Re: overlayfs: caller_credentials option bypass creator_cred

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 06/18/2018 11:54 AM, Vivek Goyal wrote:
On Mon, Jun 18, 2018 at 08:42:15AM -0700, Mark Salyzyn wrote:
All accesses to the lower filesystems reference the creator (mount)
and not the source context.  This is a security issue.
Can you elaborate with an example that how this is a security issue.
mounter's check is in addition to caller's check. So we have two
checks in ovl_permission(). overlay inode gets the credentials from
underlying inode and we first check if caller is allowed to the
operation and if that's allowed, then we check if mounter is allowed
to do the operation.
init which does the mount and represents the creator_cred which is granted a restricted MAC to do just what it needs to do, eg mount, but not be able to access the files. The caller comes in and is rejected because init domain is not allowed, even though the caller's domain is. MAC does not require overlap in privileges between the creator and the user.

-- Mark
--
To unsubscribe from this list: send the line "unsubscribe linux-unionfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Filesystems Devel]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux