Re: [PATCH v9 00/15] overlayfs: Delayed copy up of data

public inbox for linux-unionfs@vger.kernel.org
 help / color / mirror / Atom feed

From: Vivek Goyal <vgoyal@redhat.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: Amir Goldstein <amir73il@gmail.com>,
	overlayfs <linux-unionfs@vger.kernel.org>
Subject: Re: [PATCH v9 00/15] overlayfs: Delayed copy up of data
Date: Wed, 10 Jan 2018 11:30:30 -0500	[thread overview]
Message-ID: <20180110163030.GE8999@redhat.com> (raw)
In-Reply-To: <CAJfpegvG772bKuzg=AEv8oOByVuixLjjfuTPA0mCX+8OB4Wwcg@mail.gmail.com>

On Wed, Jan 10, 2018 at 05:03:07PM +0100, Miklos Szeredi wrote:
> On Wed, Jan 10, 2018 at 4:54 PM, Amir Goldstein <amir73il@gmail.com> wrote:
> > On Wed, Jan 10, 2018 at 5:47 PM, Vivek Goyal <vgoyal@redhat.com> wrote:
> >> On Wed, Jan 10, 2018 at 04:38:22PM +0100, Miklos Szeredi wrote:
> >>> On Wed, Jan 10, 2018 at 4:27 PM, Vivek Goyal <vgoyal@redhat.com> wrote:
> >>> > On Wed, Jan 10, 2018 at 05:10:22PM +0200, Amir Goldstein wrote:
> >>> >
> > [...]
> >>> >>
> >>> >> It is exactly as you wrote. Not any less or any more of a security concern
> >>> >> than a hand crafted redirect_dir. The only difference is that without
> >>> >> metacopy=on and without redirect_dir=origin, the only implication of
> >>> >> following an hand crafted origin would be to get a different st_dev/st_ino
> >>> >> and for example, to fake that 2 files/dirs are the same while one is actually
> >>> >> a rootkit/malware. So not that easy to exploit in current upstream.
> >>> >
> >>> > Right. Currently we seem to be using origin only for st_dev/st_ino so
> >>> > no big impact. "metadata only copyup" is first feature which will make
> >>> > data of lower file available using ORIGIN. So anymore features we add
> >>> > using ORIGIN, we will have to be extra careful. Atleast make it
> >>> > conditional on a mount option and document that using this mount option
> >>> > on untrusted layer source can lead to privilege escalation.
> >>>
> >>> One more reason to use redirect, rather than origin.   Redirect at
> >>> least constrains things to inside the overlay, while following origin
> >>> can lead to anywhere within the filesystem.
> >>>
> >>> The other reason is backup+restore not breaking.
> >>
> >> Agreed. Looks like using REDIRECT instead of ORIGIN is more appealing. I
> >> will give it a try and see what issues do I run into.
> >>
> >
> > As long as we are listing the pros and cons, REDIRECT is limited by path length
> > and a non-secure decode of non-dir ORIGIN is much faster then following all
> > potential parent redirects.
> 
> True.
> 
> So there may be use case for following ORIGIN, but it should be
> optional and the security and other implications clearly spelled out
> in the doc.

Hmm..., So does that mean we should create both REDIRCT and ORIGIN
during metadata copyup and use ORIGIN if available otherwise fallback
to slower REDIRECT. 

Or something else.

Vivek

next prev parent reply	other threads:[~2018-01-10 16:30 UTC|newest]

Thread overview: 48+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-11-29 15:54 [PATCH v9 00/15] overlayfs: Delayed copy up of data Vivek Goyal
2017-11-29 15:54 ` [PATCH v9 01/15] ovl: Do not look for OVL_XATTR_NLINK if index is not there Vivek Goyal
2017-11-29 17:04   ` Amir Goldstein
2017-11-29 15:54 ` [PATCH v9 02/15] ovl: disable redirect_dir and index when no xattr support Vivek Goyal
2017-11-29 15:54 ` [PATCH v9 03/15] ovl: ovl_check_setxattr() get rid of redundant -EOPNOTSUPP check Vivek Goyal
2017-11-29 15:54 ` [PATCH v9 04/15] ovl: Create origin xattr on copy up for all files Vivek Goyal
2018-01-08 10:16   ` Miklos Szeredi
2018-01-08 11:18     ` Amir Goldstein
2018-01-08 15:58       ` Vivek Goyal
2017-11-29 15:54 ` [PATCH v9 05/15] ovl: Provide a mount option metacopy=on/off for metadata copyup Vivek Goyal
2017-11-29 15:54 ` [PATCH v9 06/15] ovl: During copy up, first copy up metadata and then data Vivek Goyal
2017-11-29 15:54 ` [PATCH v9 07/15] ovl: Move the copy up helpers to copy_up.c Vivek Goyal
2017-11-29 15:54 ` [PATCH v9 08/15] ovl: Copy up only metadata during copy up where it makes sense Vivek Goyal
2018-01-08 10:35   ` Miklos Szeredi
2018-01-08 17:03     ` Vivek Goyal
2018-01-09 10:49       ` Miklos Szeredi
2018-01-09 13:26         ` Vivek Goyal
2018-01-09 13:33           ` Amir Goldstein
2018-01-09 20:34             ` Vivek Goyal
2017-11-29 15:54 ` [PATCH v9 09/15] ovl: Add helper ovl_already_copied_up() Vivek Goyal
2017-11-29 15:54 ` [PATCH v9 10/15] ovl: A new xattr OVL_XATTR_METACOPY for file on upper Vivek Goyal
2018-01-08 15:50   ` Miklos Szeredi
2018-01-08 16:17     ` Vivek Goyal
2018-01-08 16:21       ` Miklos Szeredi
2018-01-08 16:25         ` Miklos Szeredi
2017-11-29 15:54 ` [PATCH v9 11/15] ovl: Fix ovl_getattr() to get number of blocks from lower Vivek Goyal
2017-11-29 15:54 ` [PATCH v9 12/15] ovl: Set OVL_UPPERDATA flag during ovl_lookup() Vivek Goyal
2017-11-29 15:54 ` [PATCH v9 13/15] ovl: Do not expose metacopy only upper dentry from d_real() Vivek Goyal
2017-11-29 15:54 ` [PATCH v9 14/15] ovl: Fix encryption/compression status of a metacopy only file Vivek Goyal
2018-01-18 14:24   ` Vivek Goyal
2018-01-18 14:32     ` Amir Goldstein
2018-01-18 14:36       ` Vivek Goyal
2017-11-29 15:54 ` [PATCH v9 15/15] ovl: Enable metadata only feature Vivek Goyal
2018-01-06  7:38 ` [PATCH v9 00/15] overlayfs: Delayed copy up of data Amir Goldstein
2018-01-08 14:13   ` Vivek Goyal
2018-01-08 14:42     ` Amir Goldstein
2018-01-08 15:44       ` Vivek Goyal
2018-01-10 14:56       ` Vivek Goyal
2018-01-10 15:08         ` Miklos Szeredi
2018-01-10 15:23           ` Vivek Goyal
2018-01-10 15:10         ` Amir Goldstein
2018-01-10 15:27           ` Vivek Goyal
2018-01-10 15:38             ` Miklos Szeredi
2018-01-10 15:47               ` Vivek Goyal
2018-01-10 15:54                 ` Amir Goldstein
2018-01-10 16:03                   ` Miklos Szeredi
2018-01-10 16:30                     ` Vivek Goyal [this message]
2018-01-10 17:05                       ` Amir Goldstein

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180110163030.GE8999@redhat.com \
    --to=vgoyal@redhat.com \
    --cc=amir73il@gmail.com \
    --cc=linux-unionfs@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox