On 2/11/21 18:28, Paul Moore wrote:
On Thu, Feb 11, 2021 at 5:41 PM Daniel Walsh <dwalsh@xxxxxxxxxx> wrote:
On 2/11/21 16:24, Paul Moore wrote:
On Thu, Feb 11, 2021 at 1:03 PM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
Now overlayfs allows unprivileged mounts. That is, root inside a non-init
user namespace can mount overlayfs. This is being added in the 5.11 kernel.
Giuseppe tried to mount overlayfs with option "context" and it failed
with error -EACCES.
$ su test
$ unshare -rm
$ mkdir -p lower upper work merged
$ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged
This fails with -EACCES. It works if option "-o context" is not specified.
A little debugging showed that selinux_set_mnt_opts() returns -EACCES.
So this patch adds "overlay" to the list of filesystems for which it is fine to
specify context from a non-init_user_ns.
v2: Fixed commit message to reflect that unprivileged overlayfs mount is
being added in the 5.11 and not in the 5.10 kernel.
Reported-by: Giuseppe Scrivano <gscrivan@xxxxxxxxxx>
Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx>
---
security/selinux/hooks.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Thanks Vivek, once the merge window closes I'll merge this into
selinux/next and send a note to this thread.
In order for us to take advantage of rootless overlay we need this
feature ASAP.
It will get merged into selinux/next *after* this upcoming merge
window. I'm sorry, but -rc7 is just too late for new functionality;
kernel changes need to soak before hitting Linus' tree and with the
merge window opening in about three days that simply isn't enough
time. Come on Dan, even you have to know that ...
Well, if that is ASAP, then fine, next window. Sadly this delays us three
months from getting this feature out and tested, but we can live with this.
Once it gets into a release candidate we can push people to Rawhide to
begin testing it.