Subject: Re: overlayfs: caller_credentials option bypass creator_cred
To: Vivek Goyal
Cc: linux-kernel@vger.kernel.org, Miklos Szeredi, Jonathan Corbet, linux-unionfs@vger.kernel.org, linux-doc@vger.kernel.org
References: <20180618154222.19279-1-salyzyn@android.com> <20180618185448.GA8749@redhat.com>
From: Mark Salyzyn
Date: Mon, 18 Jun 2018 12:18:25 -0700
In-Reply-To: <20180618185448.GA8749@redhat.com>
List-ID: linux-kernel@vger.kernel.org

On 06/18/2018 11:54 AM, Vivek Goyal wrote:
> On Mon, Jun 18, 2018 at 08:42:15AM -0700, Mark Salyzyn wrote:
>> All accesses to the lower filesystems reference the creator (mount)
>> and not the source context. This is a security issue.
> Can you elaborate with an example of how this is a security issue?
> mounter's check is in addition to caller's check. So we have two
> checks in ovl_permission(). overlay inode gets the credentials from
> underlying inode and we first check if caller is allowed to the
> operation and if that's allowed, then we check if mounter is allowed
> to do the operation.

init, which does the mount, represents the creator_cred, which is granted a restricted MAC to do just what it needs to do, e.g. mount, but not be able to access the files. The caller comes in and is rejected because the init domain is not allowed, even though the caller's domain is. MAC does not require overlap in privileges between the creator and the user.

-- Mark
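An added example, not code from this thread or from overlayfs: a small C model of the two-check flow Vivek describes in ovl_permission(), caller first and then mounter. The MAC policy table, the domain names `init_domain` and `app_domain`, the object labels, and the `caller_creds_only` flag standing in for the mount option under discussion are all constructed assumptions. What it shows is the case Mark describes: a caller whose own domain is entitled to the file is still refused under the double check whenever the mounter's domain is not also entitled, while an unentitled caller stays refused either way.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed MAC policy for the example (not a real SELinux policy):
 * each rule says whether a subject domain may access an object label. */
struct mac_rule {
    const char *domain;
    const char *label;
    bool allowed;
};

static const struct mac_rule policy[] = {
    /* init may touch the mount point, but the policy deliberately keeps
     * it away from application data, as the reply describes. */
    { "init_domain", "mount_point", true  },
    { "init_domain", "app_data",    false },
    /* the application domain is the one actually entitled to its data */
    { "app_domain",  "app_data",    true  },
    { "app_domain",  "mount_point", false },
};

/* Default-deny lookup: anything not listed explicitly is refused. */
static bool mac_allows(const char *domain, const char *label)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (strcmp(policy[i].domain, domain) == 0 &&
            strcmp(policy[i].label, label) == 0)
            return policy[i].allowed;
    }
    return false;
}

/*
 * Model of the permission flow described in the thread: the caller's
 * credentials are checked first, then (unless the hypothetical
 * caller_creds_only flag is set) the mounter's credentials as well.
 * Returns 0 on success or -EACCES on denial, in kernel style.
 */
int check_access(const char *caller_domain, const char *mounter_domain,
                 const char *label, bool caller_creds_only)
{
    if (!mac_allows(caller_domain, label))
        return -EACCES;            /* caller itself is not entitled */
    if (caller_creds_only)
        return 0;                  /* single check: caller decides */
    if (!mac_allows(mounter_domain, label))
        return -EACCES;            /* mounter (init) lacks the privilege */
    return 0;
}

int main(void)
{
    const char *caller = "app_domain", *mounter = "init_domain";

    printf("double check (caller then mounter): %s\n",
           check_access(caller, mounter, "app_data", false) == 0 ? "allowed" : "denied");
    printf("caller credentials only:            %s\n",
           check_access(caller, mounter, "app_data", true) == 0 ? "allowed" : "denied");
    /* an unentitled caller is still refused regardless of the option */
    printf("unentitled caller, caller-only:     %s\n",
           check_access("init_domain", mounter, "app_data", true) == 0 ? "allowed" : "denied");
    return 0;
}
```

The third scenario is the one to keep in mind when reviewing the option: consulting only the caller's credentials does not widen access for a domain the policy never entitled; it removes the requirement that the mounter's domain overlap with the caller's.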