Subject: Re: [PATCH v10 4/5] overlayfs: internal getxattr operations without sepolicy checking
To: Amir Goldstein
Cc: linux-kernel, kernel-team@android.com, Miklos Szeredi, Jonathan Corbet, Vivek Goyal, "Eric W . Biederman", Randy Dunlap, Stephen Smalley, overlayfs, linux-doc@vger.kernel.org
References: <20190724195719.218307-1-salyzyn@android.com> <20190724195719.218307-5-salyzyn@android.com>
From: Mark Salyzyn
Message-ID: <20df8497-17ea-27db-43c8-fcd73633e7f3@android.com>
Date: Thu, 25 Jul 2019 07:37:07 -0700
X-Mailing-List: linux-kernel@vger.kernel.org

Thanks for the review.
On 7/25/19 4:00 AM, Amir Goldstein wrote:
> On Wed, Jul 24, 2019 at 10:57 PM Mark Salyzyn wrote:
>> Check impure, opaque, origin & meta xattr with no sepolicy audit
>> (using __vfs_getxattr) since these operations are internal to
>> overlayfs operations and do not disclose any data. This became
>> an issue for credential override off since sys_admin would have
>> been required by the caller; whereas it would have been inherently
>> present for the creator since it performed the mount.
>>
>> This is a change in operations since we do not check in the new
>> ovl_vfs_getxattr function if the credential override is off or
>> not. Reasoning is that the sepolicy check is unnecessary overhead,
>> especially since the check can be expensive.
> I don't know that this reasoning suffices to skip the sepolicy checks
> for overlayfs private xattrs.
> Can't sepolicy be defined to allow get access to trusted.overlay.*?

Because for override credentials off, _everyone_ would need it (at least on Android, the sole user AFAIK, and only on userdebug builds, not user builds), and if everyone is special, possibly including the random applications we add from the play store, then no one is ...

For override credentials on, the sepolicy would need to be added to init or other mounters so that callers can actually use overlayfs. Without the sepolicy for init, overlayfs will not function. The xattrs are in the backing storage and the details are not exported outside of the driver. This would represent an imbalance since none of the callers would require the sepolicy adjustment for the 'normal' case, but for override credentials off, as stated above, _everyone_ would require it.

Not against adding the sepolicy in Android; it is how we roll, only opening up credentials on an as-needed basis. We could deny it on user (customer) builds, and that closes a door, which gains security. However, our people are starting to resist userdebug being different from user, so it may be a door I cannot shut. Again, it felt like an imbalance for a trusted driver read-only operation.

Sincerely -- Mark Salyzyn