From: Christian Brauner
To: Alexander Viro, Christoph Hellwig, linux-fsdevel@vger.kernel.org
Cc: John Johansen, James Morris, Mimi Zohar, Dmitry Kasatkin,
    Stephen Smalley, Casey Schaufler, Arnd Bergmann, Andreas Dilger,
    OGAWA Hirofumi, Geoffrey Thomas, Mrunal Patel, Josh Triplett,
    Andy Lutomirski, Theodore Tso, Alban Crequy, Tycho Andersen,
    David Howells, James Bottomley, Seth Forshee, Stéphane Graber,
    Linus Torvalds, Aleksa Sarai, Lennart Poettering, "Eric W. Biederman",
    smbarber@chromium.org, Phil Estes, Serge Hallyn, Kees Cook, Todd Kjos,
    Paul Moore, Jonathan Corbet, containers@lists.linux-foundation.org,
    linux-security-module@vger.kernel.org, linux-api@vger.kernel.org,
    linux-ext4@vger.kernel.org, linux-xfs@vger.kernel.org,
    linux-integrity@vger.kernel.org, selinux@vger.kernel.org,
    Christian Brauner
Subject: [PATCH v6 28/40] overlayfs: do not mount on top of idmapped mounts
Date: Thu, 21 Jan 2021 14:19:47 +0100
Message-Id: <20210121131959.646623-29-christian.brauner@ubuntu.com>
In-Reply-To: <20210121131959.646623-1-christian.brauner@ubuntu.com>
References: <20210121131959.646623-1-christian.brauner@ubuntu.com>
X-Mailing-List: linux-ext4@vger.kernel.org

Prevent overlayfs from being mounted on top of idmapped mounts.
Stacking filesystems need to be prevented from being mounted on top of
idmapped mounts until they have been converted to handle this.

Link: https://lore.kernel.org/r/20210112220124.837960-40-christian.brauner@ubuntu.com Cc: Christoph Hellwig Cc: David Howells Cc: Al Viro Cc: linux-fsdevel@vger.kernel.org Signed-off-by: Christian Brauner --- /* v2 */ patch introduced /* v3 */ - Amir Goldstein : - Move check for idmapped lower layers into ovl_mount_dir_noesc(). - David Howells : - Adapt check after removing mnt_idmapped() helper. /* v4 */ unchanged /* v5 */ unchanged base-commit: 7c53f6b671f4aba70ff15e1b05148b10d58c2837 /* v6 */ unchanged base-commit: 19c329f6808995b142b3966301f217c831e7cf31 --- fs/overlayfs/super.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c index c04612b19054..b702c576e783 100644 --- a/fs/overlayfs/super.c +++ b/fs/overlayfs/super.c @@ -858,6 +858,10 @@ static int ovl_mount_dir_noesc(const char *name, struct path *path) pr_err("filesystem on '%s' not supported\n", name); goto out_put; } + if (mnt_user_ns(path->mnt) != &init_user_ns) { + pr_err("idmapped layers are currently not supported\n"); + goto out_put; + } if (!d_is_dir(path->dentry)) { pr_err("'%s' not a directory\n", name); goto out_put; -- 2.30.0
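
Review bot: The new pr_err() in ovl_mount_dir_noesc() does not say which layer was rejected, unlike the two neighbouring messages, which both print name ("filesystem on '%s' not supported", "'%s' not a directory"). When a mount specifies more than one layer, the log line gives no way to tell which path sits on an idmapped mount; consider pr_err("idmapped layer '%s' is currently not supported\n", name). A one-line comment above the mnt_user_ns(path->mnt) != &init_user_ns test, saying the restriction is temporary until overlayfs has been converted, would keep the rationale from the commit message next to the code. The new branch also relies on err already holding the intended error code when it jumps to out_put; that assignment lies outside the visible context, so it is worth confirming that the mount fails with the expected errno rather than returning a stale value.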