UBUNTU: SAUCE: overlayfs: default to userxattr when mounted from non …

…initial user namespace Also add a nouserxattr for the cases where it is desirable to mount without userxattr under such namespaces. This allows cases where such xattrs are necessary for certain operations to work out, instead of failing due to not being able to use the trusted.overlay.* xattrs. CVE-2023-2640 CVE-2023-32629 LP: #1531747 Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com> Acked-by: Andrei Gherzan <andrei.gherzan@canonical.com> Signed-off-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
mariux64 · Jul 7, 2023 · b054a83 · b054a83
1 parent a981c5c
commit b054a83
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
@@ -391,6 +391,8 @@ static int ovl_show_options(struct seq_file *m, struct dentry *dentry)
 		seq_puts(m, ",volatile");
 	if (ofs->config.userxattr)
 		seq_puts(m, ",userxattr");
+	else
+		seq_puts(m, ",nouserxattr");
 	return 0;
 }
 
@@ -439,6 +441,7 @@ enum {
 	OPT_UUID_OFF,
 	OPT_NFS_EXPORT_ON,
 	OPT_USERXATTR,
+	OPT_NOUSERXATTR,
 	OPT_NFS_EXPORT_OFF,
 	OPT_XINO_ON,
 	OPT_XINO_OFF,
@@ -458,6 +461,7 @@ static const match_table_t ovl_tokens = {
 	{OPT_INDEX_ON,			"index=on"},
 	{OPT_INDEX_OFF,			"index=off"},
 	{OPT_USERXATTR,			"userxattr"},
+	{OPT_NOUSERXATTR,		"nouserxattr"},
 	{OPT_UUID_ON,			"uuid=on"},
 	{OPT_UUID_OFF,			"uuid=off"},
 	{OPT_NFS_EXPORT_ON,		"nfs_export=on"},
@@ -628,6 +632,10 @@ static int ovl_parse_opt(char *opt, struct ovl_config *config)
 			config->userxattr = true;
 			break;
 
+		case OPT_NOUSERXATTR:
+			config->userxattr = false;
+			break;
+
 		default:
 			pr_err("unrecognized mount option \"%s\" or missing value\n",
 					p);
@@ -1926,6 +1934,8 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
 	ofs->config.nfs_export = ovl_nfs_export_def;
 	ofs->config.xino = ovl_xino_def();
 	ofs->config.metacopy = ovl_metacopy_def;
+	if (sb->s_user_ns != &init_user_ns)
+		ofs->config.userxattr = true;
 	err = ovl_parse_opt((char *) data, &ofs->config);
 	if (err)
 		goto out_err;