Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp698176pxp; Fri, 11 Mar 2022 12:41:37 -0800 (PST) X-Google-Smtp-Source: ABdhPJyHzrgyn5v36Tsrl5jqtkOpc+3qTX/Dj+homx3iNz56J7DUZz11ihmsfFTiToYdj8GkL7o+ X-Received: by 2002:aa7:8585:0:b0:4f6:f528:2e02 with SMTP id w5-20020aa78585000000b004f6f5282e02mr11703414pfn.76.1647031297398; Fri, 11 Mar 2022 12:41:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1647031297; cv=none; d=google.com; s=arc-20160816; b=KoGcqj5YCZhLkFsQgMz4tCwNIsYTBmKNTCkgU6l/6H2OCVgozXh/g1HX0U9MENqn2g YaOz8LaqUeV2wyHqPXWO7Meg6KXNLuVHTcvrvkv5z4nB7xD6IfUi1+47cu7m+iW/xTd4 xEEgiJ2N0n95NTX63HqPRb+/zd6wWgJmZ0yyq0FdmtHI0pl0rNNVtcTCutrh+bP5FDPr +kkk+O+Q27cXHGc7maQe24yEIVVTg7PfY3JopX/OjgVYA8RNhgQsC3+lbUg2meJLZRgf LrJJsLqSmSge8LqMA2DtogUQv14vyToqQYLn1ebB1VG5LaR5mfGAM4HUuJCLhJnrFhWo jB4A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=9QeKB4cZIGNALzfAGtAHD8EFO6aEieNDe1cqjoQ6gsM=; b=Ya7OD6hYsAnor1XwdCkz7+J9lhKhibpk9htWRMri/SDG35zKLSSCaSMjlJXeZJ5gOf xNP+jAjSOqgRNjzPUZqvpB5XszNex8WaPWBQdHD/m7Ismrh+1SCdbk80xWV/HIygXHsc 7oZ75xaPQT5D+HFBezgmVL3qANPW+Q3fYkDKFlYMVk98jqZFW9mDTOKLKA2EjSFhqYIV NjmK6EUkCth4tWWqQcwrqXdZ5cOxVpa1zE0lVsNJ+oHgfw/dLvlpA724O1cGVsw9e2lM 1vrMGpEja/Xi5D/O9ep+2J4ZKf+RMC2SzqH9vwdvPnkUWqKFtxc8OxnGFkXi/sycqfzd YM0Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=W9vUjPbo; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id s4-20020a17090aad8400b001bd14e01f3csi9052363pjq.42.2022.03.11.12.41.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 11 Mar 2022 12:41:37 -0800 (PST) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=W9vUjPbo; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 10A411D6CB6; Fri, 11 Mar 2022 12:38:42 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346173AbiCKELM (ORCPT + 99 others); Thu, 10 Mar 2022 23:11:12 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42650 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231511AbiCKELK (ORCPT ); Thu, 10 Mar 2022 23:11:10 -0500 Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 37C26986FF; Thu, 10 Mar 2022 20:10:08 -0800 (PST) Received: by mail-oi1-x234.google.com with SMTP id n7so8157799oif.5; Thu, 10 Mar 2022 20:10:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=9QeKB4cZIGNALzfAGtAHD8EFO6aEieNDe1cqjoQ6gsM=; b=W9vUjPbowBxn+x7F9t0T9ph91PQtdPdrKRG92teEt6N37XUEPsuq7+Semk0Sq7eBL6 dcYQ9Tv22KHCDJpJTZArvmF8RQJMWhrnNFrlH0Z9uAj420D8GZTtOsl5n/GtRwmZJ8IA 76XZx0gnVjqsOEJfE51RvM5322G6zPl57koGYA+BKcBlE7vuRS9sF5hcoMo88FJDRAK5 +kwRe4M+oG+gEgYFREXYAIe783yanNbzuJWyEOA9cbY052rFHSqbNMsxjUA23QLzXa3/ qwh29b/LmPrDFBeRC3n+EEkGfabc7nyxk2erQfzTI/vhMLMU2KsmYvLjrtBhha2kRRP/ ijHQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=9QeKB4cZIGNALzfAGtAHD8EFO6aEieNDe1cqjoQ6gsM=; b=NZW/LNPYvMyDD0iILIXVPwu3OT8GGJdCO4UJtixsPhNlztP4E6LlKBS9jgeqz3M2AM tCweRqyvOVRbGq27iZiMFyj6xf9hBTs5S8ENRkCBDVeR/VMIqtbUWgyS4EBOl+dxKQyv oXJoU/QrLAbMqXsBh7gJf5UONGHNHOuGO/1Remqi/V4Zvxp7xxViNvgu3GjM8sVDaVUU PtWGGdBIa8dDl+hhhKskXt3wLUTunnprJFb2+bPoGJoEASC0r2yOWUklCuMwXl180Aa2 mAVzGzGSy3L9MNl1Qu+Xsy9+pIZUtR0RVos1mXFaURus2XzrenovKsHDXTNTGwlDlI5i xZbA== X-Gm-Message-State: AOAM533+F5d23lhlFDMU4ZheXcb+Qdzb8jLj9KFs0TNCPnm0zsEmPZP0 +npyH6o6yAYkawv1QWEMDsCi5w59RZb1LbvWl9z6yTm6sBQ= X-Received: by 2002:a05:6808:23c1:b0:2da:30fd:34d9 with SMTP id bq1-20020a05680823c100b002da30fd34d9mr8741863oib.203.1646971807529; Thu, 10 Mar 2022 20:10:07 -0800 (PST) MIME-Version: 1.0 References: <20211117015806.2192263-1-dvander@google.com> In-Reply-To: From: Amir Goldstein Date: Fri, 11 Mar 2022 06:09:56 +0200 Message-ID: Subject: Re: [PATCH v19 0/4] overlayfs override_creds=off & nested get xattr fix To: Paul Moore Cc: Vivek Goyal , Miklos Szeredi , David Anderson , Mark Salyzyn , Jonathan Corbet , "Eric W . Biederman" , Randy Dunlap , Stephen Smalley , John Stultz , linux-doc@vger.kernel.org, linux-kernel , linux-fsdevel , overlayfs , LSM List , kernel-team , selinux@vger.kernel.org, paulmoore@microsoft.com, luca.boccassi@microsoft.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 11, 2022 at 12:11 AM Paul Moore wrote: > > On Wed, Mar 9, 2022 at 4:13 PM Paul Moore wrote: > > On Tue, Mar 1, 2022 at 12:05 AM David Anderson wro= te: > > > On Mon, Feb 28, 2022 at 5:09 PM Paul Moore wrot= e: > > ... > > > >> This patchset may not have been The Answer, but surely there is > > >> something we can do to support this use-case. > > > > > > Yup exactly, and we still need patches 3 & 4 to deal with this. My cu= rrent plan is to try and rework our sepolicy (we have some ideas on how it = could be made compatible with how overlayfs works). If that doesn't pan out= we'll revisit these patches and think harder about how to deal with the co= herency issues. > > > > Can you elaborate a bit more on the coherency issues? Is this the dir > > cache issue that is alluded to in the patchset? Anything else that > > has come up on review? > > > > Before I start looking at the dir cache in any detail, did you have > > any thoughts on how to resolve the problems that have arisen? > > David, Vivek, Amir, Miklos, or anyone for that matter, can you please > go into more detail on the cache issues? I *think* I may have found a > potential solution for an issue that could arise when the credential > override is not in place, but I'm not certain it's the only issue :) > Hi Paul, In this thread I claimed that the authors of the patches did not present a security model for overlayfs, such as the one currently in overlayfs.rst. If we had a model we could have debated its correctness and review its implementation. As a proof that there is no solid model, I gave an *example* regarding the overlay readdir cache. When listing a merged dir, meaning, a directory containing entries from several overlay layers, ovl_permission() is called to check user's permissi= on, but ovl_permission() does not currently check permissions to read all layer= s, because that is not the current overlayfs model. Overlayfs has a readdir cache, so without override_cred, a user with high credentials can populate the readdir cache and then a user will fewer credentials, not enough to access the lower layers, but enough to access the upper most layer, will pass ovl_permission() check and be allowed to read from readdir cache. This specific problem can be solved in several ways - disable readdir cache with override_cred=3Doff, check all layers in ovl_permission(). That's not my point. My point is that I provided a proof that the current model of override_cred=3Doff is flawed and it is up to the authors of the patch to fix the model and provide the analysis of overlayfs code to prove the model's correctness. The core of the matter is there is no easy way to "merge" the permissions from all layers into a single permission blob that could be checked once. Maybe the example I gave is the only flaw in the model, maybe not I am not sure. I will be happy to help you in review of a model and the solution that you may have found. Thanks, Amir.