From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mark Salyzyn Subject: Re: overlayfs: caller_credentials option bypass creator_cred Date: Mon, 18 Jun 2018 14:59:50 -0700 Message-ID: References: <20180618154222.19279-1-salyzyn@android.com> <20180618185448.GA8749@redhat.com> <20180618194345.GA15973@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20180618194345.GA15973@redhat.com> Content-Language: en-GB Sender: linux-kernel-owner@vger.kernel.org To: Vivek Goyal Cc: linux-kernel@vger.kernel.org, Miklos Szeredi , Jonathan Corbet , linux-unionfs@vger.kernel.org, linux-doc@vger.kernel.org, Daniel Walsh , Stephen Smalley List-Id: linux-unionfs@vger.kernel.org On 06/18/2018 12:43 PM, Vivek Goyal wrote: > Will it be acceptable to write security policies in such a way so that > mounter has access as well. Unfortunately No. Policy of minimizing attack surface for a contained root service (init in this case). Just because it can mount, does not mean it can modify critical content; an attacker could use this to open a hole. > Current model does assume that mounter has privileges on underlying files. Only ones it appears to need is the workdir AFAIK, had to add ability to create in the xattr in order to enable r/w mounts later. Although not all corners were tested, I did not see any copy_up issues b/c the caller had the privs in the Android security model when mounted with this new flag. -- Mark