
Bug#969223: Can't rm directory on overlayfs in userns



On Wed, Sep 02, 2020 at 11:52:41AM +0800, Shengjing Zhu wrote:
> On Sat, Aug 29, 2020 at 10:13 PM Shengjing Zhu <zhsj@debian.org> wrote:
> >
> > Source: linux
> > Version: 5.7.10-1
> > Severity: normal
> >
> > Hi,
> >
> > After enabling overlayfs for userns, I find it doesn't work as expected.
> >
> > $ cat /sys/module/overlay/parameters/permit_mounts_in_userns
> > Y
> >
> > zsj@debian:~/test$ pwd
> > /home/zsj/test
> > zsj@debian:~/test$ tree
> > .
> > ├── lower
> > │   └── a
> > │       └── a
> > ├── merged
> > ├── upper
> > └── work
> >
> > zsj@debian:~/test$ unshare -m -U -r
> > root@debian:~/test# mount -t overlay -o rw,lowerdir=/home/zsj/test/lower,upperdir=/home/zsj/test/upper,workdir=/home/zsj/test/work overlay /home/zsj/test/merged
> > root@debian:~/test# rm -rf merged/a
> > rm: cannot remove 'merged/a': Input/output error
> >

Hi,

overlayfs uses filesystem xattrs to mark "whiteouts" and redirects of
directories, which are only accessible for root (CAP_SYS_ADMIN), thus,
not when overlay is mounted in a user namespace, cp. e.g. [1,2].

Ubuntu kernel "solves" this by skipping the "trusted."-xattr check, thus
allowing setting and removal of 'trusted.overlay.*' xattrs from within
user namespaces; but those are still visible in all other namespaces.  A
following overlayfs mount done by the real root user will use these
modified xattrs.

To me it would seem to be more adequate if overlayfs would use
'overlay.*' instead of 'trusted.overlay.*', if it is mounted in an
unprivileged user namespace.  But this would make overlay mounts done
by root incompatible with those done in a user namespace.

Maybe you find #836211 to be related to this.


[1]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/xattr.c?h=linux-5.7.y#n113
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/xattr.c?h=linux-5.7.y#n1049
[3]: https://kernel.ubuntu.com/git/ubuntu/ubuntu-focal.git/commit/?id=111cd1a9840ce187e28b49fe4e77b9b5e84386b1

> If I upgrade a debian10 VM to testing, it seems to work.
> However if I boot a new debian testing VM, it seems not to work.
> Both VMs are downloaded from http://cdimage.debian.org/cdimage/cloud/
> What can be the difference here? I'm lost on debugging this.

This confuses me.  Are you sure you used the same kernel version on
both VMs when mounting overlayfs in userns?

Kind regards,
Nicolas

-- 
epost: nicolas@fjasle.eu               irc://oftc.net/nsc
↳ gpg: 18ed 52db e34f 860e e9fb  c82b 7d97 0932 55a0 ce7f
     -- frykten for herren er opphav til kunnskap --
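The privilege check Nicolas points to in fs/xattr.c [1,2] can be observed from userspace without setting up an overlay mount at all. The program below is an added example, not part of this bug thread or of the kernel sources: it creates a scratch directory under /tmp (a constructed location, assumed to sit on a filesystem that supports xattrs) and tries to set and remove one xattr in each of the 'trusted.', 'user.' and an unregistered namespace. Run as an ordinary user, or inside 'unshare -U -r', the 'trusted.overlay.*' attempt fails with EPERM, which is the same refusal that surfaces as the Input/output error on 'rm' in the report; as real root it succeeds. EOPNOTSUPP means the filesystem itself declined (overlayfs, for instance, refuses to pass its own 'trusted.overlay.*' names through to the upper layer), so probing through an overlay-backed /tmp tells you about the overlay, not about the privilege check.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

/*
 * Try to create and then remove the extended attribute `name` on `path`.
 * Returns 0 if both calls succeed, otherwise the errno of the first failure.
 * For "trusted." names the kernel's xattr_permission() demands CAP_SYS_ADMIN
 * in the initial user namespace; a write without it fails with EPERM, which is
 * exactly the capability a process inside an unprivileged userns lacks.
 */
int probe_xattr(const char *path, const char *name)
{
    static const char value[] = "y";

    if (setxattr(path, name, value, sizeof value, 0) != 0)
        return errno;
    if (removexattr(path, name) != 0)
        return errno;
    return 0;
}

/*
 * Probe `name` on a freshly created scratch directory under /tmp (constructed
 * location, assumed to support xattrs), then remove the directory again.
 * Returns the errno as probe_xattr() does, or mkdtemp()'s errno if the
 * scratch directory could not be created.
 */
int probe_xattr_on_scratch_dir(const char *name)
{
    char dir[] = "/tmp/xattr-probe-XXXXXX";
    int rc;

    if (mkdtemp(dir) == NULL)
        return errno;
    rc = probe_xattr(dir, name);
    rmdir(dir);   /* the xattr is gone again (or was never set), so rmdir suffices */
    return rc;
}

static void report(const char *name)
{
    int rc = probe_xattr_on_scratch_dir(name);

    if (rc == 0)
        printf("%-24s settable: this process may write that namespace\n", name);
    else if (rc == EPERM)
        printf("%-24s EPERM: privilege check in xattr_permission() refused it\n", name);
    else
        printf("%-24s refused by the filesystem: %s\n", name, strerror(rc));
}

int main(void)
{
    report("trusted.overlay.opaque"); /* the namespace overlayfs uses for its markers */
    report("user.overlay.opaque");    /* the unprivileged alternative discussed above */
    report("bogus.overlay.opaque");   /* no handler for this prefix: always EOPNOTSUPP */
    return 0;
}
```

Compile with `cc -o xattr-probe xattr-probe.c` and compare the output of a plain run, a run inside `unshare -U -r`, and a run as real root; the thread's Ubuntu patch [3] changes only the middle case, which is why markers written there remain visible to every other namespace.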
