Re: [PATCH v2 1/1] OverlayFS: Fix checking permissions during lookup.

From: Ignacy Gawędzki
Date: Mon Feb 29 2016 - 11:54:58 EST

On Mon, Feb 29, 2016 at 11:25:46AM -0500, thus spake Vivek Goyal:
> I agree that semantics should be more consistent. I don't know
> if upper layer should override lower layer checks or not.
> One could also argue that if root did chown, then changes effectively
> happened in upper layer and anything in upper layer should become
> visible to unprivileged user but not the one in lower layer.
> I just don't know. I guess those who have more background on this
> could pitch in and clarify what is supposed to be the design
> intention.
> [...]
> Right, but it does not say anything about what happens to DAC checks
> at lower layer. IOW, it does not say that if lower directory owner
> is different then whether files from that directory will become searchable
> or not.

I suppose that looking at these questions from the perspective of the
primary application of OverlayFS, i.e. embedded systems with lower
being some read-only SquashFS and upper being read-write, may give
some good intuition on how this should work. If the root user changes
access rights to some directories, then it is natural that permissions in
upper are less restrictive than permissions in lower and this in no
way breaks any security. If you're thinking about what happens if
some overlay is mounted where the more permissive directory in upper
shadows a less permissive one in lower, then well, the only user able
to mount such an overlay, i.e. root, should know what she's doing.

Anyway, DAC checks should be consistent from the standpoint of
userland, first and foremost.

Ignacy Gawędzki
R&D Engineer
Green Communications