On 06/18/2018 11:54 AM, Vivek Goyal wrote:
On Mon, Jun 18, 2018 at 08:42:15AM -0700, Mark Salyzyn wrote:
All accesses to the lower filesystems reference the creator (mount)
and not the source context. This is a security issue.
Can you elaborate with an example that how this is a security issue.
mounter's check is in addition to caller's check. So we have two
checks in ovl_permission(). overlay inode gets the credentials from
underlying inode and we first check if caller is allowed to the
operation and if that's allowed, then we check if mounter is allowed
to do the operation.
init which does the mount and represents the creator_cred which is
granted a restricted MAC to do just what it needs to do, eg mount, but
not be able to access the files. The caller comes in and is rejected
because init domain is not allowed, even though the caller's domain is.
MAC does not require overlap in privileges between the creator and the user.
-- Mark
--
To unsubscribe from this list: send the line "unsubscribe linux-unionfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html