From: Vivek Goyal <vgoyal@redhat.com>
To: Mark Salyzyn <salyzyn@android.com>
Cc: linux-kernel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>,
Jonathan Corbet <corbet@lwn.net>,
linux-unionfs@vger.kernel.org, linux-doc@vger.kernel.org,
Daniel Walsh <dwalsh@redhat.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: overlayfs: caller_credentials option bypass creator_cred
Date: Tue, 19 Jun 2018 10:36:17 -0400 [thread overview]
Message-ID: <20180619143617.GC22657@redhat.com> (raw)
In-Reply-To: <aecdeaca-74cf-54b1-3ea9-4751972074f5@android.com>
On Mon, Jun 18, 2018 at 02:59:50PM -0700, Mark Salyzyn wrote:
> On 06/18/2018 12:43 PM, Vivek Goyal wrote:
> > Will it be acceptable to write security policies in such a way so that
> > mounter has access as well.
> Unfortunately No. Policy of minimizing attack surface for a contained root
> service (init in this case). Just because it can mount, does not mean it can
> modify critical content; an attacker could use this to open a hole.
>
> > Current model does assume that mounter has privileges on underlying files.
>
> Only ones it appears to need is the workdir AFAIK, had to add ability to
> create in the <wordir> xattr in order to enable r/w mounts later. Although
> not all corners were tested, I did not see any copy_up issues b/c the caller
> had the privs in the Android security model when mounted with this new flag.
So in this system all callers are priviliged and have the capability to
mknod and set trusted xattrs. (Amir mentioned the reason why we switch
creds). If not, then file unlink (Should do mknod), lower non-empty directory
rename (should set trusted REDIRECT) and bunch of other operations should fail.
Thanks
Vivek
next prev parent reply other threads:[~2018-06-19 14:36 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-18 15:42 overlayfs: caller_credentials option bypass creator_cred Mark Salyzyn
2018-06-18 18:54 ` Vivek Goyal
2018-06-18 19:18 ` Mark Salyzyn
2018-06-18 19:43 ` Vivek Goyal
2018-06-18 21:59 ` Mark Salyzyn
2018-06-19 14:36 ` Vivek Goyal [this message]
2018-06-20 15:28 ` Mark Salyzyn
2018-06-18 18:57 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180619143617.GC22657@redhat.com \
--to=vgoyal@redhat.com \
--cc=corbet@lwn.net \
--cc=dwalsh@redhat.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=salyzyn@android.com \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox