Since kernel 5.4.0-89.100 on Focal and 4.15.0-159.167 on Bionic I can no longer mount an overlay filesystem over directories like / in a user namespace. With kernel versions 5.4.0-88.99 and 4.15.0-158.166, respectively, this still works.
An easy way to test this is the following command:
mkdir /tmp/test /tmp/test/upper /tmp/test/work
unshare -m -U -r mount -t overlay none / -o lowerdir=/,upperdir=/tmp/test/upper,workdir=/tmp/test/work
On an older kernel, this works and outputs nothing.
On the affected kernels, it outputs
mount: /: wrong fs type, bad option, bad superblock on none, missing codepage or helper program, or other error.
I strongly suspect that this is due to commit "ovl: prevent private clone if bind mount is not allowed" (https://github.com/torvalds/linux/commit/427215d85e8d1476da1a86b8d67aceb485eb3631), which is supposed to fix CVE-2021-3732 and was backported to the affected Ubuntu kernels. This would likely mean that all other supported Ubuntu versions, and also the upstream kernel, are affected as well (but I did not test this).
My testing indicates that the mount problem exists whenever I want to use a directory as lowerdir that has some mountpoints below. For example, using / or /dev as lowerdir does not work, but lowerdir=/dev/shm works even on the affected kernels.
Of course I can understand the problem of CVE-2021-3732, but the current fix is clearly a regression for legitimate behavior.
My use case is that I want to create a container for sandboxing purposes where I want to mount overlays inside a user+mount namespace over the whole visible filesystem hierarchy. (Note that in this use case, I iterate over all mount points and create an overlay mount for each existing mount point; I do not expect a single overlay mount to have meaningful cross-mountpoint behavior. So my use case is not affected by the security problem. But for this I still need to be able to create overlay mounts for all mount points, including non-leaf mountpoints.)
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: linux-image-5.4.0-89-generic 5.4.0-89.100
ProcVersionSignature: User Name 5.4.0-89.100-generic 5.4.143
Uname: Linux 5.4.0-89-generic x86_64
AlsaDevices:
total 0
crw-rw---- 1 root audio 116, 1 Oct 19 04:42 seq
crw-rw---- 1 root audio 116, 33 Oct 19 04:42 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.20.11-0ubuntu27.20
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: [Errno 2] No such file or directory: 'fuser'
CasperMD5CheckResult: skip
CurrentDmesg: Error: command ['dmesg'] failed with exit code 1: dmesg: read kernel buffer failed: Operation not permitted
Date: Tue Oct 19 12:15:01 2021
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
Lsusb:
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU USB Tablet
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Lsusb-t:
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
|__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
PciMultimedia:
ProcEnviron:
TERM=screen-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=C.UTF-8
SHELL=/bin/bash
ProcFB: 0 bochs-drmdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.4.0-89-generic root=PARTUUID=59ea2f51-599c-49f2-b9b3-77197e333865 ro console=tty1 console=ttyS0
RelatedPackageVersions:
linux-restricted-modules-5.4.0-89-generic N/A
linux-backports-modules-5.4.0-89-generic N/A
linux-firmware 1.187.19
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
acpidump:
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-5.2
dmi.modalias: dmi:bvnSeaBIOS:bvrrel-1.14.0-0-g155821a1990b-prebuilt.qemu.org:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-5.2:cvnQEMU:ct1:cvrpc-i440fx-5.2:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-5.2
dmi.sys.vendor: QEMU