[Devel] [PATCH RH9] ovl: replace capable by ve_capable for indexing feature

Alexander Mikhalitsyn alexander.mikhalitsyn at virtuozzo.com
Wed Nov 10 12:49:23 MSK 2021


After unprivileged overlayfs mounts were introduced in mainstream,
the privilege model was changed.

Commit c846af050f ("ovl: check privs before decoding file handle")
adds capable(CAP_DAC_READ_SEARCH) checks into ovl_decode_real_fh
and ovl_can_decode_fh functions. This breaks checkpoint/restore
of fanotifies because during ovl mounting we call
ovl_can_decode_fh to check if underlying fs supports file handles,
with capable(CAP_DAC_READ_SEARCH) ovl_can_decode_fh always
returns zero inside the container. On HN dmesg we can see:
[..] overlayfs: upper fs does not support file handles, falling back to index=off.
[..] overlayfs: NFS export requires "index=on", falling back to nfs_export=off.

But nfs_export and indexing features are required to make C/R
work.

It looks safe to replace capable checks with ve_capable. This
should not lead to privilege escalation scenarios because the
user inside the container works in an isolated mount namespace.

It's important to notice that open_by_handle_at syscall
is still prohibited from inside the CT because we have
corresponding CAP_DAC_READ_SEARCH check in the handle_to_path()
function.

See also:
1d2a838ec ("configs: Set overlayfs nfs_export option to true")
for additional information about the original problem.

https://jira.sw.ru/browse/PSBM-135561

Fixes: c846af050f ("ovl: check privs before decoding file handle")

Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
---
 fs/overlayfs/namei.c | 2 +-
 fs/overlayfs/util.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
index 4aec6b29f717..169cd0244bdf 100644
--- a/fs/overlayfs/namei.c
+++ b/fs/overlayfs/namei.c
@@ -156,7 +156,7 @@ struct dentry *ovl_decode_real_fh(struct ovl_fs *ofs, struct ovl_fh *fh,
 	struct dentry *real;
 	int bytes;
 
-	if (!capable(CAP_DAC_READ_SEARCH))
+	if (!ve_capable(CAP_DAC_READ_SEARCH))
 		return NULL;
 
 	/*
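Review bot: the relaxation from capable() to ve_capable() in ovl_decode_real_fh() is justified only in the commit message (mount-namespace isolation plus the CAP_DAC_READ_SEARCH check kept in handle_to_path()), and nothing at the call site records that this is a deliberate divergence from the mainstream hardening named in the Fixes: tag. Add a short comment above the check, e.g. `/* VE-level capability is sufficient here: the handle comes from ovl's own metadata and open_by_handle_at() keeps the global check */`, so a later reader does not "fix" it back to capable() and silently break fanotify C/R again.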
diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index 0dd8356e1145..aec536653ad2 100644
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -52,7 +52,7 @@ const struct cred *ovl_override_creds(struct super_block *sb)
  */
 int ovl_can_decode_fh(struct super_block *sb)
 {
-	if (!capable(CAP_DAC_READ_SEARCH))
+	if (!ve_capable(CAP_DAC_READ_SEARCH))
 		return 0;
 
 	if (!sb->s_export_op || !sb->s_export_op->fh_to_dentry)
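Review bot: since ovl_can_decode_fh() is evaluated at mount time, after this hunk its result depends on the capabilities of the mounting task in its VE rather than on the global capability set, which is the intended effect for index=on and nfs_export=on inside a container; a container mount whose task lacks CAP_DAC_READ_SEARCH in its VE will still take the "falling back to index=off" path quoted in the commit message. A one-line comment above the check stating that the capability is checked in the mounting VE's context would make that behaviour visible where the fallback is decided.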
-- 
2.31.1
