Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp4066286imm;
        Mon, 25 Jun 2018 09:09:02 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKLzmWFxYEmoicTreYUPOWXqUw4kVfccTkDA0PsiX+QGryWg9kelgThKjD3OAPpI00MqGCWg
X-Received: by 2002:a62:3101:: with SMTP id x1-v6mr13504746pfx.246.1529942942793;
        Mon, 25 Jun 2018 09:09:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1529942942; cv=none;
        d=google.com; s=arc-20160816;
        b=Bk/rt2rdTMkHgIOg42LTPKgdmyvhikdvpnmjSkxmwUt6aLb04MVXxolhECOCDut/cK
         cnHyufQcrVknarLs7UcctX8sL9AddSeyvyfkyyZdP9LMCF0AxN/iaBvd0MT87bpaE6lj
         EHR35SM17IYJLzuBlCA99jBXNiEnqUnpUsn6qAOLTudCbaw3YYRabi3vPxcnF4mMDMIc
         GRh3C43lXQIIiD3szbesW0Z5ObkNSoivUKmKWyBTEz13Xc1cnk6fH+CPz0mQuZkKg/fq
         YwpWT9Be4bBggSeM7RuoUiXPl3KNmhfSJ2riaCp4XCK861HBgNrq85cu9PcRCVm4YDoS
         zc6Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-language
         :content-transfer-encoding:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature
         :arc-authentication-results;
        bh=r1RPv17L4++qu86la0K0F4j7zBMOUnwka3AIC53pU/0=;
        b=p2NHalF3MZY2uouP20VopOUik7PHYGbzCil1cFseL8n1F7x4xE1u//qBPzzsfOquTj
         URnC5g45czRbqzNakB45qSJUcNmVQT25i/OF4/H0CfdodKthlMQAzW6fOAewF67+Wlb6
         WjpWE/DdLRJITFT2hC8vU60x5po2vk7YObUtv71TSNMgJ1t04+Xoa000lpUdB2JJIkJh
         NvT9ZuxW7ABrSRAgGjsNoV1vAb3MJZoFXidi53VfHCV6iw8EIhQSHcK2PQp/XIUq8RKc
         j3joXCm1M3HYhzRbS3wK+QCfoLMWOznTgndFti9qCA/S8xm3IwOXWGid3VT3yP2mSCpi
         MRdA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@android.com header.s=20161025 header.b=J3piKh3M;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=android.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d18-v6si11869602pgp.214.2018.06.25.09.08.47;
        Mon, 25 Jun 2018 09:09:02 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@android.com header.s=20161025 header.b=J3piKh3M;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=android.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755321AbeFYQHG (ORCPT <rfc822;kernelgary@gmail.com>
        + 99 others); Mon, 25 Jun 2018 12:07:06 -0400
Received: from mail-pg0-f67.google.com ([74.125.83.67]:38464 "EHLO
        mail-pg0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755078AbeFYQHE (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 25 Jun 2018 12:07:04 -0400
Received: by mail-pg0-f67.google.com with SMTP id c9-v6so6272274pgf.5
        for <linux-kernel@vger.kernel.org>; Mon, 25 Jun 2018 09:07:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=android.com; s=20161025;
        h=subject:to:cc:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-transfer-encoding:content-language;
        bh=r1RPv17L4++qu86la0K0F4j7zBMOUnwka3AIC53pU/0=;
        b=J3piKh3MrlafDPR8KwlmUJH8oUZQL5pEQ0nbhgnVht8gSg3vMUSFhpfYaWIrVkV8qy
         CHx79E7s9s5BJtpu+dVx2nODIHOLyywFlPgTc/Hn9GLxH6f7t4fXt8h419CluQNwmWez
         Byt1ElmflrStQw7LeRVoe9cTYwKamZfXx6QH0dFaZMn9VTO+j/rCyyORhhzU41AqxjMQ
         Smn3lf1eRXZOZ+97VMpBa0CYklB56IIv16GojQQcw2fSmdTX53Mv77CkeakJqk4r6lbr
         x4V6q8IaRAlBi4WWGw6LVXUG3QbF+l7NPdynhN7YZvI+Q/oMxXrXc5aEOmkrJz8jiSMQ
         KI5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding
         :content-language;
        bh=r1RPv17L4++qu86la0K0F4j7zBMOUnwka3AIC53pU/0=;
        b=Wrd2Acrw1FXEzhEw82hvr9mc+JPWlV/pWWHR3Y11GCVeCo+2s98ul/rwnEIGzQvXVm
         1AytqHFmH+RlNaYS5Ij9NEu7yKrkihF4aXmP7p2NbLHCW/bkk0sZqTrx9AxB6+xqKt5Z
         Zw8BtiHoXccJJQNwhGeTnC4WXc/QXztuDC7I/DFVMv+rrLIYNNKC09JMO/2sIP3WlNhr
         vUULI5OkkYoncjpahv7kN+5azcJTGvaisPB1yGWQDVNI4Mj54Kr+S/dwjKNvYgul06EG
         iWzNuiY3082U9TcyfVBiSEVD5j9ThoVbYlqBhBgr37FyFTuDchGfyA0w90OplIZXAwb7
         jFxg==
X-Gm-Message-State: APt69E3ph60NBIkjO7R1SeevSEwR4K2Ost1H0827dsNSEOVjluBsHuR/
        7+H5/ms8AnmO/lGts7VTmo/DzA==
X-Received: by 2002:a62:ab0e:: with SMTP id p14-v6mr13575881pff.211.1529942823720;
        Mon, 25 Jun 2018 09:07:03 -0700 (PDT)
Received: from nebulus.mtv.corp.google.com ([2620:0:1000:1611:6077:8eec:bc7e:d0f4])
        by smtp.googlemail.com with ESMTPSA id v13-v6sm35066280pfa.131.2018.06.25.09.07.02
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 25 Jun 2018 09:07:03 -0700 (PDT)
Subject: Re: [PATCH v4] overlayfs: override_creds=off option bypass
 creator_cred
To:     Amir Goldstein <amir73il@gmail.com>
Cc:     linux-kernel <linux-kernel@vger.kernel.org>,
        Miklos Szeredi <miklos@szeredi.hu>,
        Jonathan Corbet <corbet@lwn.net>,
        Vivek Goyal <vgoyal@redhat.com>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        Randy Dunlap <rdunlap@infradead.org>,
        overlayfs <linux-unionfs@vger.kernel.org>,
        linux-doc@vger.kernel.org
References: <20180622171605.52989-1-salyzyn@android.com>
 <CAOQ4uxiUaJHZ5coUNwH1ZYQjVB8dmAo0Y0bDKOmZM81tzCqC8g@mail.gmail.com>
From:   Mark Salyzyn <salyzyn@android.com>
Message-ID: <058082af-c3cd-9d0a-8d5c-1999703342d0@android.com>
Date:   Mon, 25 Jun 2018 09:07:02 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <CAOQ4uxiUaJHZ5coUNwH1ZYQjVB8dmAo0Y0bDKOmZM81tzCqC8g@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-GB
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 06/22/2018 11:46 PM, Amir Goldstein wrote:
> Mark,
>
> Thanks for the properly documented patch, but this documentation it
> missing the caveats of this config option and there are severe caveats
> as was discussed on earlier version of the patch.
>
> You should mention the not so minor detail that this option can result
> in inability to delete files/directories from overlay and there me be other
> side effects. This is one of those features that should be warning
> unconditionally that user should really know what user is doing
Agreed, I would like to prevent it becoming a treatise ...

The upperdir tree should match the privileges of the lower tree, and in 
Android that is enforced by a hard-coded built-in map (fs_config for 
DAC, restorecon map for MAC) for the caller writers that never causes 
unexpected adjustments (famous last wurds). The active 
(writers/creators) callers have _more_ privileges than init 
(creator/mounter), and are only available on development (userdebug) 
builds. All else are passive (readers), and although less privileged 
than init, have demonstrable read MAC privs where init does not.
> You did not address my concern that the test for setting trusted xattr
> on mount (ovl_make_workdir) should emit a different kind of warning
> when override_creds=off. In fact, I think it should emit a warning
> when override_creds=off unconditionally to indicate that weird things
> can be expected and we "really hope you know what you are doing".
>
> A new security concern I just noticed - overlayfs calls some vfs
> functions directly to perform operations that are typically not
> allowed to unprivileged users without checking credentials.
> In those cases your patch introduces a security vulnerability.
>
> Examples:
> - overlayfs calls exportfs_decode_fh() on underlying
> fs without checking CAP_DAC_READ_SEARCH
> - overlayfs calls vfs_whiteout() which calls underlying fs mknod
> without checking CAP_MKNOD
>
> Those examples could be easily fixed and you may righfully
> claim that they are bugs, but the fact is that those "bugs" are
> harmless until someone creates an irregular security model
> without capabilities to mount, without capability to mknod.
>
> What's worse is that you have to audit the overlayfs code and
> find all these potential bugs and fix them before changing the
> assumptions that were made over the years about mounter
> credentials.
Thanks, _this_ is what a good review is all about. I will need a deeper 
dive (b/c I did not see these) into all the 'command paths' to determine 
any missed/assumed checks. In Android, all the 'caller' issues I have 
with the existing checks are passive (read), and I would _hate_ to be 
providing them (unchecked and assumed) DAC privileges. In Android, it is 
simpler, they would not pass the first barriers, to the internal assumed 
points in any case, but multilevel security _requires_ us to recheck. 
The active (create/write) callers are few and trusted, but _should_ be 
checked w/o assumption (eg: if 'adb push' is not granted CAP_MKNOD, it 
should be blocked).
> Thanks,
> Amir.

Sincerely -- Mark Salyzyn