Message-ID: <20201217142025.GB1236412@miu.piliscsaba.redhat.com>
Date: Thu, 17 Dec 2020 15:20:25 +0100
From: Miklos Szeredi <miklos@...redi.hu>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-unionfs@...r.kernel.org,
"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: [GIT PULL] overlayfs update for 5.11
Hi Linus,
Please pull from:
git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs.git tags/ovl-update-5.11
- Allow unprivileged mounting in a user namespace.

  For quite some time the security model of overlayfs has been that
  operations on underlying layers shall be performed with the privileges
  of the mounting task.

  This way an unprivileged user cannot gain privileges by the act of
  mounting an overlayfs instance. A full audit of all function calls made
  by the overlayfs code has been performed to see whether they conform to
  this model, and this branch contains some fixes in this regard.

- Support running on copied filesystem images by optionally disabling UUID
  verification.

- Bug fixes as well as documentation updates.
I was hoping to get feedback from Eric Biederman on the unprivileged
mounting feature, but even without that I feel quite good about enabling it
at this point. It's a trivial patch at the head of this branch, so
skipping it now or reverting later would also be options.
Thanks,
Miklos
---
Chengguang Xu (1):
      ovl: fix incorrect extent info in metacopy case

Kevin Locke (2):
      ovl: warn about orphan metacopy
      ovl: document lower modification caveats

Miklos Szeredi (12):
      ovl: doc clarification
      ovl: expand warning in ovl_d_real()
      vfs: move cap_convert_nscap() call into vfs_setxattr()
      vfs: verify source area in vfs_dedupe_file_range_one()
      ovl: check privs before decoding file handle
      ovl: make ioctl() safe
      ovl: simplify file splice
      ovl: user xattr
      ovl: do not fail when setting origin xattr
      ovl: do not fail because of O_NOATIME
      ovl: do not get metacopy for userxattr
      ovl: unprivieged mounts

Pavel Tikhomirov (2):
      ovl: propagate ovl_fs to ovl_decode_real_fh and ovl_encode_real_fh
      ovl: introduce new "uuid=off" option for inodes index feature
---
 Documentation/filesystems/overlayfs.rst |  36 ++++++--
 fs/overlayfs/copy_up.c                  |  28 ++++---
 fs/overlayfs/export.c                   |  10 ++-
 fs/overlayfs/file.c                     | 144 +++++---------------------
 fs/overlayfs/inode.c                    |  14 +++-
 fs/overlayfs/namei.c                    |  28 ++++---
 fs/overlayfs/overlayfs.h                |  22 +++--
 fs/overlayfs/ovl_entry.h                |   2 +
 fs/overlayfs/super.c                    |  95 ++++++++++++++++++---
 fs/overlayfs/util.c                     |  18 +++-
 fs/remap_range.c                        |  10 ++-
 fs/xattr.c                              |  17 ++--
 include/linux/capability.h              |   2 +-
 security/commoncap.c                    |   3 +-
 14 files changed, 233 insertions(+), 196 deletions(-)