Re: [PATCH][v2] selinux: Allow context mounts for unpriviliged overlayfs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2/11/21 16:24, Paul Moore wrote:
On Thu, Feb 11, 2021 at 1:03 PM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
Now overlayfs allow unpriviliged mounts. That is root inside a non-init
user namespace can mount overlayfs. This is being added in 5.11 kernel.

Giuseppe tried to mount overlayfs with option "context" and it failed
with error -EACCESS.

$ su test
$ unshare -rm
$ mkdir -p lower upper work merged
$ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged

This fails with -EACCESS. It works if option "-o context" is not specified.

Little debugging showed that selinux_set_mnt_opts() returns -EACCESS.

So this patch adds "overlay" to the list, where it is fine to specific
context from non init_user_ns.

v2: Fixed commit message to reflect that unpriveleged overlayfs mount is
     being added in 5.11 and not in 5.10 kernel.

Reported-by: Giuseppe Scrivano <gscrivan@xxxxxxxxxx>
Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx>
---
  security/selinux/hooks.c |    3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
Thanks Vivek, once the merge window closes I'll merge this into
selinux/next and send a note to this thread.

In order for us to take advantage of rootless overlay we need this feature ASAP.




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux