Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp801724pxp; Fri, 11 Mar 2022 15:31:43 -0800 (PST) X-Google-Smtp-Source: ABdhPJzXXotObfCJrwxQZslbVWKFVdkoXVM5q7icmIP2Ow07dGhdG5BrQKnZf5tNNqhkfE7U+ZGJ X-Received: by 2002:a63:7158:0:b0:37d:f96f:3c78 with SMTP id b24-20020a637158000000b0037df96f3c78mr10166301pgn.378.1647041503167; Fri, 11 Mar 2022 15:31:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1647041503; cv=none; d=google.com; s=arc-20160816; b=oNDX5PUcVQhLO+wBDcv8OQraLBvld8bpd3fyQHeOLAJvm7mzmZPRnJeitYjzIc19A5 4oWhLXOD9rrMN2BEg6JZZbgKu+rlgM0tD6cJbLrMvfEU3fnRKKo5AdyTMG+cOj8qI3Wi QvebBazAhO+ZoORXeJc45cNkcNStNBmRsbTrKM9bBqV50Qf8vV26z91o0iqPWfA+lSoj vig29cSGj1DuLP7jJi6BuVYgIrnEfcl5+gAdgupoVZFAUV2zhYoaQJpUSCw0fmTMfxXv E0ntjsmwG+EC63SHqFqJO16Ads8ZvA7S2WGbIyDjWvdN6GDvFtl+gayAnFdkUTA4p54K I91g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=1GNOH6IByfdma2vK0oN46OfXdE9F5N+dlrc1RJjEFIk=; b=NfMETDlc3u0GljCYgjxk1Hf/Zo/AtwCfl7knrW9VlG+E06avXGzStJPfQyhPpjSuFL cmqeB+OPr7uVI8O4Gna8+nPAM9PRbme5kKkXzlAT9y0AZJPrKJ30CSmfEM8NTXK9ou0R ZzxmKOmwR/z3SaM1+Kt/v10ufjobrv90t86RA8Izncha8DvakExZR2XR1N5x1W+JOy4Y G3yEYfS/Ok/9/4J1aibXlfNt2OD+3HYWulvXOD0zAOBbs+kpKr1DgrtG58HcXIAFP1Bj BmWQ99wL+TI/x9z6QDbuWFC6OjAuC1FNvmd8uMD2CSmenGW2zcubdVkpFX1ZafStoRhn oyKg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=RjeIvEgA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id q3-20020a632a03000000b0038077f652b0si8974539pgq.815.2022.03.11.15.31.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 11 Mar 2022 15:31:43 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=RjeIvEgA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 581253D2323; Fri, 11 Mar 2022 14:18:22 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230505AbiCKUyY (ORCPT + 99 others); Fri, 11 Mar 2022 15:54:24 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56828 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230324AbiCKUyT (ORCPT ); Fri, 11 Mar 2022 15:54:19 -0500 Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D8B0A1D6C9D for ; Fri, 11 Mar 2022 12:53:08 -0800 (PST) Received: by mail-ed1-x52e.google.com with SMTP id r29so3139430edc.0 for ; Fri, 11 Mar 2022 12:53:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1GNOH6IByfdma2vK0oN46OfXdE9F5N+dlrc1RJjEFIk=; b=RjeIvEgAZemAjh7MW5o+VKfWDPmEow0ENexq1P+K144S2pVSqDjee0cdc4oZOCqpUn owc6GknawkgmT4HhECQzAJruWMy4OX5wgfWGvHcgiqL4Qn6FKSh6eGCkSDNwOO3qdYGB TVWBvbiYnMqIZynJcRgG7j1ULCqToHZ8s7RStTM0nXC2XpGJcy0gpFg/MzsARoANMg+r k9zcJafb990WHJIKgVy/EKpW/Qcr4zOM3f5frffwcfKqHDShTtlEF/JkKxeslfOPaUpd 8IjkL0X9Q8vwC5RBPVsVuob5Sx7UFW+kiv5dty0Da0xaxC8eAlrZfes2eJXxABHjCXT0 KBLw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1GNOH6IByfdma2vK0oN46OfXdE9F5N+dlrc1RJjEFIk=; b=X3YtkuqcjAx8vF/yLCyzTL566MoPEQxJGV3pQzOpmg6aZllFwDj9+QF3fBZ03sMcco vHXwW18O/FtU/n/Wyw42PrvtCVD3N42QpEv0EgpJCOZ7so0zYUGuZqYyQ6DHu1KxoCsd DckBBICSN+DySRvbWNnVDzL66+J7/XrNAEPWay23+g6t2iyvzFoZxrkGsazTfuj73ASy Zm51h3yp4PijkviXOP8T2CDvu6T8nL+95eBLB0AgBwyliOVMM3uUFyNdXqM3VLzKcLbm iPzgxwb1WkLmNKcrm83vtwA9MfXaKgRSKdWY2a3MOlgGbfDCrXUNsdB4Hx6QRlWsA3X+ nRzg== X-Gm-Message-State: AOAM531ZRaMDA7bgE6oHS/ZacVBZvRet4kuUK9Go6/BjA7VoLo6k8t00 MnBKUQbhhEx70BJLmtA8xFCaf+3oZ1LeawI0wZyC X-Received: by 2002:aa7:d494:0:b0:415:a309:7815 with SMTP id b20-20020aa7d494000000b00415a3097815mr10502424edr.340.1647031985810; Fri, 11 Mar 2022 12:53:05 -0800 (PST) MIME-Version: 1.0 References: <20211117015806.2192263-1-dvander@google.com> In-Reply-To: From: Paul Moore Date: Fri, 11 Mar 2022 15:52:54 -0500 Message-ID: Subject: Re: [PATCH v19 0/4] overlayfs override_creds=off & nested get xattr fix To: Amir Goldstein , Vivek Goyal Cc: Miklos Szeredi , David Anderson , Mark Salyzyn , Jonathan Corbet , "Eric W . Biederman" , Randy Dunlap , Stephen Smalley , John Stultz , linux-doc@vger.kernel.org, linux-kernel , linux-fsdevel , overlayfs , LSM List , kernel-team , selinux@vger.kernel.org, paulmoore@microsoft.com, luca.boccassi@microsoft.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 11, 2022 at 9:01 AM Vivek Goyal wrote: > On Fri, Mar 11, 2022 at 06:09:56AM +0200, Amir Goldstein wrote: > > Hi Paul, Hi Amir, Vivek, Thanks for the replies, I think I now have a better understanding of the concerns which is starting to make the path forward a bit more clear. A few more comments below ... > > In this thread I claimed that the authors of the patches did not present > > a security model for overlayfs, such as the one currently in overlayfs.rst. > > If we had a model we could have debated its correctness and review its > > implementation. > > Agreed. After going through the patch set, I was wondering what's the > overall security model and how to visualize that. > > So probably there needs to be a documentation patch which explains > what's the new security model and how does it work. Yes, of course. I'll be sure to add a section to the existing docs. > Also think both in terms of DAC and MAC. (Instead of just focussing too > hard on SELinux). Definitely. Most of what I've been thinking about the past day or so has been how to properly handle some of the DAC/capability issues; I have yet to start playing with the code, but for the most part I think the MAC/SELinux bits are already working properly. > My understanding is that in current model, some of the overlayfs > operations require priviliges. So mounter is supposed to be priviliged > and does the operation on underlying layers. > > Now in this new model, there will be two levels of check. Both overlay > level and underlying layer checks will happen in the context of task > which is doing the operation. So first of all, all tasks will need > to have enough priviliges to be able to perform various operations > on lower layer. > > If we do checks at both the levels in with the creds of calling task, > I guess that probably is fine. (But will require a closer code inspection > to make sure there is no privilege escalation both for mounter as well > calling task). I have thoughts on this, but I don't think I'm yet in a position to debate this in depth just yet; I still need to finish poking around the code and playing with a few things :) It may take some time before I'm back with patches, but I appreciate all of the tips and insight - thank you! -- paul-moore.com