[PATCH v6 28/40] overlayfs: do not mount on top of idmapped mounts

Christian Brauner christian.brauner at ubuntu.com
Thu Jan 21 13:19:47 UTC 2021

Prevent overlayfs from being mounted on top of idmapped mounts.
Stacking filesystems need to be prevented from being mounted on top of
idmapped mounts until they have been converted to handle this.

Link: https://lore.kernel.org/r/20210112220124.837960-40-christian.brauner@ubuntu.com
Cc: Christoph Hellwig <hch at lst.de>
Cc: David Howells <dhowells at redhat.com>
Cc: Al Viro <viro at zeniv.linux.org.uk>
Cc: linux-fsdevel at vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
/* v2 */
patch introduced

/* v3 */
- Amir Goldstein <amir73il at gmail.com>:
  - Move check for idmapped lower layers into ovl_mount_dir_noesc().
- David Howells <dhowells at redhat.com>:
  - Adapt check after removing mnt_idmapped() helper.

/* v4 */

/* v5 */
base-commit: 7c53f6b671f4aba70ff15e1b05148b10d58c2837

/* v6 */
base-commit: 19c329f6808995b142b3966301f217c831e7cf31
 fs/overlayfs/super.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index c04612b19054..b702c576e783 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -858,6 +858,10 @@ static int ovl_mount_dir_noesc(const char *name, struct path *path)
 		pr_err("filesystem on '%s' not supported\n", name);
 		goto out_put;
+	if (mnt_user_ns(path->mnt) != &init_user_ns) {
+		pr_err("idmapped layers are currently not supported\n");
+		goto out_put;
+	}
 	if (!d_is_dir(path->dentry)) {
 		pr_err("'%s' not a directory\n", name);
 		goto out_put;
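
Review bot: the pr_err() added in the idmapped check of ovl_mount_dir_noesc() does not name the rejected layer, while both neighbouring messages print '%s' with name. When a mount is given several layers, the log line "idmapped layers are currently not supported" does not say which path sits on an idmapped mount; consider adding '%s' and name to the message. A one-line comment above the mnt_user_ns(path->mnt) != &init_user_ns comparison noting that the restriction is temporary, until overlayfs is converted, would also make it clear to later readers why the check exists and when it can be dropped.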
