On Wed, Feb 10, 2021 at 06:50:57PM -0500, Paul Moore wrote:
> On Tue, Feb 9, 2021 at 3:02 PM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
> >
> > Now overlayfs allows unprivileged mounts. That is, root inside a non-init
> > user namespace can mount overlayfs. This was added in 5.10 kernel.

Actually this is being added in 5.11 kernel (and not 5.10 kernel). Paul,
can you please fix this while committing. If you want me to repost, let
me know.

> >
> > Giuseppe tried to mount overlayfs with option "context" and it failed
> > with error -EACCESS.
> >
> > $ su test
> > $ unshare -rm
> > $ mkdir -p lower upper work merged
> > $ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged
> >
> > This fails with -EACCESS. It works if option "-o context" is not specified.
> >
> > A little debugging showed that selinux_set_mnt_opts() returns -EACCESS.
> >
> > So this patch adds "overlay" to the list, where it is fine to specify
> > context from non init_user_ns.
> >
> > Reported-by: Giuseppe Scrivano <gscrivan@xxxxxxxxxx>
> > Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx>
> > ---
> >  security/selinux/hooks.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
>
> This seems reasonable, but since we are at -rc7 this week it will need
> to wait until after the upcoming merge window. It's too late in the
> cycle for new features.

I am fine with this going in 5.12 kernel. Thanks Paul.

Vivek