Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp765602pxp; Fri, 11 Mar 2022 14:32:37 -0800 (PST) X-Google-Smtp-Source: ABdhPJwyS4cdx/Eo/AR9+1miKV6EzU8GQ3SouNhUyj+RwZbn1FXESfgJX5Fwf0PBa8FtHXndp5uv X-Received: by 2002:a63:874a:0:b0:37c:7fb0:9600 with SMTP id i71-20020a63874a000000b0037c7fb09600mr10360596pge.424.1647037957316; Fri, 11 Mar 2022 14:32:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1647037957; cv=none; d=google.com; s=arc-20160816; b=y6ES4933KNujyPhRkIlbPHu24aVQJiCn35ncG6xgSI+/CBbyO9hUz7rNl8r2vOkmFZ r/3wa2VlMW+NhfkjQfMFa3uQvEBBFEsH+QPnoXPXo5XpNOHAxGv0bayFcAhTDGwEu6l8 e4z/C99aXV0NzUFzF1D/fknx7JSJM6k993fXiIv40c8F1PY1oiKjVrxFLihHSX+WRbTC tQ0iyahqprZcwTZfuClocOpXx3lJayHS3qLfqaI6bp+UFeN8ivb9MAIhki2GLVfd7zKe g53Z2gDDSXruzBfzIxLR9NBE0Qj1cya3qTKgrOj4HCQzzx05ZDn3k1+8arUKYgjZMq6W gGZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=I+nWv4ywDxtdW2kAMKWAd/9h8AiRGVEXkvqyetpKnWc=; b=R/l5cGdaRvMLJzl5nAHdH9OYdgMIFcHyDrE8gzsYhOYYrhnufVdsy+asx/pfN1k1ZP zQh0nvm70r/MLN6Wisy8NyRyhNuUwa0QgZNHISYHxNcYHykvi8NaUbfeYpbRhdDpUT/3 rWjv+Imhb885NC9EffE3Sik0psUOGjv++tfPJOay9XgXcRoR79nJTq8fbuRkfTrZPqbi TvqZHyY2gT5xAOlXanxxROFaFh3SlXnNiScSHaBYsWnLrjSewBx/aDvQctdtD7a6Ynqa vrNFwZjIRX8x3Jrix1d9gp+oRHFAtJqE3cCs2nDhgEGf0TCIKChOqDv5tve830sU9qOP RNlA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Tq1z9Srz; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id bj23-20020a056a02019700b003806fb452d8si9012501pgb.721.2022.03.11.14.32.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 11 Mar 2022 14:32:37 -0800 (PST) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Tq1z9Srz; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 4DBA319454F; Fri, 11 Mar 2022 13:38:39 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1349028AbiCKOCn (ORCPT + 99 others); Fri, 11 Mar 2022 09:02:43 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34682 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238102AbiCKOCl (ORCPT ); Fri, 11 Mar 2022 09:02:41 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 802321C57D0 for ; Fri, 11 Mar 2022 06:01:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1647007297; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=I+nWv4ywDxtdW2kAMKWAd/9h8AiRGVEXkvqyetpKnWc=; b=Tq1z9Srzf6uzlrAUXqGZiT9bTfdi2YP+szhWq24H0sGNXeMb81xeATYDs5AZf32eS8ZoSu r9LUA50/oedaSunzte3Qb5BC8+q6kdB14H7FGbCRUL36C2DGGXlEGZh1uvNgZzOHQzU58o V/iZwrWtvgtPThsXF7C3qKePY9F8Ty4= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-669-sly5me0lPe6uMFhCLHqmOA-1; Fri, 11 Mar 2022 09:01:36 -0500 X-MC-Unique: sly5me0lPe6uMFhCLHqmOA-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id C64741854E21; Fri, 11 Mar 2022 14:01:31 +0000 (UTC) Received: from horse.redhat.com (unknown [10.22.16.83]) by smtp.corp.redhat.com (Postfix) with ESMTP id 06A257AD1B; Fri, 11 Mar 2022 14:01:30 +0000 (UTC) Received: by horse.redhat.com (Postfix, from userid 10451) id 58049223A46; Fri, 11 Mar 2022 09:01:30 -0500 (EST) Date: Fri, 11 Mar 2022 09:01:30 -0500 From: Vivek Goyal To: Amir Goldstein Cc: Paul Moore , Miklos Szeredi , David Anderson , Mark Salyzyn , Jonathan Corbet , "Eric W . Biederman" , Randy Dunlap , Stephen Smalley , John Stultz , linux-doc@vger.kernel.org, linux-kernel , linux-fsdevel , overlayfs , LSM List , kernel-team , selinux@vger.kernel.org, paulmoore@microsoft.com, luca.boccassi@microsoft.com Subject: Re: [PATCH v19 0/4] overlayfs override_creds=off & nested get xattr fix Message-ID: References: <20211117015806.2192263-1-dvander@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 11, 2022 at 06:09:56AM +0200, Amir Goldstein wrote: > On Fri, Mar 11, 2022 at 12:11 AM Paul Moore wrote: > > > > On Wed, Mar 9, 2022 at 4:13 PM Paul Moore wrote: > > > On Tue, Mar 1, 2022 at 12:05 AM David Anderson wrote: > > > > On Mon, Feb 28, 2022 at 5:09 PM Paul Moore wrote: > > > > ... > > > > > >> This patchset may not have been The Answer, but surely there is > > > >> something we can do to support this use-case. > > > > > > > > Yup exactly, and we still need patches 3 & 4 to deal with this. My current plan is to try and rework our sepolicy (we have some ideas on how it could be made compatible with how overlayfs works). If that doesn't pan out we'll revisit these patches and think harder about how to deal with the coherency issues. > > > > > > Can you elaborate a bit more on the coherency issues? Is this the dir > > > cache issue that is alluded to in the patchset? Anything else that > > > has come up on review? > > > > > > Before I start looking at the dir cache in any detail, did you have > > > any thoughts on how to resolve the problems that have arisen? > > > > David, Vivek, Amir, Miklos, or anyone for that matter, can you please > > go into more detail on the cache issues? I *think* I may have found a > > potential solution for an issue that could arise when the credential > > override is not in place, but I'm not certain it's the only issue :) > > > > Hi Paul, > > In this thread I claimed that the authors of the patches did not present > a security model for overlayfs, such as the one currently in overlayfs.rst. > If we had a model we could have debated its correctness and review its > implementation. Agreed. After going through the patch set, I was wondering what's the overall security model and how to visualize that. So probably there needs to be a documentation patch which explains what's the new security model and how does it work. Also think both in terms of DAC and MAC. (Instead of just focussing too hard on SELinux). My understanding is that in current model, some of the overlayfs operations require priviliges. So mounter is supposed to be priviliged and does the operation on underlying layers. Now in this new model, there will be two levels of check. Both overlay level and underlying layer checks will happen in the context of task which is doing the operation. So first of all, all tasks will need to have enough priviliges to be able to perform various operations on lower layer. If we do checks at both the levels in with the creds of calling task, I guess that probably is fine. (But will require a closer code inspection to make sure there is no privilege escalation both for mounter as well calling task). > > As a proof that there is no solid model, I gave an *example* regarding > the overlay readdir cache. > > When listing a merged dir, meaning, a directory containing entries from > several overlay layers, ovl_permission() is called to check user's permission, > but ovl_permission() does not currently check permissions to read all layers, > because that is not the current overlayfs model. > > Overlayfs has a readdir cache, so without override_cred, a user with high > credentials can populate the readdir cache and then a user will fewer > credentials, not enough to access the lower layers, but enough to access > the upper most layer, will pass ovl_permission() check and be allowed to > read from readdir cache. I am not very familiar with dir caching code. When I read through the overlayfs.rst, it gave the impression that caching is per "struct file". "This merged name list is cached in the 'struct file' and so remains as long as the file is kept open." And I was wondering if that's the case, then one user should not be able to access the cache built by another priviliged user (until and unless privileged user passed fd). But looks like we build this cache and store in ovl inode and that's why this issue of cache built by higher privileged process will be accessible to lower privileged process. With current model this is not an issue because "mounter" is providing those privileges to unprivileged process. So while unprivileged process can't do "readdir" on an underlying lower dir, it might still be able to do that through an overlay mount. But if we don't switch to mounter's creds, then we probably can't rely on this dir caching. Agreed that disabling dir caching seems simplest solution if we were to do override_creds=off. Thanks Vivek > > This specific problem can be solved in several ways - disable readdir > cache with override_cred=off, check all layers in ovl_permission(). > That's not my point. My point is that I provided a proof that the current > model of override_cred=off is flawed and it is up to the authors of the > patch to fix the model and provide the analysis of overlayfs code to > prove the model's correctness. > > The core of the matter is there is no easy way to "merge" the permissions > from all layers into a single permission blob that could be checked once. > > Maybe the example I gave is the only flaw in the model, maybe not > I am not sure. I will be happy to help you in review of a model and the > solution that you may have found. > > Thanks, > Amir. >