I've done some more work to verify that unprivileged mount of overlayfs is safe. One thing I did is to basically audit all function calls made by overlayfs to see if it's normally called with any checks and whether overlayfs calls it with the same (permission and other) checks. Some of this work has already made it into 5.8 and this series contains more fixes. A general observation is that overlayfs does not call security_path_*() hooks on the underlying fs. I don't see this as a problem, because a simple bind mount done inside a private mount namespace also defeats the path based security checks. Maybe I'm missing something here, so I'm interested in comments from AppArmor and Tomoyo developers. Eric, do you have thought about what to look for with respect to unprivileged mount safety and whether you think this is ready for upstream? Git tree: git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs.git#ovl-unpriv-v2 Thanks, Miklos Miklos Szeredi (10): vfs: move cap_convert_nscap() call into vfs_setxattr() vfs: verify source area in vfs_dedupe_file_range_one() ovl: check privs before decoding file handle ovl: make ioctl() safe ovl: simplify file splice ovl: user xattr ovl: do not fail when setting origin xattr ovl: do not fail because of O_NOATIME ovl: do not get metacopy for userxattr ovl: unprivieged mounts fs/overlayfs/copy_up.c | 3 +- fs/overlayfs/file.c | 126 +++---------------------------------- fs/overlayfs/inode.c | 10 ++- fs/overlayfs/namei.c | 3 + fs/overlayfs/overlayfs.h | 8 ++- fs/overlayfs/ovl_entry.h | 1 + fs/overlayfs/super.c | 56 +++++++++++++++-- fs/overlayfs/util.c | 12 +++- fs/remap_range.c | 10 ++- fs/xattr.c | 17 +++-- include/linux/capability.h | 2 +- security/commoncap.c | 3 +- 12 files changed, 110 insertions(+), 141 deletions(-) -- 2.26.2
