Subject: Re: [PATCH v6 2/2] overlayfs: override_creds=off option bypass creator_cred
To: Miklos Szeredi, Amir Goldstein
Cc: linux-kernel, Jonathan Corbet, Vivek Goyal, "Eric W. Biederman", Randy Dunlap, Stephen Smalley, overlayfs, linux-doc@vger.kernel.org, kernel-team@android.com
References: <20181105182146.233025-1-salyzyn@android.com> <20181105182146.233025-3-salyzyn@android.com>
From: Mark Salyzyn
Message-ID: <8beaf21a-2242-3c60-4de7-76190b71842b@android.com>
Date: Tue, 6 Nov 2018 08:50:16 -0800
X-Mailing-List: linux-kernel@vger.kernel.org

On 11/06/2018 12:39 AM, Miklos Szeredi wrote:
> On Mon, Nov 5, 2018 at 7:47 PM, Amir Goldstein wrote:
>> On Mon, Nov 5, 2018 at 8:22 PM Mark Salyzyn wrote:
>>> @@ -1549,7 +1569,8 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent) >>> ovl_dentry_lower(root_dentry), NULL); >>> >>> sb->s_root = root_dentry; >>> - >>> + if (!ofs->config.override_creds) >>> + pr_warn("overlayfs: override_creds=off, caller credentials may not be enough to delete file or directories, create nodes, or search directories.\n");
>> The audience is someone that has this feature on by mistake or someone
>> that turns it on without understanding what it does. I am not sure that this is
>> scary enough, but I don't have a better suggestion.
>> Will let others state their opinion.
> I don't think we need any warning message, writing down the rules in
> the documentation should be enough.

I would be pleased to remove them, but maybe more historical background is required in the documentation (see below [TL;DR])? I have been told to not talk rationalization, history, use cases; but only about side effects in the documentation.

Yes, the documentation (in the v7 patch set) cites this problem, so can remove this pr_warn in a v8 respin. Does anyone disagree? Will respin by EOD if nothing said.

[TL;DR] In 4.4 the default behaviour was effectively !override_creds since the mounter or creator MAC and DAC credentials wrapping the existing caller credentials had not yet been added until later. Except at that time the capabilities were temporarily elevated inside the overlayfs driver during the cited operations to (blindly) permit these few. When the mounter's MAC and DAC credentials were added (later), security was greatly improved by not counting on the elevated DAC, but it broke the expected 4.4 user space API. So in 4.9 and higher Android will require this patch to restore the behaviour that supports non-overlapping MAC credentials. But we chose _not_ to re-add the (inadvisable) hard coded elevated credentials for these specific accesses thus requiring the caller to _have_ the DAC credentials to perform them.
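Review bot: the pr_warn added right after `sb->s_root = root_dentry;` in ovl_fill_super fires on every mount that sets override_creds=off, so on a system where that option is the intended configuration it repeats in the kernel log for each overlay mount while telling the operator nothing the documentation does not already state; if any message is kept, pr_warn_once() (or dropping it in favour of the documented semantics, as the thread converges on) is preferable, and the text should read "delete files or directories". The security-relevant point the message is trying to convey is simply that with override_creds=off the caller's own DAC and MAC credentials, not the mounter's, gate those operations on the underlying layers, which is better stated once in the documentation than repeated in dmesg.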
- For those using the 4.4 way of doing things, these noted operations work.
- For those using the 4.9 way of doing things, the non-overlapping creator and caller MAC credentials broke.
- For latest, this patch brought back the support for non-overlapping MAC credentials, without the security issues of the 4.4 implementation, but alas breaks the 4.4 way of doing things as noted in this warning message.

-- Mark