[Devel,RH7] kmod/whitelist: allow overlay fs module autoloading

Submitted by Dmitry Safonov on Aug. 29, 2016, 12:50 p.m.

Details

Message ID 20160829125043.13817-1-dsafonov@virtuozzo.com
State New
Series "kmod/whitelist: allow overlay fs module autoloading"

Commit Message

Dmitry Safonov Aug. 29, 2016, 12:50 p.m.
Note: overlayfs will not be allowed to mount in VE until the admin has
enabled experimental fs. To do it, write to the process knob:
  [tracing]# echo 1 > /proc/sys/fs/experimental_fs_enable

https://jira.sw.ru/browse/PSBM-51043

Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
---
 kernel/kmod.c | 1 +
 1 file changed, 1 insertion(+)

Patch

diff --git a/kernel/kmod.c b/kernel/kmod.c
index 5e5c2c6c8948..151f9f2eca39 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -378,6 +378,7 @@  static inline int module_payload_iptable_allowed(const char *module)
 /* ve0 allowed modules */
 static const char * const ve0_allowed_mod[] = {
 	"fs-binfmt_misc",
+	"fs-overlay",
 
 	/* inet_diag, inet6_diag  */
 	"net-pf-16-proto-4-type-2",	/* PF_NETLINK, NETLINK_SOCK_DIAG, AF_INET */
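
Review bot: the new "fs-overlay" entry in ve0_allowed_mod[] has no comment, although the commit message says that mounting in a VE also depends on /proc/sys/fs/experimental_fs_enable. Please annotate the entry with that dependency, as the neighbouring net-pf entries are annotated, and state in the commit message whether the knob gates the module autoload itself or only the mount, since this list entry alone places no condition on the autoload request.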

Comments

Kirill Tkhai Aug. 29, 2016, 1 p.m.
On 29.08.2016 15:50, Dmitry Safonov wrote:
> Note: overlayfs will not be allowed to mount in VE until the admin has
> enabled experimental fs. To do it, write to the process knob:
>   [tracing]# echo 1 > /proc/sys/fs/experimental_fs_enable
> 
> https://jira.sw.ru/browse/PSBM-51043
> 
> Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
> Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
> ---
>  kernel/kmod.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/kernel/kmod.c b/kernel/kmod.c
> index 5e5c2c6c8948..151f9f2eca39 100644
> --- a/kernel/kmod.c
> +++ b/kernel/kmod.c
> @@ -378,6 +378,7 @@ static inline int module_payload_iptable_allowed(const char *module)
>  /* ve0 allowed modules */
>  static const char * const ve0_allowed_mod[] = {
>  	"fs-binfmt_misc",
> +	"fs-overlay",

I see in modules.alias:

alias fs-overlay overlay

Should we add "overlay" to the allowed list, or is fs-overlay alone enough?
  
>  	/* inet_diag, inet6_diag  */
>  	"net-pf-16-proto-4-type-2",	/* PF_NETLINK, NETLINK_SOCK_DIAG, AF_INET */
>
Dmitry Safonov Aug. 29, 2016, 1:10 p.m.
On 08/29/2016 04:00 PM, Kirill Tkhai wrote:
> On 29.08.2016 15:50, Dmitry Safonov wrote:
>> Note: overlayfs will not be allowed to mount in VE until the admin has
>> enabled experimental fs. To do it, write to the process knob:
>>   [tracing]# echo 1 > /proc/sys/fs/experimental_fs_enable
>>
>> https://jira.sw.ru/browse/PSBM-51043
>>
>> Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
>> Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
>> ---
>>  kernel/kmod.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/kernel/kmod.c b/kernel/kmod.c
>> index 5e5c2c6c8948..151f9f2eca39 100644
>> --- a/kernel/kmod.c
>> +++ b/kernel/kmod.c
>> @@ -378,6 +378,7 @@ static inline int module_payload_iptable_allowed(const char *module)
>>  /* ve0 allowed modules */
>>  static const char * const ve0_allowed_mod[] = {
>>  	"fs-binfmt_misc",
>> +	"fs-overlay",
>
> I see in modules.alias:
>
> alias fs-overlay overlay
>
> Should we add "overlay" to the allowed list, or is fs-overlay alone enough?

Well, I tested inside CT, it has the following call-path:

  3)               |  /* sys_mount(dev_name: 7fb4786bb3f0, dir_name: 7fb4786bb290, type: 7fb4786bb230, flags: c0ed0000, data: 7fb4786bb330) */
  3)               |  do_mount() {
[...]
  3)               |    get_fs_type() {
  3)               |      __get_fs_type() {
  3)   0.031 us    |        _raw_read_lock();
  3)   1.465 us    |        find_filesystem();
  3)   0.200 us    |        try_module_get();
  3)   3.333 us    |      }
  3)               |      /* get_fs_type: fs ffffffffa06a5000, request_module(fs-overlay) */
[...]

So, for sys_mount(), get_fs_type() will add the 'fs-' prefix on mount,
regardless of module alias, I guess.
And overlayfs successfully mounted in CT after the patch.
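
An added example, not code from the patch or from the Virtuozzo kernel: a user-space C model of the path traced above, in which the mount side requests "fs-" plus the filesystem type, so the allowlist is checked against "fs-overlay" and not the alias target "overlay". The function names and the exact-match comparison are assumptions; the ".subtype" stripping follows upstream get_fs_type() and goes beyond what the trace shows.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allowlist modeled on the entries visible in the patch. */
static const char *const allowed_mod[] = {
	"fs-binfmt_misc",
	"fs-overlay",
	"net-pf-16-proto-4-type-2",
};

/*
 * Build the name the mount path asks for: "fs-" plus the filesystem type
 * up to an optional ".subtype", as upstream get_fs_type() does.
 * Returns 0 on success, -1 if the result does not fit in buf.
 */
int fs_request_name(const char *fstype, char *buf, size_t size)
{
	size_t len = strcspn(fstype, ".");
	int n = snprintf(buf, size, "fs-%.*s", (int)len, fstype);

	return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* Assumption: the allowlist is compared by exact string match. */
int autoload_allowed(const char *request)
{
	size_t i;

	for (i = 0; i < sizeof(allowed_mod) / sizeof(allowed_mod[0]); i++)
		if (strcmp(allowed_mod[i], request) == 0)
			return 1;
	return 0;
}

/* Mount-side decision for a filesystem type string. */
int mount_autoload_allowed(const char *fstype)
{
	char req[64];

	if (fs_request_name(fstype, req, sizeof(req)) != 0)
		return 0;	/* over-long type: deny rather than truncate */
	return autoload_allowed(req);
}

int main(void)
{
	printf("mount -t overlay  -> %d\n", mount_autoload_allowed("overlay"));
	printf("request 'overlay' -> %d\n", autoload_allowed("overlay"));
	return 0;
}
```

In this model a request for the bare name "overlay" is refused, so listing only "fs-overlay" covers the mount path and nothing else.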
Kirill Tkhai Aug. 29, 2016, 1:15 p.m.
On 29.08.2016 15:50, Dmitry Safonov wrote:
> Note: overlayfs will not be allowed to mount in VE until the admin has
> enabled experimental fs. To do it, write to the process knob:
>   [tracing]# echo 1 > /proc/sys/fs/experimental_fs_enable
> 
> https://jira.sw.ru/browse/PSBM-51043
> 
> Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
> Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>

Acked-by: Kirill Tkhai <ktkhai@virtuozzo.com>

> ---
>  kernel/kmod.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/kernel/kmod.c b/kernel/kmod.c
> index 5e5c2c6c8948..151f9f2eca39 100644
> --- a/kernel/kmod.c
> +++ b/kernel/kmod.c
> @@ -378,6 +378,7 @@ static inline int module_payload_iptable_allowed(const char *module)
>  /* ve0 allowed modules */
>  static const char * const ve0_allowed_mod[] = {
>  	"fs-binfmt_misc",
> +	"fs-overlay",
>  
>  	/* inet_diag, inet6_diag  */
>  	"net-pf-16-proto-4-type-2",	/* PF_NETLINK, NETLINK_SOCK_DIAG, AF_INET */
>