I retested using lxc-1.1.4 from the lxc-stable PPA
(https://launchpad.net/~ubuntu-lxc/+archive/ubuntu/lxc-stable) which I
added to a fresh VM image from the daily builds,
https://cloud-images.ubuntu.com/trusty/current.

"lxc-start -n trusty_overlay" fails as before, with the same error
message,

ERROR    lxc_utils - utils.c:safe_mount:1641 - Permission denied - Failed to mount /home/ubuntu/test.txt onto /usr/lib/x86_64-linux-gnu/lxc/home/ubuntu/test.txt
ERROR    lxc_conf - conf.c:mount_entry:1731 - Permission denied - failed to mount '/home/ubuntu/test.txt' on '/usr/lib/x86_64-linux-gnu/lxc/home/ubuntu/test.txt'
ERROR    lxc_conf - conf.c:lxc_setup:3745 - failed to setup the mount entries for 'trusty_overlay'

Chris, it would be of interest to see whether you can reproduce the
underlying kernel bug using this script,

#!/bin/bash
fatal() { echo "error: $@"; exit 1; }

echo -e "testing for overlayfs kernel bug in kernels <= 3.17.";
echo -e "(This script does not work for the newer version of overlayfs in kernels 3.18+)";

# Build a throwaway tmpfs with an overlayfs mounted inside it.
mkdir test_dir                    || fatal "mkdir test_dir";
sudo mount -t tmpfs none test_dir || fatal "mount tmpfs";
cd test_dir;
mkdir lowerdir upperdir overlayfs;
sudo mount -t overlayfs -o lowerdir=lowerdir,upperdir=upperdir none overlayfs || fatal "mount overlayfs";

# Open one file on each filesystem so /proc/$BASHPID/fd/ shows how the kernel resolves them.
exec 6> file_tmpfs.txt;
exec 7> lowerdir/file_lowerdir.txt;
exec 8> upperdir/file_upperdir.txt;
exec 9> overlayfs/file_overlayfs.txt;

echo -e "\ncontents of /proc/$BASHPID/fd/ .  A broken symbolic link to file_overlayfs.txt indicates a kernel bug";
echo "--------------------------------------------------------------------------------------------------------";
file /proc/$BASHPID/fd/[6-9];

# cleanup
exec 9>&-;
exec 8>&-;
exec 7>&-;
exec 6>&-;
sudo umount overlayfs;
cd ..;
sudo umount test_dir && rmdir test_dir;
#----------end of script

Running the script as root, sudo ./script, I get the following output,

  testing for overlayfs kernel bug in kernels <= 3.17.
  (This script does not work for the newer version of overlayfs in kernels 3.18+)

  contents of /proc/1916/fd/ .  A broken symbolic link to file_overlayfs.txt indicates a kernel bug
  --------------------------------------------------------------------------------------------------------
  /proc/1916/fd/6: symbolic link to `/home/ubuntu/test_dir/file_tmpfs.txt'
  /proc/1916/fd/7: symbolic link to `/home/ubuntu/test_dir/lowerdir/file_lowerdir.txt'
  /proc/1916/fd/8: symbolic link to `/home/ubuntu/test_dir/upperdir/file_upperdir.txt'
  /proc/1916/fd/9: broken symbolic link to `/file_overlayfs.txt'

It seems that the kernel bug is causing fd 9 to point to
/file_overlayfs.txt, when it should point to
/home/ubuntu/test_dir/overlayfs/file_overlayfs.txt .

The lxc commit which introduced safe_mount(), which passes fds as
arguments to mount(), is

CVE-2015-1335: Protect container mounts against symlinks
https://github.com/lxc/lxc/commit/6de26af93d3dd87c8b21a42fdf20f30fa1c1948d

Here is the relevant part of the commit, which creates a file descriptor
and passes it to mount().

+       destfd = open_without_symlink(dest, rootfs);
+       if (destfd < 0) {
+               if (srcfd != -1)
+                       close(srcfd);
+               return destfd;
+       }
+
+       ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd);
+       if (ret < 0 || ret > 50) {
+               if (srcfd != -1)
+                       close(srcfd);
+               close(destfd);
+               ERROR("Out of memory");
+               return -EINVAL;
+       }
+
+       ret = mount(mntsrc, destbuf, fstype, flags, data);
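Review bot: the truncation check `ret > 50` after `snprintf(destbuf, 50, "/proc/self/fd/%d", destfd)` is off by one: snprintf returns the length it would have written excluding the terminating NUL, so a return value of exactly 50 means the string was cut and destbuf[49] is the NUL. Use `ret >= sizeof(destbuf)` and pass `sizeof(destbuf)` to snprintf as well, so the buffer size is not repeated as a literal in two places. The `ERROR("Out of memory")` text is also wrong for this branch, which is a formatting or truncation failure, not an allocation failure. Separately, `mount(mntsrc, destbuf, ...)` depends on the kernel resolving the `/proc/self/fd/%d` magic link to the path that was opened; the readlink output above shows that on the affected overlayfs it resolves to `/file_overlayfs.txt` instead, so a debug check that reads the link back and compares it with `dest` before calling mount() would turn the opaque "Permission denied" into a clear diagnostic.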


** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1335

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1507463

Title:
  OverlayFS: Wrong mnt_id and path reported in /proc in linux-3.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1507463/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
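Added example, not code from lxc or from this bug report: a small C program that does what safe_mount() is described as doing above (open the mount target component by component without following symlinks, then mount through the /proc/self/fd/N path) and adds the check the shell script performs with file(1): before calling mount() it reads /proc/self/fd/N back and compares it with the path it opened, so the overlayfs bug shows up as a clear failure rather than as EPERM from mount(). The function names open_without_symlink(), fd_path_is(), safe_bind_mount() and self_test(), the /tmp self-test directory and the requirement that dest be an absolute, canonical path are assumptions of this example; safe_bind_mount() needs CAP_SYS_ADMIN and is not exercised by the self test.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000 /* Linux value, for headers that predate it (assumption) */
#endif

/* Open PATH one component at a time, never following a symlink (the idea behind lxc's
 * open_without_symlink(); example code). Returns an O_PATH fd or -errno (-ELOOP on a symlink). */
int open_without_symlink(const char *path)
{
    char *copy = strdup(path), *save = NULL;
    if (!copy)
        return -ENOMEM;
    int dirfd = open(path[0] == '/' ? "/" : ".", O_PATH | O_DIRECTORY | O_CLOEXEC);
    int e = dirfd < 0 ? errno : 0;
    for (char *c = e ? NULL : strtok_r(copy, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        struct stat st;
        /* O_PATH|O_NOFOLLOW opens a symlink itself rather than failing, so the
         * S_ISLNK check on the opened fd is what actually rejects symlinks. */
        int next = openat(dirfd, c, O_PATH | O_NOFOLLOW | O_CLOEXEC);
        e = next < 0 ? errno : fstat(next, &st) < 0 ? errno : S_ISLNK(st.st_mode) ? ELOOP : 0;
        if (e) {
            if (next >= 0)
                close(next);
            break;
        }
        close(dirfd);
        dirfd = next;
    }
    free(copy);
    if (e && dirfd >= 0)
        close(dirfd);
    return e ? -e : dirfd;
}

/* 1 if the kernel resolves /proc/self/fd/FD to EXPECTED (absolute, canonical path), else 0.
 * On the overlayfs bug above this is 0 for a file opened inside the overlay. */
int fd_path_is(int fd, const char *expected)
{
    char proc[64], got[PATH_MAX];
    snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd);
    ssize_t len = readlink(proc, got, sizeof got - 1);
    if (len < 0)
        return 0;
    got[len] = '\0';
    return strcmp(got, expected) == 0;
}

/* Bind-mount SRC onto DEST through the fd path, as safe_mount() does, after checking that
 * the fd path really points at DEST. Needs CAP_SYS_ADMIN; returns 0 or -errno. */
int safe_bind_mount(const char *src, const char *dest)
{
    char destbuf[64];
    int destfd = open_without_symlink(dest);
    if (destfd < 0)
        return destfd;
    int n = snprintf(destbuf, sizeof destbuf, "/proc/self/fd/%d", destfd);
    int ret = (n < 0 || (size_t)n >= sizeof destbuf) ? -EINVAL
            : !fd_path_is(destfd, dest) ? -ENOENT /* kernel resolved the fd somewhere else */
            : mount(src, destbuf, NULL, MS_BIND, NULL) < 0 ? -errno : 0;
    close(destfd);
    return ret;
}

/* Self test in a constructed /tmp directory: a plain file is accepted and reported at its
 * true path, an absolute symlink to it is refused. Returns 0 on success. */
int self_test(void)
{
    char dir[] = "/tmp/ovlXXXXXX", real[PATH_MAX], lnk[PATH_MAX];
    int fd, rc = 1;
    if (!mkdtemp(dir))
        return rc;
    snprintf(real, sizeof real, "%s/real.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/link.txt", dir);
    fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && symlink(real, lnk) == 0) {
        close(fd);
        fd = open_without_symlink(real);
        rc = (fd >= 0 && fd_path_is(fd, real)) ? 0 : 2; /* accepted and at its real path */
        if (rc == 0 && open_without_symlink(lnk) != -ELOOP)
            rc = 3;                                      /* symlink must be refused */
    }
    if (fd >= 0)
        close(fd);
    unlink(lnk); unlink(real); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = self_test();
    printf("self test %s (rc=%d)\n", rc == 0 ? "passed" : "FAILED", rc);
    return rc;
}
```

On a kernel with the bug, the same self test run against a file inside an overlayfs mount (rather than /tmp) would return 2, because fd_path_is() sees the truncated path the script above prints as `/file_overlayfs.txt`; that is the point at which safe_bind_mount() returns -ENOENT instead of letting mount() fail with EPERM.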
