From: Mengchi Cheng <mengcc@amazon.com>
To: <casey@schaufler-ca.com>
Cc: <kamatam@amazon.com>, <linux-security-module@vger.kernel.org>,
<linux-unionfs@vger.kernel.org>, <mengcc@amazon.com>,
<miklos@szeredi.hu>, <yoonjaeh@amazon.com>,
<roberto.sassu@huaweicloud.com>
Subject: Re: Transmute flag is not inheritted on overlay fs
Date: Wed, 19 Apr 2023 16:24:39 -0700
Message-ID: <20230419232439.883241-1-mengcc@amazon.com>
In-Reply-To: <7d5c10b6-68da-dea9-b460-1427b17250b5@schaufler-ca.com>
On Wed, 2023-04-19 02:09:37 +0000, Casey Schaufler wrote:
>
> On 4/18/2023 5:23 PM, Mengchi Cheng wrote:
> > Hello,
> >
> > On the overlay ext4 file system, we found that the transmute flag is not
> > inherited by newly created sub-directories. The issue can be recreated on
> > the newest kernel (6.3.0-rc6) on qemux86-64 with the following steps.
> >
> > The /data directory is mounted on /dev/vdb, which is an ext4 fs. It is remounted
> > as an overlay with upperdir /home/root/data.
> > # mount -t overlay overlay -o lowerdir=/data,upperdir=/home/root/data,workdir=/home/root/data_work /data
> > Add a new Smack rule and set the label and flag on the /data directory.
> > # echo "_ system rwxatl" > /sys/fs/smackfs/load2
> > # chsmack -a "system" /data
> > # chsmack -t /data
> > Create directories under /data.
> > # mkdir -p /data/dir1/dir2
> > Then check the Smack label of dir1 and dir2.
> > # chsmack /data/dir1
> > /data/dir1 access="system"
> > # chsmack /data/dir1/dir2
> > /data/dir1/dir2 access="_"
> > We can see that dir1 did not inherit the transmute flag from /data and dir2 got
> > the process label.
> >
> > The transmute xattr of the inode is set inside smack_d_instantiate, which
> > depends on the SMK_INODE_CHANGED bit of isp->smk_flags. But the bit is
> > not set in the overlay fs mkdir function call chain. So one simple solution
> > we have is to pass the inode pointer into smack_dentry_create_files_as and set
> > the SMK_INODE_CHANGED bit if the parent dir is transmuting. Although it looks
> > reasonable to me and we did not meet any issue in testing, I am not sure if
> > there is a better solution. It would be great if experts could take
> > a look.
>
> I will be happy to look at your solution. Please post a patch.
>
Sorry, it took me a while to review and send out the patch.
It touches a few files because it breaks the kernel API, but the core is only
the change in smack_dentry_create_files_as.
If Roberto's patch works, we can drop it. I posted my concern in that
thread:
https://lore.kernel.org/all/20230419192516.757220-1-mengcc@amazon.com/
> >
> >
> > Thanks,
> > Mengchi Cheng
> >
>
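The decision path described in the quoted report (smack_dentry_create_files_as overriding the creating task's label, smack_inode_init_security choosing the new inode's label and setting SMK_INODE_CHANGED, smack_d_instantiate turning that bit into the transmute xattr) can be walked through in a small userspace model. The block below is an added illustration written for this thread, not kernel code and not the patch under discussion: the function and flag names are simplified stand-ins for the kernel's, the flag values and the one-entry rule table are constructed to match the report's "_ system rwxatl" rule, and the `fix` switch models only what the report proposes (marking the new inode SMK_INODE_CHANGED from the parent's transmute state), not any merged change.

```c
/*
 * Userspace model of how Smack picks the label and transmute flag of a new
 * directory. Added illustration for this thread, NOT kernel code. Names are
 * simplified stand-ins for smk_access_entry(), smack_dentry_create_files_as(),
 * smack_inode_init_security() and smack_d_instantiate(); flag values and the
 * rule table are constructed for the model.
 */
#include <stdio.h>
#include <string.h>

#define MAY_TRANSMUTE        0x10   /* the 't' in a rule's access string (model value) */
#define SMK_INODE_CHANGED    0x01   /* label was transmuted when the inode was created */
#define SMK_INODE_TRANSMUTE  0x02   /* directory carries the transmute xattr */

struct rule { const char *subject, *object; int access; };

/* Constructed rule table: the single rule loaded in the report, "_ system rwxatl". */
static const struct rule rules[] = { { "_", "system", 0x0f | MAY_TRANSMUTE } };

struct inode { const char *label; int flags; int is_dir; };

/* Like smk_access_entry(): explicit rules only, no implicit subject==object access. */
static int access_entry(const char *subject, const char *object)
{
    size_t i;
    for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
        if (!strcmp(rules[i].subject, subject) && !strcmp(rules[i].object, object))
            return rules[i].access;
    return -1;                              /* -ENOENT in the kernel */
}

static int transmutable(const struct inode *dir)
{
    return dir->is_dir && (dir->flags & SMK_INODE_TRANSMUTE);
}

/*
 * Like smack_dentry_create_files_as(), which overlayfs calls before creating
 * the upper object: returns the label the overridden creds will carry. With
 * fix != 0 it also models the report's proposal: mark the new inode
 * SMK_INODE_CHANGED when the parent transmutes and the rule allows it.
 */
static const char *create_files_as(const char *task, const struct inode *parent,
                                   struct inode *new, int fix)
{
    if (transmutable(parent)) {
        int may = access_entry(task, parent->label);
        if (may > 0 && (may & MAY_TRANSMUTE)) {
            if (fix)
                new->flags |= SMK_INODE_CHANGED;
            return parent->label;
        }
    }
    return task;
}

/* Like smack_inode_init_security(): the subject is the creating cred's label. */
static void inode_init_security(struct inode *new, const struct inode *dir,
                                const char *cred_label)
{
    int may = access_entry(cred_label, dir->label);
    new->label = cred_label;
    if (may > 0 && (may & MAY_TRANSMUTE) && transmutable(dir)) {
        new->label = dir->label;
        new->flags |= SMK_INODE_CHANGED;
    }
}

/* Like smack_d_instantiate(): a CHANGED directory gets the transmute xattr. */
static void d_instantiate(struct inode *in)
{
    if (in->is_dir && (in->flags & SMK_INODE_CHANGED)) {
        in->flags &= ~SMK_INODE_CHANGED;
        in->flags |= SMK_INODE_TRANSMUTE;
    }
}

/* mkdir as Smack sees it: overlayfs overrides creds first, plain ext4 does not. */
static void do_mkdir(const char *task, const struct inode *parent,
                     struct inode *out, int overlay, int fix)
{
    const char *cred = task;
    memset(out, 0, sizeof(*out));
    out->is_dir = 1;
    if (overlay)
        cred = create_files_as(task, parent, out, fix);
    inode_init_security(out, parent, cred);
    d_instantiate(out);
}

struct result { const char *dir1; int dir1_t; const char *dir2; int dir2_t; };

/* The report's steps: /data labelled "system" with transmute, task "_", mkdir -p dir1/dir2. */
struct result reproduce(int overlay, int fix)
{
    struct inode data = { "system", SMK_INODE_TRANSMUTE, 1 }, dir1, dir2;
    struct result r;
    do_mkdir("_", &data, &dir1, overlay, fix);
    do_mkdir("_", &dir1, &dir2, overlay, fix);
    r.dir1 = dir1.label; r.dir1_t = !!(dir1.flags & SMK_INODE_TRANSMUTE);
    r.dir2 = dir2.label; r.dir2_t = !!(dir2.flags & SMK_INODE_TRANSMUTE);
    return r;
}

int main(void)
{
    int overlay, fix;
    for (overlay = 0; overlay < 2; overlay++)
        for (fix = 0; fix <= overlay; fix++) {
            struct result r = reproduce(overlay, fix);
            printf("%s%s: dir1=%s%s dir2=%s%s\n", overlay ? "overlay" : "ext4",
                   fix ? "+fix" : "", r.dir1, r.dir1_t ? "(t)" : "",
                   r.dir2, r.dir2_t ? "(t)" : "");
        }
    return 0;
}
```

On plain ext4 the model gives both directories the "system" label with transmute set. On the overlay path the overridden cred already carries "system", so the lookup in inode_init_security is for a "system system" rule that was never loaded, SMK_INODE_CHANGED stays clear, dir1 ends up "system" without the transmute xattr, and dir2 falls back to the process label "_": exactly the chsmack output in the report. The model ignores that on overlayfs the xattr actually lands on the upper inode, and says nothing about the alternative patch mentioned in this reply.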
Thread overview: 4+ messages
2023-04-19 0:23 Transmute flag is not inheritted on overlay fs Mengchi Cheng
2023-04-19 2:09 ` Casey Schaufler
2023-04-19 23:18 ` [RFC PATCH] Set SMK_INODE_CHANGED inside smack_dentry_create_files_as Mengchi Cheng
2023-04-19 23:24 ` Mengchi Cheng [this message]