
fuse-overlayfs not working inside container #220

Closed
mohan43u opened this issue Jun 23, 2020 · 6 comments

Comments

@mohan43u

I'm using a systemd-nspawn container. When I try fuse-overlayfs inside my container, it doesn't work.

Steps to reproduce:

$ sudo systemd-nspawn --boot -M container0 -D /home/mohan/Virt/containers/container0/ --capability=all --resolv-conf=off --timezone=off --link-journal=no --network-bridge=bridge0 --console=passive --bind /dev/fuse

From inside container0, as a normal user:

$ mkdir -p fo/{lower,upper,root}
$ fuse-overlayfs -o lowerdir=fo/lower,upperdir=fo/upper,workdir=fo fo/root
$ touch fo/root/test
touch: setting times of 'fo/root/test': No such file or directory
$

It seems that if we disable openat2(), it works properly:

diff --git a/utils.c b/utils.c
index 43073f1..32f7c01 100644
--- a/utils.c
+++ b/utils.c
@@ -75,7 +75,7 @@ syscall_openat2 (int dirfd, const char *path, uint64_t flags, uint64_t mode, uin
 int
 safe_openat (int dirfd, const char *pathname, int flags, mode_t mode)
 {
-  static bool openat2_supported = true;
+  static bool openat2_supported = false;
 
   if (openat2_supported)
     {
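Review bot: flipping the `openat2_supported` default to `false` turns off openat2, and with it RESOLVE_IN_ROOT, on every kernel, not only where a seccomp filter rejects the syscall. Since the flag exists to record support at runtime, the better change is in the error path of the `if (openat2_supported)` branch: treat EPERM from `syscall_openat2` the same way as ENOSYS, clear the flag and fall back to openat, leaving the default `true`.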

I'm not exactly sure, but I suspect RESOLVE_IN_ROOT. Errno from syscall_openat2 is EPERM.

@giuseppe
Member

It seems strange that openat2 would return EPERM but openat does not. Is there any seccomp profile in place?

@mohan43u
Author

The container is running with SECCOMP_MODE_FILTER:

 grep -i seccomp /proc/self/status
Seccomp:        2

When I run the grep outside the container I get 0:

$ grep -i seccomp /proc/self/status 
Seccomp:        0

I'm still searching for a way to see the filtered syscalls. Not sure how to get those filters. Google isn't helping.

@giuseppe
Member

What happens if you pass --system-call-filter=openat2 to systemd-nspawn?

@mohan43u
Author

mohan43u commented Jun 24, 2020

Still the same issue.

Container command line:

systemd-nspawn --boot -M container0 -D /home/mohan/Virt/containers/container0/ --capability=all --resolv-conf=off --timezone=off --link-journal=no --network-bridge=bridge0 --console=passive --system-call-filter=openat2 --bind /dev/fuse

fuse-overlayfs command line inside the container; I'm running fuse-overlayfs as a normal user, not as root:

$ fuse-overlayfs -o debug,lowerdir=fo/lower/,upperdir=fo/upper/,workdir=fo/ fo/root/
uid=unchanged
uid=unchanged
upperdir=/home/mohan/Downloads/fo/upper
workdir=fo/
lowerdir=fo/lower/
mountpoint=fo/root/
plugins=<none>
FUSE library version: 3.9.2
unique: 2, opcode: INIT (26), nodeid: 0, insize: 56, pid: 0
INIT: 7.31
flags=0x03fffffb
max_readahead=0x00020000
   INIT: 7.31
   flags=0x0041f069
   max_readahead=0x00020000
   max_write=0x00100000
   max_background=0
   congestion_threshold=0
   time_gran=1
   unique: 2, success, outsize: 80
unique: 4, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 57
ovl_getattr(ino=1)
   unique: 4, success, outsize: 120
unique: 6, opcode: LOOKUP (1), nodeid: 1, insize: 45, pid: 59
ovl_lookup(parent=1, name=test)
   unique: 6, success, outsize: 144
unique: 8, opcode: CREATE (35), nodeid: 1, insize: 61, pid: 59
ovl_create(parent=1, name=test)
   unique: 8, error: -1 (Operation not permitted), outsize: 16

Version:

$ fuse-overlayfs --version
fuse-overlayfs: version 1.1.0
FUSE library version 3.9.2
using FUSE kernel interface version 7.31
fusermount3 version: 3.9.2

Host:

$ uname -a
Linux mohanlaptop1 5.7.4-arch1-1 #1 SMP PREEMPT Thu, 18 Jun 2020 16:01:07 +0000 x86_64 GNU/Linux

@giuseppe
Member

I am quite sure it depends on the seccomp blocking the syscall. openat2 should not return EPERM.

Is there a way to disable seccomp with systemd-nspawn?

@mohan43u
Author

It seems to be an issue with libseccomp not recognizing openat2(). Also, systemd-nspawn will implement a way to disable seccomp:

https://lists.freedesktop.org/archives/systemd-devel/2020-June/044755.html

I think this is not the issue with fuse-overlayfs. Closing this issue.
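An added example, not code from fuse-overlayfs or from anyone in this thread, tying together the `openat2_supported` flag in the diff above and the libseccomp conclusion: a runtime probe that treats both ENOSYS (old kernel) and the EPERM seen here (a seccomp filter that does not know openat2) as "fall back to openat", instead of disabling openat2 everywhere. The names `demo_openat2`, `openat2_usable` and `safe_openat_demo` are assumptions; the `open_how` layout and constants are the kernel ABI, repeated so the file builds on older headers.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* ABI values from linux/openat2.h, repeated so this builds against
   userspace headers that predate openat2 (Linux 5.6). */
#ifndef SYS_openat2
#define SYS_openat2 437
#endif
#ifndef RESOLVE_IN_ROOT
#define RESOLVE_IN_ROOT 0x10
#endif
struct demo_open_how { uint64_t flags; uint64_t mode; uint64_t resolve; };

/* Hypothetical wrapper: openat2 with RESOLVE_IN_ROOT, so ".." and symlinks
   cannot escape dirfd. Returns the fd, or -1 with errno from the kernel. */
static int demo_openat2(int dirfd, const char *path, uint64_t flags, uint64_t mode)
{
    struct demo_open_how how;
    memset(&how, 0, sizeof how);
    how.flags = flags;
    /* openat2 returns EINVAL if mode is set without O_CREAT/O_TMPFILE. */
    how.mode = (flags & (O_CREAT | O_TMPFILE)) ? mode : 0;
    how.resolve = RESOLVE_IN_ROOT;
    return (int) syscall(SYS_openat2, dirfd, path, &how, sizeof how);
}

/* One-time probe via a harmless open of ".": ENOSYS (old kernel) or EPERM
   (seccomp filter that does not know openat2, as here) both mean unusable. */
int openat2_usable(void)
{
    static int cached = -1;   /* -1 = not probed yet, then 0 or 1 */
    if (cached < 0) {
        int fd = demo_openat2(AT_FDCWD, ".", O_RDONLY | O_DIRECTORY, 0);
        cached = fd >= 0;
        if (fd >= 0) close(fd);
    }
    return cached;
}

/* openat2 + RESOLVE_IN_ROOT where usable, plain openat otherwise. The fallback
   loses the in-root confinement, so callers relying on it must re-check paths. */
int safe_openat_demo(int dirfd, const char *path, int flags, mode_t mode)
{
    if (openat2_usable())
        return demo_openat2(dirfd, path, (uint64_t) flags, mode);
    return openat(dirfd, path, flags, mode);
}
```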
