Now overlayfs allow unpriviliged mounts. That is root inside a non-init
user namespace can mount overlayfs. This is being added in 5.11 kernel.
Giuseppe tried to mount overlayfs with option "context" and it failed
with error -EACCESS.
$ su test
$ unshare -rm
$ mkdir -p lower upper work merged
$ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged
This fails with -EACCESS. It works if option "-o context" is not specified.
Little debugging showed that selinux_set_mnt_opts() returns -EACCESS.
So this patch adds "overlay" to the list, where it is fine to specific
context from non init_user_ns.
v2: Fixed commit message to reflect that unpriveleged overlayfs mount is
being added in 5.11 and not in 5.10 kernel.
Reported-by: Giuseppe Scrivano <gscrivan@xxxxxxxxxx>
Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx>
---
security/selinux/hooks.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Index: redhat-linux/security/selinux/hooks.c
===================================================================
--- redhat-linux.orig/security/selinux/hooks.c 2021-02-09 10:56:12.954988476 -0500
+++ redhat-linux/security/selinux/hooks.c 2021-02-09 14:36:33.136205330 -0500
@@ -733,7 +733,8 @@ static int selinux_set_mnt_opts(struct s
if (sb->s_user_ns != &init_user_ns &&
strcmp(sb->s_type->name, "tmpfs") &&
strcmp(sb->s_type->name, "ramfs") &&
- strcmp(sb->s_type->name, "devpts")) {
+ strcmp(sb->s_type->name, "devpts") &&
+ strcmp(sb->s_type->name, "overlay")) {
if (context_sid || fscontext_sid || rootcontext_sid ||
defcontext_sid) {
rc = -EACCES;
