From 70d057448d774907f96eb5ccc8dbe40cbcbef709 Mon Sep 17 00:00:00 2001 From: David Anderson Date: Fri, 19 Nov 2021 16:00:27 -0800 Subject: [PATCH] overlayfs: Use userxattrs on supporting kernels. In previous kernels, overlayfs stored its xattrs with a "trusted." prefix. This requires CAP_SYS_ADMIN. As a workaround, we carried out-of-tree kernel patches to bypass the security checks on these attrs. The 5.15 kernel however has a new mount option "userxattr". When this is set, the "trusted." prefix is replaced with "user.", which eliminates the CAP_SYS_ADMIN requirement. On kernels >= 5.15 we can use this feature and drop some of our out-of-tree patches. Bug: 204981027 Test: adb remount on cuttlefish with >=5.15 Change-Id: I3f0ca637a62c949fe481eea84f2c682f1ff4517a --- fs_mgr/fs_mgr_overlayfs.cpp | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/fs_mgr/fs_mgr_overlayfs.cpp b/fs_mgr/fs_mgr_overlayfs.cpp index 0522ac5cf..2b311194d 100644 --- a/fs_mgr/fs_mgr_overlayfs.cpp +++ b/fs_mgr/fs_mgr_overlayfs.cpp @@ -322,6 +322,17 @@ std::string fs_mgr_get_overlayfs_candidate(const std::string& mount_point) { const auto kLowerdirOption = "lowerdir="s; const auto kUpperdirOption = "upperdir="s; +static inline bool KernelSupportsUserXattrs() { + struct utsname uts; + uname(&uts); + + int major, minor; + if (sscanf(uts.release, "%d.%d", &major, &minor) != 2) { + return false; + } + return major > 5 || (major == 5 && minor >= 15); +} + // default options for mount_point, returns empty string for none available. std::string fs_mgr_get_overlayfs_options(const std::string& mount_point) { auto candidate = fs_mgr_get_overlayfs_candidate(mount_point); @@ -331,6 +342,9 @@ std::string fs_mgr_get_overlayfs_options(const std::string& mount_point) { if (fs_mgr_overlayfs_valid() == OverlayfsValidResult::kOverrideCredsRequired) { ret += ",override_creds=off"; } + if (KernelSupportsUserXattrs()) { + ret += ",userxattr"; + } return ret; }