On Thu, Nov 29, 2018 at 5:14 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

> Possibly I misunderstood you, but I don't think we want to copy-up on
> permission denial, as that would still allow the mounter to read/write
> special files or execute regular files to which it would normally be
> denied access, because the copy would inherit the context specified by
> the mounter in the context mount case. It still represents an
> escalation of privilege for the mounter. In contrast, the copy-up on
> write behavior does not allow the mounter to do anything it could not do
> already (i.e. read from the lower, write to the upper).

Let's get this straight: when a file is copied up, it inherits its label from context=, not from the label of the lower file?

Next question: is permission to change metadata tied to permission to open? Is it possible that open is denied, but metadata can be changed? The DAC model allows this: metadata change is tied to ownership, not mode bits. And a different capability flag.

If the same is true for MAC, then the pre-v4.20-rc1 code is already susceptible to the privilege escalation you describe, right?

Thanks,
Miklos
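The DAC point raised in the message above (open permission follows the mode bits, while metadata changes follow ownership or CAP_FOWNER) can be checked directly on any Linux box. The following is an added, self-contained example written for this page; it is not code from the thread, the kernel, or overlayfs, and it touches only a temporary file it creates itself. The MAC half of the question is not demonstrated here: SELinux checks a separate `setattr` file permission, so whether an open-denied subject may still change metadata depends on what the loaded policy grants.

```python
import os
import stat
import tempfile


def dac_metadata_vs_open_demo():
    """Show that under DAC the right to change a file's metadata is
    separate from the right to open it.

    A file we own is stripped to mode 000. An unprivileged owner then
    cannot open() it (EACCES), yet can still chmod() and utime() it,
    because those checks are against ownership, not the mode bits.

    Returns a dict of observations. Constructed example, not kernel code.
    """
    fd, path = tempfile.mkstemp()  # created with mode 0600, owned by our euid
    os.close(fd)
    result = {
        "running_as_root": os.geteuid() == 0,
        "owner_is_us": False,
        "open_denied": False,
        "utime_allowed": False,
        "chmod_allowed": False,
    }
    try:
        result["owner_is_us"] = os.stat(path).st_uid == os.geteuid()

        # Remove every permission bit: nobody may read, write or execute.
        os.chmod(path, 0)

        # open() is governed by the mode bits, so it fails for an
        # unprivileged owner. A process with CAP_DAC_OVERRIDE (root)
        # bypasses mode bits, so as uid 0 this open succeeds instead.
        try:
            fd = os.open(path, os.O_RDONLY)
            os.close(fd)
        except PermissionError:
            result["open_denied"] = True

        # Metadata changes are governed by ownership (or CAP_FOWNER),
        # not by the mode bits, so the owner may still change them even
        # though open() was just refused.
        try:
            os.utime(path, (0, 0))
            result["utime_allowed"] = True
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
            result["chmod_allowed"] = True
        except PermissionError:
            pass
    finally:
        # unlink() is checked against the directory, not the file's mode.
        os.unlink(path)
    return result


if __name__ == "__main__":
    for key, value in dac_metadata_vs_open_demo().items():
        print(f"{key}: {value}")
```

Run as an ordinary user the output shows `open_denied: True` alongside `utime_allowed: True` and `chmod_allowed: True`, which is exactly the "open denied, metadata changeable" situation the message asks about. Run as root the open succeeds because of CAP_DAC_OVERRIDE, so the interesting separation is only visible without that capability.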