From: vgoyal@redhat.com (Vivek Goyal)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v2 22/35] vfs: don't open real
Date: Tue, 15 May 2018 16:42:10 -0400
Message-ID: <20180515204210.GA26411@redhat.com>
In-Reply-To: <20180514135803.GA2777@redhat.com>
On Mon, May 14, 2018 at 09:58:03AM -0400, Vivek Goyal wrote:
[..]
> Talked to Dan and he mentioned that he was trying to test entrypoint
> failure (and not exec failure) and that's why he might have allowed exec
> to mounter.
>
> I think that current entrypoint test's expectations are wrong.
> User process sees overlay inode label which is rwx_t and that means
> overlay layer will allow entrypoint into that executable. This will be the
> behavior on a normal file system where underlying file's label will be
> completely overridden by context=.
>
> So in my opinion, we should modify testsuite and not run this test with
> context= mounts.
Miklos, now a fix has been merged to the tests so that the test passes both with
current kernels and proposed changes.
https://github.com/SELinuxProject/selinux-testsuite/pull/36
Thanks Dan Walsh, Stephen Smalley and Paul Moore.
Vivek