On Mon, Dec 7, 2020 at 6:37 PM Miklos Szeredi <mszeredi@xxxxxxxxxx> wrote: > > Optionally allow using "user.overlay." namespace instead of > "trusted.overlay." There are several occurrences of "trusted.overlay" string in code and Documentation, which is fine. But maybe only adjust the comment for testing xattr support: * Check if upper/work fs supports trusted.overlay.* xattr > > This is necessary for overlayfs to be able to be mounted in an unprivileged > namepsace. > > Make the option explicit, since it makes the filesystem format be > incompatible. > > Disable redirect_dir and metacopy options, because these would allow > privilege escalation through direct manipulation of the > "user.overlay.redirect" or "user.overlay.metacopy" xattrs. > > Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxxxxx> > --- Reviewed-by: Amir Goldstein <amir73il@xxxxxxxxx> > --- a/fs/overlayfs/util.c > +++ b/fs/overlayfs/util.c > @@ -582,9 +582,10 @@ bool ovl_check_dir_xattr(struct super_block *sb, struct dentry *dentry, > #define OVL_XATTR_METACOPY_POSTFIX "metacopy" > > #define OVL_XATTR_TAB_ENTRY(x) \ > - [x] = OVL_XATTR_PREFIX x ## _POSTFIX > + [x] = { [false] = OVL_XATTR_TRUSTED_PREFIX x ## _POSTFIX, \ > + [true] = OVL_XATTR_USER_PREFIX x ## _POSTFIX } > > -const char *ovl_xattr_table[] = { > +const char *ovl_xattr_table[][2] = { > OVL_XATTR_TAB_ENTRY(OVL_XATTR_OPAQUE), > OVL_XATTR_TAB_ENTRY(OVL_XATTR_REDIRECT), > OVL_XATTR_TAB_ENTRY(OVL_XATTR_ORIGIN), > -- Can you constify this 2D array? I don't even know the syntax for that... Thanks, Amir.