Date: Tue, 19 Jun 2018 10:36:17 -0400
From: Vivek Goyal
To: Mark Salyzyn
Cc: linux-kernel@vger.kernel.org, Miklos Szeredi, Jonathan Corbet, linux-unionfs@vger.kernel.org, linux-doc@vger.kernel.org, Daniel Walsh, Stephen Smalley
Subject: Re: overlayfs: caller_credentials option bypass creator_cred
Message-ID: <20180619143617.GC22657@redhat.com>
References: <20180618154222.19279-1-salyzyn@android.com> <20180618185448.GA8749@redhat.com> <20180618194345.GA15973@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jun 18, 2018 at 02:59:50PM -0700, Mark Salyzyn wrote:
> On 06/18/2018 12:43 PM, Vivek Goyal wrote:
> > Will it be acceptable to write security policies in such a way so that
> > mounter has access as well.
> Unfortunately No. Policy of minimizing attack surface for a contained root
> service (init in this case). Just because it can mount, does not mean it can
> modify critical content; an attacker could use this to open a hole.
>
> > Current model does assume that mounter has privileges on underlying files.
>
> Only ones it appears to need is the workdir AFAIK, had to add ability to
> create in the xattr in order to enable r/w mounts later. Although
> not all corners were tested, I did not see any copy_up issues b/c the caller
> had the privs in the Android security model when mounted with this new flag.

So in this system all callers are privileged and have the capability to
mknod and set trusted xattrs. (Amir mentioned the reason why we switch
creds). If not, then file unlink (should do mknod), lower non-empty
directory rename (should set trusted REDIRECT) and a bunch of other
operations should fail.

Thanks
Vivek
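The privilege assumption in Vivek's last paragraph can be checked from userspace: overlayfs creates a whiteout for an unlinked file as a 0/0 character device (which needs CAP_MKNOD) and records a renamed lower directory in a trusted.overlay.redirect xattr (trusted.* xattrs need CAP_SYS_ADMIN), so a process that will be the caller under the proposed caller_credentials option must hold both. The script below is an added example for this page, not code from the thread or from the overlayfs tree. It parses the CapEff mask from a /proc/<pid>/status text, lists which of the two capabilities are absent, and classifies a directory entry as an overlayfs whiteout from its mode and rdev. The function names and the sample status lines are constructed for the example; the capability bit numbers are the ones from linux/capability.h.

```python
"""Check whether a process holds the capabilities an overlayfs caller needs
when it operates with its own credentials instead of the mounter's."""
import re
import stat

# Capability bit numbers from linux/capability.h.
CAP_SYS_ADMIN = 21   # required to set trusted.* xattrs (e.g. trusted.overlay.redirect)
CAP_MKNOD = 27       # required to create the 0/0 char device used as a whiteout

OVERLAY_CALLER_CAPS = {"CAP_SYS_ADMIN": CAP_SYS_ADMIN, "CAP_MKNOD": CAP_MKNOD}


def parse_cap_line(status_text, field="CapEff"):
    """Return the hex capability mask of `field` (CapEff by default) from the
    text of /proc/<pid>/status as an int."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError(f"{field} not found in status text")
    return int(m.group(1), 16)


def missing_overlay_caps(cap_mask):
    """Names of the overlayfs-relevant capabilities that are NOT set in cap_mask,
    sorted so the result is stable."""
    return sorted(name for name, bit in OVERLAY_CALLER_CAPS.items()
                  if not (cap_mask >> bit) & 1)


def check_status(status_text):
    """Parse a /proc/<pid>/status text and report missing capabilities
    (empty list means the caller can do whiteouts and redirect xattrs)."""
    return missing_overlay_caps(parse_cap_line(status_text, "CapEff"))


def check_self():
    """Same check for the running process; needs a real /proc."""
    with open("/proc/self/status") as f:
        return check_status(f.read())


def is_whiteout(mode, rdev):
    """True if a directory entry looks like an overlayfs whiteout:
    a character device whose device number is 0/0."""
    return stat.S_ISCHR(mode) and rdev == 0


# Constructed sample status texts (not captured from a real system).
SAMPLE_ROOT = (
    "Name:\tinit\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n"   # bits 0..37 set: full capability set
)
SAMPLE_UNPRIV = "Name:\tshell\nCapEff:\t0000000000000000\n"
SAMPLE_NO_MKNOD = "Name:\tsvc\nCapEff:\t%016x\n" % (1 << CAP_SYS_ADMIN)


if __name__ == "__main__":
    for label, text in (("root", SAMPLE_ROOT), ("unpriv", SAMPLE_UNPRIV),
                        ("no-mknod", SAMPLE_NO_MKNOD)):
        print(f"{label:9s} missing: {check_status(text) or 'none'}")
    try:
        print(f"self      missing: {check_self() or 'none'}")
    except OSError:
        print("self      (no /proc available)")
```

Run it on a box where the service in question is already running and feed it /proc/<pid>/status for that service; an empty result is the precondition Vivek describes, and a non-empty one names the operation (whiteout creation or redirect xattr) that will start failing once the kernel stops switching to the mounter's credentials.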