From: Nicolas Schier Subject: ovl: permit overlayfs mounts in user namespaces (taints kernel) Date: Mon, 19 Nov 2018 20:36:14 +0100 Permit overlayfs mounts within user namespaces to allow utilisation of e.g. unprivileged LXC overlay snapshots. Except by the Ubuntu community [1], overlayfs mounts in user namespaces are expected to be a security risk [2] and thus are not enabled on upstream Linux kernels. For the non-Ubuntu users that have to stick to unprivileged overlay-based LXCs, this meant to patch and compile the kernel manually. Instead, adding the kernel tainting 'permit_mounts_in_userns' module parameter allows a kind of a user-friendly way to enable the feature. Testable with: sudo modprobe overlay permit_mounts_in_userns=1 sudo sysctl -w kernel.unprivileged_userns_clone=1 mkdir -p lower upper work mnt unshare --map-root-user --mount \ mount -t overlay none mnt \ -o lowerdir=lower,upperdir=upper,workdir=work [1]: Ubuntu allows unprivileged mounting of overlay filesystem https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html [2]: User namespaces + overlayfs = root privileges https://lwn.net/Articles/671641/ Signed-off-by: Nicolas Schier Index: linux/fs/overlayfs/super.c =================================================================== --- linux.orig/fs/overlayfs/super.c +++ linux/fs/overlayfs/super.c @@ -56,6 +56,11 @@ module_param_named(xino_auto, ovl_xino_a MODULE_PARM_DESC(ovl_xino_auto_def, "Auto enable xino feature"); +static bool ovl_permit_mounts_in_userns; +module_param_named_unsafe(permit_mounts_in_userns, ovl_permit_mounts_in_userns, + bool, 0444); +MODULE_PARM_DESC(permit_mounts_in_userns, "Permit mounts in user namespaces"); + static void ovl_entry_stack_free(struct ovl_entry *oe) { unsigned int i; @@ -1715,6 +1720,11 @@ static int __init ovl_init(void) if (ovl_inode_cachep == NULL) return -ENOMEM; + if (unlikely(ovl_permit_mounts_in_userns)) { + pr_warn("overlayfs: Allowing overlay mounts in user namespaces bears security risks\n"); + ovl_fs_type.fs_flags |= FS_USERNS_MOUNT; + } + err = register_filesystem(&ovl_fs_type); if (err) kmem_cache_destroy(ovl_inode_cachep);