[SRU][K/L/Unstable][PATCH 1/1] UBUNTU: SAUCE: overlayfs: handle idmapped mounts in ovl_do_(set|remove)xattr
Alexander Mikhalitsyn
aleksandr.mikhalitsyn at canonical.com
Thu Mar 2 21:23:55 UTC 2023
BugLink: http://bugs.launchpad.net/bugs/2009065
We have to use the ovl_upper_mnt_userns(ofs) helper to get the proper user namespace
for an idmapped layer. Otherwise we'll get -EPERM.
Right now, overlayfs on top of an idmapped layer is always mounted as read-only.
This is a serious blocker for LXD/LXC unprivileged container users who run
Docker containers inside.
Reproducer:
$ cd /idmapped/mount/path
$ mkdir {work,upper,lower,ovl}
$ mount -t overlay overlay -o lowerdir=lower,upperdir=upper,workdir=work ovl
$ touch ovl/test
touch: cannot touch 'ovl/test': Read-only file system
Error from dmesg:
overlayfs: failed to create directory work/work (errno: 1); mounting read-only
Reproducible on all Ubuntu kernels with the base >= 5.19
Fixes: eea996a46f ("UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs")
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn at canonical.com>
---
fs/overlayfs/overlayfs.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
index e523d600da4e..3a85be75d64a 100644
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -255,7 +255,7 @@ static inline int ovl_do_setxattr(struct ovl_fs *ofs, struct dentry *dentry,
int err;
inode_lock(inode);
- err = __vfs_setxattr_noperm(&init_user_ns, dentry, name, value, size, flags);
+ err = __vfs_setxattr_noperm(ovl_upper_mnt_userns(ofs), dentry, name, value, size, flags);
inode_unlock(inode);
pr_debug("setxattr(%pd2, \"%s\", \"%*pE\", %zu, %d) = %i\n",
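Review bot: the replacement of `&init_user_ns` with `ovl_upper_mnt_userns(ofs)` silently relies on `dentry` always belonging to the upper layer (the only layer whose mount idmapping this helper returns); the `ofs` parameter was already in the signature, so that assumption predates this change, but nothing near the call states it. A short comment above `inode_lock(inode);` saying that `ovl_do_setxattr()` is only used on upper/work dentries would make the choice of namespace self-evident, and the `pr_debug` line could be left as is since the namespace is not useful in that trace.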
@@ -277,7 +277,7 @@ static inline int ovl_do_removexattr(struct ovl_fs *ofs, struct dentry *dentry,
int err;
inode_lock(inode);
- err = __vfs_removexattr_noperm(&init_user_ns, dentry, name);
+ err = __vfs_removexattr_noperm(ovl_upper_mnt_userns(ofs), dentry, name);
inode_unlock(inode);
pr_debug("removexattr(%pd2, \"%s\") = %i\n", dentry, name, err);
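Review bot: this hunk mirrors the setxattr change and is correct for the same reason, but the diff only touches two call sites in overlayfs.h; since the Fixes: tag points at a SAUCE patch that introduced the `_noperm` calls with `&init_user_ns`, it is worth confirming in the commit message that no other helper in this header still hard-codes `&init_user_ns` for an upper-layer operation, otherwise the reproducer may pass for `work/work` while a different xattr path still returns -EPERM on an idmapped upper layer.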
--
2.34.1