
kernel-packages team mailing list archive

[Bug 1531747] Re: overlay: mkdir fails if directory exists in lowerdir in a user namespace


I don't know why #2 is that much grosser than what's there now. It's
already only taking the cap for setting the xattr, and taking
CAP_SYS_ADMIN in init_user_ns seems to be what it's really wanting to do
there. The difference now though is that before that capability would
have been required to do the mount and now it isn't.

If we were to use ns_capable, which namespace do we use?
current_user_ns? Then that check becomes worthless because any user can
make a new namespace to bypass it. If we had the s_user_ns patches it
might make sense to use that, but that probably doesn't solve the
problem anyway since the lower mount was probably mounted in
init_user_ns.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1531747

Title:
  overlay: mkdir fails if directory exists in lowerdir in a user
  namespace

Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Wily:
  Triaged
Status in linux source package in Xenial:
  Triaged

Bug description:
  If a directory exists in the lowerdir but not in the mounted
  overlay, then mkdir of the directory in the target dir results
  in a mysterious -EPERM.  I've seen this both in wily kernel
  (4.2.0-22-generic #27-Ubuntu) and in a hand-built xenial
  master-next (with unrelated patches added).

  =====================================================
  #!/bin/sh -ex
  # Reproducer: remove a directory that exists only in the lower layer, then
  # recreate it through the overlay. Under -e the failing mkdir aborts the
  # script (the buggy outcome); the trailing echoes only run when it succeeds.
  dir=`mktemp -d`
  cleanup() {
   umount -l "$dir/t"
   rm -rf "$dir"
  }

  trap cleanup EXIT

  echo "dir is $dir"
  mkdir -p "$dir/l" "$dir/u" "$dir/w" "$dir/t"
  mkdir "$dir/l/dev"          # present in the lower layer only
  mount -t overlay -o "lowerdir=$dir/l,upperdir=$dir/u,workdir=$dir/w" o "$dir/t"
  stat "$dir/t/dev"
  rmdir "$dir/t/dev"          # overlay records a whiteout for the lower directory
  mkdir "$dir/t/dev"          # fails with EPERM inside a user namespace
  echo $?
  echo "mkdir should have succeeded"
  =====================================================

  The above will work on the host, but fail in a user namespace, i.e.,
  in a regular lxd container.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1531747/+subscriptions
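The reply above argues that checking ns_capable(current_user_ns(), CAP_SYS_ADMIN) would be worthless because any unprivileged process can create its own user namespace and hold that capability inside it. The following C program is an added illustration of that point, not code from the thread or from the kernel: it unshares a user namespace, maps its own uid/gid to 0 there, and reads back its effective capability set with capget(2). It assumes a Linux host; where unprivileged user namespaces are disabled, the unshare fails and the function reports -1 instead.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>
/* 1 if CAP_SYS_ADMIN is in this process's effective set, 0 if not, -1 on error. */
int have_cap_sys_admin(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    return (data[CAP_TO_INDEX(CAP_SYS_ADMIN)].effective & CAP_TO_MASK(CAP_SYS_ADMIN)) ? 1 : 0;
}

/* Write one line to a /proc/self mapping file; 0 on success, -1 on failure. */
static int write_map(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

/* Unshare a user namespace (no privilege needed where unprivileged user
 * namespaces are enabled), map our uid/gid to 0 inside it, and report whether
 * CAP_SYS_ADMIN is now held there: 1 yes, 0 no, -1 if the kernel refused the
 * unshare (e.g. EPERM in a sandbox that disables it). */
int cap_sys_admin_after_unshare(void)
{
    char line[64];
    if (unshare(CLONE_NEWUSER) != 0) return -1;
    write_map("/proc/self/setgroups", "deny");   /* required before gid_map */
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)getuid());
    write_map("/proc/self/uid_map", line);
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)getgid());
    write_map("/proc/self/gid_map", line);
    return have_cap_sys_admin();
}
int main(void)
{
    int before = have_cap_sys_admin();
    int after = cap_sys_admin_after_unshare();
    printf("CAP_SYS_ADMIN: before unshare %d, inside new user namespace %d\n", before, after);
    return 0;
}
```

Run as an ordinary user: the capability is absent before the unshare and present afterwards, which is exactly why the reply wants the xattr check tied to init_user_ns rather than to whatever namespace the caller happens to be in.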

