From patchwork Thu Jul 6 20:45:17 2023
X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo
X-Patchwork-Id: 1804502
From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [SRU Kinetic, Lunar, OEM-6.0, OEM-6.1 3/3] UBUNTU: SAUCE: overlayfs: default to userxattr when mounted from non initial user namespace
Date: Thu, 6 Jul 2023 17:45:17 -0300
Message-Id: <20230706204517.1071559-5-cascardo@canonical.com>
In-Reply-To: <20230706204517.1071559-1-cascardo@canonical.com>
References: <20230706204517.1071559-1-cascardo@canonical.com>
List-Id: Kernel team discussions

Also add a nouserxattr for the cases where it is desirable to mount
without userxattr under such namespaces. This allows cases where such
xattrs are necessary for certain operations to work out, instead of
failing due to not being able to use the trusted.overlay.* xattrs.

CVE-2023-2640
CVE-2023-32629
LP: #1531747

Signed-off-by: Thadeu Lima de Souza Cascardo
---
 fs/overlayfs/super.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index 85b891152a2c..bf031d88a842 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -391,6 +391,8 @@ static int ovl_show_options(struct seq_file *m, struct dentry *dentry) seq_puts(m, ",volatile"); if (ofs->config.userxattr) seq_puts(m, ",userxattr"); + else + seq_puts(m, ",nouserxattr"); return 0; } @@ -439,6 +441,7 @@ enum { OPT_UUID_OFF, OPT_NFS_EXPORT_ON, OPT_USERXATTR, + OPT_NOUSERXATTR, OPT_NFS_EXPORT_OFF, OPT_XINO_ON, OPT_XINO_OFF, @@ -458,6 +461,7 @@ static const match_table_t ovl_tokens = { {OPT_INDEX_ON, "index=on"}, {OPT_INDEX_OFF, "index=off"}, {OPT_USERXATTR, "userxattr"}, + {OPT_NOUSERXATTR, "nouserxattr"}, {OPT_UUID_ON, "uuid=on"}, {OPT_UUID_OFF, "uuid=off"}, {OPT_NFS_EXPORT_ON, "nfs_export=on"}, @@ -628,6 +632,10 @@ static int ovl_parse_opt(char *opt, struct ovl_config *config) config->userxattr = true; break; + case OPT_NOUSERXATTR: + config->userxattr = false; + break; + default: pr_err("unrecognized mount option \"%s\" or missing value\n", p); @@ -1926,6 +1934,8 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent) ofs->config.nfs_export = ovl_nfs_export_def; ofs->config.xino = ovl_xino_def(); ofs->config.metacopy = ovl_metacopy_def; + if (sb->s_user_ns != &init_user_ns) + ofs->config.userxattr = true; err = ovl_parse_opt((char *) data, &ofs->config); if (err) goto out_err;
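Review bot: in the ovl_show_options hunk, the new `else seq_puts(m, ",nouserxattr");` is unconditional, so the /proc/self/mounts line of every overlay mount that does not use userxattr changes, including mounts from the initial user namespace where the default did not move; tooling that compares or replays mount options, and older kernels that do not accept the token, will now see an option they did not ask for. Consider emitting ",nouserxattr" only when it differs from the effective default for that mount (sb->s_user_ns != &init_user_ns and userxattr turned off), which keeps remount fidelity without touching unaffected mounts.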
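Review bot: the OPT_NOUSERXATTR case in the ovl_parse_opt hunk lets a mount from a non-initial user namespace opt back into the trusted.overlay.* handling that this series is restricting (CVE-2023-2640, CVE-2023-32629), and the commit message only says the option is "desirable" for some cases; it should state why allowing that from an unprivileged mounter is safe, i.e. what in patches 1/3 and 2/3 makes the trusted xattr path acceptable, so the security reasoning is recorded with the change. The new option and the changed default also need an entry in the overlayfs mount-option documentation, which this patch does not touch.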
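Review bot: in the ovl_fill_super hunk the namespace default is applied before ovl_parse_opt runs, which is the right order for nouserxattr to override it, but it also means anything downstream that keys off config->userxattr (any conflict checks inside ovl_parse_opt, and ovl_show_options) now behaves as if the caller had passed userxattr explicitly, so an error message that names userxattr as a conflicting option can be reported for a mount that never specified it; check that those messages still make sense. A short comment above `if (sb->s_user_ns != &init_user_ns)` pointing at the CVEs would help, since this is a SAUCE change diverging from upstream, and the commit message should call out that lower layers carrying trusted.overlay.* metadata are interpreted differently when mounted from a user namespace unless nouserxattr is given.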