Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp3520457ybg;
        Mon, 28 Oct 2019 14:15:29 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwguNAIxAzgXch9PAq33RLweaAwOtWwUfVK2M1t7O1n+wobOd+FRixZdP0oTVh3Cku2ka6S
X-Received: by 2002:aa7:cd11:: with SMTP id b17mr21458205edw.144.1572297328909;
        Mon, 28 Oct 2019 14:15:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1572297328; cv=none;
        d=google.com; s=arc-20160816;
        b=l+ybqdhA54oduhJdvD5+e8UO2XUDLWmkTH3p/8TYUyeHCRI4Z28GvNS+f4YTR7RvXo
         rhOGlJIBsbm2IaiEbBJvrDcWKVP9H3vCu6te13CdYrIyeWBtngtLIdLwk0E2bgj8Oql2
         nIywcgt/Rr9HVztwE/rq2U+ivlWn/xi3JEjtlIURbt4qQhJtbGYEGVsJRjnJl5K9bfP6
         ZFb2RMDArOFuJFvVOEWw3qye9u/zuChejrUe/fmRBANvsC750nSy7Oi8UwcE/8NHaEDw
         CVRnOuIBk8oX1D6Ju2tdkitn+/MVvJ1+8tTyvwzFZIVZrspqVsyyXtyJmeV0Qy0mmtfD
         scXA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=Jb2PmBE+G4VOQltXF/CiZsV51E2dYw6xpdBbGD8qE/o=;
        b=Qjn3VqCY1WKe3hXTV4eBAGeCb5//kBypVkrj4xtceFZQJZg1n7gAXlKSz3G7sgTpMd
         NEdFQbAVL3sa02LGql4Aw+RoIB8yDmbCbJcy86HZzhpjvGOFRT69+eK0fp3GD1DgUiFP
         bTtby5iAhPMgDP42qUi6O0CTAoCDZIFXhxmNdO3yiQSZgaw6OcunuUQsg2HlZgnr7wBc
         pmMJ6dztwwYHDST1SXVjuKX61HVwkgDa3+EtWxdWtUEnIpOwi7hH8/z4EFi8PQVLPfBh
         Ns3v3Hc+NJ2blZ+tR+v3nNNaVbY6zSYFWjjdQcYDwULGXpmRHU7lf+TQrIgIMA/bRi3r
         nCug==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org
Return-Path: <linux-nfs-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p9si8354046edc.96.2019.10.28.14.15.04;
        Mon, 28 Oct 2019 14:15:28 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732512AbfJ1Q1S (ORCPT <rfc822;suyanjun218@gmail.com>
        + 99 others); Mon, 28 Oct 2019 12:27:18 -0400
Received: from fieldses.org ([173.255.197.46]:34636 "EHLO fieldses.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1732424AbfJ1Q1S (ORCPT <rfc822;linux-nfs@vger.kernel.org>);
        Mon, 28 Oct 2019 12:27:18 -0400
Received: by fieldses.org (Postfix, from userid 2815)
        id E2C0F1510; Mon, 28 Oct 2019 12:27:17 -0400 (EDT)
Date:   Mon, 28 Oct 2019 12:27:17 -0400
From:   "J. Bruce Fields" <bfields@fieldses.org>
To:     Amir Goldstein <amir73il@gmail.com>
Cc:     Miklos Szeredi <miklos@szeredi.hu>,
        Mark Salyzyn <salyzyn@android.com>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        kernel-team@android.com, Jonathan Corbet <corbet@lwn.net>,
        Vivek Goyal <vgoyal@redhat.com>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        Randy Dunlap <rdunlap@infradead.org>,
        Stephen Smalley <sds@tycho.nsa.gov>,
        overlayfs <linux-unionfs@vger.kernel.org>,
        linux-doc@vger.kernel.org,
        Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
        Jeff Layton <jlayton@kernel.org>
Subject: Re: [PATCH v14 2/5] overlayfs: check CAP_DAC_READ_SEARCH before
 issuing exportfs_decode_fh
Message-ID: <20191028162717.GB5339@fieldses.org>
References: <20191022204453.97058-1-salyzyn@android.com>
 <20191022204453.97058-3-salyzyn@android.com>
 <CAJfpegsCzwXF5fD1oA+XMrPQ7u8URsXRGOOHkB=ON7fLnd_gFQ@mail.gmail.com>
 <CAOQ4uxh_K=p7z+qbkjSf_+hhVsw9xBuNc61dYnpkHFVUfxJaCw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAOQ4uxh_K=p7z+qbkjSf_+hhVsw9xBuNc61dYnpkHFVUfxJaCw@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-nfs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org

On Sun, Oct 27, 2019 at 09:24:52AM +0200, Amir Goldstein wrote:
> Well, it's not that simple (TM).
> If you are considering unprivileged overlay mounts, then this should be
> ns_capable() check, even though open_by_handle_at(2) does not
> currently allow userspace nfsd to decode file handles.
> 
> Unlike open_by_handle_at(2), overlayfs (currently) never exposes file
> data via decoded origin fh. AFAIK, it only exposes the origin st_ino
> st_dev and some nlink related accounting.
> 
> I have been trying to understand from code if nfsd exports are allowed
> from non privileged containers and couldn't figure it out (?).
> If non privileged container is allowed to export nosubtreecheck export
> then non privileged container root can already decode file handles...

I don't see any special checks in nfsctl_transaction_write() or
write_threads().  I guess it's just depending on the (0600) file
permissions.  I'm vague on how file permissions work in containers.

The issue with filehandles is that they allow you to bypass directory
lookup permissions.  Keeping a file private by denying permission to
look it up doesn't sound like a good idea to me, honestly, but it does
work on local posix filesystems, so we don't want to break that.

Filehandles are generally pretty easy to guess, and can't be revoked, so
we're more worried about using them (with open_by_handle_at()) than
reading them (with name_to_handle_at()), but we try to prevent the
latter as well.

--b.