[Devel] [PATCH RHEL9 COMMIT] ovl: replace capable by ve_capable for indexing feature

Konstantin Khorenko khorenko at virtuozzo.com
Mon Nov 15 16:09:17 MSK 2021


The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh9-5.14.0-4.vz9.10.27
------>
commit 6c5412d0288c2de931d2051482245800dbb585ab
Author: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
Date:   Mon Nov 15 16:09:17 2021 +0300

    ovl: replace capable by ve_capable for indexing feature
    
    After unprivileged overlayfs mounts were introduced in mainstream,
    the privilege model was changed.
    
    Commit c846af050f ("ovl: check privs before decoding file handle")
    adds capable(CAP_DAC_READ_SEARCH) checks into ovl_decode_real_fh
    and ovl_can_decode_fh functions. This breaks checkpoint/restore
    of fanotifies because during ovl mounting we call
    ovl_can_decode_fh to check if the underlying fs supports file handles;
    with capable(CAP_DAC_READ_SEARCH), ovl_can_decode_fh always
    returns zero inside the container. On HN dmesg we can see:
    [..] overlayfs: upper fs does not support file handles, falling back to index=off.
    [..] overlayfs: NFS export requires "index=on", falling back to nfs_export=off.
    
    But nfs_export and indexing features are required to make C/R
    work.
    
    It looks safe to replace the capable checks with ve_capable. This
    should not lead to privilege escalation scenarios because the
    user inside the container works in an isolated mount namespace.
    
    It's important to notice that the open_by_handle_at syscall
    is still prohibited from inside the CT because we have the
    corresponding CAP_DAC_READ_SEARCH check in the handle_to_path()
    function.
    
    See also:
    1d2a838ec ("configs: Set overlayfs nfs_export option to true")
    for additional information about the original problem.
    
    https://jira.sw.ru/browse/PSBM-135561
    
    Fixes: c846af050f ("ovl: check privs before decoding file handle")
    
    Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
---
 fs/overlayfs/namei.c | 2 +-
 fs/overlayfs/util.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
index 4aec6b29f717..169cd0244bdf 100644
--- a/fs/overlayfs/namei.c
+++ b/fs/overlayfs/namei.c
@@ -156,7 +156,7 @@ struct dentry *ovl_decode_real_fh(struct ovl_fs *ofs, struct ovl_fh *fh,
 	struct dentry *real;
 	int bytes;
 
-	if (!capable(CAP_DAC_READ_SEARCH))
+	if (!ve_capable(CAP_DAC_READ_SEARCH))
 		return NULL;
 
 	/*
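Review bot: the switch from capable() to ve_capable() on the CAP_DAC_READ_SEARCH gate in ovl_decode_real_fh changes a security boundary without any comment at the site; the justification (container-scoped capability is enough because the mount namespace is isolated and handle_to_path() still does a full capable() check) exists only in the commit message. Since the c846af050f check this relaxes was added precisely because decoding a file handle bypasses the DAC path walk on the underlying fs, please add a short comment above the ve_capable() line recording that reasoning, so the next reader does not silently re-tighten or further loosen it. Also worth confirming in the hunk's surrounding logic: when ovl_decode_real_fh runs for an overlay whose layers were set up from the HN and are shared with the container, is ve_capable() evaluated against the intended VE, or could a container-side caller reach handles that belong to layers outside its own mount tree?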
diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index 0dd8356e1145..aec536653ad2 100644
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -52,7 +52,7 @@ const struct cred *ovl_override_creds(struct super_block *sb)
  */
 int ovl_can_decode_fh(struct super_block *sb)
 {
-	if (!capable(CAP_DAC_READ_SEARCH))
+	if (!ve_capable(CAP_DAC_READ_SEARCH))
 		return 0;
 
 	if (!sb->s_export_op || !sb->s_export_op->fh_to_dentry)
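Review bot: with ve_capable() in ovl_can_decode_fh the only remaining condition is whether sb->s_export_op provides fh_to_dentry, so every overlay mount performed from inside a container will now keep index=on and nfs_export=on instead of taking the "falling back to index=off" path the commit message quotes; that is broader than the C/R case that motivated the change. Please state in the commit message or in a comment that enabling the index and NFS-export features for all container-initiated overlay mounts is intended, and update the function's header comment (the `*/` closing it at the top of this hunk) to say the capability test is per-VE. The dmesg fallback lines in the commit message are the symptom; a regression note covering the non-C/R mounts that change behaviour would make the review easier.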


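The commit message argues that the change is safe because open_by_handle_at() is still refused inside the CT by the CAP_DAC_READ_SEARCH check in handle_to_path(). Below is an added user-space probe for checking exactly that property on a running system; it is example code written for this page, not part of the patch or of the vzkernel tree. It goes through syscall() with its own handle buffer rather than glibc's name_to_handle_at()/open_by_handle_at() wrappers so that it compiles regardless of feature macros; the struct name, the enum values, the function names and the 128-byte handle size (the kernel's MAX_HANDLE_SZ) are this example's own assumptions. Run it inside a container as an unprivileged user: on an exporting fs you should see EPERM, on an overlay whose layers the kernel reports as not exporting handles you should see "unsupported" from name_to_handle_at itself.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Same layout as the kernel's struct file_handle; the name is ours. */
struct fh_buf {
	unsigned int handle_bytes;    /* in: buffer size, out: bytes used */
	int handle_type;
	unsigned char f_handle[128];  /* MAX_HANDLE_SZ in the kernel ABI */
};

/* Outcome of a name_to_handle_at() -> open_by_handle_at() round trip.
 * (Enum names are this example's own, not kernel identifiers.) */
enum fh_probe {
	FH_OPENED = 0,        /* open_by_handle_at() returned a usable fd */
	FH_DENIED_EPERM = 1,  /* EPERM: the CAP_DAC_READ_SEARCH check in handle_to_path() */
	FH_UNSUPPORTED = 2,   /* fs exports no handles (EOPNOTSUPP) or no syscall (ENOSYS) */
	FH_OTHER_ERROR = 3    /* anything else; errno is stored in *err */
};

/* 1 if CAP_DAC_READ_SEARCH (capability number 2) is in this process's
 * effective set, read from the CapEff line of /proc/self/status. */
int has_cap_dac_read_search(void)
{
	FILE *f = fopen("/proc/self/status", "r");
	char line[256];
	int present = 0;

	if (!f)
		return 0;
	while (fgets(line, sizeof line, f)) {
		unsigned long long eff;

		if (sscanf(line, "CapEff: %llx", &eff) == 1) {
			present = (int)((eff >> 2) & 1ULL);
			break;
		}
	}
	fclose(f);
	return present;
}

static enum fh_probe classify(int e)
{
	if (e == EPERM)
		return FH_DENIED_EPERM;
	if (e == EOPNOTSUPP || e == ENOSYS)
		return FH_UNSUPPORTED;
	return FH_OTHER_ERROR;
}

/* Resolve `path` to a file handle, then try to reopen it via the handle.
 * `path` itself, opened O_RDONLY, serves as the mount fd argument. */
enum fh_probe probe_open_by_handle(const char *path, int *err)
{
	struct fh_buf fh;
	int mount_id = 0, mount_fd;
	long fd;
	enum fh_probe res;

	*err = 0;
	fh.handle_bytes = sizeof fh.f_handle;
	/* EOPNOTSUPP here means the fs has no usable export ops, the same
	 * condition ovl_can_decode_fh() tests on the overlay layers. */
	if (syscall(SYS_name_to_handle_at, AT_FDCWD, path, &fh, &mount_id, 0) < 0) {
		*err = errno;
		return classify(*err);
	}

	mount_fd = open(path, O_RDONLY);
	if (mount_fd < 0) {
		*err = errno;
		return FH_OTHER_ERROR;
	}

	fd = syscall(SYS_open_by_handle_at, mount_fd, &fh, O_RDONLY);
	if (fd >= 0) {
		close((int)fd);
		res = FH_OPENED;
	} else {
		*err = errno;
		res = classify(*err);
	}
	close(mount_fd);
	return res;
}

int main(int argc, char **argv)
{
	static const char *names[] = { "opened", "EPERM (denied)", "unsupported", "other error" };
	const char *path = argc > 1 ? argv[1] : "/";
	int err = 0;
	enum fh_probe r = probe_open_by_handle(path, &err);

	printf("%s: open_by_handle_at -> %s (errno %d), CAP_DAC_READ_SEARCH %s\n",
	       path, names[r], err, has_cap_dac_read_search() ? "present" : "absent");
	return 0;
}
```

The invariant to check is the one the commit message relies on: a process whose effective set lacks CAP_DAC_READ_SEARCH must never get FH_OPENED, whatever the underlying fs is. If a container root gets FH_OPENED while has_cap_dac_read_search() reports the capability absent, the handle_to_path() gate the message counts on is not in effect on that kernel.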