflicting options: userxattr,redirect_dir=%s\n",
config->redirect_mode);
return -EINVAL;
}
if (config->metacopy && metacopy_opt) {
pr_err("conflicting options: userxattr,metacopy=on\n");
return -EINVAL;
}
/*
* Silently disable default setting of redirect and metacopy.
* This shall be the default in the future as well: these
* options must be explicitly enabled if used together with
* userxattr.
*/
config->redirect_dir = config->redirect_follow = false;
config->metacopy = false;
}
return 0; return 0;
} }
@ -1054,8 +1082,14 @@ ovl_posix_acl_default_xattr_handler = {
.set = ovl_posix_acl_xattr_set, .set = ovl_posix_acl_xattr_set,
}; };
static const struct xattr_handler ovl_own_xattr_handler = { static const struct xattr_handler ovl_own_trusted_xattr_handler = {
.prefix = OVL_XATTR_PREFIX, .prefix = OVL_XATTR_TRUSTED_PREFIX,
.get = ovl_own_xattr_get,
.set = ovl_own_xattr_set,
};
static const struct xattr_handler ovl_own_user_xattr_handler = {
.prefix = OVL_XATTR_USER_PREFIX,
.get = ovl_own_xattr_get, .get = ovl_own_xattr_get,
.set = ovl_own_xattr_set, .set = ovl_own_xattr_set,
}; };
@ -1066,12 +1100,22 @@ static const struct xattr_handler ovl_other_xattr_handler = {
.set = ovl_other_xattr_set, .set = ovl_other_xattr_set,
}; };
static const struct xattr_handler *ovl_xattr_handlers[] = { static const struct xattr_handler *ovl_trusted_xattr_handlers[] = {
#ifdef CONFIG_FS_POSIX_ACL #ifdef CONFIG_FS_POSIX_ACL
&ovl_posix_acl_access_xattr_handler, &ovl_posix_acl_access_xattr_handler,
&ovl_posix_acl_default_xattr_handler, &ovl_posix_acl_default_xattr_handler,
#endif #endif
&ovl_own_xattr_handler, &ovl_own_trusted_xattr_handler,
&ovl_other_xattr_handler,
NULL
};
static const struct xattr_handler *ovl_user_xattr_handlers[] = {
#ifdef CONFIG_FS_POSIX_ACL
&ovl_posix_acl_access_xattr_handler,
&ovl_posix_acl_default_xattr_handler,
#endif
&ovl_own_user_xattr_handler,
&ovl_other_xattr_handler, &ovl_other_xattr_handler,
NULL NULL
}; };
@ -1334,7 +1378,7 @@ static int ovl_make_workdir(struct super_block *sb, struct ovl_fs *ofs,
pr_warn("upper fs does not support RENAME_WHITEOUT.\n"); pr_warn("upper fs does not support RENAME_WHITEOUT.\n");
/* /*
* Check if upper/work fs supports trusted.overlay.* xattr * Check if upper/work fs supports (trusted|user).overlay.* xattr
*/ */
err = ovl_do_setxattr(ofs, ofs->workdir, OVL_XATTR_OPAQUE, "0", 1); err = ovl_do_setxattr(ofs, ofs->workdir, OVL_XATTR_OPAQUE, "0", 1);
if (err) { if (err) {
@ -1473,10 +1517,10 @@ static int ovl_get_indexdir(struct super_block *sb, struct ovl_fs *ofs,
/* /*
* Verify upper root is exclusively associated with index dir. * Verify upper root is exclusively associated with index dir.
* Older kernels stored upper fh in "trusted.overlay.origin" * Older kernels stored upper fh in ".overlay.origin"
* xattr. If that xattr exists, verify that it is a match to * xattr. If that xattr exists, verify that it is a match to
* upper dir file handle. In any case, verify or set xattr * upper dir file handle. In any case, verify or set xattr
* "trusted.overlay.upper" to indicate that index may have * ".overlay.upper" to indicate that index may have
* directory entries. * directory entries.
*/ */
if (ovl_check_origin_xattr(ofs, ofs->indexdir)) { if (ovl_check_origin_xattr(ofs, ofs->indexdir)) {
@ -2014,7 +2058,8 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
cap_lower(cred->cap_effective, CAP_SYS_RESOURCE); cap_lower(cred->cap_effective, CAP_SYS_RESOURCE);
sb->s_magic = OVERLAYFS_SUPER_MAGIC; sb->s_magic = OVERLAYFS_SUPER_MAGIC;
sb->s_xattr = ovl_xattr_handlers; sb->s_xattr = ofs->config.userxattr ? ovl_user_xattr_handlers :
ovl_trusted_xattr_handlers;
sb->s_fs_info = ofs; sb->s_fs_info = ofs;
sb->s_flags |= SB_POSIXACL; sb->s_flags |= SB_POSIXACL;
sb->s_iflags |= SB_I_SKIP_SYNC; sb->s_iflags |= SB_I_SKIP_SYNC;

Просмотреть файл

@ -585,9 +585,10 @@ bool ovl_check_dir_xattr(struct super_block *sb, struct dentry *dentry,
#define OVL_XATTR_METACOPY_POSTFIX "metacopy" #define OVL_XATTR_METACOPY_POSTFIX "metacopy"
#define OVL_XATTR_TAB_ENTRY(x) \ #define OVL_XATTR_TAB_ENTRY(x) \
[x] = OVL_XATTR_PREFIX x ## _POSTFIX [x] = { [false] = OVL_XATTR_TRUSTED_PREFIX x ## _POSTFIX, \
[true] = OVL_XATTR_USER_PREFIX x ## _POSTFIX }
const char *ovl_xattr_table[] = { const char *const ovl_xattr_table[][2] = {
OVL_XATTR_TAB_ENTRY(OVL_XATTR_OPAQUE), OVL_XATTR_TAB_ENTRY(OVL_XATTR_OPAQUE),
OVL_XATTR_TAB_ENTRY(OVL_XATTR_REDIRECT), OVL_XATTR_TAB_ENTRY(OVL_XATTR_REDIRECT),
OVL_XATTR_TAB_ENTRY(OVL_XATTR_ORIGIN), OVL_XATTR_TAB_ENTRY(OVL_XATTR_ORIGIN),