Message-ID: <20250819-neuralgisch-ehren-8926ca85db7a@brauner>
Date: Tue, 19 Aug 2025 13:18:01 +0200
From: Christian Brauner <brauner@...nel.org>
To: Amir Goldstein <amir73il@...il.com>
Cc: Sohan Kunkerkar <sohank2602@...il.com>, miklos@...redi.hu, 
	linux-unionfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] overlayfs: add FS_ALLOW_IDMAP flag to enable idmapped
 mounts

On Fri, Aug 15, 2025 at 05:30:09PM +0200, Amir Goldstein wrote:
> On Fri, Aug 15, 2025 at 5:06 PM Sohan Kunkerkar <sohank2602@...il.com> wrote:
> >
> > OverlayFS already has comprehensive support for idmapped mounts through
> > its ovl_copyattr() function and proper mnt_idmap() handling throughout
> > the codebase. The infrastructure correctly maps UIDs/GIDs from idmapped
> > upper and lower layers.
> >
> > However, the filesystem was missing the FS_ALLOW_IDMAP flag, which
> > caused mount_setattr() calls with MOUNT_ATTR_IDMAP to fail with -EINVAL.
> >
> > This change enables idmapped mount support by adding the FS_ALLOW_IDMAP
> > flag to the overlayfs file_system_type, allowing containers and other
> > applications to use idmapped mounts with overlay filesystems.
> >
> > Signed-off-by: Sohan Kunkerkar <sohank2602@...il.com>
> > ---
> >  fs/overlayfs/super.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
> > index e19940d64..c628f9179 100644
> > --- a/fs/overlayfs/super.c
> > +++ b/fs/overlayfs/super.c
> > @@ -1516,7 +1516,7 @@ struct file_system_type ovl_fs_type = {
> >         .name                   = "overlay",
> >         .init_fs_context        = ovl_init_fs_context,
> >         .parameters             = ovl_parameter_spec,
> > -       .fs_flags               = FS_USERNS_MOUNT,
> > +       .fs_flags               = FS_USERNS_MOUNT | FS_ALLOW_IDMAP,
> >         .kill_sb                = kill_anon_super,
> >  };
> >  MODULE_ALIAS_FS("overlay");
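Review bot: setting FS_ALLOW_IDMAP in .fs_flags is the only change in this hunk, and nothing in it makes overlayfs honour an idmapping placed on the overlay mount itself, which is what the flag lets mount_setattr() with MOUNT_ATTR_IDMAP do. The commit message justifies the change with ovl_copyattr() and mnt_idmap() handling for idmapped upper and lower layers, which is a separate case from idmapping the overlay mount. Suggest keeping .fs_flags = FS_USERNS_MOUNT until the same series also carries the code that translates ownership through the overlay mount's idmapping as well as the layers', and have the commit message state which of the two cases the patch is meant to enable.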
> > --
> > 2.50.1
> 
> So Christian just forgot to do that?
> 
> Somehow I find that hard to believe.
> 
> I am guessing there were either some known issues or
> more code audits that needed to be done.
> 
> Christian? WDYT?

This is very wrong.

For overlayfs supporting idmapped mounts can mean two distinct things:

(1) mounting overlayfs on top of idmapped layers
(2) idmapping overlayfs itself

So far only (1) is supported. In order to support (2) further changes
are required. To support (2) it is necessary to also take idmappings
into account on the overlayfs idmapping layer itself and overlayfs
internally needs to be made aware that it needs to do a double
translation. One for the overlayfs layer itself and then one for the
lower and upper layers.

It is possible as I've written that code years ago but it introduces a
lot more subtle behavior. So only if someone really needs this.
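
A simplified user-space model of the two cases distinguished in the reply above, added here as an illustration; it is not kernel code and not code from anyone in the thread. The extent layout (borrowed from the `/proc/<pid>/uid_map` format), the function names and the sample idmappings are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ID_INVALID UINT32_MAX

/* One extent, shaped like a line of /proc/<pid>/uid_map:
 * ids [from, from + count) translate to [to, to + count). */
struct extent { uint32_t from, to, count; };

/* Constructed sample idmappings, not values from the thread. */
static const struct extent layer_map[]   = { { 0, 100000, 65536 } };
static const struct extent overlay_map[] = { { 100000, 500000, 65536 } };

static uint32_t map_id(const struct extent *m, size_t n, uint32_t id)
{
    if (id == ID_INVALID)
        return ID_INVALID;              /* stay unmapped once unmapped */
    for (size_t i = 0; i < n; i++)
        if (id >= m[i].from && id - m[i].from < m[i].count)
            return m[i].to + (id - m[i].from);
    return ID_INVALID;                  /* no extent covers this id */
}

/* Case (1): overlayfs on top of an idmapped layer; one translation. */
uint32_t owner_case1(uint32_t disk_id)
{
    return map_id(layer_map, 1, disk_id);
}

/* Case (2): the overlay mount is idmapped too; the layer result is
 * translated a second time through the overlay mount's idmapping. */
uint32_t owner_case2(uint32_t disk_id)
{
    return map_id(overlay_map, 1, owner_case1(disk_id));
}

int main(void)
{
    printf("case 1: %u\n", (unsigned)owner_case1(1000));
    printf("case 2: %u\n", (unsigned)owner_case2(1000));
    printf("unmapped: %u\n", (unsigned)owner_case2(70000));
    return 0;
}
```

In this model, a filesystem that accepts an idmapping on its own mount but performs only the first translation reports owner 101000 where 501000 is expected.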
