From: Randy Dunlap <rdunlap@infradead.org>
To: Mark Salyzyn <salyzyn@android.com>, linux-kernel@vger.kernel.org
Cc: Miklos Szeredi <miklos@szeredi.hu>,
Jonathan Corbet <corbet@lwn.net>, Vivek Goyal <vgoyal@redhat.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Amir Goldstein <amir73il@gmail.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
linux-unionfs@vger.kernel.org, linux-doc@vger.kernel.org
Subject: Re: [PATCH v5 3/3] overlayfs: override_creds=off option bypass creator_cred
Date: Tue, 28 Aug 2018 11:09:39 -0700 [thread overview]
Message-ID: <a8dc66c4-4761-4876-abd3-6dc135692404@infradead.org> (raw)
In-Reply-To: <20180828165336.211643-1-salyzyn@android.com>
On 08/28/2018 09:53 AM, Mark Salyzyn wrote:
> diff --git a/Documentation/filesystems/overlayfs.txt b/Documentation/filesystems/overlayfs.txt
> index 72615a2c0752..953e52971eb0 100644
> --- a/Documentation/filesystems/overlayfs.txt
> +++ b/Documentation/filesystems/overlayfs.txt
> @@ -106,6 +106,35 @@ Only the lists of names from directories are merged. Other content
> such as metadata and extended attributes are reported for the upper
> directory only. These attributes of the lower directory are hidden.
>
> +credentials
> +-----------
> +
> +By default, all access to the upper, lower and work directories is the
> +recorded mounter's MAC and DAC credentials. The incoming accesses are
> +checked against the caller's credentials.
> +
> +If the principles of least privilege are applied, the mounter's
> +credentials might not overlap the credentials of the caller's when
> +accessing the overlayfs filesystem. For example, a file that a lower
> +DAC privileged caller can execute, but is MAC denied to the
> +generally higher DAC privileged mounter, to prevent an attack vector
> +executing with the increased privileges of the mounter. One option is
> +to turn off override_creds in the mount options; all subsequent
> +operations after mount on the filesystem will be only the caller's
> +credentials. This option default is set in the CONFIG
> +OVERLAY_FS_OVERRIDE_CREDS or in the module option override_creds.
> +Fundamentally The mounter has privileges, its ability to execute,
the
but this entire sentence is jumbled and awkward and could use some work.
I tried to come up with something but I can't quite get what is intended here.
> +for example, files and grant them these higher privileges is to be
> +blocked except to lower privileged and appropriate callers. This
> +option turned off permits this kind of security policy.
> +
> +With override_creds turned off, several unintended side effects will
> +occur. The caller with a lower privilege will not be able to delete
> +files or directories, create nodes, or search some directories. The
> +uneven security model where upperdir and workdir are opened at
> +privilege, but accessed without, should only be used with strict
> +understanding of the side effects and of the security policies.
> +
> whiteouts and opaque directories
> --------------------------------
--
~Randy
next prev parent reply other threads:[~2018-08-28 18:09 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-28 16:53 [PATCH v5 3/3] overlayfs: override_creds=off option bypass creator_cred Mark Salyzyn
2018-08-28 18:09 ` Randy Dunlap [this message]
2018-08-28 21:20 ` Amir Goldstein
2018-08-28 21:32 ` Amir Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a8dc66c4-4761-4876-abd3-6dc135692404@infradead.org \
--to=rdunlap@infradead.org \
--cc=amir73il@gmail.com \
--cc=corbet@lwn.net \
--cc=ebiederm@xmission.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=salyzyn@android.com \
--cc=sds@tycho.nsa.gov \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).