[Feature] overlayfs mounts

Open georgeto opened this issue 4 years ago • 5 comments

There is already pull request #167 from four years ago that implements exactly this feature, but it was abandoned due to security concerns regarding overlayfs. However, nowadays there is fuse-overlayfs, so I guess this blocker is history?

I rebased the abandoned pull request onto the current master branch, and was able to use the bubblewrap overlayfs feature as a non-root user with a non-setuid bubblewrap binary. I searched for overlayfs in my installed packages, and what I found was fuse-overlayfs, which I guess explains why I can use this feature as a non-root user with a non-setuid bubblewrap binary.

Is there a chance to get the overlayfs feature merged, if I fix the open issues (e.g. handling realpath errors) and make a new pull request?

georgeto avatar Mar 20 '21 09:03 georgeto

I searched for overlayfs in my installed packages, and what I found was fuse-overlayfs, which I guess explains why I can use this feature as a non-root user with a non-setuid bubblewrap binary.

Another possibility is you have Linux 5.11+ which enabled rootless overlayfs.

Maryse47 avatar Mar 21 '21 13:03 Maryse47

I searched for overlayfs in my installed packages, and what I found was fuse-overlayfs, which I guess explains why I can use this feature as a non-root user with a non-setuid bubblewrap binary.

Another possibility is you have Linux 5.11+ which enabled rootless overlayfs.

Indeed, I have Linux 5.11, so this could very well be.

georgeto avatar Mar 23 '21 16:03 georgeto

While this is not integrated, this is a workaround for rootless overlayfs mounts on Linux >=5.11.

  1. Use bwrap to run a wrapper script bwrap_overlayfs_wrapper. Give it extra capabilities CAP_DAC_OVERRIDE and CAP_SYS_ADMIN (in order to do the overlay) and CAP_SETPCAP (to drop the extra capabilities):
bwrap --dev-bind / / --cap-add CAP_SETPCAP --cap-add CAP_DAC_OVERRIDE --cap-add CAP_SYS_ADMIN -- ./bwrap_overlayfs_wrapper ls
  2. Now in this wrapper script bwrap_overlayfs_wrapper you do the overlay you want (here I'm doing an overlayfs for $HOME) and then use capsh to drop the extra capabilities:
#!/usr/bin/env bash
set -euo pipefail

# Create a throwaway overlayfs
TEMPDIR="$(mktemp -d)"
# Until the mount succeeds, cleanup only needs to remove the temp dir
trap 'rm -rf "$TEMPDIR"' EXIT

mkdir -p "$TEMPDIR"/{upper,work}
mount -t overlay -o lowerdir="$HOME",upperdir="$TEMPDIR"/upper,workdir="$TEMPDIR"/work none "$HOME"
# From here on, the overlay must be unmounted before the temp dir is removed
trap 'umount "$HOME" && rm -rf "$TEMPDIR"' EXIT

touch "$HOME/this_is_an_overlay"

# Drop capabilities that should have been given to the wrapper then execute the original program
# (run in a subshell rather than exec so the EXIT trap above still runs afterwards)
(cd "$(pwd)" && capsh --drop=CAP_SYS_ADMIN --drop=CAP_SETPCAP --drop=CAP_DAC_OVERRIDE --caps="" --shell=/usr/bin/env -- -- "$@")

Example:

[user@machine ~]$ ls
bwrap_overlayfs_wrapper  some_document
[user@machine ~]$ bwrap --dev-bind / / --cap-add CAP_SETPCAP --cap-add CAP_DAC_OVERRIDE --cap-add CAP_SYS_ADMIN -- ./bwrap_overlayfs_wrapper ls
bwrap_overlayfs_wrapper  some_document	this_is_an_overlay
[user@machine ~]$ ls
bwrap_overlayfs_wrapper  some_document
[user@machine ~]$ 

This is rootless and as far as I can tell by checking /proc/self/status, no extra capabilities remain.

joanbm avatar Apr 01 '21 23:04 joanbm

Is there a chance to get the overlayfs feature merged, if I fix the open issues (e.g. https://github.com/containers/bubblewrap/pull/167#discussion_r97987887) and make a new pull request?

I'd consider a PR that enabled this on kernels where overlayfs is allowed for non-root users, and only when bubblewrap is not setuid (same restriction as --size, --userns-fd, --cap-add).

On kernels where overlayfs is not allowed for non-root users, bubblewrap should not allow it either.

Similarly, when bubblewrap is setuid root, we should not allow this: with a setuid bubblewrap (as used on Debian <= 10, etc.), there's too high a risk of bubblewrap allowing something that the kernel considers unsafe.

smcv avatar Jan 05 '23 14:01 smcv
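The two admission conditions smcv lays out above (kernel permits unprivileged overlayfs, bwrap binary is not setuid), written out as an added shell preflight check; this is example code, not bubblewrap's own, and it assumes the 5.11 threshold from Maryse47's note plus a bwrap path supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example, not bubblewrap's own code: a preflight gate mirroring the two
# rules in the thread. A real implementation would probe by attempting the
# mount; here the 5.11 threshold is taken from the thread as an assumption.

# Succeed if the kernel release string "$1" (as from `uname -r`) is 5.11 or newer.
kernel_allows_rootless_overlay() {
    local ver="${1%%-*}"              # "5.11.0-7614-generic" -> "5.11.0"
    case "$ver" in ''|*[!0-9.]*) return 1 ;; esac
    local major="${ver%%.*}"
    local rest="${ver#*.}"
    local minor="${rest%%.*}"
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 11 ]; }
}

# Succeed only if "$1" exists and does not carry the setuid bit, the same
# restriction the thread applies to --size, --userns-fd and --cap-add.
bwrap_is_not_setuid() {
    [ -e "$1" ] && ! [ -u "$1" ]
}

# Combined gate: 0 = overlay may be offered, 1 = kernel too old,
# 2 = bwrap binary missing or setuid (never enable extra features in that case).
overlay_preflight() {
    local kver="$1" bwrap_path="$2"
    if ! kernel_allows_rootless_overlay "$kver"; then
        echo "overlay disabled: kernel $kver has no unprivileged overlayfs" >&2
        return 1
    fi
    if ! bwrap_is_not_setuid "$bwrap_path"; then
        echo "overlay disabled: $bwrap_path is missing or setuid" >&2
        return 2
    fi
    return 0
}

# Run the gate against the live system only when explicitly asked
# (BWRAP_PREFLIGHT is a hypothetical switch for this example).
if [ "${BWRAP_PREFLIGHT:-}" = 1 ]; then
    overlay_preflight "$(uname -r)" "$(command -v bwrap)"
fi
```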

I'd consider a PR that enabled this on kernels where overlayfs is allowed for non-root users, and only when bubblewrap is not setuid (same restriction as --size, --userns-fd, --cap-add)

... for example #547.

smcv avatar Jan 06 '23 13:01 smcv