Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp11163507ybi; Thu, 25 Jul 2019 11:05:30 -0700 (PDT) X-Google-Smtp-Source: APXvYqx3lVPO8nYtqIhdxi5MLX2pPck4qelMOIoONUWUztYmiSwdF8uSrjGJc1TBDmaRDiqgjBGk X-Received: by 2002:a17:90a:17ab:: with SMTP id q40mr95545600pja.106.1564077930418; Thu, 25 Jul 2019 11:05:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564077930; cv=none; d=google.com; s=arc-20160816; b=NqB+htw/zN9bSqOdr5+zqY0hQrVW21J6QJSeFXpGnIQF1v9v5P5goF/Qo6uTtRvwif qIZ1oG+0gxr46OBuG5bkpxNwBWDTzQN8BK9yw77nhDsp7L4ffb/Ijj2kMdgN9h0jBt4A BvIYm95HpirI1cLptuth8dRuCzB9ZooNBR+8/dRgF5L84Fp2iC6N/5dtvwvvjEAdY91z 8boPgPyL0gVjduj44dVvMHR11nP35wU7m6y/ncz3So1zoFuytkwFVB8DzKa/onM4062N P/KX+hi0BdDK2I3fiU7sM4ZTwLJpTIRMqClEoWGArpeuzs77dkasMsCenEEjM+rZPbuk 1zFQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Y8u5tRtb2phALqFhx/N87c7RhwGYwIkCOlt6V+GWL8A=; b=V1bOuAcFEOl5ZLugqOt16A/kyjFxu16Rr3W4dmgYYMItpcmWPCk9irxkZRySpxPPry RZdBsdFsdgtBhC7Gbbk8+thDzcYkOC/mNA7pn6D50FegoF64dxl9oTEvRcwdRTkW5zzt BwES30OQJZQsURnU0MDKU8vbakRODlbUWygfbJgQdGPwFgFUsjigcRf/WYxuGpmainJV R469uiN72cddVWKGsJwk0sb+FyWkg5q4XnCZL+TuBP+yBjL7ThA8GGjELq5Z2qCB6VDr UqA9gRNjwhpuHgqAw5diYtgWMRPDAOY1D36M1r1lBch7gOVNXyl5cmc0t59+8dZoVAhP Rz3Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="Yy8pfw/e"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n2si11904725pgq.586.2019.07.25.11.05.12; Thu, 25 Jul 2019 11:05:30 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="Yy8pfw/e"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389446AbfGYPnv (ORCPT + 99 others); Thu, 25 Jul 2019 11:43:51 -0400 Received: from mail-yw1-f67.google.com ([209.85.161.67]:38811 "EHLO mail-yw1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387941AbfGYPnv (ORCPT ); Thu, 25 Jul 2019 11:43:51 -0400 Received: by mail-yw1-f67.google.com with SMTP id f187so19386872ywa.5; Thu, 25 Jul 2019 08:43:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Y8u5tRtb2phALqFhx/N87c7RhwGYwIkCOlt6V+GWL8A=; b=Yy8pfw/e7Rs8ai1udRsDDUjLgCb54tXT6y666uRoXningJ6b16Hfe4gPkFc5YCAq9m ZhuJwie5gNx1vuOcfoAQlOxcCKmpVDoRNfeuHBAGyMjTHBGbz3NdXrcUgwS3Ow+XwiEn q/ZTxO0NxWsrxibT7wxe8d6X3zuBiPWgJx5ezArl5AD3X3pnKKY4oVUvP8Vw4HrOSMqG d/nAtPI0qr8qniTlqo9JTp4KBgn6Pl4UGlYFII3i83nBs/SPNRQ1ibfDlSsisW8hRKjz P7m7VistXF1q7JPo00Q4xy8xKLwgzL6u/4lxgBtgHR0nV4a4HtOqHcb1x6oJv14rue6I momA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Y8u5tRtb2phALqFhx/N87c7RhwGYwIkCOlt6V+GWL8A=; b=r4OIm54TcVvkNZsWHFMmr13aeruEEUvb1H0zKF+9JBpFjA++AfUqRfENV3RU42pTzk FVe+Xwkf/Y4mYEE90gkB0yMN2pmzidt/gm/46wbygGEtgckxLTMsRnHtyVO4RgwtDVmR gsgoRagm5w4gv05aouHOhNffZnbmaAGValD5cgz3lgSWjPJcAZr8oTXGw30aO1292Fv8 Nc/Nj4ZVIWduS0lGKgNjTjRnoXdkyaEHaJO6YumACt4bB9tuwcbHP+vMGEh55FQddppr b+6k+jGcqmtAsGdiphLrbvy/ZreMBVlzGYJ5FDxjkvHvIxxejRnemDHmXw+0oxV8Yk4o MxGQ== X-Gm-Message-State: APjAAAXs0Otu8ODVedZZb4oWKZq0AR5i1PErPkVptRLnBlrdEOUwbL3Z +lY5J+2pfPTVtvqLsNf0jr47C5WZ2UQwv6D1Xlg= X-Received: by 2002:a81:49c3:: with SMTP id w186mr53593821ywa.31.1564069430642; Thu, 25 Jul 2019 08:43:50 -0700 (PDT) MIME-Version: 1.0 References: <20190724195719.218307-1-salyzyn@android.com> <20190724195719.218307-4-salyzyn@android.com> In-Reply-To: From: Amir Goldstein Date: Thu, 25 Jul 2019 18:43:39 +0300 Message-ID: Subject: Re: [PATCH v10 3/5] overlayfs: add __get xattr method To: Mark Salyzyn Cc: linux-kernel , kernel-team@android.com, Miklos Szeredi , Jonathan Corbet , Vivek Goyal , "Eric W . Biederman" , Randy Dunlap , Stephen Smalley , overlayfs , linux-doc@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jul 25, 2019 at 6:03 PM Mark Salyzyn wrote: > > On 7/24/19 10:48 PM, Amir Goldstein wrote: > > On Wed, Jul 24, 2019 at 10:57 PM Mark Salyzyn wrote: > >> Because of the overlayfs getxattr recursion, the incoming inode fails > >> to update the selinux sid resulting in avc denials being reported > >> against a target context of u:object_r:unlabeled:s0. > > This description is too brief for me to understand the root problem. > > What's wring with the overlayfs getxattr recursion w.r.t the selinux > > security model? > > __vfs_getxattr (the way the security layer acquires the target sid > without recursing back to security to check the access permissions) > calls get xattr method, which in overlayfs calls vfs_getxattr on the > lower layer (which then recurses back to security to check permissions) > and reports back -EACCES if there was a denial (which is OK) and _no_ > sid copied to caller's inode security data, bubbles back to the security > layer caller, which reports an invalid avc: message for > u:object_r:unlabeled:s0 (the uninitialized sid instead of the sid for > the lower filesystem target). The blocked access is 100% valid, it is > supposed to be blocked. This does however result in a cosmetic issue > that makes it impossible to use audit2allow to construct a rule that > would be usable to fix the access problem. > Ahhh you are talking about getting the security.selinux.* xattrs? I was under the impression (Vivek please correct me if I wrong) that overlayfs objects cannot have individual security labels and the only way to label overlayfs objects is by mount options on the entire mount? Or is this just for lower layer objects? Anyway, the API I would go for is adding a @flags argument to get() which can take XATTR_NOSECURITY akin to FMODE_NONOTIFY, GFP_NOFS, meant to avoid recursions. Thanks, Amir.