Date: Tue, 15 May 2018 16:42:10 -0400
From: Vivek Goyal
To: Miklos Szeredi, Daniel J Walsh
Cc: linux-unionfs@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Al Viro, linux-security-module@vger.kernel.org, Paul Moore, Stephen Smalley
Subject: Re: [PATCH v2 22/35] vfs: don't open real
Message-ID: <20180515204210.GA26411@redhat.com>
In-Reply-To: <20180514135803.GA2777@redhat.com>

On Mon, May 14, 2018 at 09:58:03AM -0400, Vivek Goyal wrote:
[..]
> Talked to Dan and he mentioned that he was trying to test entrypoint
> failure (and not exec failure) and that's why he might have allowed exec
> to mounter.
>
> I think that current entrypoint test's expectations are wrong.
> User process sees overlay inode label which is rwx_t and that means
> overlay layer will allow entrypoint into that executable. This will be the
> behavior on a normal file system where underlying file's label will be
> completely overridden by context=.
>
> So in my opinion, we should modify testsuite and not run this test with
> context= mounts.

Miklos, now a fix has been merged to the tests so that test passes both
with current kernels and proposed changes.

https://github.com/SELinuxProject/selinux-testsuite/pull/36

Thanks Dan Walsh, Stephen Smalley and Paul Moore.

Vivek