Hi,

We are using kernel v4.19.24 and have found that it can be successful when we set the IMMUTABLE_FL flag on a file in docker while the docker didn't have the capability CAP_LINUX_IMMUTABLE.

    # touch tmp
    # chattr +i tmp
    # lsattr tmp
    ----i--------e-- tmp

We have tested this case in an older version such as 4.9 and it returned -EPERM as expected.

We found that the commits d1d04ef8572b ("ovl: stack file ops") and dab5ca8fd9dd ("ovl: add lsattr/chattr support") implemented chattr operations on a regular overlay file. ovl_real_ioctl() overrides the current process's subjective credentials with ofs->creator_cred, which has the capability CAP_LINUX_IMMUTABLE, so that it will return success in vfs_ioctl()->cap_capable().

I wonder: is this a kind of mechanism of overlayfs, or a bug?

Thanks,
Jiufei
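
Added example, not part of the original message and not kernel code: a C regression check for the behaviour reported above. It reads the caller's CapEff mask from /proc/self/status, attempts FS_IOC_SETFLAGS with FS_IMMUTABLE_FL on the file named in argv[1] (assumed to be a scratch file on the overlay mount), and reports a bypass when the ioctl succeeds without CAP_LINUX_IMMUTABLE. The names cap_effective and classify are hypothetical.

```c
/* Added example; cap_effective() and classify() are hypothetical helper names. */
#include <errno.h>
#include <fcntl.h>
#include <linux/capability.h>  /* CAP_LINUX_IMMUTABLE */
#include <linux/fs.h>          /* FS_IOC_GETFLAGS, FS_IOC_SETFLAGS, FS_IMMUTABLE_FL */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>

enum verdict { DENIED_OK, ALLOWED_OK, BYPASS, INCONCLUSIVE };

/* 1 if bit `cap` is set in the CapEff mask of /proc/<pid>/status text, 0 if clear, -1 if absent. */
int cap_effective(const char *status, int cap)
{
    const char *p = strstr(status, "CapEff:");
    return p ? (int)((strtoull(p + strlen("CapEff:"), NULL, 16) >> cap) & 1) : -1;
}

/* Compare the FS_IOC_SETFLAGS outcome with what the caller's own capabilities permit. */
enum verdict classify(int has_cap, int rc, int err)
{
    if (has_cap < 0)
        return INCONCLUSIVE;
    if (rc == 0)
        return has_cap ? ALLOWED_OK : BYPASS;
    return (err == EPERM && !has_cap) ? DENIED_OK : INCONCLUSIVE;
}

int main(int argc, char **argv)
{
    char status[8192];
    int flags = 0, want, rc, err, fd;
    FILE *f = fopen("/proc/self/status", "r");
    if (argc < 2 || !f)
        return 2;
    status[fread(status, 1, sizeof(status) - 1, f)] = '\0';
    fclose(f);
    fd = open(argv[1], O_RDONLY);          /* argv[1]: scratch file on the overlay mount */
    if (fd < 0 || ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0 || (flags & FS_IMMUTABLE_FL))
        return 2;                          /* cannot test: no flag support or already immutable */
    want = flags | FS_IMMUTABLE_FL;
    rc = ioctl(fd, FS_IOC_SETFLAGS, &want);
    err = errno;
    if (rc == 0)
        ioctl(fd, FS_IOC_SETFLAGS, &flags);   /* put the original flags back */
    enum verdict v = classify(cap_effective(status, CAP_LINUX_IMMUTABLE), rc, err);
    puts(v == BYPASS ? "BYPASS: immutable set without CAP_LINUX_IMMUTABLE" : "no bypass observed");
    return v == BYPASS;
}
```

Exit status 1 means the flag was set by a process that lacks the capability, 0 means the outcome matched the caller's own capabilities, and 2 means the check could not run on that file.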