From e1aae5aa6b424763f2c09c33b1920b63c78b4454 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 28 Apr 2025 18:36:55 +0200 Subject: [PATCH 1/7] github: enable unprivileged user namespaces Signed-off-by: Giuseppe Scrivano --- .github/workflows/test.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 155279b..347d476 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -97,6 +97,9 @@ jobs: - name: run test run: | + sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 + sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0 + case "${{ matrix.test }}" in ovl-whiteouts) sudo sh -c "(cd /unionmount-testsuite; unshare -m ./run --ov --fuse=fuse-overlayfs --xdev)" From fc6a2b916ec7a6d0aa520552fb567e1d7c137047 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 28 Apr 2025 15:15:19 +0200 Subject: [PATCH 2/7] github: update upload-artifact action Signed-off-by: Giuseppe Scrivano --- .github/workflows/test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 347d476..d2ec4ee 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -42,7 +42,7 @@ jobs: make -j $(nproc) - name: Archive build artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4.6.2 with: name: fuse-overlayfs-${{ matrix.arch }}-${{ matrix.distro }} path: | @@ -88,7 +88,7 @@ jobs: sudo cp fuse-overlayfs /sbin - name: Archive build artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4.6.2 with: name: fuse-overlayfs-x86_64-ubuntu-latest path: | From 4761dd067578322fe353d5534c2cac9655340304 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 28 Apr 2025 14:58:20 +0200 Subject: [PATCH 3/7] github: update uraimo action Signed-off-by: Giuseppe Scrivano --- .github/workflows/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index d2ec4ee..58e9414 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -20,7 +20,7 @@ jobs: distro: ubuntu_latest steps: - uses: actions/checkout@v2.1.0 - - uses: uraimo/run-on-arch-action@v2.8.1 + - uses: uraimo/run-on-arch-action@v3.0.1 name: Build id: build with: From 5e7f7d756e14fb31398a553c551df0838736199d Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 28 Apr 2025 15:10:43 +0200 Subject: [PATCH 4/7] github: update checkout action Signed-off-by: Giuseppe Scrivano --- .github/workflows/test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 58e9414..aa490f4 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -19,7 +19,7 @@ jobs: - arch: ppc64le distro: ubuntu_latest steps: - - uses: actions/checkout@v2.1.0 + - uses: actions/checkout@v4 - uses: uraimo/run-on-arch-action@v3.0.1 name: Build id: build @@ -61,7 +61,7 @@ jobs: TAGS: exclude_graphdriver_devicemapper exclude_graphdriver_btrfs no_libsubid steps: - name: checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: install dependencies run: | From 02a3582501e221a692d8b355051525b35db4cffd Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 28 Apr 2025 14:23:30 +0200 Subject: [PATCH 5/7] refactor: Remove unnecessary upperdir realpath The explicit resolution of the upper directory path using `realpath()` is not required before passing it to `read_dirs` since `direct_load_data_source()` already does it. Signed-off-by: Giuseppe Scrivano --- main.c | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/main.c b/main.c index f0f24a6..b8f950c 100644 --- a/main.c +++ b/main.c @@ -5755,18 +5755,6 @@ main (int argc, char *argv[]) if (lo.mountpoint == NULL) error (EXIT_FAILURE, 0, "no mountpoint specified"); - if (lo.upperdir != NULL) - { - cleanup_free char *full_path = NULL; - - full_path = realpath (lo.upperdir, NULL); - if (full_path == NULL) - error (EXIT_FAILURE, errno, "cannot retrieve path for %s", lo.upperdir); - - lo.upperdir = strdup (full_path); - if (lo.upperdir == NULL) - error (EXIT_FAILURE, errno, "cannot allocate memory"); - } set_limits (); check_can_mknod (&lo); From b31d82ff8e2bd9fa234200825f02cbb881672215 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 28 Apr 2025 14:26:26 +0200 Subject: [PATCH 6/7] main: use parsed upper layer directory Use the directory in the loaded layer structure, and do not use the value passed on the CLI. Signed-off-by: Giuseppe Scrivano --- main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.c b/main.c index b8f950c..dc87457 100644 --- a/main.c +++ b/main.c @@ -5878,7 +5878,7 @@ main (int argc, char *argv[]) if (! found) { /* If the mode is missing, set a standard value. */ - ret = write_permission_xattr (&lo, get_upper_layer (&lo)->fd, lo.upperdir, 0, 0, 0555); + ret = write_permission_xattr (&lo, get_upper_layer (&lo)->fd, get_upper_layer (&lo)->path, 0, 0, 0555); if (ret < 0) error (EXIT_FAILURE, errno, "write xattr `%s` to upperdir", name); } From 27cabd561b038f16d8c4a1356ab36d118b593cae Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 28 Apr 2025 14:32:58 +0200 Subject: [PATCH 7/7] main: Allow escaped colons in directory paths Allow directory paths specified for lowerdir, upperdir and workdir to contain colon characters. Previously, colons were unconditionally treated as separators, making it impossible to use directories with colons in their names. Closes: https://github.com/containers/fuse-overlayfs/issues/440 Signed-off-by: Giuseppe Scrivano --- main.c | 55 +++++++++++++++++++++++++++++++++++++++- tests/fedora-installs.sh | 8 +++--- 2 files changed, 58 insertions(+), 5 deletions(-) diff --git a/main.c b/main.c index dc87457..9909e38 100644 --- a/main.c +++ b/main.c @@ -1924,6 +1924,58 @@ cleanup_layerp (struct ovl_layer **p) #define cleanup_layer __attribute__ ((cleanup (cleanup_layerp))) +static void +unescape (char *input) +{ + char *dest = input; + + if (input == NULL) + return; + + for (; *input; input++) + { + if (*input == '\\') + continue; + + *dest++ = *input; + } + *dest = '\0'; +} + +static char * +get_next_path (char *it, char **saveptr) +{ + char *ret; + + if (*saveptr == NULL) + *saveptr = it; + + ret = *saveptr; + + if (*ret == '\0') + return NULL; + + while (1) + { + if (**saveptr == '\0') + break; + + if (**saveptr == ':') + { + **saveptr = '\0'; + (*saveptr)++; + break; + } + else if (**saveptr == '\\') + { + memmove (*saveptr, *saveptr + 1, strlen (*saveptr) + 1); + } + + (*saveptr)++; + } + return ret; +} + static struct ovl_layer * read_dirs (struct ovl_data *lo, char *path, bool low, struct ovl_layer *layers) { @@ -1942,7 +1994,7 @@ read_dirs (struct ovl_data *lo, char *path, bool low, struct ovl_layer *layers) while (last && last->next) last = last->next; - for (it = strtok_r (buf, ":", &saveptr); it; it = strtok_r (NULL, ":", &saveptr)) + for (it = get_next_path (buf, &saveptr); it; it = get_next_path (NULL, &saveptr)) { char *name, *data; char *it_path = it; @@ -5755,6 +5807,7 @@ main (int argc, char *argv[]) if (lo.mountpoint == NULL) error (EXIT_FAILURE, 0, "no mountpoint specified"); + unescape (lo.workdir); set_limits (); check_can_mknod (&lo); diff --git a/tests/fedora-installs.sh b/tests/fedora-installs.sh index 6eaecfb..6b946ff 100755 --- a/tests/fedora-installs.sh +++ b/tests/fedora-installs.sh @@ -2,17 +2,17 @@ set -xeuo pipefail -mkdir lower upper workdir merged +mkdir lower:1 upper:2 workdir:3 merged -fuse-overlayfs -o sync=0,lowerdir=lower,upperdir=upper,workdir=workdir,suid,dev merged +fuse-overlayfs -o 'sync=0,lowerdir=lower\\:1,upperdir=upper\\:2,workdir=workdir\\:3,suid,dev' merged docker run --rm -v $(pwd)/merged:/merged fedora dnf --use-host-config --installroot /merged --releasever 41 install -y glibc-common gedit umount merged # Make sure workdir is empty, and move the upper layer down -rm -rf workdir lower -mv upper lower +rm -rf lower:1 workdir:3 +mv upper:2 lower mkdir upper workdir gcc -static -o suid-test $(dirname $0)/suid-test.c