Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp8466935imu; Tue, 4 Dec 2018 08:49:12 -0800 (PST) X-Google-Smtp-Source: AFSGD/UcXuC/0m4rh6/5RxkG8vvivwmwNQvtDJ26DNWAGufOFoClNy5vvGX3AlecTCuN9ocmTUqp X-Received: by 2002:a63:9e0a:: with SMTP id s10mr17505170pgd.239.1543942152845; Tue, 04 Dec 2018 08:49:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543942152; cv=none; d=google.com; s=arc-20160816; b=vH5m7gBeW/tpkjgBCTmQrcbkmjkbWNZXKTFbgyWyioXpHVK3S0UMiHV0OSKFI32JEN muceWo3xQsrLEWxGsVdpW4FydMM0nUdYWGMH7YmGeLQxrmIfpnneAebnOmdSV0pW42mJ 7YmzZHOIPCrIUvgSYTn0mLEqMrmHkn37yyIf149HDrPEiSBdPACTL/7Sir/FJHW0OnYx xKEGr8K69sl6wCvQPNXIEbV3cwUM0B9OYHmP5eeflD9g7lWji7wc5d4oURQ7pp05Cueh Dq1a0PGHbe+9sxX99wEoyDJDMe3kbpB5YhzU5iSlOKSdTJcteG9mE65LIOVHbfoUPanB Izaw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:ironport-phdr; bh=x1c6Fe2sAzg1w47Y+dpCxYck/4FFLo10kdi8dJ+eLSg=; b=DnyoWDszpZ047vI+nKgPReTQ+Ko7RZ8fmxqpPPfC7ak0f+GR4pFoDo9ynQkb8tp73m rfRtl99XFz1Lp7JWsh8MzrOfFGiB0LzmmtKH+vhGUuwhiRamPlqwr8ukfw/AuInLqYfC M+ZxDUeBDPm1M6t40mtr712Gs59Md1r61FdjVJkucsM/5vBpFT0b50ilJfL6/NRin5+K d8CQ237wAIuHlmuE1cOn75iBxS7GPgXDZGiLF/t0DzS9G/DASzxAvq4n68p3Cl3KsBor Jfpl+ogJhiqN2XPeJdOLOvy6gbY/lp9u7qSDB9XyxVe1bfLoIdELROow4X+AKPENQL21 0dvw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w187si15958833pgb.552.2018.12.04.08.48.57; Tue, 04 Dec 2018 08:49:12 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727222AbeLDQqk (ORCPT + 99 others); Tue, 4 Dec 2018 11:46:40 -0500 Received: from ucol19pa13.eemsg.mail.mil ([214.24.24.86]:41651 "EHLO ucol19pa13.eemsg.mail.mil" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726420AbeLDQqj (ORCPT ); Tue, 4 Dec 2018 11:46:39 -0500 X-EEMSG-check-008: 655380697|UCOL19PA13_EEMSG_MP11.csd.disa.mil X-IronPort-AV: E=Sophos;i="5.39,1,1493683200"; d="scan'208";a="655380697" Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.3]) by ucol19pa13.eemsg.mail.mil with ESMTP/TLS/DHE-RSA-AES256-SHA256; 04 Dec 2018 16:46:36 +0000 X-IronPort-AV: E=Sophos;i="5.56,314,1539648000"; d="scan'208";a="21316479" IronPort-PHdr: =?us-ascii?q?9a23=3Ar0k1fB27eqxW9T2KsmDT+DRfVm0co7zxezQtwd?= =?us-ascii?q?8ZsesVIvzxwZ3uMQTl6Ol3ixeRBMOHs6IC07KempujcFRI2YyGvnEGfc4EfD?= =?us-ascii?q?4+ouJSoTYdBtWYA1bwNv/gYn9yNs1DUFh44yPzahANS47xaFLIv3K98yMZFA?= =?us-ascii?q?nhOgppPOT1HZPZg9iq2+yo9JDffwZFiCChbb9uMR67sRjfus4KjIV4N60/0A?= =?us-ascii?q?HJonxGe+RXwWNnO1eelAvi68mz4ZBu7T1et+ou+MBcX6r6eb84TaFDAzQ9L2?= =?us-ascii?q?81/szrugLdQgaJ+3ART38ZkhtMAwjC8RH6QpL8uTb0u+ZhxCWXO9D9QKsqUj?= =?us-ascii?q?q+8ahkVB7oiD8GNzEn9mHXltdwh79frB64uhBz35LYbISTOfVwZKPdec4RS3?= =?us-ascii?q?RHUMhfSidNBpqwY5UTA+YEO+tTsovzqEYUrRamGAeiGu3vxD9LiHH406I13O?= =?us-ascii?q?YuHh3J0gE7A9IDsm7ZoMnpOKocU+24yrTDwzXZb/NR3Dfw8JXGcgw/rvGUXb?= =?us-ascii?q?J/b8zRwlQyGQPAlFqQrYjlMC2V1+8QtGWb9PdvVfm0hm47qwB+vjivxsA2ho?= =?us-ascii?q?nPnYIa0ErI9Sp+wIYrPNC1TlNwb928EJZIqi2XOIR7TtkiTm11oio21LILtY?= =?us-ascii?q?ChcCQXzpks2gTRZOadc4eS5xLuTOORITBli317YL+/nBOy8VS4yu37S8m0zE?= =?us-ascii?q?5GripbndnIsXAAzwDT5dKdSvt840ehwiyD1xzT6+5YIUA0krDXK5g9zb4rip?= =?us-ascii?q?Ufq0HDHi7ymEnuja+WcFsr+vSw5uj6bbjrqYWQOo9phg3kLKgjldKzDf4lPg?= =?us-ascii?q?QWWmiU4+W81Lnt/U3jR7VKi+U7krLEv5DBPskbuq64DBNV0oYk8Rq/CSym38?= =?us-ascii?q?4CkXkIK1JFZgqLj5L1NFHWPPD4EfC/jkyykDdkwPDHPqfuApHWI3jZjrjuYL?= =?us-ascii?q?Z95FRAyAYp0d9f4JdUAKkbIP3vQk/xqMDYDhghPgyxwubnC9F91oQFWW+UGa?= =?us-ascii?q?+YMb3dsUWW6e0yIumAfo8VuCvlIfg/+/HulWM5mUMafaSx2psXbXe4Hu9gI0?= =?us-ascii?q?qDfXXjnMwMEX0UsQUjTOzlkkGCXSRPaHa1WqI2/is7B56+DYffWoCth6SM0z?= =?us-ascii?q?y1Hp1XeG9GDk2DEWzzeoWKWvcDdiaSLdJ6kjMaTritUYgh1QuhtAXi0bpoMv?= =?us-ascii?q?LU+jEEtZLkzNV1/PfclRUy9D11D8Wd1XqAQHtynmwVXT8226F/rlFnxlif1q?= =?us-ascii?q?h4huRSFcZP6PNRTgc6KZncwvRiC9/oRwLBesyESE68TdW7BTE9V9cxw9gJY0?= =?us-ascii?q?ZnBdqulAzM3y2vA7UNjbyEGIQ08r7A33j2P8t9z3fG1K88j1gpW8dPNnOphr?= =?us-ascii?q?R59wfNA47EiFuZl6m0eqQGxiLN93mMzXCIvE5GVA58S6LFXWoQZkHOt9T2+l?= =?us-ascii?q?vCT6OyCbQgKgZBzc+CKq1XatzmlFlGWfHjONXZY2K3lWewHg2Fxq2DbIX0YW?= =?us-ascii?q?URxibdB1YekwAV43mGMRIyBiC7o2LRFDZuD07gY1vw8elir3O2Vks0zwCMb0?= =?us-ascii?q?182Lu54xAVheeBRPwNwLILpiMhpi5qHFaywd3WEcCMpwl/c6VGZ9My/lNH2X?= =?us-ascii?q?jetwxnMZyqN7piiUIGcwRro0Pu0A16Cp5ensgurXMqyhdyKK2D3VNfeDOXw4?= =?us-ascii?q?rwNqfUKmbs5hCvbbDZ2lXE3NaR4KcP5+wyq0//swGxCkoi73Jn3sFI3HqS/J?= =?us-ascii?q?rKCBESUZLqX0Yt6Rd1urHabTMh54/OyXJsNqy04Xf+3IcXBfUoyV6PeMZWNO?= =?us-ascii?q?vQCgD1AsQeL9KjJOwjhx6iaRdSb85I86thBN+rb/uL3uaQOe9kmD+3xTBc7J?= =?us-ascii?q?tVzlOH9y06TPXBmZkC3afLjUO8Sz7ggQL54YjMkodeaGRXRzDnxA=3D=3D?= X-IPAS-Result: =?us-ascii?q?A2A5AADQrgZc/wHyM5BkGwEBAQEDAQEBBwMBAQGBVAMBA?= =?us-ascii?q?QELAYFaKYFoJ4N5lHQBAQEBAQEGgQgtiR+QJDgBhEACgwoiNwYNAQMBAQEBA?= =?us-ascii?q?QECAWwogjYkAYJiAQUjFTQKAxALDgoCAiYCAlcGDQYCAQEXgkc/gXUNpRqBL?= =?us-ascii?q?4VAhHCBC4sTF3iBB4E4gmuIBYJXAokcggSEWDdQj0oJkTsGGIFbiDaHFZpTI?= =?us-ascii?q?oFVKwgCGAghD4MngicXjjshAzCBBQEBimIBAQ?= Received: from tarius.tycho.ncsc.mil ([144.51.242.1]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 04 Dec 2018 16:46:35 +0000 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id wB4GkZGd005098; Tue, 4 Dec 2018 11:46:35 -0500 Subject: Re: overlayfs access checks on underlying layers To: Vivek Goyal Cc: Miklos Szeredi , Ondrej Mosnacek , "J. Bruce Fields" , Mark Salyzyn , Paul Moore , linux-kernel@vger.kernel.org, overlayfs , linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org, Daniel J Walsh References: <4c20a261-5ce1-f0a2-8d40-c6032a023216@tycho.nsa.gov> <20181204151549.GA21509@redhat.com> <20181204152248.GB21509@redhat.com> <20181204154243.GA16818@redhat.com> <665ec6f3-f16d-681f-30d5-eface14c9808@tycho.nsa.gov> <20181204161747.GC16818@redhat.com> From: Stephen Smalley Message-ID: Date: Tue, 4 Dec 2018 11:49:16 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1 MIME-Version: 1.0 In-Reply-To: <20181204161747.GC16818@redhat.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12/4/18 11:17 AM, Vivek Goyal wrote: > On Tue, Dec 04, 2018 at 11:05:46AM -0500, Stephen Smalley wrote: >> On 12/4/18 10:42 AM, Vivek Goyal wrote: >>> On Tue, Dec 04, 2018 at 04:31:09PM +0100, Miklos Szeredi wrote: >>>> On Tue, Dec 4, 2018 at 4:22 PM Vivek Goyal wrote: >>>> >>>>> Having said that, this still create little anomaly when mknod to client >>>>> is not allowed on context label. So a device file, which is on lower >>>>> and client can not open it for read/write on host, it can now be opened >>>>> for read/write because mounter will allow access. So why it is different >>>>> that regular copy up. Well, in regular copy up, we created a copy of >>>>> the original object and allowed writing to that object (cp --preserve=all) >>>>> model. But in case of device file, writes will go to same original >>>>> object. (And not a separate copy). >>>> >>>> That's true. >>>> >>>> In that sense copy up of special file should result in upper having >>>> the same label as of lower, right? >>> >>> I guess that might be reasonable (if this behavior is a concern). So even >>> after copy up, client will not be able to read/write a device if it was >>> not allowed on lower. >>> >>> Stephen, what do you think about retaining label of lower for device >>> files during copy up. What about socket/fifo. >> >> We don't check client task access to the upper inode label, only to the >> overlay, right? So the client is still free to access the device through >> the overlay even if we preserve the lower inode label on the upper inode? >> What do we gain? > > That's only with latest code and Miklos said he will revert it for 4.20. > > IOW, I am assuming that we will continue to check access to a file > on upper in the context of mounter. Otherwise, client will be able to access > files on upper/ which even mounter can't access. I was assuming we're talking about the proposed solution, where we check client access to the overlay (unchanged), mounter access to lower (unchanged), copy-up if denied (new), mounter access to upper (new in the sense that previously we didn't copy-up on denials). In that situation, propagating the lower inode label to the upper inode only impacts the mounter checks, and in that case makes copy-up pointless - if it wasn't allowed to lower it won't be allowed to upper. If it is allowed, then client task is free to access the device regardless as long as it has permissions to the overlay inode. So I don't see what we gain by propagating the lower inode label to the upper inode in the context mount case, and it creates an inconsistency between special files and regular ones. Did I miss something?