[PATCH] Data-only layer mount time validations

Mike Baynton <mike@xxxxxxxxxxxx> · Thu, 4 Jul 2024 23:25:42 -0500

There seem to be a few scenarios where it is possible to successfully
mount up an overlay filesystem including data-only layer(s), but in
configurations where it will never be possible to read data successfully
from the data-only layers. I think this should result in a mount-time
error instead of the current behavior of being unable to read data from
the files that should normally return data from a data-only layer.

Both cases were found by attempting to use data-only lower layers from a
user namespace, a proposition that appears to be guaranteed to not end
well since data-only lower layers requires use of trusted xattrs, but
trusted xattrs can only be accessed in the initial user namespace.

Case 1: upper dirs in use but xattrs cannot be written to the filesystem
containing workdir (for any reason, user namespace-related or not.) This
triggers a fallback behavior of disabling metacopy after an existing
validation in ovl_fs_params_verify ensured metacopy is on when
data-only layers are present. This is now rechecked after possibly
disabling metacopy.

Case 2: upper dirs are not in use, data-only layer(s) in use, mount
initiated from a user namespace other than the initial one.

When the filesystem consists of only lower layers, the test of xattrs
is not performed and so metacopy remains on, satisfying Case 1.
Therefore it is also neceessary to explicitly check for data-only layers
in a mount whose initiator lacks CAP_SYS_ADMIN in the initial user
namespace.

Signed-off-by: Mike Baynton <mike@xxxxxxxxxxxx>
---
 fs/overlayfs/super.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index 06a231970cb5..4382f21c36a0 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -1394,6 +1394,19 @@ int ovl_fill_super(struct super_block *sb, struct fs_context *fc)
 	if (IS_ERR(oe))
 		goto out_err;
 
+	if (ofs->numdatalayer) {
+		if (!ofs->config.metacopy) {
+			pr_err("lower data-only dirs require metacopy support.\n");
+			err = -EINVAL;
+			goto out_err;
+		}
+		if (!capable(CAP_SYS_ADMIN)) {
+			pr_err("lower data-only dirs require CAP_SYS_ADMIN in the initial user namespace.\n");
+			err = -EPERM;
+			goto out_err;
+		}
+	}
+
 	/* If the upper fs is nonexistent, we mark overlayfs r/o too */
 	if (!ovl_upper_mnt(ofs))
 		sb->s_flags |= SB_RDONLY;
-- 
2.34.1








