Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp332185imu; Tue, 27 Nov 2018 13:08:15 -0800 (PST) X-Google-Smtp-Source: AFSGD/WECQEqAi3HqBmgCENSqdmqYJAc3CWzlm26Kkugz8Ua1UgJbRHXbDF4JmChhIFHo2BJ5LNG X-Received: by 2002:a17:902:4225:: with SMTP id g34mr34866288pld.152.1543352895856; Tue, 27 Nov 2018 13:08:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543352895; cv=none; d=google.com; s=arc-20160816; b=WVS3Envkf1N6okSvpIFzW0EL3B8fFsq6Y1SYI0xqiJ43HHyvXYpSfH+AUNPOuo4P1y 6WJvFSJ3ChYZpPtcspDo3gKCsdCF+KV+2/pJ9P+CB883tzt4BQ+TKN7EiU56cpjPkhJF pbCn3noGHptaLyi2CAMOSPxzxOvXUVTcMqq9Jr0Mx7GUiIQyj8GZ9UiXHxTbXKt2qROQ t3uOGXm2q5wi9rXdM27IS5ZZfDrAsL+e6DOf4U0UQc7X1F75zwtAXDgofoVy5tNnUcUC lGRJmWfU0WIkwrUMIUYpDNAUe92SopB36fWoP+GWksx8ix/x8JiIfENal2xzvHrW/AhD 99Hw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=f3dAJ3lFUZpDVkG6d8dvrxVfeoam1Xrbh7vsfBYzCFM=; b=wPZY+mcyhvB+x01T829ekkICPtI9Le3YlusIn5ojXtDC1dHRwRe792loKdRT/MBlBx lkvapXNV8Y7fXUhIcuLw2SYvb5ifdpjBnzSSaAXcCUa3cCxcpGQYbENSMgDA/8x6UknA e0KDBwu4cm0oMc7S/DTQh60qO6DbZp6seuX81IoPniYcLL6vbmJRNwJLqTyc4qSh5wsm q+okncsL0svYKHCHkQdU/oxjWOxn7Q685ujCKQY+fl8VLW5z4zRllwfETQPuUW/hUbET 6aAw1Ky0usIPjc/MRWHGbtred6zZ1n3hwVtSNX+znUdaKOV6NXl+PoL8qOHQJoLjK6gt EoSg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v25si4629319pgk.341.2018.11.27.13.07.57; Tue, 27 Nov 2018 13:08:15 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726772AbeK1IEx (ORCPT + 99 others); Wed, 28 Nov 2018 03:04:53 -0500 Received: from mx1.redhat.com ([209.132.183.28]:42082 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726273AbeK1IEx (ORCPT ); Wed, 28 Nov 2018 03:04:53 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 566F4308A94F; Tue, 27 Nov 2018 21:05:43 +0000 (UTC) Received: from horse.redhat.com (unknown [10.18.25.234]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1A5AC5DD73; Tue, 27 Nov 2018 21:05:43 +0000 (UTC) Received: by horse.redhat.com (Postfix, from userid 10451) id 948752208FC; Tue, 27 Nov 2018 16:05:42 -0500 (EST) Date: Tue, 27 Nov 2018 16:05:42 -0500 From: Vivek Goyal To: Miklos Szeredi Cc: Stephen Smalley , Ondrej Mosnacek , "J. Bruce Fields" , Mark Salyzyn , Paul Moore , linux-kernel@vger.kernel.org, overlayfs , linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org, Daniel J Walsh Subject: Re: overlayfs access checks on underlying layers Message-ID: <20181127210542.GA2599@redhat.com> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.1 (2017-09-22) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.41]); Tue, 27 Nov 2018 21:05:43 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 27, 2018 at 08:58:06PM +0100, Miklos Szeredi wrote: > [resending with fixed email address for Paul Moore] > > Moving discussion from github[1] to here. > > To summarize: commit 007ea44892e6 ("ovl: relax permission checking on > underlying layers") was added in 4.20-rc1 to make overlayfs access > checks on underlying "real" filesystems more consistent. The > discussion leading up to this commit can be found at [2]. The commit > broke some selinux-testsuite cases, possibly indicating a security > hole opened by this commit. > > The model this patch tries to follow is that if "cp --preserve=all" > was allowed to the mounter from underlying layer to the overlay layer, > then operation is allowed. That means even if mounter's creds doesn't > provide permission to for example execute underying file X, if > mounter's creds provide sufficient permission to perform "cp > --preserve=all X Y" and original creds allow execute on Y, then the > operation is allowed. This provides consistency in the face of > copy-ups. Consistency is only provided in sane setups, where mounter > has sufficient privileges to access both the lower and upper layers. [cc daniel walsh] I think current selinux testsuite tests are written keeping these rules in mind. 1. Check overlay inode creds in the context of task and underlying inode creds (lower/upper), in the context of mounter. 2. For a lower inode, if said file is being copied up, then only check MAY_READ on lower. This is equivalent to mounter creating a copy of file and providing caller access to it (context mount). For the case of special devices, we do not copy up these. So should we continue to do check on lower inode in the context of mounter (instead of not doing any check on lower at all). For being able to execute a file, should we atleast check MAY_READ on lower. I am not sure why did we have to drop current checks on special file and execute. I will read through the thread you pointed out. Thanks Vivek