On 2/11/21 16:24, Paul Moore wrote:
On Thu, Feb 11, 2021 at 1:03 PM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
Now overlayfs allow unpriviliged mounts. That is root inside a non-init
user namespace can mount overlayfs. This is being added in 5.11 kernel.
Giuseppe tried to mount overlayfs with option "context" and it failed
with error -EACCESS.
$ su test
$ unshare -rm
$ mkdir -p lower upper work merged
$ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged
This fails with -EACCESS. It works if option "-o context" is not specified.
Little debugging showed that selinux_set_mnt_opts() returns -EACCESS.
So this patch adds "overlay" to the list, where it is fine to specific
context from non init_user_ns.
v2: Fixed commit message to reflect that unpriveleged overlayfs mount is
being added in 5.11 and not in 5.10 kernel.
Reported-by: Giuseppe Scrivano <gscrivan@xxxxxxxxxx>
Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx>
---
security/selinux/hooks.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Thanks Vivek, once the merge window closes I'll merge this into
selinux/next and send a note to this thread.
In order for us to take advantage of rootless overlay we need this
feature ASAP.