Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp3601333pxm;
        Tue, 1 Mar 2022 01:26:03 -0800 (PST)
X-Google-Smtp-Source: ABdhPJy97f5oe0WlOCGYiRKiXZqNo78D8dmxS7bNkFynVb1i8jhxHMK9QFp7mqxFAKwXWRwtqiDm
X-Received: by 2002:a17:906:4ad6:b0:6b8:33e5:c3a1 with SMTP id u22-20020a1709064ad600b006b833e5c3a1mr17955380ejt.472.1646126763040;
        Tue, 01 Mar 2022 01:26:03 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1646126763; cv=none;
        d=google.com; s=arc-20160816;
        b=bRSTRx8/4YY6arJ5CyHuMLoIzdR14FNktWYRYA1O9BekVLMUO5j1YJR50d3g0ffbsE
         Sl3EcjfPyt+YnX8iUMzf9y9E7IpbMPj0uH2CmAY7pk5h7Aqf6xbTUV2RpL9elkXjn3+T
         E6yCVIJTYxP1RLO9xkrQkO3DOI4/lba30jcNBzT2X2XSBj/c+BQwFlmRcwqargkVJ1iU
         VGwgZdV13lzq/4oUJMydp4V0gVIzGNxYQO/A5Bv1yq104dko7LAk4UrpSHnXNlXePRej
         UZaoS/J6rLqIYw0j102lnfJJ9VpyKcWO/ZwkTk26Nbe7pknUvfcHD1KUYmt0aMlWHAFX
         E+7Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=XQU+v0ncJKQsq8KVJD+e40cIco7m2GBd4rHARca/WR4=;
        b=g4FlA+SLWcX83LeSk3uCQVSIj3rebzyc2hUp9gv/uRoheUqEVpV8FgbHPJSQktMYXK
         XENlyx7mNFBC+R1OIZ0ba6tt/LBFCmlaQ8XHQRY0J3Pvg+sDtTMCns3IGbzjFNv95+Pe
         YOMitEi5YAbZ8PuXxtJrF/AzeFVgq1L4jCDUesfs9bYxBHtZSGKdh6eALtzGK7y8irTd
         pGPVw3SwjJ2HpYB8sc1FIgiTJgnjMUxFRpxdOAifBMnzsGgnFal7YfIoFvl2vFq4zJaz
         kn+8x+sqSWjA57SEUEymQRVWLx07Bl/uY8TG5+ZbScOVCm3k/B4CmQfg/1g8A8SJH0h9
         Ojog==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=0jmzKwCW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id a13-20020aa7c80d000000b003ff096a8b7bsi8511775edt.376.2022.03.01.01.25.40;
        Tue, 01 Mar 2022 01:26:03 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=0jmzKwCW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230126AbiCABKK (ORCPT <rfc822;anothersharkwizard@gmail.com>
        + 99 others); Mon, 28 Feb 2022 20:10:10 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46864 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230119AbiCABKC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 28 Feb 2022 20:10:02 -0500
Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1481F2AF8
        for <linux-kernel@vger.kernel.org>; Mon, 28 Feb 2022 17:09:22 -0800 (PST)
Received: by mail-ed1-x535.google.com with SMTP id bq11so20006327edb.2
        for <linux-kernel@vger.kernel.org>; Mon, 28 Feb 2022 17:09:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20210112.gappssmtp.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=XQU+v0ncJKQsq8KVJD+e40cIco7m2GBd4rHARca/WR4=;
        b=0jmzKwCWF4tyUOMYPO79E8fZ5IPNMaa8ViRAkdhJVQ+rpvYnB807H9RFMUbcIp7BZU
         gZHQ1rDBx3PK62BLmbBlNNAT3jyzYaL4Q2y1jktn63TwPT5ab7vdpiN4MQeP1MOCyfW/
         1hrpDZVGloDoRW/S3YgB7ZGNi+EX7JpeqF+27/Xd6NI08vCg4fnWr5/UMmQ3YP+rWN2q
         yIGHsrbeKMCBBBgIhh1S5ZwIKqOb+wr4/4iLEbQ7SulNvHeNpE2lVCx7J+vfXvAVBYuU
         4/QobemQ3yboRwLVKSLl98uQ/+1XfxEHp6My70akJWohmiB80lkECn8ozqFNVuNZKksq
         Vmzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=XQU+v0ncJKQsq8KVJD+e40cIco7m2GBd4rHARca/WR4=;
        b=6RuADMGBir72F78G4SnKdURaBNCmLZzV/0dQU4eMivvtwJC10Ml87EO9i6gVPdGLjm
         dULrRGIplS7CV3lANjdLTjcMDgai0WMfn5g26odz+ycIGu4/MvvRMxWiWDrM9S2kpFT6
         1ocyILCsuL7qX35D/R9YJ66MMx6P/u/AqxHkqQy4YavZ7esGf9GfOPs2e47KN1U1R2KF
         WbSr2noRRBwvI/ZUNdt/JHVA5b+8sAMe5pgQHKLqP5VO8rGKKN8IVY0UgdcqOe9T4jkn
         TTqvb/c6PqQAHbLMgrFzwTs6k1X2+n0C6DCtqUCzxLLPu/KcqxXGt7/W4fdo2V9DEqIu
         eCbQ==
X-Gm-Message-State: AOAM533eVkrrwfGfgMZuiIt5BsI1nDHITY5Qmg2dXEPNyD63V4u1dPo4
        ZYhNOiTBr7Dmx86yYhVmM03JHwtOfnMws4v2HLQ0
X-Received: by 2002:a05:6402:1e8e:b0:412:cfd8:4d12 with SMTP id
 f14-20020a0564021e8e00b00412cfd84d12mr21942842edf.343.1646096960582; Mon, 28
 Feb 2022 17:09:20 -0800 (PST)
MIME-Version: 1.0
References: <20211117015806.2192263-1-dvander@google.com> <CAOQ4uxjjapFeOAFGLmsXObdgFVYLfNer-rnnee1RR+joxK3xYg@mail.gmail.com>
 <Yao51m9EXszPsxNN@redhat.com> <CAOQ4uxjk4piLyx67Ena-FfypDVWzRqVN0xmFUXXPYa+SC4Q-vQ@mail.gmail.com>
 <YapjNRrjpDu2a5qQ@redhat.com>
In-Reply-To: <YapjNRrjpDu2a5qQ@redhat.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Mon, 28 Feb 2022 20:09:09 -0500
Message-ID: <CAHC9VhQTUgBRBEz_wFX8daSA70nGJCJLXj8Yvcqr5+DHcfDmwA@mail.gmail.com>
Subject: Re: [PATCH v19 0/4] overlayfs override_creds=off & nested get xattr fix
To:     Vivek Goyal <vgoyal@redhat.com>,
        Amir Goldstein <amir73il@gmail.com>,
        David Anderson <dvander@google.com>
Cc:     Mark Salyzyn <salyzyn@android.com>,
        Miklos Szeredi <miklos@szeredi.hu>,
        Jonathan Corbet <corbet@lwn.net>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        Randy Dunlap <rdunlap@infradead.org>,
        Stephen Smalley <sds@tycho.nsa.gov>,
        John Stultz <john.stultz@linaro.org>,
        linux-doc@vger.kernel.org,
        linux-kernel <linux-kernel@vger.kernel.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        overlayfs <linux-unionfs@vger.kernel.org>,
        LSM List <linux-security-module@vger.kernel.org>,
        kernel-team <kernel-team@android.com>, selinux@vger.kernel.org,
        paulmoore@microsoft.com, Luca.Boccassi@microsoft.com
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

I wanted to try and bring this thread back from the dead (?) as I
believe the use-case is still valid and worth supporting.  Some more
brief comments below ...

On Fri, Dec 3, 2021 at 1:34 PM Vivek Goyal <vgoyal@redhat.com> wrote:
> I am not sure. In the early version of patches I think argument was
> that do not switch to mounter's creds and use caller's creds on
> underlying filesystem as well. And each caller will be privileged
> enough to be able to perform the operation.

The basic idea is that we can now build Linux systems with enough
access control granularity such that a given process can have the
necessary privileges to mount a filesystem, but not necessarily access
all of the data on the filesystem, while other processes, with
different access rights, are allowed to read and write data on the
mounted filesystem.  Granted, this is a bit different from how things
are usually done, but in my opinion it's a valid and interesting use
case in that it allows us to remove unneeded access rights from
historically very privileged system startup services/scripts: the
service that runs to mount my homedir shouldn't be allowed to access
my files just to mount the directory.

Unfortunately, this idea falls apart when we attempt to use overlayfs
due to the clever/usual way it caches the mounting processes
credentials and uses that in place of the current process' credentials
when accessing certain parts of the underlying filesystems.  The
current overlayfs implementation assumes that the mounter will always
be more privileged than the processes accessing the filesystem, it
would be nice if we could build a mechanism that didn't have this
assumption baked into the implementation.

This patchset may not have been The Answer, but surely there is
something we can do to support this use-case.

> Our take was that how is this model better because in current model
> only mounter needs to be privileged while in this new model each
> caller will have to be privileged. But Android guys seemed to be ok
> with that. So has this assumption changed since early days. If callers
> are privileged, then vfs_getxattr() on underlying filesystem for
> overaly internal xattrs should succeed and there is no need for this
> change.
>
> I suspect patches have evolved since then and callers are not as
> privileged as we expect them to and that's why we are bypassing this
> check on all overlayfs internal trusted xattrs? This definitely requires
> much close scrutiny. My initial reaction is that this sounds very scary.
>
> In general I would think overlayfs should not bypass the check on
> underlying fs. Either checks should be done in mounter's context or
> caller's context (depending on override_creds=on/off).
>
> Thanks
> Vivek

-- 
paul-moore.com