The security bug hunter "halfdog" kindly told me that this problem can be reproduced with AUFS.
I've confirmed and fixed it. Here is aufs's approach, in the hope that it is of a little help for overlayfs.
In copy-up, the internal sequence is:
- create an entry on the upper writable layer.
- copy all the attributes from the inode on the lower read-only branch.
The essential fix is inserting vfs_removexattr(XATTR_NAME_POSIX_ACL_ACCESS) between them.
For dirs, XATTR_NAME_POSIX_ACL_DEFAULT should be removed too. And then copy all the attributes, including XATTRs.
But removing all ACL_ACCESS may cause another problem, since some fs (for example, NFS) may want an ACL which is equivalent to the permission bits. So just after removing the XATTR, posix_acl_chmod() should be called.