On Fri, Mar 11, 2022 at 9:01 AM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
> On Fri, Mar 11, 2022 at 06:09:56AM +0200, Amir Goldstein wrote:
> > Hi Paul,

Hi Amir, Vivek,

Thanks for the replies, I think I now have a better understanding of the concerns which is starting to make the path forward a bit more clear. A few more comments below ...

> > In this thread I claimed that the authors of the patches did not present
> > a security model for overlayfs, such as the one currently in overlayfs.rst.
> > If we had a model we could have debated its correctness and review its
> > implementation.
>
> Agreed. After going through the patch set, I was wondering what's the
> overall security model and how to visualize that.
>
> So probably there needs to be a documentation patch which explains
> what's the new security model and how does it work.

Yes, of course. I'll be sure to add a section to the existing docs.

> Also think both in terms of DAC and MAC. (Instead of just focussing too
> hard on SELinux).

Definitely. Most of what I've been thinking about the past day or so has been how to properly handle some of the DAC/capability issues; I have yet to start playing with the code, but for the most part I think the MAC/SELinux bits are already working properly.

> My understanding is that in current model, some of the overlayfs
> operations require privileges. So mounter is supposed to be privileged
> and does the operation on underlying layers.
>
> Now in this new model, there will be two levels of check. Both overlay
> level and underlying layer checks will happen in the context of task
> which is doing the operation. So first of all, all tasks will need
> to have enough privileges to be able to perform various operations
> on lower layer.
>
> If we do checks at both the levels with the creds of calling task,
> I guess that probably is fine. (But will require a closer code inspection
> to make sure there is no privilege escalation both for mounter as well
> as calling task).

I have thoughts on this, but I don't think I'm yet in a position to debate this in depth just yet; I still need to finish poking around the code and playing with a few things :)

It may take some time before I'm back with patches, but I appreciate all of the tips and insight - thank you!

--
paul-moore.com