Merge pull request #2808 from euank/ovl-regression
sys-kernel/coreos-*: add overlay ebusy fix
commit
ae786ddec4
@ -12,7 +12,7 @@ if [[ ${PV} == *9999 ]]; then
|
||||
DOCKER_GITCOMMIT="unknown"
|
||||
KEYWORDS="~amd64 ~arm64"
|
||||
else
|
||||
CROS_WORKON_COMMIT="a662a4c026af44b573f6f7851ae467d8e86f2162" # coreos-17.03.2-ce
|
||||
CROS_WORKON_COMMIT="236043027bc7199ec691f98c49bb2f0ec6a316d5" # coreos-17.03.2-ce
|
||||
DOCKER_GITCOMMIT="${CROS_WORKON_COMMIT:0:7}"
|
||||
KEYWORDS="amd64 arm64"
|
||||
fi
|
@ -74,9 +74,7 @@ RESTRICT="installsources strip"
|
||||
|
||||
S="${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}"
|
||||
|
||||
ENGINE_PATCHES=(
|
||||
"${FILESDIR}/patches/engine/revert-make-overlay-home-dir-private.patch"
|
||||
)
|
||||
ENGINE_PATCHES=()
|
||||
|
||||
# see "contrib/check-config.sh" from upstream's sources
|
||||
CONFIG_CHECK="
|
||||
@ -212,7 +210,7 @@ src_unpack() {
|
||||
DOCKER_GITCOMMIT=$(git -C "${S}" rev-parse HEAD | head -c 7)
|
||||
DOCKER_BUILD_DATE=$(git -C "${S}" log -1 --format="%ct")
|
||||
fi
|
||||
eapply -d"${S}"/components/engine "${ENGINE_PATCHES[@]}"
|
||||
[ "${#ENGINE_PATCHES[@]}" -gt 0 ] && eapply -d"${S}"/components/engine "${ENGINE_PATCHES[@]}"
|
||||
}
|
||||
|
||||
src_compile() {
|
||||
|
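Review bot: `[ "${#ENGINE_PATCHES[@]}" -gt 0 ] && eapply -d"${S}"/components/engine "${ENGINE_PATCHES[@]}"` is the last statement of src_unpack, so with ENGINE_PATCHES now empty the `[` test fails and src_unpack itself returns 1; whether the package manager treats a non-zero phase return as a failure is not visible here, but `test && cmd` as a function's final statement is the classic bash pitfall and reads as an accidental error status rather than an intended no-op. An explicit conditional avoids that: `if [ "${#ENGINE_PATCHES[@]}" -gt 0 ]; then` / `	eapply -d"${S}"/components/engine "${ENGINE_PATCHES[@]}"` / `fi`. The same applies if any other phase later appends to ENGINE_PATCHES conditionally. src_unpack starts outside the hunk.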
@ -1,111 +0,0 @@
|
||||
From 699fab4877c3ff5d7f935bd3977e413c31269c7c Mon Sep 17 00:00:00 2001
|
||||
From: Euan Kemp <euan.kemp@coreos.com>
|
||||
Date: Fri, 22 Sep 2017 12:01:04 -0700
|
||||
Subject: [PATCH] Revert "Make overlay home dir Private mount"
|
||||
|
||||
This reverts commit e076bccb458aeadab9380ce0636456ad6317a85f.
|
||||
It also reverts it for the overlay2 package, which didn't exist at the
|
||||
time the commit was made but is a direct successor with copy-pasted
|
||||
code.
|
||||
|
||||
The original commit was meant to fix a bug whereby `docker cp`
|
||||
(implemented via chrootarchive) could inadvertantly lead to shared
|
||||
mounts getting unmounted on the host too.
|
||||
|
||||
The fix, however, had side effects. It results in overlay mounts being
|
||||
private, and thus being quite easy to leak copies that are hard to
|
||||
umount into other mount namespaces on the box.
|
||||
|
||||
This hasn't been noticed until now because on kernels prior to v4.13,
|
||||
temporarily leaking overlayfs mounts to other namespaces didn't have any
|
||||
ill effects.
|
||||
|
||||
Starting with v4.13, setting the mount to private and thus leaking
|
||||
mounts results in errors. See https://github.com/moby/moby/issues/34672
|
||||
|
||||
The correct fix for the original issue was implemented later in
|
||||
https://github.com/moby/moby/pull/27609, and since that code is now
|
||||
merged we can safely throw away this less ideal fix.
|
||||
|
||||
Signed-off-by: Euan Kemp <euan.kemp@coreos.com>
|
||||
---
|
||||
daemon/graphdriver/overlay/overlay.go | 12 +++---------
|
||||
daemon/graphdriver/overlay2/overlay.go | 12 +++---------
|
||||
2 files changed, 6 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/daemon/graphdriver/overlay/overlay.go b/daemon/graphdriver/overlay/overlay.go
|
||||
index 9012722c20d..8ed51e6c384 100644
|
||||
--- a/daemon/graphdriver/overlay/overlay.go
|
||||
+++ b/daemon/graphdriver/overlay/overlay.go
|
||||
@@ -19,7 +19,6 @@ import (
|
||||
"github.com/docker/docker/pkg/fsutils"
|
||||
"github.com/docker/docker/pkg/idtools"
|
||||
"github.com/docker/docker/pkg/locker"
|
||||
- "github.com/docker/docker/pkg/mount"
|
||||
"github.com/docker/docker/pkg/system"
|
||||
"github.com/opencontainers/selinux/go-selinux/label"
|
||||
"github.com/sirupsen/logrus"
|
||||
@@ -139,10 +138,6 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
|
||||
return nil, err
|
||||
}
|
||||
|
||||
- if err := mount.MakePrivate(home); err != nil {
|
||||
- return nil, err
|
||||
- }
|
||||
-
|
||||
supportsDType, err := fsutils.SupportsDType(home)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@@ -227,11 +222,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
|
||||
return metadata, nil
|
||||
}
|
||||
|
||||
-// Cleanup any state created by overlay which should be cleaned when daemon
|
||||
-// is being shutdown. For now, we just have to unmount the bind mounted
|
||||
-// we had created.
|
||||
+// Cleanup simply returns nil and do not change the existing filesystem.
|
||||
+// This is required to satisfy the graphdriver.Driver interface.
|
||||
func (d *Driver) Cleanup() error {
|
||||
- return mount.Unmount(d.home)
|
||||
+ return nil
|
||||
}
|
||||
|
||||
// CreateReadWrite creates a layer that is writable for use as a container
|
||||
diff --git a/daemon/graphdriver/overlay2/overlay.go b/daemon/graphdriver/overlay2/overlay.go
|
||||
index f350ca9c0b8..5aaf8c0cefe 100644
|
||||
--- a/daemon/graphdriver/overlay2/overlay.go
|
||||
+++ b/daemon/graphdriver/overlay2/overlay.go
|
||||
@@ -28,7 +28,6 @@ import (
|
||||
"github.com/docker/docker/pkg/fsutils"
|
||||
"github.com/docker/docker/pkg/idtools"
|
||||
"github.com/docker/docker/pkg/locker"
|
||||
- "github.com/docker/docker/pkg/mount"
|
||||
"github.com/docker/docker/pkg/parsers"
|
||||
"github.com/docker/docker/pkg/parsers/kernel"
|
||||
"github.com/docker/docker/pkg/system"
|
||||
@@ -175,10 +174,6 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
|
||||
return nil, err
|
||||
}
|
||||
|
||||
- if err := mount.MakePrivate(home); err != nil {
|
||||
- return nil, err
|
||||
- }
|
||||
-
|
||||
supportsDType, err := fsutils.SupportsDType(home)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@@ -314,11 +309,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
|
||||
return metadata, nil
|
||||
}
|
||||
|
||||
-// Cleanup any state created by overlay which should be cleaned when daemon
|
||||
-// is being shutdown. For now, we just have to unmount the bind mounted
|
||||
-// we had created.
|
||||
+// Cleanup simply returns nil and do not change the existing filesystem.
|
||||
+// This is required to satisfy the graphdriver.Driver interface.
|
||||
func (d *Driver) Cleanup() error {
|
||||
- return mount.Unmount(d.home)
|
||||
+ return nil
|
||||
}
|
||||
|
||||
// CreateReadWrite creates a layer that is writable for use as a container
|
@ -11,7 +11,7 @@ KEYWORDS="amd64 arm64"
|
||||
|
||||
# Explicitly list all packages that will be built into the image.
|
||||
RDEPEND="
|
||||
=app-emulation/docker-17.03.2
|
||||
=app-emulation/docker-17.03.2-r1
|
||||
=app-emulation/containerd-0.2.6
|
||||
=app-emulation/docker-proxy-0.8.0_p20161019
|
||||
=app-emulation/docker-runc-1.0.0_rc2_p136
|
||||
|
@ -11,7 +11,7 @@ KEYWORDS="amd64 arm64"
|
||||
|
||||
# Explicitly list all packages that will be built into the image.
|
||||
RDEPEND="
|
||||
=app-emulation/docker-17.09.0
|
||||
=app-emulation/docker-17.09.0-r1
|
||||
=app-emulation/containerd-0.2.9_p27
|
||||
=app-emulation/docker-proxy-0.8.0_p20170917
|
||||
=app-emulation/docker-runc-1.0.0_rc4_p25
|
||||
|
@ -2,7 +2,7 @@
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=5
|
||||
COREOS_SOURCE_REVISION=""
|
||||
COREOS_SOURCE_REVISION="-r1"
|
||||
inherit coreos-kernel
|
||||
|
||||
DESCRIPTION="CoreOS Linux kernel"
|
@ -2,7 +2,7 @@
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=5
|
||||
COREOS_SOURCE_REVISION=""
|
||||
COREOS_SOURCE_REVISION="-r1"
|
||||
inherit coreos-kernel savedconfig
|
||||
|
||||
DESCRIPTION="CoreOS Linux kernel modules"
|
@ -55,4 +55,5 @@ UNIPATCH_LIST="
|
||||
${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \
|
||||
${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
|
||||
${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
|
||||
${PATCH_DIR}/z0025-ovl-fix-regression-caused-by-exclusive-upper-work-di.patch \
|
||||
"
|
@ -1,7 +1,7 @@
|
||||
From f1837934545ec345d6509fe6b70d5a8e7fb48c06 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Mon, 21 Nov 2016 23:55:55 +0000
|
||||
Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit
|
||||
Subject: [PATCH 01/25] efi: Add EFI_SECURE_BOOT bit
|
||||
|
||||
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
|
||||
that can be passed to efi_enabled() to find out whether secure boot is
|
||||
@ -42,5 +42,5 @@ index 8269bcb8ccf7..7952dd3ffa73 100644
|
||||
#ifdef CONFIG_EFI
|
||||
/*
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 07584ac35f055643fbb7d3db977edb1667761cdd Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 21 Nov 2016 23:36:17 +0000
|
||||
Subject: [PATCH 02/24] Add the ability to lock down access to the running
|
||||
Subject: [PATCH 02/25] Add the ability to lock down access to the running
|
||||
kernel image
|
||||
|
||||
Provide a single call to allow kernel code to determine whether the system
|
||||
@ -145,5 +145,5 @@ index 000000000000..5788c60ff4e1
|
||||
+}
|
||||
+EXPORT_SYMBOL(kernel_is_locked_down);
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 50ee015df6059aafabbde1ca24cc93ed9a5d4dec Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Mon, 21 Nov 2016 23:55:55 +0000
|
||||
Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode
|
||||
Subject: [PATCH 03/25] efi: Lock down the kernel if booted in secure boot mode
|
||||
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
|
||||
only load signed bootloaders and kernels. Certain use cases may also
|
||||
@ -65,5 +65,5 @@ index 319995f58345..d0128aef43ce 100644
|
||||
default:
|
||||
pr_info("Secure boot could not be determined\n");
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 76bf27c180ae82174aa7429c24c815b7d69f4580 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Wed, 23 Nov 2016 13:22:22 +0000
|
||||
Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
|
||||
Subject: [PATCH 04/25] Enforce module signatures if the kernel is locked down
|
||||
|
||||
If the kernel is locked down, require that all modules have valid
|
||||
signatures that we can verify.
|
||||
@ -25,5 +25,5 @@ index 40f983cbea81..e5b878b26906 100644
|
||||
|
||||
return err;
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 9062089abfaf7e47d6f734d84c27c1cbea3c04c6 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is
|
||||
Subject: [PATCH 05/25] Restrict /dev/mem and /dev/kmem when the kernel is
|
||||
locked down
|
||||
|
||||
Allowing users to write to address space makes it possible for the kernel to
|
||||
@ -39,5 +39,5 @@ index 593a8818aca9..ba68add9677f 100644
|
||||
unsigned long to_write = min_t(unsigned long, count,
|
||||
(unsigned long)high_memory - p);
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From a4a18f7a7c9f4dc853d1ed84e100bfad45ca768d Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down
|
||||
Subject: [PATCH 06/25] kexec: Disable at runtime if the kernel is locked down
|
||||
|
||||
kexec permits the loading and execution of arbitrary code in ring 0, which
|
||||
is something that lock-down is meant to prevent. It makes sense to disable
|
||||
@ -20,20 +20,20 @@ diff --git a/kernel/kexec.c b/kernel/kexec.c
|
||||
index e62ec4dc6620..37f75d0b75de 100644
|
||||
--- a/kernel/kexec.c
|
||||
+++ b/kernel/kexec.c
|
||||
@@ -201,6 +201,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
||||
if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
|
||||
@@ -202,6 +202,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
||||
return -EPERM;
|
||||
|
||||
+ /*
|
||||
/*
|
||||
+ * kexec can be used to circumvent module loading restrictions, so
|
||||
+ * prevent loading in that case
|
||||
+ */
|
||||
+ if (kernel_is_locked_down())
|
||||
+ return -EPERM;
|
||||
+
|
||||
/*
|
||||
+ /*
|
||||
* Verify we have a legal set of flags
|
||||
* This leaves us room for future extensions.
|
||||
*/
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From d3aa49c4e2c3fc2db64a67802d2d1ca7682f3e43 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Young <dyoung@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec
|
||||
Subject: [PATCH 07/25] Copy secure_boot flag in boot params across kexec
|
||||
reboot
|
||||
|
||||
Kexec reboot in case secure boot being enabled does not keep the secure
|
||||
@ -34,5 +34,5 @@ index fb095ba0c02f..7d0fac5bcbbe 100644
|
||||
ei->efi_systab = current_ei->efi_systab;
|
||||
ei->efi_systab_hi = current_ei->efi_systab_hi;
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 4f56499f69dd3492dcd4ec80bf0d39882384fedb Mon Sep 17 00:00:00 2001
|
||||
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
||||
Date: Wed, 23 Nov 2016 13:49:19 +0000
|
||||
Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been
|
||||
Subject: [PATCH 08/25] kexec_file: Disable at runtime if securelevel has been
|
||||
set
|
||||
|
||||
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
|
||||
@ -35,5 +35,5 @@ index 9f48f4412297..7da87007c202 100644
|
||||
if (flags != (flags & KEXEC_FILE_FLAGS))
|
||||
return -EINVAL;
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 73206c208c0fd2658938c75f8b2c223d64f926ac Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down
|
||||
Subject: [PATCH 09/25] hibernate: Disable when the kernel is locked down
|
||||
|
||||
There is currently no way to verify the resume image when returning
|
||||
from hibernate. This might compromise the signed modules trust model,
|
||||
@ -28,5 +28,5 @@ index e1914c7b85b1..7859ba79e181 100644
|
||||
|
||||
/**
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From d575c18b93c029bd3042e5719af1e3536f13f90c Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@srcf.ucam.org>
|
||||
Date: Wed, 23 Nov 2016 13:28:17 +0000
|
||||
Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down
|
||||
Subject: [PATCH 10/25] uswsusp: Disable when the kernel is locked down
|
||||
|
||||
uswsusp allows a user process to dump and then restore kernel state, which
|
||||
makes it possible to modify the running kernel. Disable this if the kernel
|
||||
@ -28,5 +28,5 @@ index 22df9f7ff672..e4b926d329b7 100644
|
||||
|
||||
if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 16ad18e196811749d4d5f737e4ca0482326be131 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:15 +0000
|
||||
Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked
|
||||
Subject: [PATCH 11/25] PCI: Lock down BAR access when the kernel is locked
|
||||
down
|
||||
|
||||
Any hardware that can potentially generate DMA has to be locked down in
|
||||
@ -99,5 +99,5 @@ index 9bf993e1f71e..c09524738ceb 100644
|
||||
|
||||
dev = pci_get_bus_and_slot(bus, dfn);
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From ad9d4a91032b313727714cbb57aa8ddfb8d80dfc Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked
|
||||
Subject: [PATCH 12/25] x86: Lock down IO port access when the kernel is locked
|
||||
down
|
||||
|
||||
IO port access would permit users to gain access to PCI configuration
|
||||
@ -55,5 +55,5 @@ index ba68add9677f..5e2a260fb89f 100644
|
||||
}
|
||||
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From f1e625e306e90405acff33c68a6285a20877de59 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:17 +0000
|
||||
Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down
|
||||
Subject: [PATCH 13/25] x86: Restrict MSR access when the kernel is locked down
|
||||
|
||||
Writing to MSRs should not be allowed if the kernel is locked down, since
|
||||
it could lead to execution of arbitrary code in kernel mode. Based on a
|
||||
@ -40,5 +40,5 @@ index ef688804f80d..fbcce028e502 100644
|
||||
err = -EFAULT;
|
||||
break;
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From b94b97961964b34fa834a5a49a381ba5c40d1136 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is
|
||||
Subject: [PATCH 14/25] asus-wmi: Restrict debugfs interface when the kernel is
|
||||
locked down
|
||||
|
||||
We have no way of validating what all of the Asus WMI methods do on a given
|
||||
@ -51,5 +51,5 @@ index 709e3a67391a..2d8db47698b2 100644
|
||||
1, asus->debug.method_id,
|
||||
&input, &output);
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 3c68d0f079679bbd37603e30a28fda1a51f2052d Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is
|
||||
Subject: [PATCH 15/25] ACPI: Limit access to custom_method when the kernel is
|
||||
locked down
|
||||
|
||||
custom_method effectively allows arbitrary access to system memory, making
|
||||
@ -29,5 +29,5 @@ index c68e72414a67..e4d721c330c0 100644
|
||||
/* parse the table header to get the table length */
|
||||
if (count <= sizeof(struct acpi_table_header))
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From b422de393e6d978f5067cee5170c449dc4277f20 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 08:46:16 +0000
|
||||
Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
|
||||
Subject: [PATCH 16/25] acpi: Ignore acpi_rsdp kernel param when the kernel has
|
||||
been locked down
|
||||
|
||||
This option allows userspace to pass the RSDP address to the kernel, which
|
||||
@ -28,5 +28,5 @@ index db78d353bab1..d4d4ba348451 100644
|
||||
#endif
|
||||
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 26bcf43365c06c2ca9e3386b202c52988525d70d Mon Sep 17 00:00:00 2001
|
||||
From: Linn Crosetto <linn@hpe.com>
|
||||
Date: Wed, 23 Nov 2016 13:32:27 +0000
|
||||
Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is
|
||||
Subject: [PATCH 17/25] acpi: Disable ACPI table override if the kernel is
|
||||
locked down
|
||||
|
||||
From the kernel documentation (initrd_table_override.txt):
|
||||
@ -37,5 +37,5 @@ index ff425390bfa8..c72bfa97888a 100644
|
||||
memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
|
||||
all_tables_size, PAGE_SIZE);
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 0b2d6eaf44fe27ffc3f266d60acd785054c9251a Mon Sep 17 00:00:00 2001
|
||||
From: Linn Crosetto <linn@hpe.com>
|
||||
Date: Wed, 23 Nov 2016 13:39:41 +0000
|
||||
Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is
|
||||
Subject: [PATCH 18/25] acpi: Disable APEI error injection if the kernel is
|
||||
locked down
|
||||
|
||||
ACPI provides an error injection mechanism, EINJ, for debugging and testing
|
||||
@ -40,5 +40,5 @@ index ec50c32ea3da..e082718d01c2 100644
|
||||
if (flags && (flags &
|
||||
~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From c03a14e840c12755863e0bb0fc3dc466cdcab734 Mon Sep 17 00:00:00 2001
|
||||
From: "Lee, Chun-Yi" <jlee@suse.com>
|
||||
Date: Wed, 23 Nov 2016 13:52:16 +0000
|
||||
Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the
|
||||
Subject: [PATCH 19/25] bpf: Restrict kernel image access functions when the
|
||||
kernel is locked down
|
||||
|
||||
There are some bpf functions can be used to read kernel memory:
|
||||
@ -53,5 +53,5 @@ index dc498b605d5d..fb240222b89b 100644
|
||||
for (i = 0; i < fmt_size; i++) {
|
||||
if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 87d86828a5c23d79d182fe08fc311980a49bb314 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 22 Nov 2016 10:10:34 +0000
|
||||
Subject: [PATCH 20/24] scsi: Lock down the eata driver
|
||||
Subject: [PATCH 20/25] scsi: Lock down the eata driver
|
||||
|
||||
When the kernel is running in secure boot mode, we lock down the kernel to
|
||||
prevent userspace from modifying the running kernel image. Whilst this
|
||||
@ -43,5 +43,5 @@ index 227dd2c2ec2f..5c036d10c18b 100644
|
||||
#if defined(MODULE)
|
||||
/* io_port could have been modified when loading as a module */
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 5674808941b241db1a075ecf6392cd2f5f963c7b Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Fri, 25 Nov 2016 14:37:45 +0000
|
||||
Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked
|
||||
Subject: [PATCH 21/25] Prohibit PCMCIA CIS storage when the kernel is locked
|
||||
down
|
||||
|
||||
Prohibit replacement of the PCMCIA Card Information Structure when the
|
||||
@ -29,5 +29,5 @@ index 55ef7d1fd8da..193e4f7b73b1 100644
|
||||
|
||||
if (off)
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From c9f901215cc9798206af8934f3e3396e812bfd36 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Wed, 7 Dec 2016 10:28:39 +0000
|
||||
Subject: [PATCH 22/24] Lock down TIOCSSERIAL
|
||||
Subject: [PATCH 22/25] Lock down TIOCSSERIAL
|
||||
|
||||
Lock down TIOCSSERIAL as that can be used to change the ioport and irq
|
||||
settings on a serial port. This only appears to be an issue for the serial
|
||||
@ -32,5 +32,5 @@ index f534a40aebde..e32c0179f423 100644
|
||||
retval = -EPERM;
|
||||
if (change_irq || change_port ||
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 7a7e247d55502efe910eef98322fa706aa8b7ad8 Mon Sep 17 00:00:00 2001
|
||||
From: Vito Caputo <vito.caputo@coreos.com>
|
||||
Date: Wed, 25 Nov 2015 02:59:45 -0800
|
||||
Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
Subject: [PATCH 23/25] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
|
||||
This enables relocating source and build trees to different roots,
|
||||
provided they stay reachable relative to one another. Useful for
|
||||
@ -26,5 +26,5 @@ index 189f1a748e4c..c44e17ddc9e1 100644
|
||||
|
||||
# Leave processing to above invocation of make
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 0038c7fad4882341972286f31a15f8013f97e964 Mon Sep 17 00:00:00 2001
|
||||
From: Geoff Levand <geoff@infradead.org>
|
||||
Date: Fri, 11 Nov 2016 17:28:52 -0800
|
||||
Subject: [PATCH 24/24] Add arm64 coreos verity hash
|
||||
Subject: [PATCH 24/25] Add arm64 coreos verity hash
|
||||
|
||||
Signed-off-by: Geoff Levand <geoff@infradead.org>
|
||||
---
|
||||
@ -25,5 +25,5 @@ index 613fc3000677..fdaf86c78332 100644
|
||||
/*
|
||||
* The debug table is referenced via its Relative Virtual Address (RVA),
|
||||
--
|
||||
2.14.1
|
||||
2.13.6
|
||||
|
||||
|
@ -0,0 +1,148 @@
|
||||
From 3dd952f456fda073b3d492a94745f119effba17b Mon Sep 17 00:00:00 2001
|
||||
From: Amir Goldstein <amir73il@gmail.com>
|
||||
Date: Fri, 29 Sep 2017 10:21:21 +0300
|
||||
Subject: [PATCH 25/25] ovl: fix regression caused by exclusive upper/work dir
|
||||
protection
|
||||
|
||||
Enforcing exclusive ownership on upper/work dirs caused a docker
|
||||
regression: https://github.com/moby/moby/issues/34672.
|
||||
|
||||
Euan spotted the regression and pointed to the offending commit.
|
||||
Vivek has brought the regression to my attention and provided this
|
||||
reproducer:
|
||||
|
||||
Terminal 1:
|
||||
|
||||
mount -t overlay -o workdir=work,lowerdir=lower,upperdir=upper none
|
||||
merged/
|
||||
|
||||
Terminal 2:
|
||||
|
||||
unshare -m
|
||||
|
||||
Terminal 1:
|
||||
|
||||
umount merged
|
||||
mount -t overlay -o workdir=work,lowerdir=lower,upperdir=upper none
|
||||
merged/
|
||||
mount: /root/overlay-testing/merged: none already mounted or mount point
|
||||
busy
|
||||
|
||||
To fix the regression, I replaced the error with an alarming warning.
|
||||
With index feature enabled, mount does fail, but logs a suggestion to
|
||||
override exclusive dir protection by disabling index.
|
||||
Note that index=off mount does take the inuse locks, so a concurrent
|
||||
index=off will issue the warning and a concurrent index=on mount will fail.
|
||||
|
||||
Documentation was updated to reflect this change.
|
||||
|
||||
Fixes: 2cac0c00a6cd ("ovl: get exclusive ownership on upper/work dirs")
|
||||
Cc: <stable@vger.kernel.org> # v4.13
|
||||
Reported-by: Euan Kemp <euank@euank.com>
|
||||
Reported-by: Vivek Goyal <vgoyal@redhat.com>
|
||||
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
|
||||
---
|
||||
Documentation/filesystems/overlayfs.txt | 5 ++++-
|
||||
fs/overlayfs/ovl_entry.h | 3 +++
|
||||
fs/overlayfs/super.c | 27 +++++++++++++++++++--------
|
||||
3 files changed, 26 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/Documentation/filesystems/overlayfs.txt b/Documentation/filesystems/overlayfs.txt
|
||||
index 36f528a7fdd6..8caa60734647 100644
|
||||
--- a/Documentation/filesystems/overlayfs.txt
|
||||
+++ b/Documentation/filesystems/overlayfs.txt
|
||||
@@ -210,8 +210,11 @@ path as another overlay mount and it may use a lower layer path that is
|
||||
beneath or above the path of another overlay lower layer path.
|
||||
|
||||
Using an upper layer path and/or a workdir path that are already used by
|
||||
-another overlay mount is not allowed and will fail with EBUSY. Using
|
||||
+another overlay mount is not allowed and may fail with EBUSY. Using
|
||||
partially overlapping paths is not allowed but will not fail with EBUSY.
|
||||
+If files are accessed from two overlayfs mounts which share or overlap the
|
||||
+upper layer and/or workdir path the behavior of the overlay is undefined,
|
||||
+though it will not result in a crash or deadlock.
|
||||
|
||||
Mounting an overlay using an upper layer path, where the upper layer path
|
||||
was previously used by another mounted overlay in combination with a
|
||||
diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h
|
||||
index 878a750986dd..25d9b5adcd42 100644
|
||||
--- a/fs/overlayfs/ovl_entry.h
|
||||
+++ b/fs/overlayfs/ovl_entry.h
|
||||
@@ -37,6 +37,9 @@ struct ovl_fs {
|
||||
bool noxattr;
|
||||
/* sb common to all layers */
|
||||
struct super_block *same_sb;
|
||||
+ /* Did we take the inuse lock? */
|
||||
+ bool upperdir_locked;
|
||||
+ bool workdir_locked;
|
||||
};
|
||||
|
||||
/* private information held for every overlayfs dentry */
|
||||
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
|
||||
index d86e89f97201..a1464905c1ea 100644
|
||||
--- a/fs/overlayfs/super.c
|
||||
+++ b/fs/overlayfs/super.c
|
||||
@@ -210,9 +210,10 @@ static void ovl_put_super(struct super_block *sb)
|
||||
|
||||
dput(ufs->indexdir);
|
||||
dput(ufs->workdir);
|
||||
- ovl_inuse_unlock(ufs->workbasedir);
|
||||
+ if (ufs->workdir_locked)
|
||||
+ ovl_inuse_unlock(ufs->workbasedir);
|
||||
dput(ufs->workbasedir);
|
||||
- if (ufs->upper_mnt)
|
||||
+ if (ufs->upper_mnt && ufs->upperdir_locked)
|
||||
ovl_inuse_unlock(ufs->upper_mnt->mnt_root);
|
||||
mntput(ufs->upper_mnt);
|
||||
for (i = 0; i < ufs->numlower; i++)
|
||||
@@ -880,9 +881,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
|
||||
goto out_put_upperpath;
|
||||
|
||||
err = -EBUSY;
|
||||
- if (!ovl_inuse_trylock(upperpath.dentry)) {
|
||||
- pr_err("overlayfs: upperdir is in-use by another mount\n");
|
||||
+ if (ovl_inuse_trylock(upperpath.dentry)) {
|
||||
+ ufs->upperdir_locked = true;
|
||||
+ } else if (ufs->config.index) {
|
||||
+ pr_err("overlayfs: upperdir is in-use by another mount, mount with '-o index=off' to override exclusive upperdir protection.\n");
|
||||
goto out_put_upperpath;
|
||||
+ } else {
|
||||
+ pr_warn("overlayfs: upperdir is in-use by another mount, accessing files from both mounts will result in undefined behavior.\n");
|
||||
}
|
||||
|
||||
err = ovl_mount_dir(ufs->config.workdir, &workpath);
|
||||
@@ -900,9 +905,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
|
||||
}
|
||||
|
||||
err = -EBUSY;
|
||||
- if (!ovl_inuse_trylock(workpath.dentry)) {
|
||||
- pr_err("overlayfs: workdir is in-use by another mount\n");
|
||||
+ if (ovl_inuse_trylock(workpath.dentry)) {
|
||||
+ ufs->workdir_locked = true;
|
||||
+ } else if (ufs->config.index) {
|
||||
+ pr_err("overlayfs: workdir is in-use by another mount, mount with '-o index=off' to override exclusive workdir protection.\n");
|
||||
goto out_put_workpath;
|
||||
+ } else {
|
||||
+ pr_warn("overlayfs: workdir is in-use by another mount, accessing files from both mounts will result in undefined behavior.\n");
|
||||
}
|
||||
|
||||
ufs->workbasedir = workpath.dentry;
|
||||
@@ -1155,11 +1164,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
|
||||
out_free_lowertmp:
|
||||
kfree(lowertmp);
|
||||
out_unlock_workdentry:
|
||||
- ovl_inuse_unlock(workpath.dentry);
|
||||
+ if (ufs->workdir_locked)
|
||||
+ ovl_inuse_unlock(workpath.dentry);
|
||||
out_put_workpath:
|
||||
path_put(&workpath);
|
||||
out_unlock_upperdentry:
|
||||
- ovl_inuse_unlock(upperpath.dentry);
|
||||
+ if (ufs->upperdir_locked)
|
||||
+ ovl_inuse_unlock(upperpath.dentry);
|
||||
out_put_upperpath:
|
||||
path_put(&upperpath);
|
||||
out_free_config:
|
||||
--
|
||||
2.13.6
|
||||
|
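Review bot: The overlayfs.txt hunk now says reuse of an upper/work dir "may fail with EBUSY" but does not say what decides the outcome, while the super.c hunks make it depend on the index option: the mount fails only when `ufs->config.index` is set and otherwise proceeds after a `pr_warn`. A sentence along the lines of `The mount fails with EBUSY when the index feature is enabled; with index=off the kernel only logs a warning and both mounts share the directory.` would make the fail-open case visible to readers of the documentation rather than only to readers of the code. Since this file is a backport of an upstream commit, that wording change belongs upstream rather than in the local copy. Locally, the `overlayfs: upperdir is in-use by another mount` and `overlayfs: workdir is in-use by another mount` log lines are the only runtime indication that two mounts share a directory, so they are the signal to watch for when the index feature is off.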