From: Mengchi Cheng <mengcc@amazon.com>
To: <miklos@szeredi.hu>, <casey@schaufler-ca.com>
Cc: <linux-unionfs@vger.kernel.org>,
<linux-security-module@vger.kernel.org>, <kamatam@amazon.com>,
<yoonjaeh@amazon.com>
Subject: Transmute flag is not inherited on overlay fs
Date: Tue, 18 Apr 2023 17:23:38 -0700
Message-ID: <20230419002338.566487-1-mengcc@amazon.com>
Hello,
On the overlay ext4 file system, we found that the transmute flag is not
inherited by newly created sub-directories. The issue can be recreated on
the newest kernel (6.3.0-rc6) on qemux86-64 with the following steps.

The /data directory is mounted on /dev/vdb, which is an ext4 fs. It is remounted
as an overlay again with upperdir /home/root/data.
# mount -t overlay overlay -o lowerdir=/data,upperdir=/home/root/data,workdir=/home/root/data_work /data
Add a new smack rule and set label and flag to /data directory.
# echo "_ system rwxatl" > /sys/fs/smackfs/load2
# chsmack -a "system" /data
# chsmack -t /data
Create directories under /data.
# mkdir -p /data/dir1/dir2
And then check the smack label of dir1 and dir2.
# chsmack /data/dir1
/data/dir1 access="system"
# chsmack /data/dir1/dir2
/data/dir1/dir2 access="_"
We can see that dir1 did not inherit the transmute flag from /data and dir2 got the
process label.
The transmute xattr of the inode is set inside smack_d_instantiate, which
depends on the SMK_INODE_CHANGED bit of isp->smk_flags. But the bit is
not set in the overlay fs mkdir function call chain. So one simple solution
we have is passing the inode ptr into smack_dentry_create_files_as and setting the
SMK_INODE_CHANGED bit if the parent dir is transmuting. Although it looks
reasonable to me and we did not meet any issue in testing, I am not sure if
there is a better solution to it. It would be great if experts could take
a look.
Thanks,
Mengchi Cheng
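As an added example (not part of the mail above or of the kernel's Smack code), the following POSIX shell functions encode the Smack inheritance rule the report relies on and compare it against chsmack output, so the reproduction can be turned into a pass/fail check: a directory created under a transmuting parent must carry the parent's label and the transmute flag, and otherwise it carries the creating process's label. It assumes chsmack prints lines of the form `/path access="label" transmute="TRUE"` (the transmute part only when the flag is set), that a rule granting the process 't' access on the parent label is loaded, and the function names are my own.

```shell
#!/bin/sh
# Added example; the helpers below are hypothetical, not part of smack-utils.

# Extract the access label from one chsmack output line.
smack_label() {
    printf '%s\n' "$1" | sed -n 's/.*access="\([^"]*\)".*/\1/p'
}

# Print TRUE if the chsmack line shows the transmute flag, else FALSE.
smack_transmute() {
    case "$1" in
        *'transmute="TRUE"'*) echo TRUE ;;
        *) echo FALSE ;;
    esac
}

# check_inheritance PARENT_LINE CHILD_LINE PROCESS_LABEL
# Returns 0 when the child directory matches the Smack rule: a child of a
# transmuting parent gets the parent's label and the transmute flag, a child
# of a non-transmuting parent gets the process label and no transmute flag.
# Returns 1 (and reports the difference on stderr) when inheritance failed.
check_inheritance() {
    parent_line=$1; child_line=$2; proc_label=$3
    if [ "$(smack_transmute "$parent_line")" = TRUE ]; then
        want_label=$(smack_label "$parent_line"); want_tr=TRUE
    else
        want_label=$proc_label; want_tr=FALSE
    fi
    got_label=$(smack_label "$child_line")
    got_tr=$(smack_transmute "$child_line")
    if [ "$got_label" = "$want_label" ] && [ "$got_tr" = "$want_tr" ]; then
        return 0
    fi
    child_path=$(printf '%s' "$child_line" | cut -d' ' -f1)
    echo "$child_path: expected access=\"$want_label\" transmute=$want_tr," \
         "got access=\"$got_label\" transmute=$got_tr" >&2
    return 1
}

# Live variant for an existing tree: read the creating process's own label
# from /proc and run chsmack on both directories (needs chsmack and Smack).
check_live() {
    parent=$1; child=$2
    proc_label=$(cat /proc/self/attr/current)
    check_inheritance "$(chsmack "$parent")" "$(chsmack "$child")" "$proc_label"
}
```

Run against the reproduction in the mail, `check_live /data /data/dir1` reports the missing transmute flag on dir1, which is exactly the symptom described.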