Subject: Re: overlayfs: caller_credentials option bypass creator_cred
From: Mark Salyzyn
To: Vivek Goyal
Cc: linux-kernel@vger.kernel.org, Miklos Szeredi, Jonathan Corbet, linux-unionfs@vger.kernel.org, linux-doc@vger.kernel.org, Daniel Walsh, Stephen Smalley
Date: Wed, 20 Jun 2018 08:28:30 -0700
In-Reply-To: <20180619143617.GC22657@redhat.com>
References: <20180618154222.19279-1-salyzyn@android.com> <20180618185448.GA8749@redhat.com> <20180618194345.GA15973@redhat.com> <20180619143617.GC22657@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 06/19/2018 07:36 AM, Vivek Goyal wrote:
> On Mon, Jun 18, 2018 at 02:59:50PM -0700, Mark Salyzyn wrote:
> So in this system all callers are privileged and have the capability to
> mknod and set trusted xattrs.
This is true of the callers that make adjustments (in Android's case this is an su context provided to the adb tool for sync and push). More importantly, the large variety of callers have the passive/read MAC credentials for their domain set of files, where the mounter/creator does not.

> (Amir mentioned the reason why we switch
> creds). If not, then file unlink (should do mknod), lower non-empty directory
> rename (should set trusted REDIRECT) and a bunch of other operations should fail.

Hmmm, neither was part of my test plan b/c these operations are more esoteric for development ... need to add them and address them.

Thanks all (You, Eric, Amir and private) for your comments, will regroup, test and address concerns!

-- Mark
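The point Vivek raises above is that, once overlayfs performs operations with the caller's credentials instead of the mounter's, the caller itself must hold the capabilities those operations need: a whiteout on unlink is a character device created with mknod (CAP_MKNOD), and the redirect marker set on renaming a non-empty lower directory is a trusted.* xattr (CAP_SYS_ADMIN). The following is an added example written for this page, not code from the thread, the patch or overlayfs itself. It parses the Cap* lines of a /proc/<pid>/status file, reports which of those two operations a given caller could not perform, and can run the same check on the current process. The capability bit numbers are the ones from linux/capability.h; the operation-to-capability mapping and the sample status texts are constructed for illustration.

```python
"""Check a process's effective capabilities against what overlayfs
operations need when they run with the caller's credentials.

Added example for this thread; not part of the overlayfs patch series.
The sample /proc/<pid>/status texts below are constructed.
"""
import re

# Capability bit numbers from include/uapi/linux/capability.h.
CAP_SYS_ADMIN = 21   # required to set trusted.* xattrs (trusted.overlay.redirect)
CAP_MKNOD = 27       # required to create the 0/0 character-device whiteout

CAP_NAMES = {CAP_SYS_ADMIN: "CAP_SYS_ADMIN", CAP_MKNOD: "CAP_MKNOD"}

# Overlayfs side effects that move from mounter to caller under a
# caller-credentials option, and the capability each one needs.
# (Illustrative mapping based on the thread, not an exhaustive list.)
OVERLAYFS_NEEDS = {
    "unlink": {CAP_MKNOD},        # whiteout via mknod
    "rename": {CAP_SYS_ADMIN},    # trusted.overlay.redirect on a lower dir
}

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)

# Constructed samples: a fully privileged daemon and an unprivileged app.
SAMPLE_STATUS_ROOT = """Name:\tadbd
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

SAMPLE_STATUS_UNPRIV = """Name:\tapp_process
Uid:\t10042\t10042\t10042\t10042
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""


def parse_caps(status_text):
    """Return {'CapEff': int, ...} from the text of a /proc/<pid>/status file."""
    return {m.group(1): int(m.group(2), 16) for m in _CAP_LINE.finditer(status_text)}


def has_cap(mask, cap):
    """True if capability bit `cap` is set in the 64-bit mask."""
    return bool((mask >> cap) & 1)


def missing_for_overlayfs(cap_eff):
    """Map each overlayfs operation to the capability names the caller lacks.

    An empty dict means every listed operation would succeed with the
    caller's own credentials.
    """
    missing = {}
    for op, needed in OVERLAYFS_NEEDS.items():
        lacking = sorted(CAP_NAMES[c] for c in needed if not has_cap(cap_eff, c))
        if lacking:
            missing[op] = lacking
    return missing


def check_status_text(status_text):
    """Convenience wrapper: parse a status file and evaluate its CapEff."""
    return missing_for_overlayfs(parse_caps(status_text)["CapEff"])


def check_self():
    """Run the same check against the current process (Linux only)."""
    with open("/proc/self/status") as f:
        return check_status_text(f.read())


if __name__ == "__main__":
    for label, text in (("root sample", SAMPLE_STATUS_ROOT),
                        ("unprivileged sample", SAMPLE_STATUS_UNPRIV)):
        print(label, "->", check_status_text(text) or "all operations permitted")
    print("this process ->", check_self() or "all operations permitted")
```

A caller that reports an empty result can perform unlink and lower-directory rename through the overlay under its own credentials; anything listed is an operation that would fail once the mounter's credentials are no longer substituted, which is exactly the class of failure the thread says was not yet covered by the test plan.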