From: Miklos Szeredi
Date: Wed, 9 Dec 2020 11:13:17 +0100
Subject: Re: [PATCH v2 03/10] ovl: check privs before decoding file handle
To: Amir Goldstein
Cc: Miklos Szeredi, "Eric W. Biederman", linux-fsdevel, overlayfs, LSM List, linux-kernel
References: <20201207163255.564116-1-mszeredi@redhat.com> <20201207163255.564116-4-mszeredi@redhat.com>

On Tue, Dec 8, 2020 at 2:53 PM Amir Goldstein wrote:
>
> On Mon, Dec 7, 2020 at 6:36 PM Miklos Szeredi wrote:
> >
> > CAP_DAC_READ_SEARCH is required by open_by_handle_at(2) so check it in
> > ovl_decode_real_fh() as well to prevent privilege escalation for
> > unprivileged overlay mounts.
> >
> > Signed-off-by: Miklos Szeredi
> > ---
> >  fs/overlayfs/namei.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
> > index a6162c4076db..82a55fdb1e7a 100644
> > --- a/fs/overlayfs/namei.c
> > +++ b/fs/overlayfs/namei.c
> > @@ -156,6 +156,9 @@ struct dentry *ovl_decode_real_fh(struct ovl_fh *fh, struct vfsmount *mnt,
> >  	struct dentry *real;
> >  	int bytes;
> >
> > +	if (!capable(CAP_DAC_READ_SEARCH))
> > +		return NULL;
> > +
>
> If the mounter is not capable in init ns, ovl_check_origin() and
> ovl_verify_index() will not function as expected and this will break
> index and nfs export features.

NFS export is clear-cut.

Hard link indexing should work without fh decoding, since it is only
encoding the file handle to search for the index entry, and encoding is
not privileged.

Not sure how ovl_verify_index will choke on that, will have to try...
but worst case we just need to disable verification.

And yeah, using the .overlay.origin attribute for inode number
consistency won't work either, but it should fail silently (which is
probably a good thing).

Haven't tested this yet, though.

Thanks,
Miklos
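Review bot: the new `capable(CAP_DAC_READ_SEARCH)` check at the top of ovl_decode_real_fh() fails closed by returning NULL, which callers cannot tell apart from "origin not found", so on a mount whose mounter lacks the capability in the init namespace the index and nfs_export code paths (ovl_check_origin() and ovl_verify_index(), as raised in the reply) degrade silently instead of reporting why. Consider returning a distinct error (for example ERR_PTR(-EPERM)) so callers can disable the affected feature with a warning, or checking the capability once at mount time when index/nfs_export are enabled, and expand the commit message to state that those features become unavailable for unprivileged mounts.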
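The asymmetry Miklos relies on above (encoding a file handle is unprivileged, decoding one is gated on CAP_DAC_READ_SEARCH, which is the same check the patch copies into ovl_decode_real_fh()) can be observed from userspace. This is an added example, not code from the thread or from the kernel patch; it assumes the probed path is "/" and classifies the outcome so that it behaves sensibly whether run unprivileged, privileged, or under a sandbox that does not expose file handles at all.

```c
/* Added example: show that name_to_handle_at(2) (encode) needs no capability
 * while open_by_handle_at(2) (decode) is refused with EPERM unless the caller
 * has CAP_DAC_READ_SEARCH. Not part of the patch or the mailing-list thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

#define MAX_HANDLE_BYTES 128

enum handle_result {
    HANDLE_UNSUPPORTED = 0, /* filesystem or sandbox offers no usable handles */
    HANDLE_DECODE_REFUSED,  /* encode ok, decode EPERM: caller is unprivileged */
    HANDLE_DECODE_OK,       /* encode and decode ok: caller is privileged */
    HANDLE_ERROR            /* any other failure */
};

/* Encode a handle for `path`, then try to decode it back through a mount fd
 * opened on the same path. On return *decode_errno holds errno from the decode
 * step (0 on success) when that step was reached. */
enum handle_result probe_handle(const char *path, int *decode_errno)
{
    union {
        struct file_handle fh;
        char buf[sizeof(struct file_handle) + MAX_HANDLE_BYTES];
    } h;
    int mount_id, mount_fd, fd;

    memset(&h, 0, sizeof h);
    h.fh.handle_bytes = MAX_HANDLE_BYTES;
    *decode_errno = 0;

    /* Step 1: encoding. The kernel performs no capability check here. */
    if (name_to_handle_at(AT_FDCWD, path, &h.fh, &mount_id, 0) < 0)
        return (errno == EOPNOTSUPP || errno == EOVERFLOW ||
                errno == ENOSYS || errno == EPERM) ? HANDLE_UNSUPPORTED
                                                   : HANDLE_ERROR;

    /* Step 2: decoding. do_handle_open() checks capable(CAP_DAC_READ_SEARCH)
     * before it looks at the handle, so an unprivileged caller gets EPERM. */
    mount_fd = open(path, O_RDONLY);
    if (mount_fd < 0)
        return HANDLE_ERROR;
    fd = open_by_handle_at(mount_fd, &h.fh, O_RDONLY);
    *decode_errno = (fd < 0) ? errno : 0;
    close(mount_fd);
    if (fd >= 0) {
        close(fd);
        return HANDLE_DECODE_OK;
    }
    return (*decode_errno == EPERM) ? HANDLE_DECODE_REFUSED : HANDLE_ERROR;
}
```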