[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#913880: ITP: overlay-userns -- Overlay mounting in user namespaces (DKMS)

Dear Ben,

> Why don't you talk to the kernel team about adding a module parameter
> enable this, rather than packaging a fragile hack?

thanks for the pointer.  Do you think about something like the attached 
patch?  Would you recommend a post in debian-kernel@l.d.o about it or 
better a salsa merge request?

Kind regards,
Nicolas



From 8e09f86b72903c29bff005425bee997fa9521147 Mon Sep 17 00:00:00 2001
From: Nicolas Schier <nicolas@fjasle.eu>
Date: Mon, 19 Nov 2018 21:16:26 +0100
Subject: [PATCH] ovl: permit overlayfs mounts in user namespaces (taints
 kernel)

Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
unprivileged LXC overlay snapshots.

Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
expected to be a security risk [2] and thus are not enabled on upstream Linux
kernels.  For the non-Ubuntu users that have to stick to unprivileged
overlay-based LXCs, this meant to patch and compile the kernel manually.
Instead, adding the kernel tainting 'permit_mounts_in_userns' module parameter
allows a kind of a user-friendly way to enable the feature.

Testable with:

    sudo modprobe overlay permit_mounts_in_userns=1
    sudo sysctl -w kernel.unprivileged_userns_clone=1
    mkdir -p lower upper work mnt
    unshare --map-root-user --mount \
        mount -t overlay none mnt -o lowerdir=lower,upperdir=upper,workdir=work

[1]: Ubuntu allows unprivileged mounting of overlay filesystem
     https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html

[2]: User namespaces + overlayfs = root privileges
     https://lwn.net/Articles/671641/

Signed-off-by: Nicolas Schier <n.schier@avm.de>
---
 .../overlayfs-permit-mounts-in-userns.patch   | 55 +++++++++++++++++++
 debian/patches/series                         |  3 +
 2 files changed, 58 insertions(+)
 create mode 100644 debian/patches/debian/overlayfs-permit-mounts-in-userns.patch

diff --git a/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch b/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch
new file mode 100644
index 000000000000..3697d8cf7708
--- /dev/null
+++ b/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch
@@ -0,0 +1,55 @@
+From: Nicolas Schier <nicolas@fjasle.eu>
+Subject: ovl: permit overlayfs mounts in user namespaces (taints kernel)
+Date: Mon, 19 Nov 2018 20:36:14 +0100
+
+Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
+unprivileged LXC overlay snapshots.
+
+Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
+expected to be a security risk [2] and thus are not enabled on upstream Linux
+kernels.  For the non-Ubuntu users that have to stick to unprivileged
+overlay-based LXCs, this meant to patch and compile the kernel manually.
+Instead, adding the kernel tainting 'permit_mounts_in_userns' module parameter
+allows a kind of a user-friendly way to enable the feature.
+
+Testable with:
+
+    sudo modprobe overlay permit_mounts_in_userns=1
+    sudo sysctl -w kernel.unprivileged_userns_clone=1
+    mkdir -p lower upper work mnt
+    unshare --map-root-user --mount \
+        mount -t overlay none mnt -o lowerdir=lower,upperdir=upper,workdir=work
+
+[1]: Ubuntu allows unprivileged mounting of overlay filesystem
+     https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html
+
+[2]: User namespaces + overlayfs = root privileges
+     https://lwn.net/Articles/671641/
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -56,6 +56,12 @@
+ MODULE_PARM_DESC(ovl_xino_auto_def,
+ 		 "Auto enable xino feature");
+ 
++static bool ovl_permit_mounts_in_userns;
++module_param_named_unsafe(permit_mounts_in_userns, ovl_permit_mounts_in_userns,
++			  bool, 0444);
++MODULE_PARM_DESC(ovl_permit_mounts_in_userns,
++		 "Permit mounts in user namespaces");
++
+ static void ovl_entry_stack_free(struct ovl_entry *oe)
+ {
+ 	unsigned int i;
+@@ -1545,6 +1551,11 @@
+ 	if (ovl_inode_cachep == NULL)
+ 		return -ENOMEM;
+ 
++	if (unlikely(ovl_permit_mounts_in_userns)) {
++		pr_warn("Allowing overlay mounts in user namespaces bears security risks\n");
++		ovl_fs_type.fs_flags |= FS_USERNS_MOUNT;
++	}
++
+ 	err = register_filesystem(&ovl_fs_type);
+ 	if (err)
+ 		kmem_cache_destroy(ovl_inode_cachep);
diff --git a/debian/patches/series b/debian/patches/series
index 57872c847500..2f45ed47d44a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -152,4 +152,7 @@ bugfix/x86/tools-turbostat-Add-checks-for-failure-of-fgets-and-.patch
 # wireless: Disable regulatory.db direct loading (until we sort out signing)
 debian/wireless-disable-regulatory.db-direct-loading.patch
 
+# overlay: allow mounting in user namespaces
+debian/overlayfs-permit-mounts-in-userns.patch
+
 # ABI maintenance
-- 
2.19.1

Attachment: signature.asc
Description: PGP signature

Reply to: