From: Patrick Williams <patrick@stwcx.xyz>
To: Andrew Jeffery <andrew@aj.id.au>
Cc: "openbmc@lists.ozlabs.org" <openbmc@lists.ozlabs.org>,
Kun Zhao <zkxz@hotmail.com>
Subject: Re: overlayFS security concern
Date: Sat, 20 Feb 2021 10:50:24 -0600
Message-ID: <YDE90CWoSXCHjgYK@heinlein>
In-Reply-To: <3803c1a3-bee8-4e78-a23f-7e50858eda1a@beta.fastmail.com>

On Sat, Feb 20, 2021 at 11:46:08AM +1030, Andrew Jeffery wrote:
> On Sat, 20 Feb 2021, at 11:01, Kun Zhao wrote:
> > 2. don’t use overlayFS (but it’s really useful for debugging during
> > development, and configuration management)
>
> Possibly, but it's probably worth looking at IMA instead:

IMA (or similar) is likely a good option.

There is also work going on to remove 'root' from many users and
daemons so it should be harder to overwrite executables. If you
have root I'm pretty sure you can always subvert even something like
IMA.

A protection we could do which would make attacks slightly harder
than they are today would be to change how we mount OverlayFS. Right
now we mount it on top of root, but we could be more explicit about
mounting it only on top of places we expect to be read-write. `/etc`
and `/var` are the two that come to mind but I'm sure there are others.
This shouldn't be very difficult to implement for someone wanting to
take the initiative.

--
Patrick Williams
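
A way to check a running image against the mount layout proposed in the message above, as an added example that is not part of the original message and is not OpenBMC code: it reads a `/proc/mounts`-format table and reports every overlay mount whose mount point is outside an allowlist. The allowlist (`/etc` and `/var`, taken from the message), the device names and the `/mnt/...` paths in the sample tables are constructed assumptions.

```shell
#!/bin/sh
# Added example, not OpenBMC code. Paths in the sample tables are constructed.

ALLOWED="/etc /var"   # assumption: the only places expected to be read-write

# Read /proc/mounts-format lines on stdin. Print one line per overlay mount
# whose mount point is not in ALLOWED; return 1 if any were printed.
audit_overlay() {
    bad=0
    while read -r _dev mnt fstype opts _rest; do
        [ "$fstype" = "overlay" ] || continue
        case " $ALLOWED " in
            *" $mnt "*) continue ;;
        esac
        # upperdir is where writes made through this mount point actually land
        upper=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^upperdir=//p')
        echo "overlay on $mnt is outside the allowlist (upperdir=$upper)"
        bad=1
    done
    return "$bad"
}

# Constructed mount table: overlay stacked on the whole root filesystem.
sample_overlay_on_root() {
    cat <<'EOF'
/dev/mtdblock4 /mnt/ro squashfs ro,relatime 0 0
/dev/mtdblock5 /mnt/rw jffs2 rw,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/mnt/ro,upperdir=/mnt/rw/upper,workdir=/mnt/rw/work 0 0
EOF
}

# Constructed mount table: read-only root, overlay only on /etc and /var.
sample_overlay_scoped() {
    cat <<'EOF'
/dev/mtdblock4 / squashfs ro,relatime 0 0
/dev/mtdblock5 /mnt/rw jffs2 rw,relatime 0 0
overlay /etc overlay rw,relatime,lowerdir=/etc,upperdir=/mnt/rw/etc,workdir=/mnt/rw/etc-work 0 0
overlay /var overlay rw,relatime,lowerdir=/var,upperdir=/mnt/rw/var,workdir=/mnt/rw/var-work 0 0
EOF
}

sample_overlay_on_root | audit_overlay || true   # prints one finding for /
sample_overlay_scoped | audit_overlay && echo "scoped layout: no findings"
```

On a live system the same function can be fed the real table with `audit_overlay < /proc/mounts`, after extending `ALLOWED` with any other directories the image expects to be writable.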