Comment 0 for bug 1947718

Philipp Wendler (philw85) wrote :

Since kernel 5.4.0-89.100 on Focal and 4.15.0-159.167 on Bionic I can no longer mount an overlay filesystem over directories like / in a user namespace. With kernel versions 5.4.0-88.99 and 4.15.0-158.166, respectively, this still works.

An easy way to test this is the following command:
mkdir /tmp/test /tmp/test/upper /tmp/test/work
unshare -m -U -r mount -t overlay none / -o lowerdir=/,upperdir=/tmp/test/upper,workdir=/tmp/test/work

On an older kernel, this works and outputs nothing.
On the affected kernels, it outputs

mount: /: wrong fs type, bad option, bad superblock on none, missing codepage or helper program, or other error.

I strongly suspect that this is due to commit "ovl: prevent private clone if bind mount is not allowed" (https://github.com/torvalds/linux/commit/427215d85e8d1476da1a86b8d67aceb485eb3631), which is supposed to fix CVE-2021-3732 and was backported to the affected Ubuntu kernels. This would likely mean that all other supported Ubuntu versions are also affected, as well as the upstream kernel (but I did not test this).

My testing indicates that the mount problem exists whenever I want to use a directory as lowerdir that has some mountpoints below. For example, using / or /dev as lowerdir does not work, but lowerdir=/dev/shm works even on the affected kernels.

Of course I can understand the problem of CVE-2021-3732, but the current fix is clearly a regression for legitimate behavior.

My use case is that I want to create a container for sandboxing purposes where I want to mount overlays inside a user+mount namespace over the whole visible filesystem hierarchy. (Note that in this use case, I iterate over all mount points and create an overlay mount for each existing mount point; I do not expect a single overlay mount to have meaningful cross-mountpoint behavior. So my use case is not affected by the security problem. But for this I still need to be able to create overlay mounts for all mount points, including non-leaf mountpoints.)

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: linux-image-5.4.0-89-generic 5.4.0-89.100
ProcVersionSignature: User Name 5.4.0-89.100-generic 5.4.143
Uname: Linux 5.4.0-89-generic x86_64
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 Oct 19 04:42 seq
 crw-rw---- 1 root audio 116, 33 Oct 19 04:42 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.20.11-0ubuntu27.20
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: [Errno 2] No such file or directory: 'fuser'
CasperMD5CheckResult: skip
CurrentDmesg: Error: command ['dmesg'] failed with exit code 1: dmesg: read kernel buffer failed: Operation not permitted
Date: Tue Oct 19 12:15:01 2021
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
Lsusb:
 Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU USB Tablet
 Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Lsusb-t:
 /: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
     |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
PciMultimedia:

ProcEnviron:
 TERM=screen-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=C.UTF-8
 SHELL=/bin/bash
ProcFB: 0 bochs-drmdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.4.0-89-generic root=PARTUUID=59ea2f51-599c-49f2-b9b3-77197e333865 ro console=tty1 console=ttyS0
RelatedPackageVersions:
 linux-restricted-modules-5.4.0-89-generic N/A
 linux-backports-modules-5.4.0-89-generic N/A
 linux-firmware 1.187.19
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
acpidump:

dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-5.2
dmi.modalias: dmi:bvnSeaBIOS:bvrrel-1.14.0-0-g155821a1990b-prebuilt.qemu.org:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-5.2:cvnQEMU:ct1:cvrpc-i440fx-5.2:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-5.2
dmi.sys.vendor: QEMU
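The reporter's observation is that the overlay mount fails only when the lowerdir has other mounts nested beneath it (a non-leaf mount point such as / or /dev), while a leaf mount point such as /dev/shm still works. The following helper, an added example that is not part of the bug report, classifies the mount points of a mountinfo listing as leaf or non-leaf so one can predict which overlay mounts will fail on the affected kernels; the mountinfo sample is constructed, and in practice you would feed it `/proc/self/mountinfo`.

```shell
#!/bin/sh
# Added example (not from the bug report): classify mount points as "leaf"
# (no other mount below them) or "non-leaf" (some mount nested beneath).
# On the affected kernels, using a non-leaf mount point as lowerdir inside a
# user+mount namespace fails; leaf mount points still work.

# Constructed sample in /proc/self/mountinfo format; field 5 is the mount
# point (spaces in paths are escaped as \040, so whitespace splitting is safe).
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:5 / /dev rw,nosuid shared:2 - devtmpfs udev rw
24 23 0:21 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw
25 22 0:22 / /proc rw,nosuid,nodev,noexec shared:4 - proc proc rw
26 22 0:23 / /tmp rw,nosuid,nodev shared:5 - tmpfs tmpfs rw'

# classify_mounts: reads mountinfo lines on stdin and prints one line per
# mount point: "<mountpoint> leaf" or "<mountpoint> non-leaf".
# Real use: classify_mounts < /proc/self/mountinfo
classify_mounts() {
    awk '{ mp[NR] = $5 }
         END {
             for (i = 1; i <= NR; i++) {
                 kind = "leaf"
                 # "/" is a prefix of everything; other paths need a trailing "/"
                 # so that /dev does not match /devices.
                 prefix = (mp[i] == "/") ? "/" : mp[i] "/"
                 for (j = 1; j <= NR; j++) {
                     if (i == j) continue
                     if (index(mp[j], prefix) == 1) { kind = "non-leaf"; break }
                 }
                 print mp[i], kind
             }
         }'
}

# mount_kind: classification of a single mount point from the sample listing.
mount_kind() {
    printf '%s\n' "$SAMPLE_MOUNTINFO" | classify_mounts | awk -v m="$1" '$1 == m { print $2 }'
}
```

Mount points reported as non-leaf are the ones to expect `wrong fs type, bad option, bad superblock` for when used as lowerdir on the affected kernels.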