From: Miklos Szeredi
Date: Tue, 4 Dec 2018 16:31:09 +0100
Subject: Re: overlayfs access checks on underlying layers
To: Vivek Goyal
Cc: Stephen Smalley, Ondrej Mosnacek, "J. Bruce Fields", Mark Salyzyn, Paul Moore, linux-kernel@vger.kernel.org, overlayfs, linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org, Daniel J Walsh
In-Reply-To: <20181204152248.GB21509@redhat.com>
References: <26bce3be-49c2-cdd8-af03-1a78d0f268ae@tycho.nsa.gov> <6b125e8e-413f-f8e6-c7ae-50f7235c8960@tycho.nsa.gov> <4c20a261-5ce1-f0a2-8d40-c6032a023216@tycho.nsa.gov> <20181204151549.GA21509@redhat.com> <20181204152248.GB21509@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 4, 2018 at 4:22 PM Vivek Goyal wrote:
> Having said that, this still creates a little anomaly when mknod to client
> is not allowed on context label. So a device file, which is on lower
> and which the client cannot open for read/write on host, can now be opened
> for read/write because the mounter will allow access. So why is it different
> from regular copy up? Well, in regular copy up, we created a copy of
> the original object and allowed writing to that object (cp --preserve=all
> model). But in the case of a device file, writes will go to the same original
> object (and not a separate copy).

That's true. In that sense copy up of a special file should result in
upper having the same label as lower, right?

Thanks,
Miklos