[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#969223: Can't rm directory on overlayfs in userns



On Fri, Dec 11, 2020 09:10 AM Nicolas Schier wrote:
> 
> On Tue, Sep 17, 2020 at 2:57 AM Shengjing Zhu wrote:
> > 
> > On Thu, Sep 17, 2020 at 2:52 AM Nicolas Schier <nicolas@fjasle.eu> wrote:
> > >
> > > > I think I just mess up when debugging. It seems it never works.
> > > >
> > > > Maybe we should revert permit_mounts_in_userns? as it doesn't seem to
> > > > work. Buster is also affected.
> > >
> > > Please, don't be too fast when thinking about a revert.  Several of my
> > > colleagues (Debian users) cling to the feature since they need it for
> > > using the company's LXC containers; if permit_mounts_in_userns is
> > > removed again, they might be forced to switch to non-Debian kernels or
> > > to live-patch the kernel with fragile stuff like [1], cp. #913880.
> > 
> > I mean if you can't even remove a directory with files, it's too broken to use.
> > So your colleagues find the userns overlay works?
> > Or you mean we should take Ubuntu's patch to fix the issue?
> 
> sorry for the long delay.  My colleagues are using unpriviledged LXC 
> with overlay fs for building purposes only, thus, read-only access is 
> sufficient and works.  (But yes, the incomplete write-support leads to 
> annoyance.)
> 
> Currently, there is a patch on linux-unionfs that allows using user 
> xattrs for overlay fs meta data [1].  If the related patchset [2] is 
> going to be merged, the Debian patch will become obsolete; otherwise we 
> could think about picking up the patch from [1].
> 
> As far as I have seen, the Ubuntu patch allows unpriviledged users to 
> modify 'trusted.overlay.*' xattrs, which probably has security 
> implications.  ("Probably" as just had a superficial look at it.)
> 
> I would prefer to keep a watch on [2] and dicuss further, if it has 
> been merged or rejected.
> 
> Kind regards,
> Nicolas
> 
> 
> 
> [1]: [PATCH v2 06/10] ovl: user xattr
>      https://lore.kernel.org/linux-unionfs/20201207163255.564116-7-mszeredi@redhat.com/
> 
> [2]: https://lore.kernel.org/linux-unionfs/CAJfpegsiuf8ib5cvVrr=zHZ+Xu7BMMTT2eYapsEUdmPcRBUiwQ@mail.gmail.com/T/#t

The overlay fs patchset [2] has been merged and with v5.10.13 (tested 
on linux-image-5.10.0-3-arm64) the issue is no more reproducible for 
me.  Might you want to re-check on your site?

Kind regards,
Nicolas


-- 
epost: nicolas@fjasle.eu               irc://oftc.net/nsc
↳ gpg: 18ed 52db e34f 860e e9fb  c82b 7d97 0932 55a0 ce7f
     -- frykten for herren er opphav til kunnskap --

Attachment: signature.asc
Description: PGP signature


Reply to: