From: Paul Moore
Date: Tue, 20 Oct 2020 19:10:53 -0400
Subject: Re: [PATCH v17 0/4] overlayfs override_creds=off & nested get xattr fix
To: Mark Salyzyn
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com, Miklos Szeredi, Jonathan Corbet, Vivek Goyal, Eric W. Biederman, Amir Goldstein, Randy Dunlap, Stephen Smalley, John Stultz, linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
In-Reply-To: <20201020191732.4049987-1-salyzyn@android.com>

On Tue, Oct 20, 2020 at 3:17 PM Mark Salyzyn wrote:
>
> Mark Salyzyn (3):
>   Add flags option to get xattr method paired to __vfs_getxattr
>   overlayfs: handle XATTR_NOSECURITY flag for get xattr method
>   overlayfs: override_creds=off option bypass creator_cred
>
> Mark Salyzyn + John Stultz (1):
>   overlayfs: inode_owner_or_capable called during execv
>
> The first three patches address fundamental security issues that should
> be solved regardless of the override_creds=off feature.
>
> The fourth adds the feature depends on these other fixes.
>
> By default, all access to the upper, lower and work directories is the
> recorded mounter's MAC and DAC credentials. The incoming accesses are
> checked against the caller's credentials.
>
> If the principles of least privilege are applied for sepolicy, the
> mounter's credentials might not overlap the credentials of the caller's
> when accessing the overlayfs filesystem. For example, a file that a
> lower DAC privileged caller can execute, is MAC denied to the
> generally higher DAC privileged mounter, to prevent an attack vector.
>
> We add the option to turn off override_creds in the mount options; all
> subsequent operations after mount on the filesystem will be only the
> caller's credentials. The module boolean parameter and mount option
> override_creds is also added as a presence check for this "feature",
> existence of /sys/module/overlay/parameters/overlay_creds
>
> Signed-off-by: Mark Salyzyn
> Cc: Miklos Szeredi
> Cc: Jonathan Corbet
> Cc: Vivek Goyal
> Cc: Eric W. Biederman
> Cc: Amir Goldstein
> Cc: Randy Dunlap
> Cc: Stephen Smalley
> Cc: John Stultz
> Cc: linux-doc@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> To: linux-fsdevel@vger.kernel.org
> To: linux-unionfs@vger.kernel.org
> Cc: linux-security-module@vger.kernel.org
> Cc: kernel-team@android.com

The SELinux list should also be CC'd on these patches.

For those who may just be seeing this, the lore link is below:

https://lore.kernel.org/linux-security-module/20201020191732.4049987-1-salyzyn@android.com/T/#t

-- 
paul moore
www.paul-moore.com
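
An added example, not part of this thread or of the patch series: a shell audit for the two things the quoted cover letter describes, the module-parameter presence check and overlay mounts running with `override_creds=off` (accesses made with only the caller's credentials). It assumes a kernel carrying this series and that the option is shown in the mount table as `override_creds=off`; the function names and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit overlayfs for the override_creds=off option.
# Paths are parameters so the functions can be exercised offline.

# has_override_creds_feature [PARAM_DIR]
# Succeeds if the module parameter exists. The cover letter names the
# parameter override_creds but writes the path as .../overlay_creds,
# so both file names are checked.
has_override_creds_feature() {
    dir=${1:-/sys/module/overlay/parameters}
    [ -e "$dir/override_creds" ] || [ -e "$dir/overlay_creds" ]
}

# list_caller_cred_overlays [MOUNTS_FILE]
# Prints the mount point of every overlay mount whose option list
# contains override_creds=off as a whole option (assumed display form).
list_caller_cred_overlays() {
    mounts=${1:-/proc/mounts}
    while read -r dev mnt fstype opts rest; do
        [ "$fstype" = overlay ] || continue
        # Wrap in commas so only a complete option matches, not a
        # substring of a lowerdir/upperdir path.
        case ",$opts," in
            *,override_creds=off,*) printf '%s\n' "$mnt" ;;
        esac
    done < "$mounts"
}

# Constructed sample mount table (not captured from a real system).
sample_mounts() {
    cat <<'EOF'
overlay /vendor overlay ro,relatime,lowerdir=/vendor,upperdir=/mnt/scratch/vendor/upper,workdir=/mnt/scratch/vendor/work,override_creds=off 0 0
overlay /srv/merged overlay rw,relatime,lowerdir=/l,upperdir=/u,workdir=/w 0 0
overlay /srv/odd overlay rw,lowerdir=/data/x_override_creds=off,upperdir=/u2,workdir=/w2 0 0
tmpfs /run tmpfs rw,nosuid,override_creds=off 0 0
EOF
}

# Demo on the constructed table; prints /vendor only.
tmp=$(mktemp)
sample_mounts > "$tmp"
list_caller_cred_overlays "$tmp"
rm -f "$tmp"
```

On a live system, call both functions without arguments to use `/sys/module/overlay/parameters` and `/proc/mounts`.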