Subject: Re: [PATCH v3] overlayfs: override_creds=off option bypass creator_cred
From: Randy Dunlap
To: Mark Salyzyn, linux-kernel@vger.kernel.org
Cc: Miklos Szeredi, Jonathan Corbet, Vivek Goyal, "Eric W. Biederman", Amir Goldstein, linux-unionfs@vger.kernel.org, linux-doc@vger.kernel.org, kernel-team@android.com
Date: Fri, 22 Jun 2018 08:56:29 -0700
Message-ID: <56cd58e0-c61f-6580-d388-b0146108fed7@infradead.org>
In-Reply-To: <20180622152056.16877-1-salyzyn@android.com>
References: <20180622152056.16877-1-salyzyn@android.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Mark,

On 06/22/2018 08:20 AM, Mark Salyzyn wrote:
> By default, all access to the upper, lower and work directories is the
> recorded mounter's MAC and DAC credentials. The incoming accesses are
> checked against the caller's credentials.
>
> If the principals of least privilege are applied, the mounter's principles
> credentials might not overlap the credential of the caller's when
> accessing the overlayfs filesystem. For example, a file that a lower
> DAC privileged caller can execute, is MAC denied to the generally
> higher DAC privileged mounter, to prevent an attack vector.
>
> We add the option to turn off override_creds in the mount options, all
> subsequent operations after mount on the filesystem will be only the
> caller's credentials. This option default is set in the CONFIG
> OVERLAY_FS_OVERRIDE_CREDS or in the module option override_creds.
>
> The module bool parameter and mount option override_creds is also boolean
> added as a presence check for this "feature" by checking existence of
> /sys/module/overlay/parameters/overlay_creds. This will allow user
> space to determine if the option can be supplied successfully to the
> mount(2) operation.
>
> Signed-off-by: Mark Salyzyn
> Cc: Miklos Szeredi
> Cc: Jonathan Corbet
> Cc: Vivek Goyal
> Cc: Eric W. Biederman
> Cc: Amir Goldstein
> Cc: linux-unionfs@vger.kernel.org
> Cc: linux-doc@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Cc: kernel-team@android.com
>
> ---
> v2:
> - Forward port changed attr to stat, resulting in a build error.
> - altered commit message.
>
> v3:
> - Change name from caller_credentials / creator_credentials to the
> boolean override_creds.
> - Changed from creator to mounter credentials.
> - Updated and fortified the documentation.
> - Added CONFIG_OVERLAY_FS_OVERRIDE_CREDS
>
> Documentation/filesystems/overlayfs.txt | 17 +++++++++++++++++
> fs/overlayfs/Kconfig | 21 +++++++++++++++++++++
> fs/overlayfs/copy_up.c | 2 +-
> fs/overlayfs/dir.c | 9 +++++----
> fs/overlayfs/inode.c | 16 ++++++++--------
> fs/overlayfs/namei.c | 6 +++---
> fs/overlayfs/overlayfs.h | 1 +
> fs/overlayfs/ovl_entry.h | 1 +
> fs/overlayfs/readdir.c | 4 ++--
> fs/overlayfs/super.c | 21 +++++++++++++++++++++
> fs/overlayfs/util.c | 12 ++++++++++--
> 11 files changed, 90 insertions(+), 20 deletions(-)
>
> diff --git a/Documentation/filesystems/overlayfs.txt b/Documentation/filesystems/overlayfs.txt
> index 72615a2c0752..5c646f993a4b 100644
> --- a/Documentation/filesystems/overlayfs.txt
> +++ b/Documentation/filesystems/overlayfs.txt
> @@ -106,6 +106,23 @@ Only the lists of names from directories are merged. Other content > such as metadata and extended attributes are reported for the upper > directory only. These attributes of the lower directory are hidden. > > +credentials > +----------- > + > +By default, all access to the upper, lower and work directories is the > +recorded mounter's MAC and DAC credentials. The incoming accesses are > +checked against the caller's credentials. > + > +If the principals of least privilege are applied, the mounter's principles > +credentials might not overlap the credential of the caller's when credentials (?) > +accessing the overlayfs filesystem. For example, a file that a lower > +DAC privileged caller can execute, is MAC denied to the generally > +higher DAC privileged mounter, to prevent an attack vector. One > +option is to turn off override_creds in the mount options, all options; all > +subsequent operations after mount on the filesystem will be only the > +caller's credentials. This option default is set in the CONFIG > +OVERLAY_FS_OVERRIDE_CREDS or in the module option override_creds. > + > whiteouts and opaque directories > -------------------------------- > > diff --git a/fs/overlayfs/Kconfig b/fs/overlayfs/Kconfig > index 9384164253ac..1ecb910f0300 100644 > --- a/fs/overlayfs/Kconfig > +++ b/fs/overlayfs/Kconfig 
> @@ -103,3 +103,24 @@ config OVERLAY_FS_XINO_AUTO > For more information, see Documentation/filesystems/overlayfs.txt > > If unsure, say N. > + > +config OVERLAY_FS_OVERRIDE_CREDS > + bool "Overlay filesystem override credentials" > + depends on OVERLAY_FS > + default y > + help > + If set, all access to the upper, lower and work directories is the > + recorded mounter's MAC and DAC credentials. The incoming accesses are > + checked against the caller's credentials. The check of both access > + credentials. last "sentence" is incomplete. > + > + If the principals of least privilege are applied, the mounter's principles > + credentials might not overlap the credential of the caller's when > + accessing the overlayfs filesystem. The mount option override_creds=n "override_creds=n" > + drops the mounter's credential check, so that all subsequent > + operations, after mount, on the filesystem will only be the > + caller's credentials. This option sets the default for the module > + option override_creds, and thus the default for all mounts that > + do not specify this option. > + > + For more information see Documentation/filesystems/overlayfs.txt -- ~Randy
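Review bot: In the Documentation/filesystems/overlayfs.txt hunk, the new "credentials" section never states the actual syntax of the option it describes, and the patch is inconsistent about it: the subject line says "override_creds=off", the Kconfig help text says "override_creds=n", and the commit message tells user space to probe /sys/module/overlay/parameters/overlay_creds, a parameter name that does not match the option name override_creds. Settle on one spelling for the mount option and one name for the module parameter, and write the exact form into this section (for example "The mount option override_creds=off ..."), because this is the text administrators will read before deciding to turn the override off. The same paragraph should also say plainly what turning it off means for access control: the mounter's credentials no longer stand in for the caller, so every operation is checked against the upper, lower and work directories with the caller's own credentials, which the section's own wording ("will be only the caller's credentials") implies but never spells out. Finally, "principals of least privilege" and "the mounter's principles credentials" should read "principle of least privilege" and "the mounter's credentials", as the inline "credentials (?)" comment already suggests.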
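Review bot: In the fs/overlayfs/Kconfig hunk, the help text fragment "The check of both access credentials." is not a sentence (the inline comment already flags it); either finish it or drop it, since as written it leaves unclear whether both the mounter's and the caller's credentials are checked when the option is enabled. "default y" keeps the existing behaviour, where the mounter's credentials are used for the underlying directories, which is the right default, but the help text should say so explicitly and should describe the trade-off of answering N: it changes the default for every overlay mount that does not pass override_creds, so callers are then checked directly against the upper, lower and work directories with their own credentials. Also align "override_creds=n" with the subject line's "override_creds=off" and with the documentation hunk, which gives no syntax at all, and replace "principals of least privilege" with "principle of least privilege".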