Date: Thu, 13 Dec 2018 15:26:08 -0500
From: Vivek Goyal
To: Stephen Smalley
Cc: Miklos Szeredi, Ondrej Mosnacek, "J. Bruce Fields", Mark Salyzyn, Paul Moore, linux-kernel@vger.kernel.org, overlayfs, linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org, Daniel J Walsh
Subject: Re: overlayfs access checks on underlying layers
Message-ID: <20181213202608.GD4384@redhat.com>
References: <20181204161747.GC16818@redhat.com> <20181205134317.GA11337@redhat.com> <8eb7f677-fd71-c31b-bfed-29fb7187d132@tycho.nsa.gov> <20181211214821.GD17242@redhat.com> <2e4d90ce-61e7-56b1-c161-4e5fb7236537@tycho.nsa.gov> <20181213145813.GB4384@redhat.com> <846eb23e-1188-9e45-ee0a-676d26cc715e@tycho.nsa.gov> <20181213185456.GC4384@redhat.com> <6de7d35e-9ee7-5324-86d0-e0e42c6a6d29@tycho.nsa.gov>
In-Reply-To: <6de7d35e-9ee7-5324-86d0-e0e42c6a6d29@tycho.nsa.gov>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Dec 13, 2018 at 03:09:55PM -0500, Stephen Smalley wrote:
> On 12/13/18 1:54 PM, Vivek Goyal wrote:
> > On Thu, Dec 13, 2018 at 11:12:31AM -0500, Stephen Smalley wrote:
> >
> > [..]
> >
> > > > > > Can you elaborate a bit more on how this is leaking data through overlay
> > > > > > mount. If it is, then why accessing file on lower is not equivalent of
> > > > > > leaking of data.
> > > > >
> > > > > In the container use case, retaining the lower label on copy-up for a
> > > > > context-mounted overlay permits a process in the container to leak the
> > > > > container data out to host files not labeled with the container label and
> > > > > thus potentially accessible to other containers or host processes. The
> > > > > container process appears to just be writing to files labeled with the
> > > > > container label via the overlay, but the written data and/or metadata is
> > > > > directly accessible through the lower label, which is likely readable to
> > > > > all/many containers and host processes.
> > > > >
> > > > > In the multi-level security (MLS) use case, an analogy would be a situation
> > > > > where you have an unclassified lower dir with some content to be shared
> > > > > read-only across all levels, and an overlay is context-mounted at each level
> > > > > with a corresponding upper dir and work dir private to that level. If a
> > > > > client process at secret performs a write to a file via the secret overlay,
> > > > > and if the written data is stored in a file in the upper dir that inherits
> > > > > the label from the lower file (unclassified), then the secret process can
> > > > > leak data to unclassified processes at will, violating the MLS policy.
> > > >
> > > > For the case of devices, it's already happening. One might change metadata
> > > > of a device (hence trigger copy up). Now all writes to upper device file
> > > > from secret process still go to same underlying device and are still
> > > > readable from lower device file.
> > >
> > > This is an argument for not copying up device files IMHO, not for preserving
> > > the lower label on them.
> >
> > How do we handle metadata change to device node (like timestamp, ownership
> > change) without copy up?
>
> Do we need to support such metadata changes to device nodes through an
> overlay mount? Is that required for some legitimate purpose (and if so,
> what is the use case?)? If not, just deny it up front. Much simpler and no
> potential for a leak.

This will be overlay specific behavior and further from POSIX like
filesystem behavior. Don't know which workloads depend on changing
ownership of devices or changing metadata of devices.

Thanks
Vivek
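As an added illustration of the device-node point raised in the quoted exchange (example code written for this page, not anything from the thread, from overlayfs or from SELinux), the following audit walks an overlay upper directory and, for every character or block device node it finds, compares it with the node at the same relative path in the lower directory. Because a copy-up of a device node reproduces the same major:minor, the upper and lower nodes name the same underlying device whatever owner or label the upper copy carries, which is the aliasing Vivek describes; the audit reports such nodes with the metadata that diverged. The names `NodeInfo`, `read_node`, `describe_copy_up` and `audit` are mine, the lower and upper directory paths are whatever the overlay was mounted with, and the labels in the sample values are constructed placeholders, not real policy types.

```python
"""Audit an overlayfs upper dir for copied-up device nodes (added example)."""
import os
import stat
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NodeInfo:
    """The fields the audit needs from one directory entry."""
    mode: int             # st_mode: file type plus permission bits
    uid: int
    gid: int
    rdev: int             # st_rdev: major:minor named by a device node (0 otherwise)
    label: Optional[str]  # SELinux context from security.selinux, or None

    @property
    def is_device(self) -> bool:
        return stat.S_ISCHR(self.mode) or stat.S_ISBLK(self.mode)


def _fmt_dev(rdev: int) -> str:
    return f"{os.major(rdev)}:{os.minor(rdev)}"


def read_node(path: str) -> Optional[NodeInfo]:
    """lstat a path and read its SELinux label; None if the path does not exist."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    label = None
    if hasattr(os, "getxattr"):  # Linux only; other platforms report no label
        try:
            raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
            label = raw.rstrip(b"\0").decode("utf-8", "replace")
        except OSError:
            pass  # no xattr, no SELinux, or not permitted to read it
    return NodeInfo(st.st_mode, st.st_uid, st.st_gid, st.st_rdev, label)


def describe_copy_up(upper: NodeInfo, lower: Optional[NodeInfo]) -> Optional[Tuple[str, List[str]]]:
    """Classify a device node found in the upper layer.

    Returns None for non-device entries, otherwise (kind, diffs) where kind is
    "new_device"  - no device node at that path in the lower layer,
    "renumbered"  - lower and upper nodes name different devices,
    "aliased"     - same major:minor on both sides: opening either node reaches
                    the same driver, so any owner/mode/label difference between
                    the two does not partition access to the device's data.
    """
    if not upper.is_device:
        return None
    if lower is None or not lower.is_device:
        return ("new_device", [])
    if upper.rdev != lower.rdev:
        return ("renumbered", [f"device {_fmt_dev(lower.rdev)} -> {_fmt_dev(upper.rdev)}"])
    diffs = []
    if (upper.uid, upper.gid) != (lower.uid, lower.gid):
        diffs.append(f"owner {lower.uid}:{lower.gid} -> {upper.uid}:{upper.gid}")
    if stat.S_IMODE(upper.mode) != stat.S_IMODE(lower.mode):
        diffs.append(f"mode {stat.S_IMODE(lower.mode):04o} -> {stat.S_IMODE(upper.mode):04o}")
    if upper.label != lower.label:
        diffs.append(f"label {lower.label!r} -> {upper.label!r}")
    return ("aliased", diffs)


def audit(lowerdir: str, upperdir: str) -> List[Tuple[str, str, List[str]]]:
    """Report every device node under upperdir as (relative path, kind, diffs)."""
    findings = []
    for root, _dirs, files in os.walk(upperdir):
        for name in files:  # os.walk lists device nodes among files
            upath = os.path.join(root, name)
            rel = os.path.relpath(upath, upperdir)
            upper = read_node(upath)
            if upper is None:
                continue
            result = describe_copy_up(upper, read_node(os.path.join(lowerdir, rel)))
            if result is not None:
                findings.append((rel, result[0], result[1]))
    return findings


if __name__ == "__main__":
    import sys
    for rel, kind, diffs in audit(sys.argv[1], sys.argv[2]):
        print(f"{rel}: {kind}" + (f" ({'; '.join(diffs)})" if diffs else ""))
```

Run it as `python audit.py /path/to/lowerdir /path/to/upperdir` with read access to both layers. A non-empty `aliased` list is exactly the situation under discussion: a metadata change forced a copy-up, and the upper node now carries different ownership or a different context while still addressing the same device as the lower node, so the label on the upper copy gives no isolation for what is written through it.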