Skip to content

ovl: permit overlayfs mounts in user namespaces (Closes: #913880)

Nicolas Schier requested to merge nsc/linux:master into master

Permit overlayfs mounts within user namespaces to allow utilisation of e.g. unprivileged LXC overlay snapshots.

Except by the Ubuntu community [1], overlayfs mounts in user namespaces are expected to be a security risk [2] and thus are not enabled on upstream Linux kernels. For the non-Ubuntu users that have to stick to unprivileged overlay-based LXCs, this meant to patch and compile the kernel manually. Instead, adding the kernel tainting 'permit_mounts_in_userns' module parameter allows a kind of a user-friendly way to enable the feature.

Testable with:

sudo modprobe overlay permit_mounts_in_userns=1
sudo sysctl -w kernel.unprivileged_userns_clone=1
mkdir -p lower upper work mnt
unshare --map-root-user --mount \
    mount -t overlay none mnt -o lowerdir=lower,upperdir=upper,workdir=work

[1]: Ubuntu allows unprivileged mounting of overlay filesystem https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html

[2]: User namespaces + overlayfs = root privileges https://lwn.net/Articles/671641/

Signed-off-by: Nicolas Schier nicolas@fjasle.eu

Merge request reports