From: Amir Goldstein
Date: Thu, 25 Jul 2019 18:51:36 +0300
Subject: Re: [PATCH v10 4/5] overlayfs: internal getxattr operations without sepolicy checking
To: Mark Salyzyn
Cc: linux-kernel, kernel-team@android.com, Miklos Szeredi, Jonathan Corbet, Vivek Goyal, Eric W. Biederman, Randy Dunlap, Stephen Smalley, overlayfs, linux-doc@vger.kernel.org
References: <20190724195719.218307-1-salyzyn@android.com> <20190724195719.218307-5-salyzyn@android.com> <20df8497-17ea-27db-43c8-fcd73633e7f3@android.com>
In-Reply-To: <20df8497-17ea-27db-43c8-fcd73633e7f3@android.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jul 25, 2019 at 5:37 PM Mark Salyzyn wrote:
>
> Thanks for the review.
>
> On 7/25/19 4:00 AM, Amir Goldstein wrote:
> > On Wed, Jul 24, 2019 at 10:57 PM Mark Salyzyn wrote:
> >> Check impure, opaque, origin & meta xattr with no sepolicy audit
> >> (using __vfs_getxattr) since these operations are internal to
> >> overlayfs operations and do not disclose any data. This became
> >> an issue for credential override off since sys_admin would have
> >> been required by the caller; whereas it would have been inherently
> >> present for the creator since it performed the mount.
> >>
> >> This is a change in operations since we do not check in the new
> >> ovl_vfs_getxattr function if the credential override is off or
> >> not. Reasoning is that the sepolicy check is unnecessary overhead,
> >> especially since the check can be expensive.
> > I don't know that this reasoning suffices to skip the sepolicy checks
> > for overlayfs private xattrs.
> > Can't sepolicy be defined to allow get access to trusted.overlay.*?
>
> Because for override credentials off, _everyone_ would need it (at least
> on Android, the sole user AFAIK, and only on userdebug builds, not user
> builds), and if everyone is special, and possibly including the random
> applications we add from the play store, then no one is ...
>

OK. I am convinced.

One weak argument in favor of the patch:
ecryptfs also uses __vfs_getxattr for private xattrs.

Thanks,
Amir.