[PATCH v2 06/10] ovl: user xattr

Amir Goldstein amir73il at gmail.com
Tue Dec 8 13:10:55 UTC 2020


On Mon, Dec 7, 2020 at 6:37 PM Miklos Szeredi <mszeredi at redhat.com> wrote:
>
> Optionally allow using "user.overlay." namespace instead of
> "trusted.overlay."

There are several occurrences of "trusted.overlay" string in code and
Documentation, which is fine. But maybe only adjust the comment for
testing xattr support:

         * Check if upper/work fs supports trusted.overlay.* xattr

>
> This is necessary for overlayfs to be able to be mounted in an unprivileged
> namepsace.
>
> Make the option explicit, since it makes the filesystem format be
> incompatible.
>
> Disable redirect_dir and metacopy options, because these would allow
> privilege escalation through direct manipulation of the
> "user.overlay.redirect" or "user.overlay.metacopy" xattrs.
>
> Signed-off-by: Miklos Szeredi <mszeredi at redhat.com>
> ---

Reviewed-by: Amir Goldstein <amir73il at gmail.com>

> --- a/fs/overlayfs/util.c
> +++ b/fs/overlayfs/util.c
> @@ -582,9 +582,10 @@ bool ovl_check_dir_xattr(struct super_block *sb, struct dentry *dentry,
>  #define OVL_XATTR_METACOPY_POSTFIX     "metacopy"
>
>  #define OVL_XATTR_TAB_ENTRY(x) \
> -       [x] = OVL_XATTR_PREFIX x ## _POSTFIX
> +       [x] = { [false] = OVL_XATTR_TRUSTED_PREFIX x ## _POSTFIX, \
> +               [true] = OVL_XATTR_USER_PREFIX x ## _POSTFIX }
>
> -const char *ovl_xattr_table[] = {
> +const char *ovl_xattr_table[][2] = {
>         OVL_XATTR_TAB_ENTRY(OVL_XATTR_OPAQUE),
>         OVL_XATTR_TAB_ENTRY(OVL_XATTR_REDIRECT),
>         OVL_XATTR_TAB_ENTRY(OVL_XATTR_ORIGIN),
> --

Can you constify this 2D array? I don't even know the syntax for that...

Thanks,
Amir.



More information about the Linux-security-module-archive mailing list