Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp7394584imm;
        Tue, 28 Aug 2018 11:13:16 -0700 (PDT)
X-Google-Smtp-Source: ANB0Vdacah6IpnMyaB8rBrZpm+lU5o3tfGuCmnpik81GPhy3iwF5W05k1yauVOkRBp6UGe68HIzf
X-Received: by 2002:a63:b812:: with SMTP id p18-v6mr2550331pge.156.1535479995986;
        Tue, 28 Aug 2018 11:13:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1535479995; cv=none;
        d=google.com; s=arc-20160816;
        b=WXSQByEbtBxKjhKnBbypJs9IczeWTQLTY1vIjGy8MVJDgf/CI3MbBReKy8//qDVh9e
         K3heNA6bOMtFSszSLSJN1nCS8Yi4vAvKX4g7cUfXpKMWmpyAN54Pg6eNIWGfJNJmAJko
         EyKj5yH/VFEUVfIJN1HTJ+aupJlt4Id64FAuUzTP1CJ52KO+0JPReAMTF2NW0XBGe0Ci
         zHLG8J4rlpONM8FBjRZ5k3u1bhd1sDQrYKXYOrhT6XHN6SawzaEbhCMZfLKDsY9KiTVy
         uP3HDxA4BbF4hAyKtUSylgNSJEapCCTZTtc9p0JwQLgj0hXme55UcXG0wjxqf9wBpu5p
         dSxQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature
         :arc-authentication-results;
        bh=REEDdhcsjfFTLS48PMY65npoDqqE8e6fTQGykuUYbXo=;
        b=Rn22T3zIwKOjv/2B5VwzXs5ffgUvejkGc8fzuQZ9PmFdO9WG/wS+21GI8bsbbB5sf4
         nNN9Ggif61n9276BCl2j4VyFELc2eQb1cVjVFhOVxGma3RkTZAMLLZWVHYEzkYs1fHsk
         gWjIBy2MouziFPyj4qqHhsaj8ah9hPuL26kYbz7Ix9NR55PAc6Hr5ZVeHWCRevF2QAzq
         lGAOBFdYyXgLkz9JRPfLLA35YixCUymzX7NwdvRGEmb4c/KmuR8ouZwOSL9kDpNTEPC6
         U63aiXu0oKtjP6fswILcWSMgolWJ8ChL78CM66kNIycJL1tgE9r+ebKd5ObTg3MFqYTd
         lQzw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b="p/uy/vUd";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d5-v6si887026pla.490.2018.08.28.11.12.36;
        Tue, 28 Aug 2018 11:13:15 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b="p/uy/vUd";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727370AbeH1WCm (ORCPT <rfc822;radocaj.bane@gmail.com>
        + 99 others); Tue, 28 Aug 2018 18:02:42 -0400
Received: from merlin.infradead.org ([205.233.59.134]:45364 "EHLO
        merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727130AbeH1WCm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 28 Aug 2018 18:02:42 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=infradead.org; s=merlin.20170209; h=Content-Transfer-Encoding:Content-Type:
        In-Reply-To:MIME-Version:Date:Message-ID:From:References:Cc:To:Subject:Sender
        :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
        Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:
        List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
        bh=REEDdhcsjfFTLS48PMY65npoDqqE8e6fTQGykuUYbXo=; b=p/uy/vUdi0Oqsz66KHCHmvsHpp
        geT3MdCGVHs038pCh7a8uf7tsxlGVaGPkUVuBqjrU91+VBg6iICi4a9RsJUhfl51BMhXO7OhUPRlB
        sVcMCBY7TteVgrtObcKEecYIvwiAwHA+pE5wOYqz3yU4FCf7QA5HywgDnzAMxyVBvU0e3Q6HodA5P
        b1iBuv8Wwh9ohWmcFKoA1bWDsvriiUJfCUMhp/ygJB023J4HMB9I7Vu9PgxdaLCBuGxysbXILYj8A
        iSJCEFHZDrpIqnBL8M+xV/BMTZaesQWSQe7iGtCgBnAGGL1OwoH87BP4ZDBHOEsuNbzoaRWqWqM4e
        IQj7BFgg==;
Received: from static-50-53-52-16.bvtn.or.frontiernet.net ([50.53.52.16] helo=midway.dunlab)
        by merlin.infradead.org with esmtpsa (Exim 4.90_1 #2 (Red Hat Linux))
        id 1fuiQv-0002Qh-Jn; Tue, 28 Aug 2018 18:09:44 +0000
Subject: Re: [PATCH v5 3/3] overlayfs: override_creds=off option bypass
 creator_cred
To:     Mark Salyzyn <salyzyn@android.com>, linux-kernel@vger.kernel.org
Cc:     Miklos Szeredi <miklos@szeredi.hu>,
        Jonathan Corbet <corbet@lwn.net>,
        Vivek Goyal <vgoyal@redhat.com>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        Amir Goldstein <amir73il@gmail.com>,
        Stephen Smalley <sds@tycho.nsa.gov>,
        linux-unionfs@vger.kernel.org, linux-doc@vger.kernel.org
References: <20180828165336.211643-1-salyzyn@android.com>
From:   Randy Dunlap <rdunlap@infradead.org>
Message-ID: <a8dc66c4-4761-4876-abd3-6dc135692404@infradead.org>
Date:   Tue, 28 Aug 2018 11:09:39 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20180828165336.211643-1-salyzyn@android.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 08/28/2018 09:53 AM, Mark Salyzyn wrote:
> diff --git a/Documentation/filesystems/overlayfs.txt b/Documentation/filesystems/overlayfs.txt
> index 72615a2c0752..953e52971eb0 100644
> --- a/Documentation/filesystems/overlayfs.txt
> +++ b/Documentation/filesystems/overlayfs.txt
> @@ -106,6 +106,35 @@ Only the lists of names from directories are merged.  Other content
>  such as metadata and extended attributes are reported for the upper
>  directory only.  These attributes of the lower directory are hidden.
>  
> +credentials
> +-----------
> +
> +By default, all access to the upper, lower and work directories is the
> +recorded mounter's MAC and DAC credentials.  The incoming accesses are
> +checked against the caller's credentials.
> +
> +If the principles of least privilege are applied, the mounter's
> +credentials might not overlap the credentials of the caller's when
> +accessing the overlayfs filesystem.  For example, a file that a lower
> +DAC privileged caller can execute, but is MAC denied to the
> +generally higher DAC privileged mounter, to prevent an attack vector
> +executing with the increased privileges of the mounter.  One option is
> +to turn off override_creds in the mount options; all subsequent
> +operations after mount on the filesystem will be only the caller's
> +credentials.  This option default is set in the CONFIG
> +OVERLAY_FS_OVERRIDE_CREDS or in the module option override_creds.
> +Fundamentally The mounter has privileges, its ability to execute,

                 the

but this entire sentence is jumbled and awkward and could use some work.
I tried to come up with something but I can't quite get what is intended here.


> +for example, files and grant them these higher privileges is to be
> +blocked except to lower privileged and appropriate callers.  This
> +option turned off permits this kind of security policy.
> +
> +With override_creds turned off, several unintended side effects will
> +occur.  The caller with a lower privilege will not be able to delete
> +files or directories, create nodes, or search some directories.  The
> +uneven security model where upperdir and workdir are opened at
> +privilege, but accessed without, should only be used with strict
> +understanding of the side effects and of the security policies.
> +
>  whiteouts and opaque directories
>  --------------------------------


-- 
~Randy