Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp944414imu; Wed, 28 Nov 2018 02:01:20 -0800 (PST) X-Google-Smtp-Source: AFSGD/UHl+YjTk0yUn+u+uOZ3Ly8Mwoc6tnnucdCwwAM45Nl74fRmlH05eni9/tHshXwdq2Yt0Ah X-Received: by 2002:a17:902:b40d:: with SMTP id x13mr25985094plr.237.1543399280661; Wed, 28 Nov 2018 02:01:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543399280; cv=none; d=google.com; s=arc-20160816; b=PpcyeZh5xtOqptqxtK1XnHgk1wfLaKTARdzD4DoRsA0PICZam/JiXPxcR/YMq4aJY/ GxtqVztAwleatMWDiNcppXPxdde2GvmxwXPBbfmHI8oHBGF90NXVeLLhJ8Tu9cU/wE7k +KW84likAgQ/vdzIgbVMixOxPwGEuPr49lsfWMrhpxUaV7OredJMmbDtvetOJ490Ca1V NJ8R+0tQE7IVm5umSEqMk5riqSf/ETwlJOqQ/eskTw1vlhF8iaJdbVMqFlTj46JYy0YS dVSL9qkPcJxfd0YUa+kDuCIOQbnO5JRs3x5/YelmdLABS5cZLR9s92J9hdZF1T14sSG9 PrAQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Nn31Rtr1vCmaeg2yOoBYMs142T7jvS7kmETnau6u9co=; b=MM+nKu0dpRh282Gasxz0TlHkw0plx0NGARxNnQBsoyHwYQS54eXyfboB2DxJkcwXoh 1eEgTLRxTA7oBxZXFKtlcjg1vcBLwHWvNxy9jDcpODp+zbRaCqIZgwDSjttYG5MqiqXY 1eLOBsriFKUjeEt+MSPrYL5+TK9ySl2mTZ6y4ZUcoaLLuiOleQBkv4xRsDVd6ASXZZ3+ q1AY43JxN/4o/1FEymGVU2Srn2oQztDQyM7CesfEPKKHo01m2Tr8ew/6H8rlsf4z+U59 HLsdkkhPQgZhJobtgSU9+7owPf1uVzKr+vkQwVuvROgAL4/RP92BJCxplPrHTPe3SopT CdPg== ARC-Authentication-Results: i=1; mx.google.com; dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=K9A1m8BG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id bh5si6503950plb.42.2018.11.28.02.01.05; Wed, 28 Nov 2018 02:01:20 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=K9A1m8BG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728063AbeK1VB2 (ORCPT + 99 others); Wed, 28 Nov 2018 16:01:28 -0500 Received: from mail-it1-f195.google.com ([209.85.166.195]:51876 "EHLO mail-it1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727413AbeK1VB1 (ORCPT ); Wed, 28 Nov 2018 16:01:27 -0500 Received: by mail-it1-f195.google.com with SMTP id x19so3428095itl.1 for ; Wed, 28 Nov 2018 02:00:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=szeredi.hu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Nn31Rtr1vCmaeg2yOoBYMs142T7jvS7kmETnau6u9co=; b=K9A1m8BGbpFwgZc+TRxVMrmacwwJWpOv6euT6GlmlxqOQRaM80Wn597qagLxYeH/1h pWlso5H3YSqAuYG1lZ5sgoGXwb/Ztg6bw5+PLoY/n7zFYn1cjnRu+yxVPGDvobNhXIbZ 87LOZShDNXYerDtPiEnOMfJaa2lrlUxR4yWJs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Nn31Rtr1vCmaeg2yOoBYMs142T7jvS7kmETnau6u9co=; b=R3JGtsHEHWCX2XNa3xSuzv1FYkUXqL+m6AhAtdJTh7iGGTgcmRcEB7yOy2cYEM4Cub SEF0srcL4nO0GASnDuvx/phHrH8gWlSPQX909BlqOa3as9AHB5rzuUx9R51NI5atkGFg ayeKONCK53obdF+R9ATLKdtyzW6A5se3Wmp/intcpeR8FTNRoG9mQU/S4W+k0JDdhyFk VnX3LcvTJMN6FOyKAaZKVV/DajdVu8OJZ1tjvxdXhTl3AZlX31lYyLEjWJ6MEy8lM1lK VCLwYQHvmTfN+5ozfUfVvX0TS7G4AdKtugqEtUHKvdOvnn/e/m3MLoZShi1HK0hrLSLp BkLg== X-Gm-Message-State: AA+aEWYuvoq3eEoQJc2tLIhpGo424FBupF5CpfLnguHKpjIlJ4PJRWV0 3lDSrKD2v4l3vRNd9YUOaYuCKx3j5aorrGUromO9JA== X-Received: by 2002:a24:710:: with SMTP id f16mr2019643itf.121.1543399221572; Wed, 28 Nov 2018 02:00:21 -0800 (PST) MIME-Version: 1.0 References: <20181127210542.GA2599@redhat.com> In-Reply-To: <20181127210542.GA2599@redhat.com> From: Miklos Szeredi Date: Wed, 28 Nov 2018 11:00:09 +0100 Message-ID: Subject: Re: overlayfs access checks on underlying layers To: Vivek Goyal Cc: Stephen Smalley , Ondrej Mosnacek , "J. Bruce Fields" , Mark Salyzyn , Paul Moore , linux-kernel@vger.kernel.org, overlayfs , linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org, Daniel J Walsh Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 27, 2018 at 10:05 PM Vivek Goyal wrote: > > On Tue, Nov 27, 2018 at 08:58:06PM +0100, Miklos Szeredi wrote: > > [resending with fixed email address for Paul Moore] > > > > Moving discussion from github[1] to here. > > > > To summarize: commit 007ea44892e6 ("ovl: relax permission checking on > > underlying layers") was added in 4.20-rc1 to make overlayfs access > > checks on underlying "real" filesystems more consistent. The > > discussion leading up to this commit can be found at [2]. The commit > > broke some selinux-testsuite cases, possibly indicating a security > > hole opened by this commit. > > > > The model this patch tries to follow is that if "cp --preserve=all" > > was allowed to the mounter from underlying layer to the overlay layer, > > then operation is allowed. That means even if mounter's creds doesn't > > provide permission to for example execute underying file X, if > > mounter's creds provide sufficient permission to perform "cp > > --preserve=all X Y" and original creds allow execute on Y, then the > > operation is allowed. This provides consistency in the face of > > copy-ups. Consistency is only provided in sane setups, where mounter > > has sufficient privileges to access both the lower and upper layers. > > [cc daniel walsh] > > I think current selinux testsuite tests are written keeping these > rules in mind. > > 1. Check overlay inode creds in the context of task and underlying > inode creds (lower/upper), in the context of mounter. > > 2. For a lower inode, if said file is being copied up, then only > check MAY_READ on lower. This is equivalent to mounter creating > a copy of file and providing caller access to it (context mount). > > For the case of special devices, we do not copy up these. So should > we continue to do check on lower inode in the context of mounter > (instead of not doing any check on lower at all). Hmm, I'm trying to understand the logic... If we follow the "cp --preserve=all" thing, than mounter needs to have CREATE permission for the special file, not READ or WRITE. Does that make sense? Would that help with the context= mount use case? > > For being able to execute a file, should we atleast check MAY_READ > on lower. Yep, that looks like a bug present from day one: MAY_EXEC doesn't always imply MAY_READ, but to be able to execute a file, the kernel must read it first, and if mounter doesn't have privilege to read the file, then user should not be allowed to execute it. > I am not sure why did we have to drop current checks on special file > and execute. I will read through the thread you pointed out. TL;DR: NFS access model is that creds are checked by server (and cached in client), and server could be denying write access to a device file to mounter (root) independently of DAC. In that case write access by user to device file would be inconsistent (denied before copy-up, allowed after copy-up). Same goes for execute. And same goes for MAC: if it's denying READ/WRITE on device or denying EXECUTE on readable file to mounter, and mounter can just copy that device/file to a temporry location not controlled by that MAC, than it can work around that restriction. IOW, this is just a generalization of the rule that we ignore WRITE access on lower layer, because a write will never reach the lower layer. Thanks, Miklos