ovl: add config to disable unprivileged user namespace mounts
When disabled, unprivileged users will not be able to create new overlayfs mounts. This reduces the attack surface on systems that do not need unprivileged user namespace mounts, which are required for uses such as running rootless containers. Signed-off-by: Levente Polyak <levente@leventepolyak.net>
parent
74bb8af8fa
commit
7ba8c9d673
|
@ -124,3 +124,19 @@ config OVERLAY_FS_METACOPY
|
|||
that doesn't support this feature will have unexpected results.
|
||||
|
||||
If unsure, say N.
|
||||
|
||||
config OVERLAY_FS_UNPRIVILEGED
|
||||
bool "Overlayfs: turn on unprivileged user namespace mounts"
|
||||
default n
|
||||
depends on OVERLAY_FS
|
||||
help
|
||||
When disabled, unprivileged users will not be able to create
|
||||
new overlayfs mounts. This cuts the attack surface if no
|
||||
unprivileged user namespace mounts are required like for
|
||||
running rootless containers.
|
||||
|
||||
Overlayfs has been part of several recent local privilege
|
||||
escalation exploits, so if you are security-conscious
|
||||
you want to disable this.
|
||||
|
||||
If unsure, say N.
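Review bot: The help text for OVERLAY_FS_UNPRIVILEGED does not say what actually changes when the option is off, and it opens with "When disabled" although the prompt is phrased as "turn on". I would describe the enabled state first and then add a sentence on the disabled state, for example `With N, overlayfs can only be mounted with CAP_SYS_ADMIN in the initial user namespace.` Because the option is `default n`, anyone rebuilding with the default loses overlayfs mounts from inside user namespaces, so the help should name that consequence; rootless container setups that use native overlayfs would presumably need another storage backend. The closing "If unsure, say N." is consistent with the security advice above it.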
|
||||
|
|
|
@ -2189,7 +2189,9 @@ static struct dentry *ovl_mount(struct file_system_type *fs_type, int flags,
|
|||
static struct file_system_type ovl_fs_type = {
|
||||
.owner = THIS_MODULE,
|
||||
.name = "overlay",
|
||||
#ifdef CONFIG_OVERLAY_FS_UNPRIVILEGED
|
||||
.fs_flags = FS_USERNS_MOUNT,
|
||||
#endif
|
||||
.mount = ovl_mount,
|
||||
.kill_sb = kill_anon_super,
|
||||
};
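Review bot: The `#ifdef CONFIG_OVERLAY_FS_UNPRIVILEGED` around `.fs_flags` in `ovl_fs_type` has no comment explaining what an absent flag means. Since this is the enforcement point of the hardening option, I would add above the `#ifdef` something like `/* Without FS_USERNS_MOUNT, mounting requires CAP_SYS_ADMIN in the initial user namespace. */`. Judging by the hunk header counts, the `.fs_flags` line already existed and only the two preprocessor lines are new, so the restriction is fixed at build time with no runtime switch; that is worth stating in the comment or the Kconfig help. Only the initializer is visible here, so whether other code in this file assumes mounts from non-initial user namespaces cannot be checked from this hunk.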
|
||||
|
|