On Thu, Feb 11, 2021 at 5:41 PM Daniel Walsh <dwalsh@xxxxxxxxxx> wrote:
> On 2/11/21 16:24, Paul Moore wrote:
> > On Thu, Feb 11, 2021 at 1:03 PM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
> >> Now overlayfs allows unprivileged mounts. That is, root inside a non-init
> >> user namespace can mount overlayfs. This is being added in the 5.11 kernel.
> >>
> >> Giuseppe tried to mount overlayfs with option "context" and it failed
> >> with error -EACCESS.
> >>
> >> $ su test
> >> $ unshare -rm
> >> $ mkdir -p lower upper work merged
> >> $ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged
> >>
> >> This fails with -EACCESS. It works if option "-o context" is not specified.
> >>
> >> Little debugging showed that selinux_set_mnt_opts() returns -EACCESS.
> >>
> >> So this patch adds "overlay" to the list, where it is fine to specify
> >> context from non init_user_ns.
> >>
> >> v2: Fixed commit message to reflect that unprivileged overlayfs mount is
> >> being added in 5.11 and not in 5.10 kernel.
> >>
> >> Reported-by: Giuseppe Scrivano <gscrivan@xxxxxxxxxx>
> >> Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx>
> >> ---
> >> security/selinux/hooks.c | 3 ++-
> >> 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > Thanks Vivek, once the merge window closes I'll merge this into
> > selinux/next and send a note to this thread.
>
> In order for us to take advantage of rootless overlay we need this
> feature ASAP.

It will get merged into selinux/next *after* this upcoming merge window.
I'm sorry, but -rc7 is just too late for new functionality; kernel
changes need to soak before hitting Linus' tree and with the merge window
opening in about three days that simply isn't enough time.

Come on Dan, even you have to know that ...

-- 
paul moore
www.paul-moore.com