
Kernel 5.4.1 with lockdown and overlayfs

November 30, 2019 — BarryK

I compiled the 5.4.1 kernel with lockdown enabled:

Security options
[*] Basic module for enforcing kernel lockdown (CONFIG_SECURITY_LOCKDOWN_LSM)

I did not enable 'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY'.

As there is not yet a patch for aufs, I thought to try overlayfs. EasyOS started life being able to use either, but I found overlayfs to be flaky. I can't recall the exact issues, but I dropped it and have used aufs ever since.

Trying overlayfs again:

File systems
 <*> Overlay filesystem support

Did not enable any of the overlayfs options.

At bootup of Easy Buster with this kernel, there was a message in the initrd that it could not run the 'capsh' utility due to a "cross-device link", but it booted OK.

After bootup, I tried to delete /root/my-documents/clipart/README-clipart.txt from ROX-Filer (right-click on the file, then choose "Delete"), but it would not delete; I got the error message "ERROR: invalid cross-device link".

After a bit of reading, I recompiled the kernel with these enabled:

File systems
[*] overlayfs: Turn on redirect directory feature by default (CONFIG_OVERLAY_FS_REDIRECT_DIR)
File systems -> Pseudo filesystems
[*] tmpfs posix access control lists
[*] tmpfs extended attributes

No difference, get the same errors.

One thing I should also mention: if I change from aufs to overlayfs, the aufs whiteout files will no longer work. A utility would be required to convert the whiteout files to overlayfs format.
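The conversion utility mentioned above, as an added example that is not part of the original post or of EasyOS. It assumes the aufs read-write branch is an ordinary directory tree: aufs records a deleted lower-layer entry NAME as a zero-length file '.wh.NAME', marks an opaque directory with a '.wh..wh..opq' entry inside it, and keeps bookkeeping under '.wh..wh.aufs', '.wh..wh.orph' and '.wh..wh.plnk'. overlayfs instead represents a whiteout as a character device with major/minor 0/0 named NAME, and an opaque directory by the xattr trusted.overlay.opaque="y" on the directory itself. Creating those device nodes and setting trusted.* xattrs needs root (CAP_MKNOD, CAP_SYS_ADMIN), so the default is a dry run that only returns the planned operations; the sample tree built by make_sample_upper() is constructed for illustration. The script and function names are my own choice.

```python
#!/usr/bin/env python3
"""aufs2ovl.py: convert aufs whiteout markers in an overlay 'upper' tree
to the overlayfs representation.  Dry run by default (see --apply)."""
import os
import shutil
import stat
import sys
import tempfile

WH_PREFIX = ".wh."                 # aufs: deleted entry NAME -> file ".wh.NAME"
OPAQUE_MARKER = ".wh..wh..opq"     # aufs: present inside an opaque directory
AUFS_INTERNAL = {".wh..wh.aufs", ".wh..wh.orph", ".wh..wh.plnk"}  # aufs bookkeeping


def plan_conversion(upper):
    """Walk UPPER and return a sorted list of (op, relpath) tuples:
    ('whiteout', 'dir/NAME') replace '.wh.NAME' with an overlayfs 0/0 char device
    ('opaque',   'dir')      set trusted.overlay.opaque on dir, drop the marker
    ('drop',     'path')     remove an aufs-internal bookkeeping entry"""
    ops = []
    for root, dirs, files in os.walk(upper):      # topdown, so dirs can be pruned
        rel = os.path.relpath(root, upper)
        rel = "" if rel == "." else rel
        for name in list(dirs) + files:
            if name in AUFS_INTERNAL:             # must be tested before the '.wh.' prefix
                ops.append(("drop", os.path.join(rel, name)))
                if name in dirs:
                    dirs.remove(name)             # never descend into aufs bookkeeping
            elif name == OPAQUE_MARKER:
                ops.append(("opaque", rel))
            elif name.startswith(WH_PREFIX):
                ops.append(("whiteout", os.path.join(rel, name[len(WH_PREFIX):])))
    return sorted(ops)


def apply_conversion(upper, ops):
    """Carry out OPS from plan_conversion() in place.  Requires root."""
    for op, rel in ops:
        path = os.path.join(upper, rel)
        if op == "drop":
            if os.path.isdir(path) and not os.path.islink(path):
                shutil.rmtree(path)
            else:
                os.remove(path)
        elif op == "opaque":
            os.remove(os.path.join(path, OPAQUE_MARKER))
            os.setxattr(path, b"trusted.overlay.opaque", b"y")
        elif op == "whiteout":
            parent, name = os.path.split(path)
            os.remove(os.path.join(parent, WH_PREFIX + name))
            # If a real NAME already exists in the upper tree the marker was stale
            # (assumption); an overlayfs whiteout must not shadow a live upper entry.
            if not os.path.lexists(path):
                os.mknod(path, stat.S_IFCHR | 0o000, os.makedev(0, 0))


def make_sample_upper(base):
    """Build a constructed aufs-style upper branch under BASE (test data only)."""
    os.makedirs(os.path.join(base, "etc", "skel"))
    os.makedirs(os.path.join(base, ".wh..wh.plnk"))
    open(os.path.join(base, ".wh..wh.aufs"), "w").close()
    open(os.path.join(base, "etc", ".wh.hostname"), "w").close()      # /etc/hostname deleted
    open(os.path.join(base, "etc", "skel", OPAQUE_MARKER), "w").close()  # /etc/skel opaque
    with open(os.path.join(base, "etc", "motd"), "w") as f:
        f.write("ordinary upper-layer file, not a whiteout\n")
    return base


def demo_plan():
    """Dry-run plan for the constructed sample tree, built in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_upper(tmp)
        return plan_conversion(tmp)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        for op, rel in demo_plan():           # no argument: show the sample plan
            print(f"{op:9s} {rel}")
        sys.exit(0)
    upper = sys.argv[1]
    ops = plan_conversion(upper)
    for op, rel in ops:
        print(f"{op:9s} {rel}")
    if "--apply" in sys.argv[2:]:
        apply_conversion(upper, ops)
```

Run it without arguments to see the plan for the constructed sample, or with the path of a real aufs branch to get a dry-run listing; add --apply (as root, and only after the branch is no longer mounted by aufs) to rewrite it. Note that the opaque marker relies on trusted.* xattrs, which is why a tmpfs upper layer needs the tmpfs extended attributes option from the kernel config above.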

I will contact Dr Okajima and encourage him to acquire the new PC and fix aufs for 5.4.1! Previous post about aufs:

https://bkhome.org/news/201911/aufs-development-hiatus.html 

EDIT 2019-12-01:
Success, 5.4.1 now compiled with aufs, see next blog post:

https://bkhome.org/news/201912/kernel-541-with-lockdown-and-aufs.html 

Tags: easy