Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp3601333pxm; Tue, 1 Mar 2022 01:26:03 -0800 (PST) X-Google-Smtp-Source: ABdhPJy97f5oe0WlOCGYiRKiXZqNo78D8dmxS7bNkFynVb1i8jhxHMK9QFp7mqxFAKwXWRwtqiDm X-Received: by 2002:a17:906:4ad6:b0:6b8:33e5:c3a1 with SMTP id u22-20020a1709064ad600b006b833e5c3a1mr17955380ejt.472.1646126763040; Tue, 01 Mar 2022 01:26:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1646126763; cv=none; d=google.com; s=arc-20160816; b=bRSTRx8/4YY6arJ5CyHuMLoIzdR14FNktWYRYA1O9BekVLMUO5j1YJR50d3g0ffbsE Sl3EcjfPyt+YnX8iUMzf9y9E7IpbMPj0uH2CmAY7pk5h7Aqf6xbTUV2RpL9elkXjn3+T E6yCVIJTYxP1RLO9xkrQkO3DOI4/lba30jcNBzT2X2XSBj/c+BQwFlmRcwqargkVJ1iU VGwgZdV13lzq/4oUJMydp4V0gVIzGNxYQO/A5Bv1yq104dko7LAk4UrpSHnXNlXePRej UZaoS/J6rLqIYw0j102lnfJJ9VpyKcWO/ZwkTk26Nbe7pknUvfcHD1KUYmt0aMlWHAFX E+7Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=XQU+v0ncJKQsq8KVJD+e40cIco7m2GBd4rHARca/WR4=; b=g4FlA+SLWcX83LeSk3uCQVSIj3rebzyc2hUp9gv/uRoheUqEVpV8FgbHPJSQktMYXK XENlyx7mNFBC+R1OIZ0ba6tt/LBFCmlaQ8XHQRY0J3Pvg+sDtTMCns3IGbzjFNv95+Pe YOMitEi5YAbZ8PuXxtJrF/AzeFVgq1L4jCDUesfs9bYxBHtZSGKdh6eALtzGK7y8irTd pGPVw3SwjJ2HpYB8sc1FIgiTJgnjMUxFRpxdOAifBMnzsGgnFal7YfIoFvl2vFq4zJaz kn+8x+sqSWjA57SEUEymQRVWLx07Bl/uY8TG5+ZbScOVCm3k/B4CmQfg/1g8A8SJH0h9 Ojog== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=0jmzKwCW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a13-20020aa7c80d000000b003ff096a8b7bsi8511775edt.376.2022.03.01.01.25.40; Tue, 01 Mar 2022 01:26:03 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=0jmzKwCW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230126AbiCABKK (ORCPT + 99 others); Mon, 28 Feb 2022 20:10:10 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46864 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230119AbiCABKC (ORCPT ); Mon, 28 Feb 2022 20:10:02 -0500 Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1481F2AF8 for ; Mon, 28 Feb 2022 17:09:22 -0800 (PST) Received: by mail-ed1-x535.google.com with SMTP id bq11so20006327edb.2 for ; Mon, 28 Feb 2022 17:09:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XQU+v0ncJKQsq8KVJD+e40cIco7m2GBd4rHARca/WR4=; b=0jmzKwCWF4tyUOMYPO79E8fZ5IPNMaa8ViRAkdhJVQ+rpvYnB807H9RFMUbcIp7BZU gZHQ1rDBx3PK62BLmbBlNNAT3jyzYaL4Q2y1jktn63TwPT5ab7vdpiN4MQeP1MOCyfW/ 1hrpDZVGloDoRW/S3YgB7ZGNi+EX7JpeqF+27/Xd6NI08vCg4fnWr5/UMmQ3YP+rWN2q yIGHsrbeKMCBBBgIhh1S5ZwIKqOb+wr4/4iLEbQ7SulNvHeNpE2lVCx7J+vfXvAVBYuU 4/QobemQ3yboRwLVKSLl98uQ/+1XfxEHp6My70akJWohmiB80lkECn8ozqFNVuNZKksq Vmzg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XQU+v0ncJKQsq8KVJD+e40cIco7m2GBd4rHARca/WR4=; b=6RuADMGBir72F78G4SnKdURaBNCmLZzV/0dQU4eMivvtwJC10Ml87EO9i6gVPdGLjm dULrRGIplS7CV3lANjdLTjcMDgai0WMfn5g26odz+ycIGu4/MvvRMxWiWDrM9S2kpFT6 1ocyILCsuL7qX35D/R9YJ66MMx6P/u/AqxHkqQy4YavZ7esGf9GfOPs2e47KN1U1R2KF WbSr2noRRBwvI/ZUNdt/JHVA5b+8sAMe5pgQHKLqP5VO8rGKKN8IVY0UgdcqOe9T4jkn TTqvb/c6PqQAHbLMgrFzwTs6k1X2+n0C6DCtqUCzxLLPu/KcqxXGt7/W4fdo2V9DEqIu eCbQ== X-Gm-Message-State: AOAM533eVkrrwfGfgMZuiIt5BsI1nDHITY5Qmg2dXEPNyD63V4u1dPo4 ZYhNOiTBr7Dmx86yYhVmM03JHwtOfnMws4v2HLQ0 X-Received: by 2002:a05:6402:1e8e:b0:412:cfd8:4d12 with SMTP id f14-20020a0564021e8e00b00412cfd84d12mr21942842edf.343.1646096960582; Mon, 28 Feb 2022 17:09:20 -0800 (PST) MIME-Version: 1.0 References: <20211117015806.2192263-1-dvander@google.com> In-Reply-To: From: Paul Moore Date: Mon, 28 Feb 2022 20:09:09 -0500 Message-ID: Subject: Re: [PATCH v19 0/4] overlayfs override_creds=off & nested get xattr fix To: Vivek Goyal , Amir Goldstein , David Anderson Cc: Mark Salyzyn , Miklos Szeredi , Jonathan Corbet , "Eric W . Biederman" , Randy Dunlap , Stephen Smalley , John Stultz , linux-doc@vger.kernel.org, linux-kernel , linux-fsdevel , overlayfs , LSM List , kernel-team , selinux@vger.kernel.org, paulmoore@microsoft.com, Luca.Boccassi@microsoft.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org I wanted to try and bring this thread back from the dead (?) as I believe the use-case is still valid and worth supporting. Some more brief comments below ... On Fri, Dec 3, 2021 at 1:34 PM Vivek Goyal wrote: > I am not sure. In the early version of patches I think argument was > that do not switch to mounter's creds and use caller's creds on > underlying filesystem as well. And each caller will be privileged > enough to be able to perform the operation. The basic idea is that we can now build Linux systems with enough access control granularity such that a given process can have the necessary privileges to mount a filesystem, but not necessarily access all of the data on the filesystem, while other processes, with different access rights, are allowed to read and write data on the mounted filesystem. Granted, this is a bit different from how things are usually done, but in my opinion it's a valid and interesting use case in that it allows us to remove unneeded access rights from historically very privileged system startup services/scripts: the service that runs to mount my homedir shouldn't be allowed to access my files just to mount the directory. Unfortunately, this idea falls apart when we attempt to use overlayfs due to the clever/usual way it caches the mounting processes credentials and uses that in place of the current process' credentials when accessing certain parts of the underlying filesystems. The current overlayfs implementation assumes that the mounter will always be more privileged than the processes accessing the filesystem, it would be nice if we could build a mechanism that didn't have this assumption baked into the implementation. This patchset may not have been The Answer, but surely there is something we can do to support this use-case. > Our take was that how is this model better because in current model > only mounter needs to be privileged while in this new model each > caller will have to be privileged. But Android guys seemed to be ok > with that. So has this assumption changed since early days. If callers > are privileged, then vfs_getxattr() on underlying filesystem for > overaly internal xattrs should succeed and there is no need for this > change. > > I suspect patches have evolved since then and callers are not as > privileged as we expect them to and that's why we are bypassing this > check on all overlayfs internal trusted xattrs? This definitely requires > much close scrutiny. My initial reaction is that this sounds very scary. > > In general I would think overlayfs should not bypass the check on > underlying fs. Either checks should be done in mounter's context or > caller's context (depending on override_creds=on/off). > > Thanks > Vivek -- paul-moore.com