ovl: add config to disable unprivileged user namespace mounts

When disabled, unprivileged users will not be able to create new overlayfs mounts. This cuts the attack surface if no unprivileged user namespace mounts are required like for running rootless containers. Signed-off-by: Levente Polyak <levente@leventepolyak.net>
2021-03-11 23:09:50 +01:00 · 2021-03-11 23:09:50 +01:00 · 7ba8c9d673
parent 74bb8af8fa
commit 7ba8c9d673
2 changed files with 18 additions and 0 deletions
--- a/fs/overlayfs/Kconfig
+++ b/fs/overlayfs/Kconfig
@ -124,3 +124,19 @@ config OVERLAY_FS_METACOPY
 	  that doesn't support this feature will have unexpected results.

 	  If unsure, say N.
+
+config OVERLAY_FS_UNPRIVILEGED
+	bool "Overlayfs: turn on unprivileged user namespace mounts"
+	default n
+	depends on OVERLAY_FS
+	help
+	  When disabled, unprivileged users will not be able to create
+	  new overlayfs mounts. This cuts the attack surface if no
+	  unprivileged user namespace mounts are required like for
+	  running rootless containers.
+
+	  Overlayfs has been part of several recent local privilege
+	  escalation exploits, so if you are security-conscious
+	  you want to disable this.
+
+	  If unsure, say N.
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@ -2189,7 +2189,9 @@ static struct dentry *ovl_mount(struct file_system_type *fs_type, int flags,
 static struct file_system_type ovl_fs_type = {
 	.owner		= THIS_MODULE,
 	.name		= "overlay",
+#ifdef CONFIG_OVERLAY_FS_UNPRIVILEGED
 	.fs_flags	= FS_USERNS_MOUNT,
+#endif
 	.mount		= ovl_mount,
 	.kill_sb	= kill_anon_super,
 };