ovl: add config to disable unprivileged user namespace mounts

When disabled, unprivileged users will not be able to create
new overlayfs mounts. This cuts the attack surface if no
unprivileged user namespace mounts are required like for
running rootless containers.

Signed-off-by: Levente Polyak <levente@leventepolyak.net>

fs/overlayfs/Kconfig

@@ -124,3 +124,19 @@ config OVERLAY_FS_METACOPY
 	  that doesn't support this feature will have unexpected results.
 
 	  If unsure, say N.
+
+config OVERLAY_FS_UNPRIVILEGED
+	bool "Overlayfs: turn on unprivileged user namespace mounts"
+	default n
+	depends on OVERLAY_FS
+	help
+	  When disabled, unprivileged users will not be able to create
+	  new overlayfs mounts. This cuts the attack surface if no
+	  unprivileged user namespace mounts are required like for
+	  running rootless containers.
+
+	  Overlayfs has been part of several recent local privilege
+	  escalation exploits, so if you are security-conscious
+	  you want to disable this.
+
+	  If unsure, say N.

fs/overlayfs/super.c

@@ -2174,7 +2174,9 @@ static struct dentry *ovl_mount(struct file_system_type *fs_type, int flags,
 static struct file_system_type ovl_fs_type = {
 	.owner		= THIS_MODULE,
 	.name		= "overlay",
+#ifdef CONFIG_OVERLAY_FS_UNPRIVILEGED
 	.fs_flags	= FS_USERNS_MOUNT,
+#endif
 	.mount		= ovl_mount,
 	.kill_sb	= kill_anon_super,
 };