overlayfs: Use userxattrs on supporting kernels.
In previous kernels, overlayfs stored its xattrs with a "trusted."
prefix. This requires CAP_SYS_ADMIN. As a workaround, we carried
out-of-tree kernel patches to bypass the security checks on these attrs.
The 5.15 kernel however has a new mount option "userxattr". When this is
set, the "trusted." prefix is replaced with "user.", which eliminates
the CAP_SYS_ADMIN requirement.
On kernels >= 5.15 we can use this feature and drop some of our
out-of-tree patches.
Bug: 204981027
Test: adb remount on cuttlefish with >=5.15
Change-Id: I3f0ca637a62c949fe481eea84f2c682f1ff4517a
diff --git a/fs_mgr/fs_mgr_overlayfs.cpp b/fs_mgr/fs_mgr_overlayfs.cpp
index 0522ac5..2b31119 100644
--- a/fs_mgr/fs_mgr_overlayfs.cpp
+++ b/fs_mgr/fs_mgr_overlayfs.cpp
@@ -322,6 +322,17 @@
const auto kLowerdirOption = "lowerdir="s;
const auto kUpperdirOption = "upperdir="s;
+static inline bool KernelSupportsUserXattrs() {
+ struct utsname uts;
+ uname(&uts);
+
+ int major, minor;
+ if (sscanf(uts.release, "%d.%d", &major, &minor) != 2) {
+ return false;
+ }
+ return major > 5 || (major == 5 && minor >= 15);
+}
+
// default options for mount_point, returns empty string for none available.
std::string fs_mgr_get_overlayfs_options(const std::string& mount_point) {
auto candidate = fs_mgr_get_overlayfs_candidate(mount_point);
@@ -331,6 +342,9 @@
if (fs_mgr_overlayfs_valid() == OverlayfsValidResult::kOverrideCredsRequired) {
ret += ",override_creds=off";
}
+ if (KernelSupportsUserXattrs()) {
+ ret += ",userxattr";
+ }
return ret;
}