author | Bastian Blank <waldi@debian.org> | 2021-08-20 23:04:47 +0200 |
---|---|---|
committer | Bastian Blank <waldi@debian.org> | 2021-08-20 23:05:02 +0200 |
commit | cbb3d275adee2a3cd23f5215132ac7495c8ea1e1 (patch) | |
tree | e10ad04ee14ab751ad33e3f3037f0ac4fb60360d | |
parent | 91ad1695d4f98d3cd1ad4152c44d5c672c43c83d (diff) | |
Drop redundant patch for overlay in user namespace
-rw-r--r-- | debian/changelog | 1 | ||||
-rw-r--r-- | debian/patches/debian/overlayfs-permit-mounts-in-userns.patch | 58 | ||||
-rw-r--r-- | debian/patches/series | 3 |
3 files changed, 1 insertions, 61 deletions
diff --git a/debian/changelog b/debian/changelog
index 29caab2cce18..2fa6ba02100d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,7 @@ linux (5.13.12-1~exp1) UNRELEASED; urgency=medium
 * Fix external modules build. (closes: #992219)
 * Force more compressions modules into main installer package. (closes: #992221)
+ * Drop redundant patch for overlay in user namespace.
 [ Uwe Kleine-König ]
 * [x86] Enable X86_PLATFORM_DRIVERS_DELL which is needed to keep some Dell
diff --git a/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch b/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch
deleted file mode 100644
index 2cba9b70e8c6..000000000000
--- a/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Nicolas Schier <nicolas@fjasle.eu>
-Subject: ovl: permit overlayfs mounts in user namespaces (taints kernel)
-Date: Mon, 19 Nov 2018 20:36:14 +0100
-
-Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
-unprivileged LXC overlay snapshots.
-
-Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
-expected to be a security risk [2] and thus are not enabled on upstream
-Linux kernels. For the non-Ubuntu users that have to stick to unprivileged
-overlay-based LXCs, this meant to patch and compile the kernel manually.
-Instead, adding the kernel tainting 'permit_mounts_in_userns' module
-parameter allows a kind of a user-friendly way to enable the feature.
-
-Testable with:
-
- sudo modprobe overlay permit_mounts_in_userns=1
- sudo sysctl -w kernel.unprivileged_userns_clone=1
- mkdir -p lower upper work mnt
- unshare --map-root-user --mount \
- mount -t overlay none mnt \
- -o lowerdir=lower,upperdir=upper,workdir=work
-
-[1]: Ubuntu allows unprivileged mounting of overlay filesystem
-https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html
-
-[2]: User namespaces + overlayfs = root privileges
-https://lwn.net/Articles/671641/
-
-Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
-[bwh: Forward-ported to 5.6: adjust context]
----
---- a/fs/overlayfs/super.c
-+++ b/fs/overlayfs/super.c
-@@ -53,6 +53,11 @@ module_param_named(xino_auto, ovl_xino_a
- MODULE_PARM_DESC(xino_auto,
- "Auto enable xino feature");
- 
-+static bool ovl_permit_mounts_in_userns;
-+module_param_named_unsafe(permit_mounts_in_userns, ovl_permit_mounts_in_userns,
-+ bool, 0444);
-+MODULE_PARM_DESC(permit_mounts_in_userns, "Permit mounts in user namespaces");
-+
- static void ovl_entry_stack_free(struct ovl_entry *oe)
- {
- unsigned int i;
-@@ -1777,6 +1782,11 @@ static int __init ovl_init(void)
- if (ovl_inode_cachep == NULL)
- return -ENOMEM;
- 
-+ if (unlikely(ovl_permit_mounts_in_userns)) {
-+ pr_warn("overlayfs: Allowing overlay mounts in user namespaces bears security risks\n");
-+ ovl_fs_type.fs_flags |= FS_USERNS_MOUNT;
-+ }
-+
- err = ovl_aio_request_cache_init();
- if (!err) {
- err = register_filesystem(&ovl_fs_type);
diff --git a/debian/patches/series b/debian/patches/series
index 54e544ee249c..f3fdb95d84a1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -127,7 +127,4 @@ bugfix/all/tools-perf-pmu-events-fix-reproducibility.patch
 bugfix/all/bpftool-fix-version-string-in-recursive-builds.patch
 bugfix/all/tools-include-uapi-fix-errno.h.patch
-# overlay: allow mounting in user namespaces
-debian/overlayfs-permit-mounts-in-userns.patch
-
 # ABI maintenance