From: Miklos Szeredi <>
To: Linus Torvalds <>
	"Eric W. Biederman" <>
Subject: [GIT PULL] overlayfs update for 5.11
Date: Thu, 17 Dec 2020 15:20:25 +0100
Message-ID: <>

Hi Linus,

Please pull from:

  git:// tags/ovl-update-5.11

 - Allow unprivileged mounting in a user namespace.

   For quite some time the security model of overlayfs has been that
   operations on underlying layers shall be performed with the privileges
   of the mounting task.

   This way an unprivileged user cannot gain privileges by the act of
   mounting an overlayfs instance.  A full audit of all function calls made
   by the overlayfs code has been performed to see whether they conform to
   this model, and this branch contains some fixes in this regard.

 - Support running on copied filesystem images by optionally disabling UUID

 - Bug fixes as well as documentation updates.

I was hoping to get feedback from Eric Biederman on the unprivileged
mounting feature, but even without that I feel quite good about enabling it
at this point.  It's a trivial patch at the head of this branch, so
skipping it now or reverting later would also be options.


Chengguang Xu (1):
      ovl: fix incorrect extent info in metacopy case

Kevin Locke (2):
      ovl: warn about orphan metacopy
      ovl: document lower modification caveats

Miklos Szeredi (12):
      ovl: doc clarification
      ovl: expand warning in ovl_d_real()
      vfs: move cap_convert_nscap() call into vfs_setxattr()
      vfs: verify source area in vfs_dedupe_file_range_one()
      ovl: check privs before decoding file handle
      ovl: make ioctl() safe
      ovl: simplify file splice
      ovl: user xattr
      ovl: do not fail when setting origin xattr
      ovl: do not fail because of O_NOATIME
      ovl: do not get metacopy for userxattr
      ovl: unprivieged mounts

Pavel Tikhomirov (2):
      ovl: propagate ovl_fs to ovl_decode_real_fh and ovl_encode_real_fh
      ovl: introduce new "uuid=off" option for inodes index feature

 Documentation/filesystems/overlayfs.rst |  36 ++++++--
 fs/overlayfs/copy_up.c                  |  28 ++++---
 fs/overlayfs/export.c                   |  10 ++-
 fs/overlayfs/file.c                     | 144 +++++---------------------------
 fs/overlayfs/inode.c                    |  14 +++-
 fs/overlayfs/namei.c                    |  28 ++++---
 fs/overlayfs/overlayfs.h                |  22 +++--
 fs/overlayfs/ovl_entry.h                |   2 +
 fs/overlayfs/super.c                    |  95 ++++++++++++++++++---
 fs/overlayfs/util.c                     |  18 +++-
 fs/remap_range.c                        |  10 ++-
 fs/xattr.c                              |  17 ++--
 include/linux/capability.h              |   2 +-
 security/commoncap.c                    |   3 +-
 14 files changed, 233 insertions(+), 196 deletions(-)
