shiftfs: lock security sensitive superblock flags

Bug #1827122 reported by Christian Brauner
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Christian Brauner

Bug Description

Felix Abecassis from Nvidia recently reported the following bug:

"I recently upgraded to Ubuntu 19.04, and decided to experiment with shiftfs and unprivileged overlay.
My goal was to have root (in my case, the docker daemon) download overlay layers and then have multiple users leveraging shiftfs + unprivileged overlay to assemble the rootfs without copying and chowning.
For obvious security reasons, I want root to expose these layers as read-only, any change will be to the user-owned "upper" filesystem.

Here's what I'm currently doing:
# Exposing the root-owned docker layers, the "ro" option seems to have no impact on later userns mounts.
sudo mount -t shiftfs -o mark,ro /var/lib/docker/overlay2 /mnt

# Creating a userns as uid 1000, then mounting the shiftfs.
unshare -U -m -r
cd $(mktemp -d)
mkdir shiftfs upper work merged
# I can pass "ro" to the mount to get the behavior I want.
mount -t shiftfs -o ro /mnt shiftfs

mount -t overlay overlay -o 'lowerdir=shiftfs/c34c048514dcab5fc1bddf6d99681645786021e4a5b239972ec688386852a666/diff:[...],upperdir=upper,workdir=work' merged

This works fine (excluding the xattrs issue with unprivileged overlay), but I can't rely on users to pass the "ro" option to their mounts. Without it, any user would be able to write to /var/lib/docker/overlay2 through the shiftfs mountpoint.

I couldn't find a way to enforce do that, is there one? Is it possible to have one?
I quickly attempted to have root do the shiftfs mounts for the users, but it seems the shift is always for the root of the current userns, and can't be done for another user."

Changed in linux (Ubuntu):
status: New → Confirmed
assignee: nobody → Christian Brauner (cbrauner)
status: Confirmed → In Progress
Revision history for this message
Christian Brauner (cbrauner) wrote :
tags: added: patch
Seth Forshee (sforshee)
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco):
status: New → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-disco' to 'verification-done-disco'. If the problem still exists, change the tag 'verification-needed-disco' to 'verification-failed-disco'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-disco
Revision history for this message
Felix Abecassis (flx42) wrote :

Verified on 5.0.0-16, it works as expected, thank you Christian!

tags: added: verification-done-disco
removed: verification-needed-disco
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (24.0 KiB)

This bug was fixed in the package linux - 5.0.0-16.17

linux (5.0.0-16.17) disco; urgency=medium

  * linux: 5.0.0-16.17 -proposed tracker (LP: #1829173)

  * shiftfs: lock security sensitive superblock flags (LP: #1827122)
    - SAUCE: shiftfs: lock down certain superblock flags

  * Please package libbpf (which is done out of the kernel src) in Debian [for
    19.10] (LP: #1826410)
    - SAUCE: tools -- fix add ability to disable libbfd

  * Disco update: 5.0.8 upstream stable release (LP: #1828415)
    - drm/i915/gvt: do not let pin count of shadow mm go negative
    - kbuild: pkg: use -f $(srctree)/Makefile to recurse to top Makefile
    - netfilter: nft_compat: use .release_ops and remove list of extension
    - netfilter: nf_tables: use-after-free in dynamic operations
    - netfilter: nf_tables: add missing ->release_ops() in error path of newrule()
    - hv_netvsc: Fix unwanted wakeup after tx_disable
    - ibmvnic: Fix completion structure initialization
    - ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type
    - ipv6: Fix dangling pointer when ipv6 fragment
    - ipv6: sit: reset ip header pointer in ipip6_rcv
    - kcm: switch order of device registration to fix a crash
    - net: ethtool: not call vzalloc for zero sized memory request
    - net-gro: Fix GRO flush when receiving a GSO packet.
    - net/mlx5: Decrease default mr cache size
    - netns: provide pure entropy for net_hash_mix()
    - net: rds: force to destroy connection if t_sock is NULL in
    - net/sched: act_sample: fix divide by zero in the traffic path
    - net/sched: fix ->get helper of the matchall cls
    - qmi_wwan: add Olicard 600
    - r8169: disable ASPM again
    - sctp: initialize _pad of sockaddr_in before copying to user memory
    - tcp: Ensure DCTCP reacts to losses
    - tcp: fix a potential NULL pointer dereference in tcp_sk_exit
    - vrf: check accept_source_route on the original netdevice
    - net/mlx5e: Fix error handling when refreshing TIRs
    - net/mlx5e: Add a lock on tir list
    - nfp: validate the return code from dev_queue_xmit()
    - nfp: disable netpoll on representors
    - bnxt_en: Improve RX consumer index validity check.
    - bnxt_en: Reset device on RX buffer errors.
    - net: ip_gre: fix possible use-after-free in erspan_rcv
    - net: ip6_gre: fix possible use-after-free in ip6erspan_rcv
    - net: bridge: always clear mcast matching struct on reports and leaves
    - net: thunderx: fix NULL pointer dereference in nicvf_open/nicvf_stop
    - net: vrf: Fix ping failed when vrf mtu is set to 0
    - net: core: netif_receive_skb_list: unlist skb before passing to pt->func
    - r8169: disable default rx interrupt coalescing on RTL8168
    - net: mlx5: Add a missing check on idr_find, free buf
    - net/mlx5e: Update xoff formula
    - net/mlx5e: Update xon formula
    - kbuild: clang: choose GCC_TOOLCHAIN_DIR not on LD
    - lib/string.c: implement a basic bcmp
    - Revert "clk: meson: clean-up clock registration"
    - tty: mark Siemens R3964 line discipline as BROKEN
    - [Config]: remove CONFIG_R3964
    - [Config]: add CONFIG_LDISC_AUTOLOAD=y
    - tty: ldisc: add sysctl to p...

Changed in linux (Ubuntu Disco):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers