* overlayfs + linux user namespace issue
From: Alexey Naidyonov @ 2015-09-24 10:43 UTC (permalink / raw)
To: linux-unionfs
Hello;
I found that writing to an overlayfs mount may be denied to a process
with its own user namespace and uid=0 inside that namespace, unless I
explicitly chown the lower-work/work directory to the parent-namespace uid
corresponding to uid 0 in that user namespace.
The test case can be found at
https://unix.stackexchange.com/questions/229782/overlayfs-doesnt-work-with-unprivileged-user-namespace
Tried with Debian's 4.1.6 and 4.2-trunk.
Could someone please clarify whether this is a bug or a feature, and whether
this might be changed in the future?
Thank you!
Regards,
--
Alexey Naidyonov
* Re: overlayfs + linux user namespace issue
From: Andy Whitcroft @ 2015-09-24 11:16 UTC (permalink / raw)
To: Alexey Naidyonov; +Cc: linux-unionfs
On Thu, Sep 24, 2015 at 01:43:23PM +0300, Alexey Naidyonov wrote:
> Hello;
>
> I found that writing to an overlayfs mount may be denied to a process
> with its own user namespace and uid=0 inside that namespace, unless I
> explicitly chown the lower-work/work directory to the parent-namespace uid
> corresponding to uid 0 in that user namespace.
>
> The test case can be found at
> https://unix.stackexchange.com/questions/229782/overlayfs-doesnt-work-with-unprivileged-user-namespace
>
> Tried with Debian's 4.1.6 and 4.2-trunk.
>
> Could someone please clarify whether this is a bug or a feature, and whether
> this might be changed in the future?
Which directory are you saying must belong to namespace root here?
You should not be able to read things in the underlay that the namespace
root could not read, nor write to overlay directories that your
namespace root cannot write. If you could, you could copy up protected
files into an overlay by specifying a protected underlay (think ~/over
overlaying /etc) or overwrite profiled files by specifying a protected
overlay (think ~/under overlaid by /etc).
-apw
* Re: overlayfs + linux user namespace issue
From: Alexey Naidyonov @ 2015-09-25 8:54 UTC (permalink / raw)
To: linux-unionfs
Hello Andy;
> Which directory are you saying must belong to namespace root here?
> You should not be able to read things in the underlay that the namespace
> root could not read, nor write to overlay directories that your
> namespace root cannot write. If you could, you could copy up protected
> files into an overlay by specifying a protected underlay (think ~/over
> overlaying /etc) or overwrite profiled files by specifying a protected
> overlay (think ~/under overlaid by /etc).
Both the upper and lower directories belong to uid 200000 (which is uid 0
inside the user namespace). The work directory is created by overlayfs
itself under the directory specified by the workdir= option, with uid=0
ownership.
I would like to emphasize that a non-root process can write to an
overlayfs mount with no problem. The issue arises only when the process
switches to its own user namespace.
So, we have two scenarios:
1) a non-root process with the uid of the owner of the upper directory can
perfectly write to an overlayfs mount
2) a non-root process with the uid of the owner of the upper directory
sometimes gets denied writing to an overlayfs mount, but only if this
process is inside its own user namespace and has uid=0 there
Thank you.
Regards,
--
Alexey Naidyonov
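The ownership mismatch the thread describes, as an added diagnostic that is not code from the thread or from overlayfs: it applies the same uid_map translation the kernel performs ("ns_start host_start count" lines, as in /proc/PID/uid_map) and reports any overlay directory whose host owner has no mapping in the namespace, which is how a workdir owned by host uid 0 ends up appearing as the overflow uid 65534 ("nobody") to a namespace root mapped from 200000. The map "0 200000 65536" in the comments is constructed to match the thread's uid 200000; the directory arguments and map file path are whatever the caller supplies.

```shell
#!/bin/sh
# Added example, not from the thread. Translate host uids into the uids a
# user namespace sees, and flag overlay dirs whose owner is unmapped there.

# Print the in-namespace uid of host uid $1, reading uid_map lines from
# stdin ("ns_start host_start count"). Unmapped uids are shown by the
# kernel as the overflow uid 65534 ("nobody"); print that and return 1.
host_to_ns_uid() {
    host_uid=$1
    while read -r ns_start host_start count || [ -n "$ns_start" ]; do
        [ -z "$ns_start" ] && continue
        if [ "$host_uid" -ge "$host_start" ] &&
           [ "$host_uid" -lt $((host_start + count)) ]; then
            echo $((ns_start + host_uid - host_start))
            return 0
        fi
    done
    echo 65534
    return 1
}

# $1 is a file holding the uid_map; remaining args are the lower, upper
# and work directories to check. With the constructed map "0 200000 65536",
# a dir owned by 200000 maps to ns uid 0, while one owned by host uid 0
# (the workdir case from the thread) is unmapped. Returns 1 if any dir is
# unmapped, so the caller knows writes from the namespace will be refused.
check_overlay_dirs() {
    map_file=$1
    shift
    rc=0
    for dir in "$@"; do
        owner=$(stat -c %u "$dir")
        ns_uid=$(host_to_ns_uid "$owner" < "$map_file") || rc=1
        printf '%s: host uid %s -> ns uid %s\n' "$dir" "$owner" "$ns_uid"
    done
    return $rc
}

# Stand-alone use: sh overlay-owner-check.sh /proc/PID/uid_map lower upper work
if [ $# -ge 2 ]; then
    check_overlay_dirs "$@"
fi
```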