Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp9490747imu; Wed, 5 Dec 2018 05:45:27 -0800 (PST) X-Google-Smtp-Source: AFSGD/VY4s+uoooltHcVqsPxZ1VDKGuEXHtkBhisXN6ZY8mYxXdu9GHN3LP5f8pcqkzpzEO4mncv X-Received: by 2002:a17:902:4827:: with SMTP id s36mr23472138pld.168.1544017527035; Wed, 05 Dec 2018 05:45:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544017527; cv=none; d=google.com; s=arc-20160816; b=L0DG7fu5cV5xqSp1spa5lIr37io/dQYjcfnFldcs1ifljcvDFOkNOG7XQzadUCfLde iVpA3X8CSp6KQCRoSmaM5VEV9zR+eFIOgUjepIi4Aw885D4cvTEiEAIH33zhyRpcf8ow yxWrPeB9cJUjKT+beyR2Ld2OtJcOXJRVAjDjbMcnxSGv5PPTj/WcKT2ygZR9m4jSCbPn leqyj5cn9n4sCQsPVe7jeC6WhmpvFT6gEoogQTyfS8PQB2Gr05pi1dm6NL4VqQZD3VWg Kse5ihGigeQSi7ZFpxSsNVuiJQ/0v08Eq2KIfoQaK4so2uaPwoQkAJtn9ol5Np+L48Cy zFdg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=fPA7vS4zNJ6p6IxztIKCa3wdwRj9uZsm2APYcCG7IdY=; b=r3Jc2LPTScnsSpTkpWH1xvSB5pQ/mNQhBjJ11BYfFwFXk+HYrbozzvK84dVSOPQxfu HjgOZ5vrwjD8tF25wRmNDvR8Q5ga5q9ybbmg8/KlfCAipgfI4umFjZmAsXdcZIzZxzXP UhMrS3eOkA3H5oygKuOdcfyX0uPgCIVNQ/W6gjVaKRwupcS39cOih3g/xNAZsljo43jP NNbLpepskhxQEi0hmYDJNAiLl+ETf6UT5zU41SVCop0Eg/H8V2g86j/N+D+FIFFISTBo yWK/3XqrM55uzXUPD5puBvRQ8YF5hgqjgBSxWwolfJKbEnXzw6O/rmo1ZS2uEVnzr6yB xJ7g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w14si20136226plq.145.2018.12.05.05.45.11; Wed, 05 Dec 2018 05:45:27 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727505AbeLENnU (ORCPT + 99 others); Wed, 5 Dec 2018 08:43:20 -0500 Received: from mx1.redhat.com ([209.132.183.28]:44754 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727025AbeLENnT (ORCPT ); Wed, 5 Dec 2018 08:43:19 -0500 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 9CDBC307DAA2; Wed, 5 Dec 2018 13:43:18 +0000 (UTC) Received: from horse.redhat.com (unknown [10.18.25.234]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1F24919741; Wed, 5 Dec 2018 13:43:18 +0000 (UTC) Received: by horse.redhat.com (Postfix, from userid 10451) id A24FB2208FC; Wed, 5 Dec 2018 08:43:17 -0500 (EST) Date: Wed, 5 Dec 2018 08:43:17 -0500 From: Vivek Goyal To: Stephen Smalley Cc: Miklos Szeredi , Ondrej Mosnacek , "J. Bruce Fields" , Mark Salyzyn , Paul Moore , linux-kernel@vger.kernel.org, overlayfs , linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org, Daniel J Walsh Subject: Re: overlayfs access checks on underlying layers Message-ID: <20181205134317.GA11337@redhat.com> References: <4c20a261-5ce1-f0a2-8d40-c6032a023216@tycho.nsa.gov> <20181204151549.GA21509@redhat.com> <20181204152248.GB21509@redhat.com> <20181204154243.GA16818@redhat.com> <665ec6f3-f16d-681f-30d5-eface14c9808@tycho.nsa.gov> <20181204161747.GC16818@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.1 (2017-09-22) X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.42]); Wed, 05 Dec 2018 13:43:19 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Dec 04, 2018 at 11:49:16AM -0500, Stephen Smalley wrote: > On 12/4/18 11:17 AM, Vivek Goyal wrote: > > On Tue, Dec 04, 2018 at 11:05:46AM -0500, Stephen Smalley wrote: > > > On 12/4/18 10:42 AM, Vivek Goyal wrote: > > > > On Tue, Dec 04, 2018 at 04:31:09PM +0100, Miklos Szeredi wrote: > > > > > On Tue, Dec 4, 2018 at 4:22 PM Vivek Goyal wrote: > > > > > > > > > > > Having said that, this still create little anomaly when mknod to client > > > > > > is not allowed on context label. So a device file, which is on lower > > > > > > and client can not open it for read/write on host, it can now be opened > > > > > > for read/write because mounter will allow access. So why it is different > > > > > > that regular copy up. Well, in regular copy up, we created a copy of > > > > > > the original object and allowed writing to that object (cp --preserve=all) > > > > > > model. But in case of device file, writes will go to same original > > > > > > object. (And not a separate copy). > > > > > > > > > > That's true. > > > > > > > > > > In that sense copy up of special file should result in upper having > > > > > the same label as of lower, right? > > > > > > > > I guess that might be reasonable (if this behavior is a concern). So even > > > > after copy up, client will not be able to read/write a device if it was > > > > not allowed on lower. > > > > > > > > Stephen, what do you think about retaining label of lower for device > > > > files during copy up. What about socket/fifo. > > > > > > We don't check client task access to the upper inode label, only to the > > > overlay, right? So the client is still free to access the device through > > > the overlay even if we preserve the lower inode label on the upper inode? > > > What do we gain? > > > > That's only with latest code and Miklos said he will revert it for 4.20. > > > > IOW, I am assuming that we will continue to check access to a file > > on upper in the context of mounter. Otherwise, client will be able to access > > files on upper/ which even mounter can't access. > > I was assuming we're talking about the proposed solution, where we check > client access to the overlay (unchanged), mounter access to lower > (unchanged), copy-up if denied (new), mounter access to upper (new in the > sense that previously we didn't copy-up on denials). > > In that situation, propagating the lower inode label to the upper inode only > impacts the mounter checks, and in that case makes copy-up pointless - if it > wasn't allowed to lower it won't be allowed to upper. If it is allowed, > then client task is free to access the device regardless as long as it has > permissions to the overlay inode. So I don't see what we gain by > propagating the lower inode label to the upper inode in the context mount > case, and it creates an inconsistency between special files and regular > ones. If we agree on retaining lower label of lower device file on copy up, then I am assuming we will change rule c) to copy up only non device files. (because if you don't have access on lower, you will not have access even after copy up). There are other paths where copy up happnes. Like link or when file metadata (ownership, permissions, timestmap) changes. In those cases, if we retain the lower label over copy up, it probably will help. IOW, just by creating a link to a device, one will not get access to a device on upper which could not be accessed on lower. Device files are special anyway. In regular files we are creating a copy and user writes to copy. But that's not the case with device files. So I guess these will have to be treated differently. Thanks Vivek