From: Mark Salyzyn <salyzyn@android.com>
To: Amir Goldstein <amir73il@gmail.com>
Cc: linux-kernel <linux-kernel@vger.kernel.org>,
Miklos Szeredi <miklos@szeredi.hu>,
Jonathan Corbet <corbet@lwn.net>, Vivek Goyal <vgoyal@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Randy Dunlap <rdunlap@infradead.org>,
Stephen Smalley <sds@tycho.nsa.gov>,
overlayfs <linux-unionfs@vger.kernel.org>,
linux-doc@vger.kernel.org
Subject: Re: [PATCH v5 2/3] overlayfs: check CAP_MKNOD before issuing vfs_whiteout
Date: Tue, 28 Aug 2018 11:51:55 -0700 [thread overview]
Message-ID: <004057f1-f0cd-5410-e4e3-a17287613f89@android.com> (raw)
In-Reply-To: <CAOQ4uxg=maKZi=5Xet4mC1=uUXftyyKZagj0TBBm8emPDaLmtg@mail.gmail.com>
On 08/28/2018 11:42 AM, Amir Goldstein wrote:
> On Tue, Aug 28, 2018 at 8:43 PM Amir Goldstein <amir73il@gmail.com> wrote:
>> On Tue, Aug 28, 2018 at 7:53 PM Mark Salyzyn <salyzyn@android.com> wrote:
>>> Assumption never checked, should fail if the mounter creds are not
>>> sufficient.
>>>
>>> Signed-off-by: Mark Salyzyn <salyzyn@android.com>
>>> Cc: Miklos Szeredi <miklos@szeredi.hu>
>>> Cc: Jonathan Corbet <corbet@lwn.net>
>>> Cc: Vivek Goyal <vgoyal@redhat.com>
>>> Cc: Eric W. Biederman <ebiederm@xmission.com>
>>> Cc: Amir Goldstein <amir73il@gmail.com>
>>> Cc: Randy Dunlap <rdunlap@infradead.org>
>>> Cc: Stephen Smalley <sds@tycho.nsa.gov>
>>> Cc: linux-unionfs@vger.kernel.org
>>> Cc: linux-doc@vger.kernel.org
>>> Cc: linux-kernel@vger.kernel.org
>>>
>>> v5
>>> - dependency of "overlayfs: override_creds=off option bypass creator_cred"
>>> ---
>>> fs/overlayfs/overlayfs.h | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
>>> index 7538b9b56237..bf3a80157d42 100644
>>> --- a/fs/overlayfs/overlayfs.h
>>> +++ b/fs/overlayfs/overlayfs.h
>>> @@ -176,7 +176,7 @@ static inline int ovl_do_rename(struct inode *olddir, struct dentry *olddentry,
>>>
>>> static inline int ovl_do_whiteout(struct inode *dir, struct dentry *dentry)
>>> {
>>> - int err = vfs_whiteout(dir, dentry);
>>> + int err = capable(CAP_MKNOD) ? vfs_whiteout(dir, dentry) : -EPERM;
>> Should that be ns_capable()? Should the test go into vfs_whiteout()?
>> I feel there is no convention at all.
>>
> Nevermind, I don't think creating a whiteout poses any risk, so don't think
> we need to worry about CAP_MKNOD.
>
> Thanks,
> Amir.
Ok, will discard from the set, we can address this later if it creates
concern (as in, not a dependency to my proposed feature flag). So we
feel that whiteout node in the writeable playground of workdir/upperdir
is not in itself a security concern. Other (more dangerous) mknod will
be checked against the caller's credentials coming in.
-- Mark
prev parent reply other threads:[~2018-08-28 18:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-28 16:53 [PATCH v5 2/3] overlayfs: check CAP_MKNOD before issuing vfs_whiteout Mark Salyzyn
2018-08-28 17:43 ` Amir Goldstein
2018-08-28 18:42 ` Amir Goldstein
2018-08-28 18:51 ` Mark Salyzyn [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=004057f1-f0cd-5410-e4e3-a17287613f89@android.com \
--to=salyzyn@android.com \
--cc=amir73il@gmail.com \
--cc=corbet@lwn.net \
--cc=ebiederm@xmission.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=rdunlap@infradead.org \
--cc=sds@tycho.nsa.gov \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox