Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp8330714imu; Tue, 4 Dec 2018 06:47:12 -0800 (PST) X-Google-Smtp-Source: AFSGD/Vvx3PFW1jHZE/OBhnLItpwm9YlMm/NI49q1B27ANvWv+3NP6rVGz/7P/6PwRJkDx53JVBJ X-Received: by 2002:a62:8893:: with SMTP id l141mr20141461pfd.1.1543934832369; Tue, 04 Dec 2018 06:47:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543934832; cv=none; d=google.com; s=arc-20160816; b=SRQf00rtwRtKCorwwUBMBqHUyX6bDVdmCB0UCZJ7hDgGpwPHyVEUEm4tnfuAnE6gK6 0nm4BjW5eZWhFSzwrHsq/1BH75VGVNDEfKkTTZqet+v9KiCl4i7KlPvJu34rrdgr4G7R THY5VM890G1MV7Tzdyz2o2j+HXPYyf2wO/2ACljIfv0KKjOuy4+hkWeGdHSOMdoLKm0N fLgC4OAH0lwVfq9EQcS1BBamL8iGF5VJFEsJZ5jXhIDjAROnZdKT8c8f9j++nzH95ejR ZyMSdor22SxduqkldqjhS8hvCBINqSD5izWe8udFisG8Jz9cNTLzUMGE6CA/ZM1Bs7qN jV/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=g32YqTA80V6kUsfx+TbEyMJOZvuwJB1QJlsNROCRuVU=; b=zAwqHWdeBWgALf8uvwOMptmTCQsao4Z3GXJaCbiXeZkM6PQUs+5tIjR7H17vVPOqES cuJvJfSLJUdODx5wo70oCLS3+lU6UwmM9P7VFiam1nquJKY1Vkpfb1OOsoKhjodo7xGR V2HlLqRToRo6RWeHzCQUksATF+EMLJFa1i/qv4smRM+nBh853aoEKLmXSa3Z6+z5YUVR QcOFCKd/Svg2yKTNMFHq13RVnKyA92UPw+sxmKVb9ZZWpZILTLo398bz9XifLpoLWhah ZP6BNTCxH1FjJwr4HBk6uNryhisS7szxhUiS5pz1cJN18OVfeX6rqz/pRB0JNt8riZAb uwGg== ARC-Authentication-Results: i=1; mx.google.com; dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=fjfeRnG2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q189si18332464pfb.62.2018.12.04.06.46.57; Tue, 04 Dec 2018 06:47:12 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=fjfeRnG2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726671AbeLDOqB (ORCPT + 99 others); Tue, 4 Dec 2018 09:46:01 -0500 Received: from mail-it1-f195.google.com ([209.85.166.195]:35243 "EHLO mail-it1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726400AbeLDOqA (ORCPT ); Tue, 4 Dec 2018 09:46:00 -0500 Received: by mail-it1-f195.google.com with SMTP id p197so14779169itp.0 for ; Tue, 04 Dec 2018 06:45:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=szeredi.hu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=g32YqTA80V6kUsfx+TbEyMJOZvuwJB1QJlsNROCRuVU=; b=fjfeRnG2tSePA6vDhDxv9wsQGy4eOWo4RR/eL+AHMYNkP844nH7JeykS4onSFSxMjq gM7jAb4y+BSJ9222KtucEpAu3XkeJgf4CUOKT9A+3mQf4FeKZw0g2x6lRkiTP8JsOElA c0fN2p9DnRxY4Z+gjK0P8UUxRKO2PmoTu0qfc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=g32YqTA80V6kUsfx+TbEyMJOZvuwJB1QJlsNROCRuVU=; b=lHB/OYZiOy9rP3iwyp4556mqudoR2iUR74Ot/fiDxEpfu+D6696k8EELZsnb39kGQp +A/VfnllrYwPyB3Mtdr4q7G7uBeeFkpDTETCZWJwmTNByH08H6oBcQHxQckfgW7ERslT 8ehFxTZ47ijIgBO6Os0fzhIXVnGIIDI84tG9pH1pTeCuqmtqxrTautDd9oO1HkvVFOd1 ZLvEVeFW54Cb0PlU62jyW8LE077/Sjdy9msdvfdZuZF0ALO4FKUyUcyRFml8IboHekSn 4i/l78/B6xOhVBBExqSI9MM9Rx3aQn4JG0jUkuAOY5mQnp9vkC7fnGiVtw5kLo4uwYba 2GQg== X-Gm-Message-State: AA+aEWYh1GYHXismSjja94CzUnW+3jcJQRJ8UkdkppI31TdlWnAepAhm TKe/Okjuv7vyBbMNUpmBZZ29N5k6aVSkL3bAGUjAPA== X-Received: by 2002:a02:3da:: with SMTP id e87mr17254771jae.78.1543934759464; Tue, 04 Dec 2018 06:45:59 -0800 (PST) MIME-Version: 1.0 References: <20181127210542.GA2599@redhat.com> <20181128170302.GA12405@redhat.com> <377b7d4f-eb1d-c281-5c67-8ab6de77c881@tycho.nsa.gov> <26bce3be-49c2-cdd8-af03-1a78d0f268ae@tycho.nsa.gov> <6b125e8e-413f-f8e6-c7ae-50f7235c8960@tycho.nsa.gov> <4c20a261-5ce1-f0a2-8d40-c6032a023216@tycho.nsa.gov> In-Reply-To: <4c20a261-5ce1-f0a2-8d40-c6032a023216@tycho.nsa.gov> From: Miklos Szeredi Date: Tue, 4 Dec 2018 15:45:47 +0100 Message-ID: Subject: Re: overlayfs access checks on underlying layers To: Stephen Smalley Cc: Vivek Goyal , Ondrej Mosnacek , "J. Bruce Fields" , Mark Salyzyn , Paul Moore , linux-kernel@vger.kernel.org, overlayfs , linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org, Daniel J Walsh Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Dec 4, 2018 at 3:28 PM Stephen Smalley wrote: > > On 12/4/18 8:32 AM, Miklos Szeredi wrote: > > My proposed sequence would be > > > > a) check task's creds against overlay inode, fail -> return fail, otherwise: > > b) check mounter's creds against lower inode, success -> return > > success, otherwise: > > c) copy up inode, fail -> return fail, otherwise > > d) check mounter's creds against upper inode, return result. > > > > So, unlike write access to regular files, write access to special > > files don't necessarily result in copy-up. > > > > You say this is an escalation of privilege, but I don't get it how. > > As DWalsh points out downthread, if mounter cannot create device > > files, then the copy-up will simply fail. If mounter can create > > device files, then this is not an escalation of privilege for the > > mounter. > > Yes, in that case there isn't an escalation of privilege for the mounter > (I acknowledged that above). I'm still not sure copy-up of special > files is a good idea though: > > - In the case of device files, there is the potential for mischief by > the client task in misusing the mounter's privileges to gain access to > otherwise unusable device node (nodev lower vs upper?), The mount flag "nodev" on lower or upper has no effect on the overlay, and never had. > - In the case of sockets or fifos, what useful result do you get from a > copy-up? Accessing the copy isn't going to yield the same result as > accessing the original. This is a misconception. Overlayfs is a filesystem (that uses other filesystems as backing store), but it's more a filesystem and less a vfs hack (and trying to completely get out of the vfs hack business), and copy up has no effect on I/O being performed on a socket or FIFO: it's the same object before and after the copy up, and it's a different object from either the lower or upper nodes. Same as NFS: fifo on server is logically different object than fifo having the same name on any number of clients. > For executables, this copy-up behavior might trigger a lot of undesired > copies of non-executable files from the lower dir into the upper, even > if we ultimately end up denying the execute. That would only happen if - task is allowed exec on overlay - mounter is denied exec on lower - copy up is allowed - mounter is denied exec on upper In fact in the model where upper object inherits context from overlay this is pretty much impossible, AFAICT. Thanks, Miklos