Re: [PATCH] Data-only layer mount time validations

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jul 5, 2024 at 7:25 AM Mike Baynton <mike@xxxxxxxxxxxx> wrote:
>
> There seem to be a few scenarios where it is possible to successfully
> mount up an overlay filesystem including data-only layer(s), but in
> configurations where it will never be possible to read data successfully
> from the data-only layers. I think this should result in a mount-time
> error instead of the current behavior of being unable to read data from
> the files that should normally return data from a data-only layer.
>
> Both cases were found by attempting to use data-only lower layers from a
> user namespace, a proposition that appears to be guaranteed to not end
> well since data-only lower layers requires use of trusted xattrs, but
> trusted xattrs can only be accessed in the initial user namespace.
>
> Case 1: upper dirs in use but xattrs cannot be written to the filesystem
> containing workdir (for any reason, user namespace-related or not.) This
> triggers a fallback behavior of disabling metacopy after an existing
> validation in ovl_fs_params_verify ensured metacopy is on when
> data-only layers are present. This is now rechecked after possibly
> disabling metacopy.
>
> Case 2: upper dirs are not in use, data-only layer(s) in use, mount
> initiated from a user namespace other than the initial one.
>
> When the filesystem consists of only lower layers, the test of xattrs
> is not performed and so metacopy remains on, satisfying Case 1.
> Therefore it is also neceessary to explicitly check for data-only layers
> in a mount whose initiator lacks CAP_SYS_ADMIN in the initial user
> namespace.
>
> Signed-off-by: Mike Baynton <mike@xxxxxxxxxxxx>
> ---
>  fs/overlayfs/super.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
>
> diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
> index 06a231970cb5..4382f21c36a0 100644
> --- a/fs/overlayfs/super.c
> +++ b/fs/overlayfs/super.c
> @@ -1394,6 +1394,19 @@ int ovl_fill_super(struct super_block *sb, struct fs_context *fc)
>         if (IS_ERR(oe))
>                 goto out_err;
>
> +       if (ofs->numdatalayer) {
> +               if (!ofs->config.metacopy) {
> +                       pr_err("lower data-only dirs require metacopy support.\n");
> +                       err = -EINVAL;
> +                       goto out_err;
> +               }

Is that not already handled by?

int ovl_fs_params_verify(const struct ovl_fs_context *ctx,
                         struct ovl_config *config)
{
        struct ovl_opt_set set = ctx->set;

        if (ctx->nr_data > 0 && !config->metacopy) {
                pr_err("lower data-only dirs require metacopy support.\n");
                return -EINVAL;
        }

Probably because of:

                        ofs->config.metacopy = false;
                        pr_warn("...falling back to metacopy=off.\n");

in xattr check, but it could also happen from:

        /* Resolve userxattr -> !redirect && !metacopy && !verity dependency */
        if (config->userxattr) {
...
                /*
                 * Silently disable default setting of redirect and metacopy.
                 * This shall be the default in the future as well: these
                 * options must be explicitly enabled if used together with
                 * userxattr.
                 */
                config->redirect_mode = OVL_REDIRECT_NOFOLLOW;
                config->metacopy = false;
        }

So maybe also the lowerdatadirs vs metacopy conflict should be moved
to the end of
ovl_fs_params_verify()?

> +               if (!capable(CAP_SYS_ADMIN)) {
> +                       pr_err("lower data-only dirs require CAP_SYS_ADMIN in the initial user namespace.\n");
> +                       err = -EPERM;
> +                       goto out_err;
> +               }

This is too specific IMO.

If we really want to check CAP_SYS_ADMIN at mount time, we should error
on any configuration that requires trusted xattrs and suggest that the user
will use -o userxattr, and maybe disable the conflicting config if it was not
explicitly specified in mount options.

Of course, userxattr conflicts with some other options including
redirect_dir, metacopy and verity, but that just means that the errors
will have to be smarter and the check for CAP_SYS_ADMIN should
definitely be in ovl_fs_params_verify() if we add them.

Thanks,
Amir.





[Index of Archives]     [Linux Filesystems Devel]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux