Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp10886801ybi; Thu, 25 Jul 2019 06:34:32 -0700 (PDT) X-Google-Smtp-Source: APXvYqwp56iAIC4y4Tv/9Tm7NIBgw3hwT9oiSqKHo9cRtQ+Tw0GXxcSh9JDe83dxktWP/j1sI3XB X-Received: by 2002:a17:902:306:: with SMTP id 6mr92328911pld.148.1564061672218; Thu, 25 Jul 2019 06:34:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564061672; cv=none; d=google.com; s=arc-20160816; b=XgBCoe5jrbJK3pR0uz0ox5IqpkACUiBJ6x4QTTNUrAG6+5Od2ZlFoYrjM58vPdxs/a OOl5GP8lF/24moiZs3x2UcZNmKV5E6uVziclP4gZIze8SanMBhXhrTQQyiW35xGb5Hnf yzv4zaRaUQ4g7UIP9DqbV/XhL5sj1G8rj7H5yxj14ivznr+E+fgIWckU8A+YB6nUGQGw B9Y+q2C7gr1wdSojcz2OIQ45PtneC5TD+m6YU+uKCSs6j+PR2rJlz7ZiUxsF1zmj3JMC XDOyP/Kq3cYMofyZlBOj38zAafkSJ7NJB5y4pki4lnGH6wOwpJqf5YmR7ZA63V37sIew J7cg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=a/9tM/cnY197lNtKIbEGvdjoci5BadrTWQa+L94ekpI=; b=cS/J1HpqcxZ0X3W+BnpSZkmD/lrqTtXglbMcu6NpERrl75iF3Cjgojg5ixWN/AZoIX lnSlEidJpcU7T9Mnnb1m326lJQMk1hq1spCGZHX0ziPe6daj+ctnxqWJod2Wm52JmtFy 9zcPrqGWJubWohdKVwsWbgE7eeoLcldtiufX1135t4q8wVj88GonbhH1bM3mOLvosMO8 Xcd7OpCCpWMM0uAsNu85+GJy/8oSQdm0EZsVv2UXmzmnc48je5CLVyXPqxoQskGRrluL bCCrLuuufT81/dPFnSA5VpuTuE1c73fr6tKy9P9DHlIhjBg8+f++oALLmCMfzEOswiSw S90w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=TlXZqAqR; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 39si15436325pla.73.2019.07.25.06.34.17; Thu, 25 Jul 2019 06:34:32 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=TlXZqAqR; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391470AbfGYLA3 (ORCPT + 99 others); Thu, 25 Jul 2019 07:00:29 -0400 Received: from mail-yw1-f66.google.com ([209.85.161.66]:36403 "EHLO mail-yw1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388173AbfGYLA3 (ORCPT ); Thu, 25 Jul 2019 07:00:29 -0400 Received: by mail-yw1-f66.google.com with SMTP id x67so17769218ywd.3; Thu, 25 Jul 2019 04:00:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=a/9tM/cnY197lNtKIbEGvdjoci5BadrTWQa+L94ekpI=; b=TlXZqAqRzPpf3gfD8V0EvgwNAWlvyzJuGQp0qP4ZcQNUngpwSwvdyCMRR/7R9AHZAW GuOMdzNyGDZMf0PNKbCk7y9QD3lXOCjkZr7ZBB7uDm0BgUiMCBBBr4MJNZ79HcfB7uRR L35CzL1tUcFV3AhEfiKdHSqMddOjEGDIjA6oYlJUoxFhaBszEVXcNnY1+6ul3za+2x57 Fw4/Z16Ne3tTR/xwVvioVo+dBJGbQUwLLnbbtQnDKJW3nE8e/fdWobY8TyMHl8mHwfZ/ 0iniDeqcvqEVhuMQ9FeziB6ZkiOj1k+jcPLpT3Xj5U/CRQtc0a+tjL6VOfSGfW7Slce9 17fA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=a/9tM/cnY197lNtKIbEGvdjoci5BadrTWQa+L94ekpI=; b=nvXblKHCrMjppxmTQchwtsjy8LKtAywid0MU3HOcQaRcmUW6lhEGod4ArhyD3iXpmV Ew8BduBMrxZTb3a2b/p9iiZhjJKTII4mG0Viom0JediX4K+HmHb03bnHYn4lXFKhhGVf RAtIS5gMxeVhrwGIKw8lIcc1y83+0sbP5+drJaiuECxQvNPN/i4+qV7SssVrWoaYXD/+ roEhsx9i/udPdhdKCdEmyaG2EkAeo8huiSYd1QF4ehgob0+LghBJ8MU7/E3jDCg0fbjx Vr5pTIANLvYCcJs42dZe6r6ikX52h833sC8K1olwT84pmg4rr/KKXa1jvNcOo4mYq1Rq Pygg== X-Gm-Message-State: APjAAAXsspmd7cd185araiRC0hRaz2ROKpOW36whz6kEvElur/OAdyUx hEzlz5N7pBZ6qI6QHQ4kO9Hs8c9QRRUyGQh3PYQ= X-Received: by 2002:a81:13d4:: with SMTP id 203mr53284263ywt.181.1564052428064; Thu, 25 Jul 2019 04:00:28 -0700 (PDT) MIME-Version: 1.0 References: <20190724195719.218307-1-salyzyn@android.com> <20190724195719.218307-5-salyzyn@android.com> In-Reply-To: <20190724195719.218307-5-salyzyn@android.com> From: Amir Goldstein Date: Thu, 25 Jul 2019 14:00:16 +0300 Message-ID: Subject: Re: [PATCH v10 4/5] overlayfs: internal getxattr operations without sepolicy checking To: Mark Salyzyn Cc: linux-kernel , kernel-team@android.com, Miklos Szeredi , Jonathan Corbet , Vivek Goyal , "Eric W . Biederman" , Randy Dunlap , Stephen Smalley , overlayfs , linux-doc@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 24, 2019 at 10:57 PM Mark Salyzyn wrote: > > Check impure, opaque, origin & meta xattr with no sepolicy audit > (using __vfs_getxattr) since these operations are internal to > overlayfs operations and do not disclose any data. This became > an issue for credential override off since sys_admin would have > been required by the caller; whereas would have been inherently > present for the creator since it performed the mount. > > This is a change in operations since we do not check in the new > ovl_vfs_getxattr function if the credential override is off or > not. Reasoning is that the sepolicy check is unnecessary overhead, > especially since the check can be expensive. I don't know that this reasoning suffice to skip the sepolicy checks for overlayfs private xattrs. Can't sepolicy be defined to allow get access to trusted.overlay.*? > > Signed-off-by: Mark Salyzyn > Cc: Miklos Szeredi > Cc: Jonathan Corbet > Cc: Vivek Goyal > Cc: Eric W. Biederman > Cc: Amir Goldstein > Cc: Randy Dunlap > Cc: Stephen Smalley > Cc: linux-unionfs@vger.kernel.org > Cc: linux-doc@vger.kernel.org > Cc: linux-kernel@vger.kernel.org > Cc: kernel-team@android.com > --- > v10 - added to patch series > --- > fs/overlayfs/namei.c | 12 +++++++----- > fs/overlayfs/overlayfs.h | 2 ++ > fs/overlayfs/util.c | 24 +++++++++++++++--------- > 3 files changed, 24 insertions(+), 14 deletions(-) > > diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c > index 9702f0d5309d..fb6c0cd7b65f 100644 > --- a/fs/overlayfs/namei.c > +++ b/fs/overlayfs/namei.c > @@ -106,10 +106,11 @@ int ovl_check_fh_len(struct ovl_fh *fh, int fh_len) > > static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name) > { > - int res, err; > + ssize_t res; > + int err; > struct ovl_fh *fh = NULL; > > - res = vfs_getxattr(dentry, name, NULL, 0); > + res = ovl_vfs_getxattr(dentry, name, NULL, 0); > if (res < 0) { > if (res == -ENODATA || res == -EOPNOTSUPP) > return NULL; > @@ -123,7 +124,7 @@ static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name) > if (!fh) > return ERR_PTR(-ENOMEM); > > - res = vfs_getxattr(dentry, name, fh, res); > + res = ovl_vfs_getxattr(dentry, name, fh, res); > if (res < 0) > goto fail; > > @@ -141,10 +142,11 @@ static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name) > return NULL; > > fail: > - pr_warn_ratelimited("overlayfs: failed to get origin (%i)\n", res); > + pr_warn_ratelimited("overlayfs: failed to get origin (%zi)\n", res); > goto out; > invalid: > - pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n", res, fh); > + pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n", > + (int)res, fh); > goto out; > } > > diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h > index 73a02a263fbc..82574684a9b6 100644 > --- a/fs/overlayfs/overlayfs.h > +++ b/fs/overlayfs/overlayfs.h > @@ -205,6 +205,8 @@ int ovl_want_write(struct dentry *dentry); > void ovl_drop_write(struct dentry *dentry); > struct dentry *ovl_workdir(struct dentry *dentry); > const struct cred *ovl_override_creds(struct super_block *sb); > +ssize_t ovl_vfs_getxattr(struct dentry *dentry, const char *name, void *buf, > + size_t size); > struct super_block *ovl_same_sb(struct super_block *sb); > int ovl_can_decode_fh(struct super_block *sb); > struct dentry *ovl_indexdir(struct super_block *sb); > diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c > index f5678a3f8350..672459c3cff7 100644 > --- a/fs/overlayfs/util.c > +++ b/fs/overlayfs/util.c > @@ -40,6 +40,12 @@ const struct cred *ovl_override_creds(struct super_block *sb) > return override_creds(ofs->creator_cred); > } > > +ssize_t ovl_vfs_getxattr(struct dentry *dentry, const char *name, void *buf, > + size_t size) > +{ > + return __vfs_getxattr(dentry, d_inode(dentry), name, buf, size); > +} > + When introducing a new ovl_ => vfs_ wrapper, please follow the ovl_do_XXX helpers convention in overlayfs.h. Note that those wrappers do not generally bypass security checks and you have not convinced me yet that skipping security checks on the overlayfs private xattr get is the right thing to do. Thanks, Amir.