From: Miklos Szeredi
Date: Tue, 27 Nov 2018 20:58:06 +0100
Subject: Re: overlayfs access checks on underlying layers
To: Stephen Smalley, Vivek Goyal, Ondrej Mosnacek, "J. Bruce Fields", Mark Salyzyn, Paul Moore
Cc: linux-kernel@vger.kernel.org, overlayfs, linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org

[resending with fixed email address for Paul Moore]

Moving discussion from github[1] to here.

To summarize: commit 007ea44892e6 ("ovl: relax permission checking on underlying layers") was added in 4.20-rc1 to make overlayfs access checks on underlying "real" filesystems more consistent. The discussion leading up to this commit can be found at [2].

The commit broke some selinux-testsuite cases, possibly indicating a security hole opened by this commit.

The model this patch tries to follow is that if "cp --preserve=all" was allowed to the mounter from the underlying layer to the overlay layer, then the operation is allowed. That means even if the mounter's creds don't provide permission to, for example, execute underlying file X, if the mounter's creds provide sufficient permission to perform "cp --preserve=all X Y" and the original creds allow execute on Y, then the operation is allowed.

This provides consistency in the face of copy-ups. Consistency is only provided in sane setups, where the mounter has sufficient privileges to access both the lower and upper layers.

The model may not have been perfectly followed, or possibly the model itself is flawed.

I'd like to better understand the issues here.

Thanks,
Miklos

[1] https://github.com/SELinuxProject/selinux-kernel/issues/43#issuecomment-442148920
[2] https://marc.info/?t=152762608800002&r=1
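The "cp --preserve=all" rule described in the mail, as an added toy model that is not the kernel's ovl_permission() or any code from the thread: it assumes a simplified DAC check using only owner and "other" mode bits, uid 0 bypassing DAC, and models the privilege needed to preserve ownership on copy-up as "mounter is root or already the owner"; the MAY_* names mirror the kernel's but are defined locally.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy model of the rule in the mail, not the kernel's ovl_permission(). */
enum { MAY_EXEC = 1, MAY_WRITE = 2, MAY_READ = 4 };

struct cred  { unsigned uid; };                 /* assumption: uid 0 bypasses DAC */
struct inode { unsigned uid; unsigned mode; };  /* mode: only owner and "other" bits used */

/* Simplified Unix DAC check: owner bits if uid matches, otherwise "other" bits. */
static bool dac_permission(const struct cred *c, const struct inode *i, int mask)
{
    unsigned bits = (c->uid == i->uid) ? (i->mode >> 6) & 7 : i->mode & 7;
    if (c->uid == 0)
        return true;
    return (bits & mask) == mask;
}

/* Could the mounter run "cp --preserve=all X upperdir/Y"?  It must read the lower
 * file, create in upperdir, and keep the owner (modelled as: root, or already owner). */
static bool mounter_can_copy_up(const struct cred *mounter, const struct inode *lower,
                                const struct inode *upperdir)
{
    return dac_permission(mounter, lower, MAY_READ) &&
           dac_permission(mounter, upperdir, MAY_WRITE | MAY_EXEC) &&
           (mounter->uid == 0 || mounter->uid == lower->uid);
}

/* The rule from the mail: allow if the mounter could copy the file up and the
 * original caller would be allowed 'mask' on the copy (same owner and mode). */
static bool ovl_permission_model(const struct cred *mounter, const struct cred *caller,
                                 const struct inode *lower, const struct inode *upperdir,
                                 int mask)
{
    struct inode copy = *lower;  /* --preserve=all keeps uid and mode */
    return mounter_can_copy_up(mounter, lower, upperdir) &&
           dac_permission(caller, &copy, mask);
}

int main(void)
{
    struct cred mounter = { 1000 }, caller = { 2000 };
    struct inode upperdir = { 1000, 0700 };
    struct inode x = { 1000, 0601 };  /* owner rw-, other --x: mounter may read but not exec */

    printf("mounter exec on X directly: %d\n", dac_permission(&mounter, &x, MAY_EXEC));  /* 0 */
    printf("caller exec via overlay:    %d\n",
           ovl_permission_model(&mounter, &caller, &x, &upperdir, MAY_EXEC));           /* 1 */
    x.mode = 0101;  /* mounter can no longer read X, so no copy-up and no access */
    printf("caller exec, unreadable X:  %d\n",
           ovl_permission_model(&mounter, &caller, &x, &upperdir, MAY_EXEC));           /* 0 */
    return 0;
}
```

The second case is the one the mail describes: the mounter cannot execute X itself, yet the caller is allowed because the mounter could copy X up and the caller may execute the copy; the third case shows that once the mounter loses read access to the lower file, the "sane setup" assumption fails and access is denied.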