From: Miklos Szeredi
Date: Tue, 27 Nov 2018 20:55:00 +0100
Subject: overlayfs access checks on underlying layers
To: Stephen Smalley, Vivek Goyal, Ondrej Mosnacek, Paul Moore, "J. Bruce Fields", Mark Salyzyn
Cc: linux-kernel@vger.kernel.org, overlayfs, linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org
List-ID: linux-kernel@vger.kernel.org

Moving discussion from github[1] to here.

To summarize: commit 007ea44892e6 ("ovl: relax permission checking on underlying layers") was added in 4.20-rc1 to make overlayfs access checks on underlying "real" filesystems more consistent. The discussion leading up to this commit can be found at [2].

The commit broke some selinux-testsuite cases, possibly indicating a security hole opened by this commit.

The model this patch tries to follow is that if "cp --preserve=all" was allowed to the mounter from the underlying layer to the overlay layer, then the operation is allowed. That means even if the mounter's creds don't provide permission to, for example, execute underlying file X, if the mounter's creds provide sufficient permission to perform "cp --preserve=all X Y" and the original creds allow execute on Y, then the operation is allowed.

This provides consistency in the face of copy-ups. Consistency is only provided in sane setups, where the mounter has sufficient privileges to access both the lower and upper layers.

The model may not have been perfectly followed, or possibly the model itself is flawed. I'd like to better understand the issues here.
Thanks,
Miklos

[1] https://github.com/SELinuxProject/selinux-kernel/issues/43#issuecomment-442148920
[2] https://marc.info/?t=152762608800002&r=1
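The "cp --preserve=all" rule described in the mail, written out as a small Python model so the two conditions (mounter could copy the file up with attributes preserved; requester has the wanted access on that copy) can be exercised side by side with a stricter variant. This is an added example, not code from the mail, from overlayfs or from the kernel: the credentials, modes and the `strict_may` contrast are constructed assumptions, and the check uses plain POSIX mode bits only (no ACLs, no capabilities, no LSM hooks), with ownership preservation simply assumed to be permitted for the mounter.

```python
# Toy model of the overlayfs rule from the mail: an operation on a lower-layer
# file is allowed iff the mounter could "cp --preserve=all" it into the upper
# layer and the requester's own creds would then permit the operation on the copy.
# Added example, not kernel code. Credentials and modes below are constructed.
from dataclasses import dataclass

R, W, X = 4, 2, 1  # bits of one rwx triplet


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # 9-bit rwxrwxrwx, e.g. 0o740


def posix_may(cred: Cred, inode: Inode, want: int) -> bool:
    """Classic owner/group/other mode-bit check (assumption: no ACLs, no caps)."""
    if cred.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif cred.gid == inode.gid:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & want == want


def mounter_can_copy_up(mounter: Cred, lower: Inode, upper_dir: Inode) -> bool:
    """Could the mounter run 'cp --preserve=all lower upper_dir/'?
    Assumed minimum: read on the source plus write+search on the destination
    directory. Preserving owner/group/mode is assumed to be allowed for the
    mounter (e.g. it holds CAP_CHOWN), as in the 'sane setups' the mail names."""
    return posix_may(mounter, lower, R) and posix_may(mounter, upper_dir, W | X)


def overlay_may(mounter: Cred, requester: Cred, lower: Inode,
                upper_dir: Inode, want: int) -> bool:
    """The rule from the mail, as a two-step check."""
    if not mounter_can_copy_up(mounter, lower, upper_dir):
        return False
    copy = Inode(lower.uid, lower.gid, lower.mode)  # --preserve=all keeps these
    return posix_may(requester, copy, want)


def strict_may(mounter: Cred, requester: Cred, lower: Inode, want: int) -> bool:
    """Assumed contrast (not claimed to match any kernel version): the mounter
    itself must hold the requested access on the lower inode, in addition to
    the requester."""
    return posix_may(mounter, lower, want) and posix_may(requester, lower, want)


def demo() -> dict:
    """Constructed scenario mirroring the mail's execute example."""
    mounter = Cred(uid=1000, gid=1000)
    owner = Cred(uid=2000, gid=2000)          # the original (requesting) creds
    upper_dir = Inode(uid=1000, gid=1000, mode=0o700)   # mounter's own upperdir
    # X: owner rwx, group 1000 r--, other ---: mounter can read but not execute
    x = Inode(uid=2000, gid=1000, mode=0o740)
    results = {
        "strict_exec": strict_may(mounter, owner, x, X),               # denied
        "overlay_exec": overlay_may(mounter, owner, x, upper_dir, X),  # allowed
    }
    # Mounter cannot even read this file: outside the 'sane setup', rule denies
    hidden = Inode(uid=2000, gid=2000, mode=0o700)
    results["overlay_hidden"] = overlay_may(mounter, owner, hidden, upper_dir, R)
    # Upper dir not writable by the mounter: no copy-up possible, rule denies
    ro_upper = Inode(uid=0, gid=0, mode=0o755)
    results["overlay_ro_upper"] = overlay_may(mounter, owner, x, ro_upper, X)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18s} {'allowed' if allowed else 'denied'}")
```

The `overlay_exec` case is the mail's example: the mounter cannot execute X itself, but it can read X and write the upper directory, and the copy it would produce keeps X's owner and mode, on which the original creds do hold execute. The last two cases show where the rule stops granting access once the mounter lacks access to one of the layers.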