[PATCH v2 06/10] ovl: user xattr
Amir Goldstein
amir73il at gmail.com
Tue Dec 8 13:10:55 UTC 2020
On Mon, Dec 7, 2020 at 6:37 PM Miklos Szeredi <mszeredi at redhat.com> wrote:
>
> Optionally allow using "user.overlay." namespace instead of
> "trusted.overlay."
There are several occurrences of "trusted.overlay" string in code and
Documentation, which is fine. But maybe only adjust the comment for
testing xattr support:
* Check if upper/work fs supports trusted.overlay.* xattr
>
> This is necessary for overlayfs to be able to be mounted in an unprivileged
> namepsace.
>
> Make the option explicit, since it makes the filesystem format be
> incompatible.
>
> Disable redirect_dir and metacopy options, because these would allow
> privilege escalation through direct manipulation of the
> "user.overlay.redirect" or "user.overlay.metacopy" xattrs.
>
> Signed-off-by: Miklos Szeredi <mszeredi at redhat.com>
> ---
Reviewed-by: Amir Goldstein <amir73il at gmail.com>
> --- a/fs/overlayfs/util.c
> +++ b/fs/overlayfs/util.c
> @@ -582,9 +582,10 @@ bool ovl_check_dir_xattr(struct super_block *sb, struct dentry *dentry,
> #define OVL_XATTR_METACOPY_POSTFIX "metacopy"
>
> #define OVL_XATTR_TAB_ENTRY(x) \
> - [x] = OVL_XATTR_PREFIX x ## _POSTFIX
> + [x] = { [false] = OVL_XATTR_TRUSTED_PREFIX x ## _POSTFIX, \
> + [true] = OVL_XATTR_USER_PREFIX x ## _POSTFIX }
>
> -const char *ovl_xattr_table[] = {
> +const char *ovl_xattr_table[][2] = {
> OVL_XATTR_TAB_ENTRY(OVL_XATTR_OPAQUE),
> OVL_XATTR_TAB_ENTRY(OVL_XATTR_REDIRECT),
> OVL_XATTR_TAB_ENTRY(OVL_XATTR_ORIGIN),
> --
Can you constify this 2D array? I don't even know the syntax for that...
Thanks,
Amir.
More information about the Linux-security-module-archive
mailing list