[Devel] [PATCH RH9] ovl: replace capable by ve_capable for indexing feature

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Wed Nov 10 13:33:06 MSK 2021


Looks reasonable.

Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

On 10.11.2021 12:49, Alexander Mikhalitsyn wrote:
> After unprivileged overlayfs mounts were introduced in mainstream,
> the privilege model was changed.
> 
> Commit c846af050f ("ovl: check privs before decoding file handle")
> adds capable(CAP_DAC_READ_SEARCH) checks into ovl_decode_real_fh
> and ovl_can_decode_fh functions. This breaks checkpoint/restore
> of fanotifies because during ovl mounting we call
> ovl_can_decode_fh to check if underlying fs supports file handles,
> with capable(CAP_DAC_READ_SEARCH) ovl_can_decode_fh always
> returns zero inside the container. On HN dmesg we can see:
> [..] overlayfs: upper fs does not support file handles, falling back to index=off.
> [..] overlayfs: NFS export requires "index=on", falling back to nfs_export=off.
> 
> But nfs_export and indexing features are required to make C/R
> work.
> 
> It looks safe to replace capable checks with ve_capable. This
> should not lead to privilege escalation scenarios because the
> user inside the container works in an isolated mount namespace.
> 
> It's important to note that the open_by_handle_at syscall
> is still prohibited from inside the CT because we have a
> corresponding CAP_DAC_READ_SEARCH check in the handle_to_path()
> function.
> 
> See also:
> 1d2a838ec ("configs: Set overlayfs nfs_export option to true")
> for additional information about the original problem.
> 
> https://jira.sw.ru/browse/PSBM-135561
> 
> Fixes: c846af050f ("ovl: check privs before decoding file handle")
> 
> Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
> ---
>   fs/overlayfs/namei.c | 2 +-
>   fs/overlayfs/util.c  | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
> index 4aec6b29f717..169cd0244bdf 100644
> --- a/fs/overlayfs/namei.c
> +++ b/fs/overlayfs/namei.c
> @@ -156,7 +156,7 @@ struct dentry *ovl_decode_real_fh(struct ovl_fs *ofs, struct ovl_fh *fh,
>   	struct dentry *real;
>   	int bytes;
>   
> -	if (!capable(CAP_DAC_READ_SEARCH))
> +	if (!ve_capable(CAP_DAC_READ_SEARCH))
>   		return NULL;
>   
>   	/*
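Review bot: the relaxed check in ovl_decode_real_fh() is the only gate visible before the fh passed in is decoded, and the commit message's justification (the caller sits in an isolated mount namespace) does not say what bounds the decode itself, which operates on the real underlying filesystem rather than on what is mounted into the container. Before taking this, please state in the commit message, or in a comment next to `if (!ve_capable(CAP_DAC_READ_SEARCH))`, why a task that passes ve_capable() here cannot get an attacker-chosen handle in front of this function; that argument, not the mount-namespace one, is what makes replacing capable() safe.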
> diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
> index 0dd8356e1145..aec536653ad2 100644
> --- a/fs/overlayfs/util.c
> +++ b/fs/overlayfs/util.c
> @@ -52,7 +52,7 @@ const struct cred *ovl_override_creds(struct super_block *sb)
>    */
>   int ovl_can_decode_fh(struct super_block *sb)
>   {
> -	if (!capable(CAP_DAC_READ_SEARCH))
> +	if (!ve_capable(CAP_DAC_READ_SEARCH))
>   		return 0;
>   
>   	if (!sb->s_export_op || !sb->s_export_op->fh_to_dentry)
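Review bot: the comment block that closes just above ovl_can_decode_fh() should say that the capability check is now VE-scoped, since the function's result now depends on the VE of the mounting task and, per the commit message, that result decides whether index=on and nfs_export=on survive for the lifetime of the mount. A one-line comment on the check pointing at the remaining CAP_DAC_READ_SEARCH gate in handle_to_path() would also keep a later reader from "fixing" `ve_capable(CAP_DAC_READ_SEARCH)` back to `capable()` as a security regression.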
> 

-- 
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.

