CHROMIUM: security: Add a cmdline opt for overlayfs

Add a kernel command line option for allowing overlayfs
mounts. By default, this will never be set but it allows
users with verified boot disabled to mount overlayfs.

BUG=b:322176103, b:328652444
TEST=CQ

Change-Id: I68ec0c6b11e8bed132d2c3a33d65f9140897db4d
Signed-off-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5353260
Reviewed-by: Allen Webb <allenwebb@google.com>
Tested-by: Sarthak Kukreti <sarthakkukreti@google.com>
Commit-Queue: Sarthak Kukreti <sarthakkukreti@google.com>
diff --git a/security/chromiumos/lsm.c b/security/chromiumos/lsm.c
index d38c303..9ade38b 100644
--- a/security/chromiumos/lsm.c
+++ b/security/chromiumos/lsm.c
@@ -41,6 +41,15 @@
 #include "inode_mark.h"
 #include "utils.h"
 
+static int allow_overlayfs;
+
+static int __init allow_overlayfs_set(char *__unused)
+{
+	allow_overlayfs = 1;
+	return 1;
+}
+__setup("chromiumos.allow_overlayfs", allow_overlayfs_set);
+
 #if defined(CONFIG_SECURITY_CHROMIUMOS_NO_UNPRIVILEGED_UNSAFE_MOUNTS) || \
 	defined(CONFIG_SECURITY_CHROMIUMOS_NO_SYMLINK_MOUNT)
 static void report(const char *origin, const struct path *path, char *operation)
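Review bot: `allow_overlayfs` on the first added line is a security policy switch that is only written from an `__init` handler, so it should be declared `static int allow_overlayfs __ro_after_init;` to keep a post-boot kernel write primitive from flipping it at runtime (confirm `__ro_after_init` is available in this tree). The handler's parameter name `__unused` sits in the reserved double-underscore namespace; `char *str` with `(void)str;`, or no name at all, avoids that. Because the handler ignores its argument, any `chromiumos.allow_overlayfs=...` value, including `=0`, appears to enable the bypass; if that is intended, a one-line comment above the `__setup` line saying so would help the next reader.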
@@ -82,6 +91,13 @@
 					const char *type, unsigned long flags,
 					void *data)
 {
+	if (!allow_overlayfs && type && !strcmp(type, "overlay")) {
+		report("sb_mount", path, "Overlayfs mounts prohibited");
+		pr_notice("sb_mount dev=%s type=%s flags=%#lx\n",
+			  dev_name, type, flags);
+		return -EPERM;
+	}
+
 #ifdef CONFIG_SECURITY_CHROMIUMOS_NO_SYMLINK_MOUNT
 	if (nameidata_get_total_link_count()) {
 		report("sb_mount", path, "Mount path with symlinks prohibited");
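Review bot: `report()` called on the first added line is, per the `#if` guard in the first hunk, only defined when CONFIG_SECURITY_CHROMIUMOS_NO_UNPRIVILEGED_UNSAFE_MOUNTS or CONFIG_SECURITY_CHROMIUMOS_NO_SYMLINK_MOUNT is set, yet the new check calls it unconditionally; unless this function is itself compiled only under one of those options, a configuration with neither set would fail to build, so either confirm that or wrap the new block in the same guard. The enclosing function's signature begins before the hunk and its body continues after it. Separately, the `sb_mount` hook covers mount(2) only; if this kernel exposes fsopen()/fsmount()/move_mount(), an overlay superblock can be created without passing through this check, so a matching test on the fs_context or sb_kern_mount path may be needed for the restriction to be complete.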