overlayfs: Use userxattrs on supporting kernels.

In previous kernels, overlayfs stored its xattrs with a "trusted." prefix. This requires CAP_SYS_ADMIN. As a workaround, we carried out-of-tree kernel patches to bypass the security checks on these attrs. The 5.15 kernel however has a new mount option "userxattr". When this is set, the "trusted." prefix is replaced with "user.", which eliminates the CAP_SYS_ADMIN requirement. On kernels >= 5.15 we can use this feature and drop some of our out-of-tree patches. Bug: 204981027 Test: adb remount on cuttlefish with >=5.15 Change-Id: I3f0ca637a62c949fe481eea84f2c682f1ff4517a
2021-11-19 16:00:27 -08:00 · 2021-11-19 16:00:27 -08:00 · 70d057448d
commit 70d057448d
parent bad9f5fd89
1 changed files with 14 additions and 0 deletions
--- a/fs_mgr/fs_mgr_overlayfs.cpp
+++ b/fs_mgr/fs_mgr_overlayfs.cpp
@ -322,6 +322,17 @@ std::string fs_mgr_get_overlayfs_candidate(const std::string& mount_point) {
 const auto kLowerdirOption = "lowerdir="s;
 const auto kUpperdirOption = "upperdir="s;

+static inline bool KernelSupportsUserXattrs() {
+    struct utsname uts;
+    uname(&uts);
+
+    int major, minor;
+    if (sscanf(uts.release, "%d.%d", &major, &minor) != 2) {
+        return false;
+    }
+    return major > 5 || (major == 5 && minor >= 15);
+}
+
 // default options for mount_point, returns empty string for none available.
 std::string fs_mgr_get_overlayfs_options(const std::string& mount_point) {
    auto candidate = fs_mgr_get_overlayfs_candidate(mount_point);
@ -331,6 +342,9 @@ std::string fs_mgr_get_overlayfs_options(const std::string& mount_point) {
    if (fs_mgr_overlayfs_valid() == OverlayfsValidResult::kOverrideCredsRequired) {
        ret += ",override_creds=off";
    }
+    if (KernelSupportsUserXattrs()) {
+        ret += ",userxattr";
+    }
    return ret;
 }