On Tue, Oct 22, 2019 at 11:45 PM Mark Salyzyn <salyzyn@xxxxxxxxxxx> wrote: > > Patch series: > > Mark Salyzyn (5): > Add flags option to get xattr method paired to __vfs_getxattr > overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh > overlayfs: handle XATTR_NOSECURITY flag for get xattr method > overlayfs: internal getxattr operations without sepolicy checking > overlayfs: override_creds=off option bypass creator_cred > > The first four patches address fundamental security issues that should > be solved regardless of the override_creds=off feature. > > The fifth adds the feature depends on these other fixes. > > By default, all access to the upper, lower and work directories is the > recorded mounter's MAC and DAC credentials. The incoming accesses are > checked against the caller's credentials. > > If the principles of least privilege are applied for sepolicy, the > mounter's credentials might not overlap the credentials of the caller's > when accessing the overlayfs filesystem. For example, a file that a > lower DAC privileged caller can execute, is MAC denied to the > generally higher DAC privileged mounter, to prevent an attack vector. > > We add the option to turn off override_creds in the mount options; all > subsequent operations after mount on the filesystem will be only the > caller's credentials. The module boolean parameter and mount option > override_creds is also added as a presence check for this "feature", > existence of /sys/module/overlay/parameters/overlay_creds > > Signed-off-by: Mark Salyzyn <salyzyn@xxxxxxxxxxx> > Cc: Miklos Szeredi <miklos@xxxxxxxxxx> > Cc: Jonathan Corbet <corbet@xxxxxxx> > Cc: Vivek Goyal <vgoyal@xxxxxxxxxx> > Cc: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> > Cc: Amir Goldstein <amir73il@xxxxxxxxx> > Cc: Randy Dunlap <rdunlap@xxxxxxxxxxxxx> > Cc: Stephen Smalley <sds@xxxxxxxxxxxxx> > Cc: linux-unionfs@xxxxxxxxxxxxxxx > Cc: linux-doc@xxxxxxxxxxxxxxx > Cc: linux-kernel@xxxxxxxxxxxxxxx > > --- > v14: > - Rejoin, rebase and a few adjustments. > > v13: > - Pull out first patch and try to get it in alone feedback, some > Acks, and then <crickets> because people forgot why we were doing i. Mark, I do not see the first patch on fsdevel and I am confused from all the suggested APIs I recall Christoph's comment on v8 for not using xattr_gs_args and just adding flags to existing get() method. I agree to that comment. I remember asking - don't remember the answer - do you have any testing for this feature? I have a WIP branch to run unionmount-testsuite not as root, which is a start, but I didn't get to finish the work. Let me know if you want to take up this work. Thanks, Amir.
