Changes to overlay lowerdir produce kernel file-caps error

Bug #1736808 reported by dana on 2017-12-06
Affects          Importance  Assigned to
linux (Ubuntu)   Medium      Unassigned
  Artful         Medium      Unassigned
  Bionic         Medium      Unassigned

Bug Description

In 4.13+ kernels, if you replace an executable file on the lowerdir of an Overlay union (such that its inode changes), the system will no longer allow you to execute the file via the upperdir. The changes introduced to the kernel in this commit...

https://github.com/torvalds/linux/commit/8db6c34f1dbc8e06aa016a9b829b06902c3e1340

... cause it to report a file security capabilities error.

---

Replication steps and result:

1. Set up an Overlay union containing some executable files. In my case i have an ext4 lowerdir and a tmpfs upperdir, but i don't think it matters.

2. Verify that executing some file (/bin/true for example) on the upperdir works.

3. Replace that file on the lowerdir using mv, rsync, or similar.

4. Attempt to execute the file on the upperdir again — it will fail. The shell will give either 126 or 127 as the return status.

5. Check the kernel log. A message like the following appears:

>kernel: Invalid argument reading file caps for /bin/true

I replicated this on Xenial using the HWE-edge kernel (4.13). The error does NOT occur on the HWE kernel (4.10).

---

NOTE: I am aware that the result of changing files on the lowerdir of an Overlay union, per the documentation, is undefined — so this is probably not a 'bug' per se. However, i wasn't sure it was deliberate, either, and it seemed like maybe the previous undefined behaviour was nicer than the new undefined behaviour, so i thought i'd report it anyway.

---

Config information:

Ubuntu release: 16.04.3 (Xenial)
Kernel package: linux-image-generic-hwe-16.04-edge 4.13.0.17.24
Kernel version signature: Ubuntu 4.13.0-17.20~16.04.1-generic 4.13.8
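The replication steps above, scripted as an added example (constructed here, not part of the report). It assumes root, an overlayfs-capable kernel, and a throwaway layout under mktemp in place of the reporter's /ro/bin and /bin; the full reproduction only runs when invoked as `sh repro.sh run` as root, while the two helper functions (exit-status classification and kernel-log check) work unprivileged.

```sh
#!/bin/sh
# Constructed reproduction of the lowerdir-replacement bug; not code from the bug report.
# Assumptions: root, overlayfs available, paths under $(mktemp -d) stand in for /ro/bin and /bin.
set -u

# Map the shell's exit status of the exec attempt to a short verdict.
# 126/127 are the statuses the reporter saw once the merged-view binary stopped executing.
classify_exec_status() {
    case "$1" in
        0)   echo "ok" ;;
        126) echo "exec-denied" ;;
        127) echo "not-found-or-unexecutable" ;;
        *)   echo "other:$1" ;;
    esac
}

# Succeed (exit 0) if the given kernel-log text contains the file-caps error from the report.
# Usage: has_filecaps_error "$(dmesg | tail -n 50)"
has_filecaps_error() {
    printf '%s\n' "$1" | grep -q 'Invalid argument reading file caps for '
}

# Full reproduction: mount an overlay, run /bin/true through the merged view, replace the
# lowerdir copy so its inode changes (mv keeps the new file's inode), then run it again.
reproduce() {
    work=$(mktemp -d)
    mkdir -p "$work/lower" "$work/upper" "$work/work" "$work/merged"
    cp /bin/true "$work/lower/true"
    mount -t overlay overlay \
        -o "lowerdir=$work/lower,upperdir=$work/upper,workdir=$work/work" "$work/merged"
    first=0;  "$work/merged/true" || first=$?
    cp /bin/true "$work/new-true" && mv "$work/new-true" "$work/lower/true"   # new inode
    second=0; "$work/merged/true" || second=$?
    echo "before replace: $(classify_exec_status "$first")"
    echo "after replace:  $(classify_exec_status "$second")"
    ls -i "$work/lower/true" "$work/merged/true"      # inodes diverge after the mv
    if has_filecaps_error "$(dmesg | tail -n 50)"; then
        echo "kernel logged the file-caps error"
    fi
    umount "$work/merged"; rm -rf "$work"
}

if [ "${1:-}" = "run" ] && [ "$(id -u)" = 0 ]; then
    reproduce
fi
```

On an affected kernel the second run reports exec-denied or not-found-or-unexecutable and the file-caps line appears in dmesg; on the reverted test kernel both runs report ok.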

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1736808

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
dana (okdana) wrote :

The `apport-bug` output had some sensitive information in it so i pruned it a little.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
tags: added: kernel-da-key
tags: added: artful bionic
Changed in linux (Ubuntu Artful):
status: New → Triaged
Changed in linux (Ubuntu Bionic):
status: Confirmed → Triaged
Changed in linux (Ubuntu Artful):
importance: Undecided → Medium
Changed in linux (Ubuntu Bionic):
importance: Undecided → Medium
Joseph Salisbury (jsalisbury) wrote :

I built a test kernel with a revert of commit 8db6c34f1dbc8. The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1736808

Can you test this kernel and see if it resolves this bug?

dana (okdana) wrote :

Thanks for looking at this!

I tested your change in Xenial (couldn't install the tools package since i assume you built it against Artful's libraries, but it didn't matter) and it does appear to restore the previous behaviour:

% lsb_release -ds
Ubuntu 16.04.3 LTS
% uname -r
4.13.0-19-generic

% ls -Ali /bin/true /ro/bin/true
131819 -rwxr-xr-x 1 root root 27280 Mar 2 2017 /bin/true
131819 -rwxr-xr-x 1 root root 27280 Mar 2 2017 /ro/bin/true
% /bin/true --version | head -1
true (GNU coreutils) 8.25

% sudo cp /bin/true /tmp/
% sudo mv /tmp/true /ro/bin/

% ls -Ali /bin/true /ro/bin/true
131819 -rwxr-xr-x 0 root root 27280 Mar 2 2017 /bin/true
131110 -rwxr-xr-x 1 root root 27280 Dec 8 11:57 /ro/bin/true
% /bin/true --version | head -1
true (GNU coreutils) 8.25

(On the 'stock' kernel the last command would produce an error.)

I don't see any error messages in the kernel log either.

This bug was nominated against a series that is no longer supported, ie artful. The bug task representing the artful nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu Artful):
status: Triaged → Won't Fix
Jeff Zignego (jlzignego) wrote :

I think I just ran into this bug on bionic. I was building a yocto distribution like this user here:
https://www.spinics.net/lists/linux-unionfs/msg05363.html

I was two point releases behind at:
$ uname -a
Linux ses-docker50c 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

So I updated that machine to 4.15.0-36-generic, but I wanted to know what the status of this was. I think as a workaround I will use a docker mount for the entire build directory.
