@@ -391,6 +391,8 @@ static int ovl_show_options(struct seq_file *m, struct dentry *dentry)
seq_puts(m, ",volatile");
if (ofs->config.userxattr)
seq_puts(m, ",userxattr");
+ else
+ seq_puts(m, ",nouserxattr");
return 0;
}
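Review bot: The added `else` in ovl_show_options prints `,nouserxattr` for every mount with userxattr off, including mounts from the initial user namespace, where off is already the default. That changes the option string reported for all existing overlay mounts, and a string copied from it would hit the `unrecognized mount option` error on a kernel without this patch. Printing it only when it differs from the namespace default would avoid both, e.g. `else if (dentry->d_sb->s_user_ns != &init_user_ns)`. The start of the function is outside this hunk, so an existing local for the superblock may be usable instead of `dentry->d_sb`.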
@@ -439,6 +441,7 @@ enum {
OPT_UUID_OFF,
OPT_NFS_EXPORT_ON,
OPT_USERXATTR,
+ OPT_NOUSERXATTR,
OPT_NFS_EXPORT_OFF,
OPT_XINO_ON,
OPT_XINO_OFF,
@@ -458,6 +461,7 @@ static const match_table_t ovl_tokens = {
{OPT_INDEX_ON, "index=on"},
{OPT_INDEX_OFF, "index=off"},
{OPT_USERXATTR, "userxattr"},
+ {OPT_NOUSERXATTR, "nouserxattr"},
{OPT_UUID_ON, "uuid=on"},
{OPT_UUID_OFF, "uuid=off"},
{OPT_NFS_EXPORT_ON, "nfs_export=on"},
@@ -628,6 +632,10 @@ static int ovl_parse_opt(char *opt, struct ovl_config *config)
config->userxattr = true;
break;
+ case OPT_NOUSERXATTR:
+ config->userxattr = false;
+ break;
+
default:
pr_err("unrecognized mount option \"%s\" or missing value\n",
p);
@@ -1926,6 +1934,8 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
ofs->config.nfs_export = ovl_nfs_export_def;
ofs->config.xino = ovl_xino_def();
ofs->config.metacopy = ovl_metacopy_def;
+ if (sb->s_user_ns != &init_user_ns)
+ ofs->config.userxattr = true;
err = ovl_parse_opt((char *) data, &ofs->config);
if (err)
goto out_err;
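Review bot: The default set by `if (sb->s_user_ns != &init_user_ns)` is applied before `ovl_parse_opt()`, so the mounter's own option string can turn it off again with `nouserxattr`. The commit message presents this as intended, but it means the new default only protects mounts that do not pass the option. Whether the trusted.overlay.* path is separately restricted for non-initial namespaces is not visible in these hunks and should be confirmed. The block also has no comment explaining the namespace check; something like `/* userns mounts default to user.overlay.* xattrs; nouserxattr explicitly opts back into trusted.overlay.* */` would record the intent and the override. ovl_fill_super begins and continues outside this hunk.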
Also add a nouserxattr for the cases where it is desirable to mount without userxattr under such namespaces. This allows cases where such xattrs are necessary for certain operations to work out, instead of failing due to not being able to use the trusted.overlay.* xattrs. CVE-2023-2640 CVE-2023-32629 LP: #1531747 Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> --- fs/overlayfs/super.c | 10 ++++++++++ 1 file changed, 10 insertions(+)