On Thu, Jul 25, 2019 at 5:37 PM Mark Salyzyn <salyzyn@xxxxxxxxxxx> wrote:
>
> Thanks for the review.
>
> On 7/25/19 4:00 AM, Amir Goldstein wrote:
> > On Wed, Jul 24, 2019 at 10:57 PM Mark Salyzyn <salyzyn@xxxxxxxxxxx> wrote:
> >> Check impure, opaque, origin & meta xattr with no sepolicy audit
> >> (using __vfs_getxattr) since these operations are internal to
> >> overlayfs operations and do not disclose any data. This became
> >> an issue for credential override off since sys_admin would have
> >> been required by the caller; whereas would have been inherently
> >> present for the creator since it performed the mount.
> >>
> >> This is a change in operations since we do not check in the new
> >> ovl_vfs_getxattr function if the credential override is off or
> >> not. Reasoning is that the sepolicy check is unnecessary overhead,
> >> especially since the check can be expensive.
> > I don't know that this reasoning suffices to skip the sepolicy checks
> > for overlayfs private xattrs.
> > Can't sepolicy be defined to allow get access to trusted.overlay.*?
>
> Because for override credentials off, _everyone_ would need it (at least
> on Android, the sole user AFAIK, and only on userdebug builds, not user
> builds), and if everyone is special, and possibly including the random
> applications we add from the play store, then no one is ...
>

OK. I am convinced.

One weak argument in favor of the patch:
ecryptfs also uses __vfs_getxattr for private xattrs.

Thanks,
Amir.
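The distinction the thread turns on is that `vfs_getxattr()` runs the permission and LSM (sepolicy) checks before reading an xattr, while `__vfs_getxattr()` reads it raw, so an overlayfs-internal accessor built on the latter no longer depends on the caller holding CAP_SYS_ADMIN when credential override is off. The following is an added userspace C model written for this page; it is not kernel code and not the patch under discussion. `checked_getxattr`, `raw_getxattr`, `ovl_getxattr`, `try_checked`/`try_ovl`, the `cred` struct and the sample xattr table are all constructed here; the prefix restriction in `ovl_getxattr` is this model's own caveat (the real overlayfs helper is simply called only on its own names), and the single `-EPERM` check stands in for the kernel's `xattr_permission()` plus the LSM hook.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Overlayfs keeps its bookkeeping under this prefix (opaque, impure, origin, meta). */
#define OVL_XATTR_PREFIX "trusted.overlay."

struct xattr { const char *name; const char *value; };

/* Constructed sample inode: an upper directory marked opaque, with an origin
 * handle and an ordinary user xattr alongside the overlayfs-private ones. */
static const struct xattr sample_inode[] = {
    { "trusted.overlay.opaque", "y" },
    { "trusted.overlay.origin", "constructed-origin-blob" },
    { "user.comment", "hello" },
    { NULL, NULL }
};

/* Model of the caller's credentials: only whether CAP_SYS_ADMIN is held. */
struct cred { bool cap_sys_admin; };

/* Observable count of policy-hook invocations (each one would be auditable). */
static int policy_hook_calls;

/* Model of xattr_permission() + security_inode_getxattr(): reading a
 * trusted.* name without CAP_SYS_ADMIN is refused (and would be audited). */
static int policy_check_getxattr(const struct cred *c, const char *name)
{
    policy_hook_calls++;
    if (strncmp(name, "trusted.", 8) == 0 && !c->cap_sys_admin)
        return -EPERM;
    return 0;
}

/* Model of __vfs_getxattr(): raw lookup, no permission or policy checks. */
static ssize_t raw_getxattr(const struct xattr *inode, const char *name,
                            char *buf, size_t size)
{
    for (; inode->name; inode++) {
        if (strcmp(inode->name, name) == 0) {
            size_t len = strlen(inode->value);
            if (len > size)
                return -ERANGE;
            memcpy(buf, inode->value, len);
            return (ssize_t)len;
        }
    }
    return -ENODATA;
}

/* Model of vfs_getxattr(): the checked path a normal caller goes through. */
static ssize_t checked_getxattr(const struct cred *c, const struct xattr *inode,
                                const char *name, char *buf, size_t size)
{
    int err = policy_check_getxattr(c, name);
    if (err)
        return err;
    return raw_getxattr(inode, name, buf, size);
}

/* Model of ovl_vfs_getxattr(): unchecked, but (this model's assumption) only
 * ever usable for overlayfs-private names, so it cannot become a generic
 * policy bypass for arbitrary xattrs. */
static ssize_t ovl_getxattr(const struct xattr *inode, const char *name,
                            char *buf, size_t size)
{
    if (strncmp(name, OVL_XATTR_PREFIX, strlen(OVL_XATTR_PREFIX)) != 0)
        return -EINVAL;
    return raw_getxattr(inode, name, buf, size);
}

/* Small wrappers so results can be inspected without juggling buffers. */
static char last_value[64];

static ssize_t try_checked(bool cap_sys_admin, const char *name)
{
    struct cred c = { cap_sys_admin };
    memset(last_value, 0, sizeof last_value);
    return checked_getxattr(&c, sample_inode, name, last_value, sizeof last_value - 1);
}

static ssize_t try_ovl(const char *name)
{
    memset(last_value, 0, sizeof last_value);
    return ovl_getxattr(sample_inode, name, last_value, sizeof last_value - 1);
}

int main(void)
{
    /* Credential override off, unprivileged caller: the checked path fails
     * and trips the policy hook; the internal path still sees the marker. */
    printf("checked, no CAP_SYS_ADMIN: %zd (hook calls %d)\n",
           try_checked(false, "trusted.overlay.opaque"), policy_hook_calls);
    printf("internal: %zd value=%s (hook calls %d)\n",
           try_ovl("trusted.overlay.opaque"), last_value, policy_hook_calls);
    printf("internal on user.comment: %zd\n", try_ovl("user.comment"));
    return 0;
}
```

The point to take from the model is the one Amir concedes in the thread: the unchecked path is acceptable because it is only reached for the filesystem's own private names, so no user data is disclosed and no sepolicy grant has to be handed to every process on the system; the prefix guard makes that property explicit rather than relying on call-site discipline alone.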