On Fri, Dec 3, 2021 at 10:38 AM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote: > On Wed, Nov 17, 2021 at 09:36:42AM +0200, Amir Goldstein wrote: > > On Wed, Nov 17, 2021 at 3:58 AM David Anderson <dvander@xxxxxxxxxx> wrote: > > > > > > Mark Salyzyn (3): > > > Add flags option to get xattr method paired to __vfs_getxattr > > > overlayfs: handle XATTR_NOSECURITY flag for get xattr method > > > overlayfs: override_creds=off option bypass creator_cred > > > > > > Mark Salyzyn + John Stultz (1): > > > overlayfs: inode_owner_or_capable called during execv > > > > > > The first three patches address fundamental security issues that should > > > be solved regardless of the override_creds=off feature. > > > > > > The fourth adds the feature depends on these other fixes. > > > > > > By default, all access to the upper, lower and work directories is the > > > recorded mounter's MAC and DAC credentials. The incoming accesses are > > > checked against the caller's credentials. > > > > > > If the principles of least privilege are applied for sepolicy, the > > > mounter's credentials might not overlap the credentials of the caller's > > > when accessing the overlayfs filesystem. For example, a file that a > > > lower DAC privileged caller can execute, is MAC denied to the > > > generally higher DAC privileged mounter, to prevent an attack vector. > > > > > > We add the option to turn off override_creds in the mount options; all > > > subsequent operations after mount on the filesystem will be only the > > > caller's credentials. The module boolean parameter and mount option > > > override_creds is also added as a presence check for this "feature", > > > existence of /sys/module/overlay/parameters/overlay_creds > > BTW, where is patch 1 of the series. I can't seem to find it. Lore to the rescue ... https://lore.kernel.org/selinux/20211117015806.2192263-2-dvander@xxxxxxxxxx/ -- paul moore www.paul-moore.com
