Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp1355242pxx; Fri, 30 Oct 2020 08:11:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxSA1KjY5oqnoEYUZKpcK327/JpsdMiN5PONU1LfkH6Q2PbzammKXREKd6QL82lQEClGD5q X-Received: by 2002:a50:950e:: with SMTP id u14mr2857100eda.260.1604070685690; Fri, 30 Oct 2020 08:11:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1604070685; cv=none; d=google.com; s=arc-20160816; b=tiXkjSpUVMea5aa/yQe+yDI8Of5mv5y/Ag1fimatDBcxiukBWaRVzvFz9ODK3Hawj0 6NdmWzZThOYi5BX0xFqjpKtQOSuIw1FnkpdeSuwePeqxUVbEl6O3gjBDLQHsQt6U30FR fcgP6llVUbhWEOe2ZiXjPlS8OxpiZKcl6NhIhRyaaeLX0nRYuHDIQ8daXsoE/+QLPeUJ 4wrxHGegh9XCzmirbr4rQSpM7GLGW6G8XdhsTIycEc7VKdo80i1G29WaSJnAw2WeL0ZQ bbikBlA4ALNnb6c5hrS5kOA9h8ExEmOy8xHZtrSy45dyEBRV7bMwW8nB3eplJWTekj1f JbAA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=qezUIHlvY9fFOmo2+xA2K+Ux6IJAtG5C7ju4HZIADck=; b=C1GAHoHp08HS9kC3Ede7d//GO+M3QGN4/1L2YtDWyynaybwyAsJXzp0ZZBBf8N8fJq z7Xq3ytMHCC+7Tb43stP36XuhjQIcWnvGP6T8f9BGH4ztBF8P6tt3sTy7PV1oF/y3ecN yOEl/Te9v73O4VCROV6Ijt73OVTMAgI1j4hsKoz7B2YKn+n1a/QQNMTomt0ybMBfVilO 7cNSNxCwBeNl+rignn58fGBbJsHSu1ohBoxmwG45yaq2iQCVcUvuv6fgj3BbEE0G/A17 V3nuzduZG6a05m0JxqW4b7Id8YPUv9QGFgPFQATRxEuHzdOioy9/d5NhcDs/oElrpIvM 1buA== ARC-Authentication-Results: i=1; mx.google.com; dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=FDk8YZ+1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w8si4591319edu.395.2020.10.30.08.11.02; Fri, 30 Oct 2020 08:11:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=FDk8YZ+1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726846AbgJ3PHO (ORCPT + 99 others); Fri, 30 Oct 2020 11:07:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40550 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726319AbgJ3PHN (ORCPT ); Fri, 30 Oct 2020 11:07:13 -0400 Received: from mail-vk1-xa42.google.com (mail-vk1-xa42.google.com [IPv6:2607:f8b0:4864:20::a42]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 17B9DC0613D2 for ; Fri, 30 Oct 2020 08:07:12 -0700 (PDT) Received: by mail-vk1-xa42.google.com with SMTP id p16so1513807vkf.13 for ; Fri, 30 Oct 2020 08:07:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=szeredi.hu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qezUIHlvY9fFOmo2+xA2K+Ux6IJAtG5C7ju4HZIADck=; b=FDk8YZ+1U0Xp/Ygw40EpV0XeoQqT33eCNWvzOPeOzuhtVGoPz8+inv5IWSqFU5QEQb fbZH8kjd/7GZgBHweJS80LprkSJvRuThB5A2PYwcRJ19ifGSQ+mXOsFOxCp0TrHprMN8 Ow0nVKYl2sgjqAIi19jAw5kAX//XFX1+xWk6o= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qezUIHlvY9fFOmo2+xA2K+Ux6IJAtG5C7ju4HZIADck=; b=t1bGV0q9F1dA3Qy9xws6e2iZ+RxsmsaYR7d16HO760sdWEfxubL96zxYrllJ0Jtt8L qIYwE56bVgU801HtU/bCK8dj+8NyUiSmFjzntX+LfOISf8z+em+KoOJlgR5j8DcKeHEl vE6uaej98pq1koyqkjG992QKZ01Jp1h4K+tVU/NVhIZx74lKtuConY/RO05BCqHFA8zy eVSJOl/moqjtU56FON+U7Yr5LwrRZCtGXnlW1CdPVcBa6JiSfhgQoswQmTl43ci+1Al/ xY9iTXuFJmqozRT60uscsP/aE5vAekimSO+zF2R4o2cwQoIUjfQPRocbjlJAKh8SXtzc 5mWg== X-Gm-Message-State: AOAM531gCrDexVmuMjwGkl4WWfLTKAodXSzxVDZVzkV6aWSW8QoVsZ+o LOuEy291l0mXwWEkk4n5ecAz4f/wnmJSpBdkQsHeNA== X-Received: by 2002:ac5:c80e:: with SMTP id y14mr7299032vkl.3.1604070430985; Fri, 30 Oct 2020 08:07:10 -0700 (PDT) MIME-Version: 1.0 References: <20201021151903.652827-1-salyzyn@android.com> <20201021151903.652827-3-salyzyn@android.com> In-Reply-To: <20201021151903.652827-3-salyzyn@android.com> From: Miklos Szeredi Date: Fri, 30 Oct 2020 16:07:00 +0100 Message-ID: Subject: Re: [RESEND PATCH v18 2/4] overlayfs: handle XATTR_NOSECURITY flag for get xattr method To: Mark Salyzyn Cc: linux-kernel@vger.kernel.org, kernel-team , linux-fsdevel@vger.kernel.org, overlayfs , Stephen Smalley , LSM , Jonathan Corbet , Vivek Goyal , "Eric W . Biederman" , Amir Goldstein , linux-doc@vger.kernel.org, SElinux list Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 21, 2020 at 5:19 PM Mark Salyzyn wrote: > > Because of the overlayfs getxattr recursion, the incoming inode fails > to update the selinux sid resulting in avc denials being reported > against a target context of u:object_r:unlabeled:s0. > > Solution is to respond to the XATTR_NOSECURITY flag in get xattr > method that calls the __vfs_getxattr handler instead so that the > context can be read in, rather than being denied with an -EACCES > when vfs_getxattr handler is called. > > For the use case where access is to be blocked by the security layer. > > The path then would be security(dentry) -> > __vfs_getxattr({dentry...XATTR_NOSECURITY}) -> > handler->get({dentry...XATTR_NOSECURITY}) -> > __vfs_getxattr({realdentry...XATTR_NOSECURITY}) -> > lower_handler->get({realdentry...XATTR_NOSECURITY}) which > would report back through the chain data and success as expected, > the logging security layer at the top would have the data to > determine the access permissions and report back to the logs and > the caller that the target context was blocked. > > For selinux this would solve the cosmetic issue of the selinux log > and allow audit2allow to correctly report the rule needed to address > the access problem. > > Check impure, opaque, origin & meta xattr with no sepolicy audit > (using __vfs_getxattr) since these operations are internal to > overlayfs operations and do not disclose any data. This became > an issue for credential override off since sys_admin would have > been required by the caller; whereas would have been inherently > present for the creator since it performed the mount. > > This is a change in operations since we do not check in the new > ovl_do_getxattr function if the credential override is off or not. > Reasoning is that the sepolicy check is unnecessary overhead, > especially since the check can be expensive. > > Because for override credentials off, this affects _everyone_ that > underneath performs private xattr calls without the appropriate > sepolicy permissions and sys_admin capability. Providing blanket > support for sys_admin would be bad for all possible callers. > > For the override credentials on, this will affect only the mounter, > should it lack sepolicy permissions. Not considered a security > problem since mounting by definition has sys_admin capabilities, > but sepolicy contexts would still need to be crafted. This would be a problem when unprivileged mounting of overlay is introduced. I'd really like to avoid weakening the current security model. The big API churn in the 1/4 patch also seems excessive considering that this seems to be mostly a cosmetic issue for android. Am I missing something? Thanks, Miklos