On Thu, Feb 11, 2021 at 4:24 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > On Thu, Feb 11, 2021 at 1:03 PM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote: > > > > Now overlayfs allow unpriviliged mounts. That is root inside a non-init > > user namespace can mount overlayfs. This is being added in 5.11 kernel. > > > > Giuseppe tried to mount overlayfs with option "context" and it failed > > with error -EACCESS. > > > > $ su test > > $ unshare -rm > > $ mkdir -p lower upper work merged > > $ mount -t overlay -o lowerdir=lower,workdir=work,upperdir=upper,userxattr,context='system_u:object_r:container_file_t:s0' none merged > > > > This fails with -EACCESS. It works if option "-o context" is not specified. > > > > Little debugging showed that selinux_set_mnt_opts() returns -EACCESS. > > > > So this patch adds "overlay" to the list, where it is fine to specific > > context from non init_user_ns. > > > > v2: Fixed commit message to reflect that unpriveleged overlayfs mount is > > being added in 5.11 and not in 5.10 kernel. > > > > Reported-by: Giuseppe Scrivano <gscrivan@xxxxxxxxxx> > > Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx> > > --- > > security/selinux/hooks.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > Thanks Vivek, once the merge window closes I'll merge this into > selinux/next and send a note to this thread. I just merged this into my local selinux/next and will be pushing it to kernel.org later tonight. Thanks! -- paul moore www.paul-moore.com