From: Mark Salyzyn <salyzyn@android.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: linux-kernel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>,
Jonathan Corbet <corbet@lwn.net>,
linux-unionfs@vger.kernel.org, linux-doc@vger.kernel.org,
Daniel Walsh <dwalsh@redhat.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: overlayfs: caller_credentials option bypass creator_cred
Date: Mon, 18 Jun 2018 14:59:50 -0700 [thread overview]
Message-ID: <aecdeaca-74cf-54b1-3ea9-4751972074f5@android.com> (raw)
In-Reply-To: <20180618194345.GA15973@redhat.com>
On 06/18/2018 12:43 PM, Vivek Goyal wrote:
> Will it be acceptable to write security policies in such a way so that
> mounter has access as well.
Unfortunately No. Policy of minimizing attack surface for a contained
root service (init in this case). Just because it can mount, does not
mean it can modify critical content; an attacker could use this to open
a hole.
> Current model does assume that mounter has privileges on underlying files.
Only ones it appears to need is the workdir AFAIK, had to add ability to
create in the <wordir> xattr in order to enable r/w mounts later.
Although not all corners were tested, I did not see any copy_up issues
b/c the caller had the privs in the Android security model when mounted
with this new flag.
-- Mark
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Mark Salyzyn <salyzyn@android.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: linux-kernel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>,
Jonathan Corbet <corbet@lwn.net>,
linux-unionfs@vger.kernel.org, linux-doc@vger.kernel.org,
Daniel Walsh <dwalsh@redhat.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: overlayfs: caller_credentials option bypass creator_cred
Date: Mon, 18 Jun 2018 14:59:50 -0700 [thread overview]
Message-ID: <aecdeaca-74cf-54b1-3ea9-4751972074f5@android.com> (raw)
In-Reply-To: <20180618194345.GA15973@redhat.com>
On 06/18/2018 12:43 PM, Vivek Goyal wrote:
> Will it be acceptable to write security policies in such a way so that
> mounter has access as well.
Unfortunately No. Policy of minimizing attack surface for a contained
root service (init in this case). Just because it can mount, does not
mean it can modify critical content; an attacker could use this to open
a hole.
> Current model does assume that mounter has privileges on underlying files.
Only ones it appears to need is the workdir AFAIK, had to add ability to
create in the <wordir> xattr in order to enable r/w mounts later.
Although not all corners were tested, I did not see any copy_up issues
b/c the caller had the privs in the Android security model when mounted
with this new flag.
-- Mark
next prev parent reply other threads:[~2018-06-18 21:59 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-18 15:42 overlayfs: caller_credentials option bypass creator_cred Mark Salyzyn
2018-06-18 15:42 ` Mark Salyzyn
2018-06-18 18:54 ` Vivek Goyal
2018-06-18 18:54 ` Vivek Goyal
2018-06-18 19:18 ` Mark Salyzyn
2018-06-18 19:18 ` Mark Salyzyn
2018-06-18 19:43 ` Vivek Goyal
2018-06-18 19:43 ` Vivek Goyal
2018-06-18 21:59 ` Mark Salyzyn [this message]
2018-06-18 21:59 ` Mark Salyzyn
2018-06-19 14:36 ` Vivek Goyal
2018-06-19 14:36 ` Vivek Goyal
2018-06-20 15:28 ` Mark Salyzyn
2018-06-20 15:28 ` Mark Salyzyn
2018-06-18 18:57 ` kbuild test robot
2018-06-18 18:57 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aecdeaca-74cf-54b1-3ea9-4751972074f5@android.com \
--to=salyzyn@android.com \
--cc=corbet@lwn.net \
--cc=dwalsh@redhat.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=sds@tycho.nsa.gov \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.