From: "J. Bruce Fields" <bfields@fieldses.org>
To: Amir Goldstein <amir73il@gmail.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
Mark Salyzyn <salyzyn@android.com>,
linux-kernel <linux-kernel@vger.kernel.org>,
kernel-team@android.com, Jonathan Corbet <corbet@lwn.net>,
Vivek Goyal <vgoyal@redhat.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Randy Dunlap <rdunlap@infradead.org>,
Stephen Smalley <sds@tycho.nsa.gov>,
overlayfs <linux-unionfs@vger.kernel.org>,
linux-doc@vger.kernel.org,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
Jeff Layton <jlayton@kernel.org>
Subject: Re: [PATCH v14 2/5] overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh
Date: Mon, 28 Oct 2019 12:27:17 -0400
Message-ID: <20191028162717.GB5339@fieldses.org>
In-Reply-To: <CAOQ4uxh_K=p7z+qbkjSf_+hhVsw9xBuNc61dYnpkHFVUfxJaCw@mail.gmail.com>
On Sun, Oct 27, 2019 at 09:24:52AM +0200, Amir Goldstein wrote:
> Well, it's not that simple (TM).
> If you are considering unprivileged overlay mounts, then this should be
> ns_capable() check, even though open_by_handle_at(2) does not
> currently allow userspace nfsd to decode file handles.
>
> Unlike open_by_handle_at(2), overlayfs (currently) never exposes file
> data via decoded origin fh. AFAIK, it only exposes the origin st_ino
> st_dev and some nlink related accounting.
>
> I have been trying to understand from code if nfsd exports are allowed
> from non privileged containers and couldn't figure it out (?).
> If non privileged container is allowed to export nosubtreecheck export
> then non privileged container root can already decode file handles...

I don't see any special checks in nfsctl_transaction_write() or
write_threads().  I guess it's just depending on the (0600) file
permissions.  I'm vague on how file permissions work in containers.

The issue with filehandles is that they allow you to bypass directory
lookup permissions.  Keeping a file private by denying permission to
look it up doesn't sound like a good idea to me, honestly, but it does
work on local posix filesystems, so we don't want to break that.

Filehandles are generally pretty easy to guess, and can't be revoked, so
we're more worried about using them (with open_by_handle_at()) than
reading them (with name_to_handle_at()), but we try to prevent the
latter as well.

--b.
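The distinction drawn in the reply above, that name_to_handle_at() needs only ordinary path permissions while open_by_handle_at() needs CAP_DAC_READ_SEARCH because it resolves the handle to an inode without walking any directory, as an added C example that is not part of this thread or of the patch series under discussion. It creates a temporary file (constructed input), prints the raw handle bytes the kernel hands back, reads the caller's effective capability set with a raw capget(2) call so libcap is not needed, and classifies the outcome of reopening the file through its handle. The enum, the union buffer and all helper names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Buffer large enough for any handle the kernel will encode. */
union handle_buf {
    struct file_handle fh;
    unsigned char raw[sizeof(struct file_handle) + MAX_HANDLE_SZ];
};

/* Outcome of trying to reopen a file through its handle (example's own enum). */
enum fh_result {
    FH_OK,          /* open_by_handle_at() succeeded: no lookup, no lookup permission check */
    FH_PERM,        /* EPERM: no CAP_DAC_READ_SEARCH, or a seccomp filter refused the call */
    FH_UNSUPPORTED, /* EOPNOTSUPP: filesystem has no export operations, so no handle exists */
    FH_OTHER        /* any other failure; *err holds the errno */
};

const char *fh_result_name(enum fh_result r)
{
    static const char *names[] = { "FH_OK", "FH_PERM", "FH_UNSUPPORTED", "FH_OTHER" };
    return names[r];
}

/* Is CAP_DAC_READ_SEARCH in the calling thread's effective set?
 * Raw capget(2) via syscall(2), so libcap is not required. */
int have_dac_read_search(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    if (syscall(SYS_capget, &hdr, data) != 0)
        return 0;
    return (data[CAP_TO_INDEX(CAP_DAC_READ_SEARCH)].effective
            & CAP_TO_MASK(CAP_DAC_READ_SEARCH)) != 0;
}

/* Reading a handle needs only the permissions a normal path walk needs:
 * anyone who can stat the file can obtain its handle. Returns 0 or -errno. */
int encode_handle(const char *path, union handle_buf *hb, int *mount_id)
{
    hb->fh.handle_bytes = MAX_HANDLE_SZ;
    if (name_to_handle_at(AT_FDCWD, path, &hb->fh, mount_id, 0) != 0)
        return -errno;
    return 0;
}

/* Using a handle goes straight from handle to inode, walking no directories,
 * so the kernel demands CAP_DAC_READ_SEARCH instead of checking lookup
 * permission. mount_fd may be any open fd on the same mount. Returns fd or -errno. */
int open_via_handle(int mount_fd, union handle_buf *hb)
{
    int fd = open_by_handle_at(mount_fd, &hb->fh, O_RDONLY);
    return fd < 0 ? -errno : fd;
}

/* Encode, then reopen through the handle, and classify what happened. */
enum fh_result handle_roundtrip(const char *path, int *err)
{
    union handle_buf hb;
    int mount_id, mount_fd, fd, rc;

    *err = 0;
    rc = encode_handle(path, &hb, &mount_id);
    if (rc < 0) {
        *err = -rc;
        return -rc == EOPNOTSUPP ? FH_UNSUPPORTED : FH_OTHER;
    }
    mount_fd = open(path, O_RDONLY);
    if (mount_fd < 0) {
        *err = errno;
        return FH_OTHER;
    }
    fd = open_via_handle(mount_fd, &hb);
    close(mount_fd);
    if (fd < 0) {
        *err = -fd;
        return -fd == EPERM ? FH_PERM : FH_OTHER;
    }
    close(fd);
    return FH_OK;
}

int main(void)
{
    char path[] = "/tmp/fh-demo-XXXXXX";   /* constructed temporary file */
    union handle_buf hb;
    int err, mount_id, fd = mkstemp(path);

    if (fd < 0) { perror("mkstemp"); return 1; }
    close(fd);

    /* The handle is short, stable and unauthenticated (typically inode number
     * plus generation), which is why even reading one is worth restricting. */
    if (encode_handle(path, &hb, &mount_id) == 0) {
        printf("handle type %d, %u bytes:", hb.fh.handle_type, hb.fh.handle_bytes);
        for (unsigned i = 0; i < hb.fh.handle_bytes; i++)
            printf(" %02x", hb.fh.f_handle[i]);
        putchar('\n');
    }
    enum fh_result r = handle_roundtrip(path, &err);
    printf("CAP_DAC_READ_SEARCH effective: %s\n", have_dac_read_search() ? "yes" : "no");
    printf("open_by_handle_at: %s (errno %d)\n", fh_result_name(r), err);
    unlink(path);
    return 0;
}
```

Run it once as an unprivileged user and once with CAP_DAC_READ_SEARCH (as root, for instance) and compare the last line. On a filesystem with no export operations, for instance an overlayfs mount without nfs_export=on, name_to_handle_at() already fails with EOPNOTSUPP and there is no handle to try. EPERM is also what a seccomp filter that denies open_by_handle_at() returns, as container runtimes commonly configure, so the errno alone does not say which check refused the call; and newer kernels relax the capability check in some user-namespace cases, which is why the only invariant worth asserting is that a successful handle open implies the capability in the caller's effective set.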
Thread overview: 19+ messages
2019-10-22 20:44 [PATCH v14 0/5] overlayfs override_creds=off & nested get xattr fix Mark Salyzyn
2019-10-22 20:44 ` [PATCH v14 1/5] Add flags option to get xattr method paired to __vfs_getxattr Mark Salyzyn
2019-10-22 22:13 ` Andreas Dilger
2019-10-24 4:57 ` Amir Goldstein
2019-11-04 21:51 ` Mark Salyzyn
2019-10-25 4:39 ` e984eb5108: BUG:kernel_NULL_pointer_dereference,address kernel test robot
2019-10-22 20:44 ` [PATCH v14 2/5] overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh Mark Salyzyn
2019-10-23 6:17 ` Amir Goldstein
2019-10-23 8:08 ` Miklos Szeredi
2019-10-27 7:24 ` Amir Goldstein
2019-10-28 16:27 ` J. Bruce Fields [this message]
2019-10-22 20:44 ` [PATCH v14 3/5] overlayfs: handle XATTR_NOSECURITY flag for get xattr method Mark Salyzyn
2019-10-22 20:44 ` [PATCH v14 4/5] overlayfs: internal getxattr operations without sepolicy checking Mark Salyzyn
2019-10-23 6:39 ` Amir Goldstein
2019-11-04 21:47 ` Mark Salyzyn
2019-10-22 20:44 ` [PATCH v14 5/5] overlayfs: override_creds=off option bypass creator_cred Mark Salyzyn
2019-10-23 6:54 ` [PATCH v14 0/5] overlayfs override_creds=off & nested get xattr fix Amir Goldstein
2019-10-23 14:13 ` Mark Salyzyn
2019-10-24 5:28 ` Amir Goldstein