Bug#969223: Can't rm directory on overlayfs in userns

To: 969223@bugs.debian.org
Cc: Shengjing Zhu <zhsj@debian.org>
Subject: Bug#969223: Can't rm directory on overlayfs in userns
From: Nicolas Schier <nicolas@fjasle.eu>
Date: Wed, 3 Mar 2021 08:35:14 +0100
Message-id: <[🔎] YD88Mhxr7gJnexuD@lillesand.fjasle.eu>
Reply-to: Nicolas Schier <nicolas@fjasle.eu>, 969223@bugs.debian.org
In-reply-to: <X9MpdYkfWLeSc8Rl@lillesand.fjasle.eu>
References: <CAFyCLW-+iW1aSWxSQOmJGC9+O+HySmb7orazW2AOm8v3i=M=pg@mail.gmail.com> <20200916075317.GQ18520@fjasle.eu> <20200829141322.GA197496@local.zhsj.me> <CAFyCLW-2k5rw+hrXeYGXuFiTERSaiugGCNpu8Pw=r8Low3pLYA@mail.gmail.com> <20200916184647.GS18520@fjasle.eu> <20200829141322.GA197496@local.zhsj.me> <CAFyCLW-9-=kdTbzOwSn71YRDFTH-4Q6s08ejzWJu_tjBmiATJA@mail.gmail.com> <20200829141322.GA197496@local.zhsj.me> <X9MpdYkfWLeSc8Rl@lillesand.fjasle.eu> <20200829141322.GA197496@local.zhsj.me>

On Fri, Dec 11, 2020 09:10 AM Nicolas Schier wrote:
> 
> On Tue, Sep 17, 2020 at 2:57 AM Shengjing Zhu wrote:
> > 
> > On Thu, Sep 17, 2020 at 2:52 AM Nicolas Schier <nicolas@fjasle.eu> wrote:
> > >
> > > > I think I just mess up when debugging. It seems it never works.
> > > >
> > > > Maybe we should revert permit_mounts_in_userns? as it doesn't seem to
> > > > work. Buster is also affected.
> > >
> > > Please, don't be too fast when thinking about a revert.  Several of my
> > > colleagues (Debian users) cling to the feature since they need it for
> > > using the company's LXC containers; if permit_mounts_in_userns is
> > > removed again, they might be forced to switch to non-Debian kernels or
> > > to live-patch the kernel with fragile stuff like [1], cp. #913880.
> > 
> > I mean if you can't even remove a directory with files, it's too broken to use.
> > So your colleagues find the userns overlay works?
> > Or you mean we should take Ubuntu's patch to fix the issue?
> 
> sorry for the long delay.  My colleagues are using unpriviledged LXC 
> with overlay fs for building purposes only, thus, read-only access is 
> sufficient and works.  (But yes, the incomplete write-support leads to 
> annoyance.)
> 
> Currently, there is a patch on linux-unionfs that allows using user 
> xattrs for overlay fs meta data [1].  If the related patchset [2] is 
> going to be merged, the Debian patch will become obsolete; otherwise we 
> could think about picking up the patch from [1].
> 
> As far as I have seen, the Ubuntu patch allows unpriviledged users to 
> modify 'trusted.overlay.*' xattrs, which probably has security 
> implications.  ("Probably" as just had a superficial look at it.)
> 
> I would prefer to keep a watch on [2] and dicuss further, if it has 
> been merged or rejected.
> 
> Kind regards,
> Nicolas
> 
> 
> 
> [1]: [PATCH v2 06/10] ovl: user xattr
>      https://lore.kernel.org/linux-unionfs/20201207163255.564116-7-mszeredi@redhat.com/
> 
> [2]: https://lore.kernel.org/linux-unionfs/CAJfpegsiuf8ib5cvVrr=zHZ+Xu7BMMTT2eYapsEUdmPcRBUiwQ@mail.gmail.com/T/#t

The overlay fs patchset [2] has been merged and with v5.10.13 (tested 
on linux-image-5.10.0-3-arm64) the issue is no more reproducible for 
me.  Might you want to re-check on your site?

Kind regards,
Nicolas


-- 
epost: nicolas@fjasle.eu               irc://oftc.net/nsc
↳ gpg: 18ed 52db e34f 860e e9fb  c82b 7d97 0932 55a0 ce7f
     -- frykten for herren er opphav til kunnskap --

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Bug#969223: Can't rm directory on overlayfs in userns
  - From: Shengjing Zhu <zhsj@debian.org>

Prev by Date: Bug#982304: linux-headers-5.10.0-3-amd64: File include/generated/autoconf.h missed to compile virtualbox-dkms
Next by Date: linux-signed-i386_5.10.19+1_source.changes ACCEPTED into unstable, unstable
Previous by thread: Bug#982304: linux-headers-5.10.0-3-amd64: File include/generated/autoconf.h missed to compile virtualbox-dkms
Next by thread: Bug#969223: Can't rm directory on overlayfs in userns
Index(es):
- Date
- Thread