Re: [PATCH v8 2/2] overlayfs: override_creds=off option bypass creator_cred

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Vivek Goyal <vgoyal@redhat.com>
To: Mark Salyzyn <salyzyn@android.com>
Cc: linux-kernel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>,
	Jonathan Corbet <corbet@lwn.net>,
	"Eric W . Biederman" <ebiederm@xmission.com>,
	Amir Goldstein <amir73il@gmail.com>,
	Randy Dunlap <rdunlap@infradead.org>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	linux-unionfs@vger.kernel.org, linux-doc@vger.kernel.org,
	kernel-team@android.com
Subject: Re: [PATCH v8 2/2] overlayfs: override_creds=off option bypass creator_cred
Date: Fri, 9 Nov 2018 10:20:41 -0500	[thread overview]
Message-ID: <20181109152041.GC28565@redhat.com> (raw)
In-Reply-To: <b057da99-adc6-b355-fb57-b314a29f298f@android.com>

On Thu, Nov 08, 2018 at 01:28:32PM -0800, Mark Salyzyn wrote:
> On 11/08/2018 12:01 PM, Vivek Goyal wrote:
> > On Tue, Nov 06, 2018 at 03:01:15PM -0800, Mark Salyzyn wrote:
> > > By default, all access to the upper, lower and work directories is the
> > > recorded mounter's MAC and DAC credentials.  The incoming accesses are
> > > checked against the caller's credentials.
> > Ok, I am trying to think of scenarios where override_creds=off can
> > provide any privilege escalation. How about following.
> > 
> > $ mkdir lower lower/foo upper upper/foo work merged
> > $ touch lower/foo/bar.txt
> > $ chmod 700 lower/foo/
> > 
> > # Mount overlay with override_creds=off
> > 
> > $ mount -t overlay -o
> > lowerdir=lower,upperdir=upper,workdir=work,override_creds=off none merged
> > 
> > # Try to read lower/foo as unpriviliged user. Say "test"
> > # su test
> > # ls merged/foo/
> > ls: cannot access 'merged/foo/': Operation not permitted
> > 
> > # Now first try to do same operation as root and retry as test user.
> > $ exit
> > $ ls merged/foo
> > bar.txt
> > $ su test
> > $ ls merged/foo
> > bar.txt
> > 
> > lower/foo/ is not readable by user "test". So it fails in first try. Later
> > "root" accesses it and it populates cache in overlayfs. When test retries,
> > it gets these entries from cache.
> > 
> > With override_creds=on this is not a problem because overlay provides
> > this as functionality as long as mounter as access to lower/foo/.
> > 
> > But with override_creds=off, mounter is not providing any such
> > functionality and we are exposing an issue where cache will make
> > something available which is not normally available.
> > 
> > I think it probably is a good idea to do something about it?
> > 
> > Thanks
> > Vivek
> > 
> Good stuff.
> 
> That sounds like a bug in cache (!) to not recheck caller's credentials.
> Currently unsure how/where to force bypass of the cache (performance hit) as
> it is wired in throughout the code without a clear off switch, or rechecking
> of the credentials at access. This does need to be addressed to make this
> 'feature' more useful/trusted for non-MAC controlled, use cases.

DAC is just an example. There is no reason same issue will not happen
with MAC? Proacess A with correct MAC priviliges will fill overlay
cache and process B without correct MAC priviliges will still be able
to get information about dentry.

As Amir suggested, for now documenting this probably is fine. I can't
think of any other good options either. May be Miklos has some ideas here.

Thanks
Vivek

next prev parent reply	other threads:[~2018-11-09 15:20 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-06 23:01 [PATCH v8 1/2] overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh Mark Salyzyn
2018-11-06 23:01 ` [PATCH v8 2/2] overlayfs: override_creds=off option bypass creator_cred Mark Salyzyn
2018-11-08 15:56   ` Vivek Goyal
2018-11-08 16:27     ` Mark Salyzyn
2018-11-08 20:01   ` Vivek Goyal
2018-11-08 21:28     ` Mark Salyzyn
2018-11-09  3:05       ` Amir Goldstein
2018-11-09 17:32         ` Mark Salyzyn
2018-11-10  7:51           ` Amir Goldstein
2018-11-12 18:15             ` Mark Salyzyn
2018-11-09 15:20       ` Vivek Goyal [this message]
2018-11-14 22:00   ` Vivek Goyal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181109152041.GC28565@redhat.com \
    --to=vgoyal@redhat.com \
    --cc=amir73il@gmail.com \
    --cc=corbet@lwn.net \
    --cc=ebiederm@xmission.com \
    --cc=kernel-team@android.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-unionfs@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    --cc=rdunlap@infradead.org \
    --cc=salyzyn@android.com \
    --cc=sds@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.