From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756354AbcB0KuE (ORCPT ); Sat, 27 Feb 2016 05:50:04 -0500 Received: from forward12p.cmail.yandex.net ([87.250.241.138]:39308 "EHLO forward12p.cmail.yandex.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756253AbcB0KuC (ORCPT ); Sat, 27 Feb 2016 05:50:02 -0500 X-Greylist: delayed 591 seconds by postgrey-1.27 at vger.kernel.org; Sat, 27 Feb 2016 05:50:01 EST From: Nazarov Sergey To: Vivek Goyal , =?utf-8?B?SWduYWN5IEdhd8SZZHpraQ==?= , "linux-unionfs@vger.kernel.org" , "linux-kernel@vger.kernel.org" Cc: "linux-fsdevel@vger.kernel.org" In-Reply-To: <20160226194143.GB13054@redhat.com> References: <20160224135552.GB8422@zenon.in.qult.net> <20160226194143.GB13054@redhat.com> Subject: Re: [PATCH v2 1/1] OverlayFS: Fix checking permissions during lookup. MIME-Version: 1.0 Message-Id: <419661456569602@web21g.yandex.ru> X-Mailer: Yamail [ http://yandex.ru ] 5.0 Date: Sat, 27 Feb 2016 13:40:02 +0300 Content-Transfer-Encoding: 7bit Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 26.02.2016, 22:41, "Vivek Goyal" : > > So what's the problem we are trying to solve. Why should we able to > override the DAC checks of lower layer if same directory in upper > is searchable for user but it is not searchable in lower layer. > If I right, this is a one of the main feature of overlayfs - upper layer has priority over lower ones. Override AC checks necessary for lookup operation only. Lower layer files access AC checks remain, so this should not be a security problem. Sergey.