[Devel] [PATCH RH9] ovl: replace capable by ve_capable for indexing feature
Alexander Mikhalitsyn
alexander.mikhalitsyn at virtuozzo.com
Wed Nov 10 12:49:23 MSK 2021
After unprivileged overlayfs mounts were introduced in mainstream,
the privilege model was changed.
Commit c846af050f ("ovl: check privs before decoding file handle")
adds capable(CAP_DAC_READ_SEARCH) checks into ovl_decode_real_fh
and ovl_can_decode_fh functions. This breaks checkpoint/restore
of fanotifies because during ovl mounting we call
ovl_can_decode_fh to check if the underlying fs supports file handles;
with capable(CAP_DAC_READ_SEARCH), ovl_can_decode_fh always
returns zero inside the container. On HN dmesg we can see:
[..] overlayfs: upper fs does not support file handles, falling back to index=off.
[..] overlayfs: NFS export requires "index=on", falling back to nfs_export=off.
But nfs_export and indexing features are required to make C/R
work.
It looks safe to replace capable checks with ve_capable. This
should not lead to privilege escalation scenarios because the
user inside the container works in an isolated mount namespace.
It's important to notice that open_by_handle_at syscall
is still prohibited from inside the CT because we have
corresponding CAP_DAC_READ_SEARCH check in the handle_to_path()
function.
See also:
1d2a838ec ("configs: Set overlayfs nfs_export option to true")
for additional information about the original problem.
https://jira.sw.ru/browse/PSBM-135561
Fixes: c846af050f ("ovl: check privs before decoding file handle")
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
---
fs/overlayfs/namei.c | 2 +-
fs/overlayfs/util.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
index 4aec6b29f717..169cd0244bdf 100644
--- a/fs/overlayfs/namei.c
+++ b/fs/overlayfs/namei.c
@@ -156,7 +156,7 @@ struct dentry *ovl_decode_real_fh(struct ovl_fs *ofs, struct ovl_fh *fh,
struct dentry *real;
int bytes;
- if (!capable(CAP_DAC_READ_SEARCH))
+ if (!ve_capable(CAP_DAC_READ_SEARCH))
return NULL;
/*
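Review bot: the comment block that starts right after the changed check (the `/*` in the trailing context) still describes the original capable(CAP_DAC_READ_SEARCH) rationale and is not touched by this hunk; since the check is now evaluated against the VE rather than the init namespace, the reasoning from the commit message (mount namespace isolation, open_by_handle_at still gated by handle_to_path()) belongs in that comment so the deliberate asymmetry between the two CAP_DAC_READ_SEARCH checks survives future rebases onto mainline c846af050f.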
diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index 0dd8356e1145..aec536653ad2 100644
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -52,7 +52,7 @@ const struct cred *ovl_override_creds(struct super_block *sb)
*/
int ovl_can_decode_fh(struct super_block *sb)
{
- if (!capable(CAP_DAC_READ_SEARCH))
+ if (!ve_capable(CAP_DAC_READ_SEARCH))
return 0;
if (!sb->s_export_op || !sb->s_export_op->fh_to_dentry)
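Review bot: this mount-time probe and the per-lookup check in ovl_decode_real_fh must agree, otherwise a mount that now enables index/nfs_export inside a container can later see decode failures; the hunk context shows ovl_override_creds() in this file, so please confirm in the commit message that ve_capable(CAP_DAC_READ_SEARCH) resolves the same way in both paths regardless of overridden creds, and update the kerneldoc closed by the `*/` line above the function to state that the capability is now VE-scoped.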
--
2.31.1