From: Miklos Szeredi
Date: Thu, 29 Nov 2018 20:47:22 +0100
Subject: Re: overlayfs access checks on underlying layers
To: Stephen Smalley
Cc: Vivek Goyal, Ondrej Mosnacek, "J. Bruce Fields", Mark Salyzyn, Paul Moore, linux-kernel@vger.kernel.org, overlayfs, linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org, Daniel J Walsh

On Thu, Nov 29, 2018 at 5:14 PM Stephen Smalley wrote:
> Possibly I misunderstood you, but I don't think we want to copy-up on
> permission denial, as that would still allow the mounter to read/write
> special files or execute regular files to which it would normally be
> denied access, because the copy would inherit the context specified by
> the mounter in the context mount case. It still represents an
> escalation of privilege for the mounter. In contrast, the copy-up on
> write behavior does not allow the mounter to do anything it could not do
> already (i.e. read from the lower, write to the upper).

Let's get this straight: when file is copied up, it inherits label from context=, not from label of lower file?

Next question: permission to change metadata is tied to permission to open? Is it possible that open is denied, but metadata can be changed?

DAC model allows this: metadata change is tied to ownership, not mode bits. And different capability flag.

If the same is true for MAC, then the pre-v4.20-rc1 is already susceptible to the privilege escalation you describe, right?

Thanks,
Miklos
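
The DAC behaviour referred to in the message above (open is denied while a metadata change is still allowed), shown as an added example that is not part of the original email. The scratch path and the names `dac_probe` and `probe_dac_metadata` are assumptions made for illustration; a process holding CAP_DAC_OVERRIDE (typically root) will see the open succeed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of probing one file owned by the caller (hypothetical helper type). */
struct dac_probe {
    int open_errno;    /* errno from open(O_RDONLY) on a mode-000 file, 0 if it succeeded */
    int chmod_errno;   /* errno from the owner's chmod(), 0 if it succeeded */
    mode_t final_mode; /* permission bits after the chmod() */
};

/* Create a scratch file, strip every mode bit, then try to open it and to
 * change its metadata. Returns 0 if the probe ran, -1 on setup failure. */
int probe_dac_metadata(struct dac_probe *out)
{
    char path[] = "/tmp/dac_probe_XXXXXX"; /* constructed scratch path */
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);

    /* Mode 000: the mode bits now deny read, write and execute to everyone. */
    if (chmod(path, 0) != 0) { unlink(path); return -1; }

    /* Opening is governed by the mode bits (or CAP_DAC_OVERRIDE). */
    fd = open(path, O_RDONLY);
    out->open_errno = fd < 0 ? errno : 0;
    if (fd >= 0)
        close(fd);

    /* Changing the mode is governed by ownership (or CAP_FOWNER),
     * so the owner can do it although the open above was denied. */
    out->chmod_errno = chmod(path, 0640) == 0 ? 0 : errno;

    if (stat(path, &st) != 0) { unlink(path); return -1; }
    out->final_mode = st.st_mode & 07777;
    unlink(path);
    return 0;
}

int main(void)
{
    struct dac_probe p;
    if (probe_dac_metadata(&p) != 0) { perror("probe"); return 1; }
    printf("open errno=%d, chmod errno=%d, final mode=%04o\n",
           p.open_errno, p.chmod_errno, (unsigned)p.final_mode);
    return 0;
}
```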