Subject: Re: [PATCH v5 2/3] overlayfs: check CAP_MKNOD before issuing vfs_whiteout
To: Amir Goldstein
Cc: linux-kernel, Miklos Szeredi, Jonathan Corbet, Vivek Goyal, "Eric W. Biederman", Randy Dunlap, Stephen Smalley, overlayfs, linux-doc@vger.kernel.org
References: <20180828165319.211563-1-salyzyn@android.com>
From: Mark Salyzyn
Message-ID: <004057f1-f0cd-5410-e4e3-a17287613f89@android.com>
Date: Tue, 28 Aug 2018 11:51:55 -0700
X-Mailing-List: linux-kernel@vger.kernel.org

On 08/28/2018 11:42 AM, Amir Goldstein wrote:
> On Tue, Aug 28, 2018 at 8:43 PM Amir Goldstein wrote:
>> On Tue, Aug 28, 2018 at 7:53 PM Mark Salyzyn wrote:
>>> Assumption never checked, should fail if the mounter creds are not
>>> sufficient.
>>> >>> Signed-off-by: Mark Salyzyn >>> Cc: Miklos Szeredi >>> Cc: Jonathan Corbet >>> Cc: Vivek Goyal >>> Cc: Eric W. Biederman >>> Cc: Amir Goldstein >>> Cc: Randy Dunlap >>> Cc: Stephen Smalley >>> Cc: linux-unionfs@vger.kernel.org >>> Cc: linux-doc@vger.kernel.org >>> Cc: linux-kernel@vger.kernel.org >>> >>> v5 >>> - dependency of "overlayfs: override_creds=off option bypass creator_cred" >>> --- >>> fs/overlayfs/overlayfs.h | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h >>> index 7538b9b56237..bf3a80157d42 100644 >>> --- a/fs/overlayfs/overlayfs.h >>> +++ b/fs/overlayfs/overlayfs.h >>> @@ -176,7 +176,7 @@ static inline int ovl_do_rename(struct inode *olddir, struct dentry *olddentry, >>> >>> static inline int ovl_do_whiteout(struct inode *dir, struct dentry *dentry) >>> { >>> - int err = vfs_whiteout(dir, dentry); >>> + int err = capable(CAP_MKNOD) ? vfs_whiteout(dir, dentry) : -EPERM; >> Should that be ns_capable()? Should the test go into vfs_whiteout()? >> I feel there is no convention at all. >> > Nevermind, I don't think creating a whiteout poses any risk, so don't think > we need to worry about CAP_MKNOD. > > Thanks, > Amir. Ok, will discard from the set, we can address this later if it creates concern (as in, not a dependency to my proposed feature flag). So we feel that whiteout node in the writeable playground of workdir/upperdir is not in itself a security concern. Other (more dangerous) mknod will be checked against the caller's credentials coming in. -- Mark
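Review bot: in the ovl_do_whiteout() hunk, `capable(CAP_MKNOD)` tests the credentials of the current task, which does not match the commit message's intent ("should fail if the mounter creds are not sufficient"): with the v5 dependency on override_creds=off, the task reaching this inline is the caller, not the mounter, so the check is really "caller holds CAP_MKNOD" and the description should say so. The ns_capable() question raised in the thread also stands: `capable()` is the initial-namespace check, and the hunk gives no reason for choosing it over a namespace-aware one for a mount that may live in a user namespace. A one-line comment above `int err = capable(CAP_MKNOD) ? vfs_whiteout(dir, dentry) : -EPERM;` stating whose credentials are being tested and why the check lives here rather than in vfs_whiteout() (the other question asked in review) would settle both points for the next reader.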
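The gate in the patch, "refuse the whiteout unless the task holds CAP_MKNOD", reduced to a user-space C analogue. This is an added example written for this thread, not code from the patch, from overlayfs or from the kernel: it reads the effective capability set from the CapEff line of /proc/self/status, and only when CAP_MKNOD (bit 27) is present does it create the kind of node overlayfs uses as a whiteout marker, a character device with device number 0/0; otherwise it returns -EPERM, like the patched ovl_do_whiteout(). The helper names and the output path are this example's own choices.

```c
/* Added example, not part of the patch or the thread: user-space analogue of
 * the CAP_MKNOD gate in the hunk above.  Assumes the CapEff line format of
 * /proc/<pid>/status and CAP_MKNOD == 27 from <linux/capability.h>. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef CAP_MKNOD
#define CAP_MKNOD 27   /* bit index of CAP_MKNOD in the capability masks */
#endif

/* Return 1 if capability bit `cap` is set in the 64-bit mask, else 0. */
static int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap >= 64)
        return 0;
    return (int)((mask >> cap) & 1u);
}

/* Parse one "CapEff:\t0000003fffffffff" line as found in /proc/self/status.
 * Returns 0 and stores the mask on success, -EINVAL for any other line. */
static int parse_capeff_line(const char *line, uint64_t *mask)
{
    const char *p;
    char *end;
    unsigned long long v;

    if (strncmp(line, "CapEff:", 7) != 0)
        return -EINVAL;
    p = line + 7;
    while (*p == ' ' || *p == '\t')
        p++;
    errno = 0;
    v = strtoull(p, &end, 16);
    if (errno || end == p)
        return -EINVAL;
    *mask = (uint64_t)v;
    return 0;
}

/* Does this CapEff line grant `cap`?  Returns 1, 0, or -EINVAL on a bad line. */
static int capeff_line_grants(const char *line, int cap)
{
    uint64_t mask;
    int ret = parse_capeff_line(line, &mask);

    return ret < 0 ? ret : cap_in_mask(mask, cap);
}

/* Read the calling process's effective capability mask from procfs.
 * Returns 0 on success, negative errno if the file or the line is missing. */
static int read_capeff(uint64_t *mask)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int ret = -ENOENT;

    if (!f)
        return -errno;
    while (fgets(line, sizeof line, f)) {
        if (parse_capeff_line(line, mask) == 0) {
            ret = 0;
            break;
        }
    }
    fclose(f);
    return ret;
}

/* Analogue of the patched ovl_do_whiteout(): -EPERM without CAP_MKNOD,
 * otherwise create the 0/0 character device overlayfs uses as a whiteout.
 * Returns 0 or a negative errno. */
static int do_whiteout_checked(const char *path)
{
    uint64_t eff;
    int ret = read_capeff(&eff);

    if (ret < 0)
        return ret;
    if (!cap_in_mask(eff, CAP_MKNOD))
        return -EPERM;
    if (mknod(path, S_IFCHR | 0000, makedev(0, 0)) < 0)
        return -errno;
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "./whiteout.node";
    int ret = do_whiteout_checked(path);

    if (ret < 0) {
        fprintf(stderr, "whiteout %s: %s\n", path, strerror(-ret));
        return 1;
    }
    printf("created whiteout marker %s (char 0/0)\n", path);
    return 0;
}
```

Run it once as an unprivileged user and once with CAP_MKNOD (for instance as root, or via `capsh --caps=cap_mknod+ep`): the first attempt fails with "Operation not permitted" before any mknod() is issued, the second creates a 0/0 character device that `ls -l` shows as `c 0, 0`, which is exactly the marker the patch wants to gate.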