Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

From: Casey Schaufler
Date: Fri Jul 08 2016 - 11:28:41 EST

On 7/8/2016 12:06 AM, Miklos Szeredi wrote:
> On Thu, Jul 7, 2016 at 8:35 PM, Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
>> On Wed, Jul 06, 2016 at 04:58:37PM +0200, Miklos Szeredi wrote:
>>> On Wed, Jul 6, 2016 at 12:54 PM, Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
>>>> On Wed, Jul 06, 2016 at 06:36:49AM +0200, Miklos Szeredi wrote:
>>>>> On Tue, Jul 5, 2016 at 11:16 PM, Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
>>>>>> On Tue, Jul 05, 2016 at 01:29:39PM -0700, Casey Schaufler wrote:
>>>>>>> On 7/5/2016 8:50 AM, Vivek Goyal wrote:
>>>>>>>> ovl_getxattr() currently uses vfs_getxattr() on realinode. This fails
>>>>>>>> if mounter does not have DAC/MAC permission to access getxattr.
>>>>>>>> Specifically this becomes a problem when selinux is trying to initialize
>>>>>>>> overlay inode and does ->getxattr(overlay_inode). A task might trigger
>>>>>>>> initialization of overlay inode and we will access real inode xattr in the
>>>>>>>> context of mounter and if mounter does not have permissions, then inode
>>>>>>>> selinux context initialization fails and inode is labeled as unlabeled_t.
>>>>>>>> One way to deal with it is to let SELinux do getxattr checks both on
>>>>>>>> overlay inode and underlying inode and overlay can call vfs_getxattr_noperm()
>>>>>>>> to make sure when selinux is trying to initialize label on inode, it does
>>>>>>>> not go through checks on lower levels and initialization is successful.
>>>>>>>> And after inode initialization, SELinux will make sure task has getatttr
>>>>>>>> permission.
>>>>>>>> One issue with this approach is that it does not work for directories as
>>>>>>>> d_real() returns the overlay dentry for directories and not the underlying
>>>>>>>> directory dentry.
>>>>>>>> Another way to deal with it to introduce another function pointer in
>>>>>>>> inode_operations, say getxattr_noperm(), which is responsible to get
>>>>>>>> xattr without any checks. SELinux initialization code will call this
>>>>>>>> first if it is available on inode. So user space code path will call
>>>>>>>> ->getxattr() and that will go through checks and SELinux internal
>>>>>>>> initialization will call ->getxattr_noperm() and that will not
>>>>>>>> go through checks.
>>>>>>>> For now, I am just converting ovl_getxattr() to get xattr without
>>>>>>>> any checks on underlying inode. That means it is possible for
>>>>>>>> a task to get xattr of a file/dir on lower/upper through overlay mount
>>>>>>>> while it is not possible outside overlay mount.
>>>>>>>> If this is a major concern, I can look into implementing getxattr_noperm().
>>>>>>> This is a major concern.
>>>>>> Hmm.., In that case I will write patch to provide another inode operation
>>>>>> getxattr_noperm() and a wrapper which falls back to getxattr() if noperm
>>>>>> variant is not defined. That should take care of this issue.
>>>>> That's not going to fly. A slighly better, but still quite ugly
>>>>> solution would be to add a "flags" arg to the current ->getxattr()
>>>>> callback indicating whether the caller wants permission checking
>>>>> inside the call or not.
>>>> Ok, will try that.
>>>>> But we already have the current->creds. Can't that be used to control
>>>>> the permission checking done by the callback?
>>>> Sorry, did not get how to use current->creds to control permission
>>>> checking.
>>> I'm not sure about the details either. But current->creds *is* the
>>> context provided for the VFS and filesystems to check permissions. It
>>> might make sense to use that to indicate to overlayfs that permission
>>> should not be checked.
>> That sounds like raising capabilities of task temporarily to do
>> getxattr(). But AFAIK, there is no cap which will override SELinux checks.
> So a new capability can be invented for this purpose?

SELinux does not use capabilities as an override mechanism.
The capability you would want if it did is CAP_MAC_OVERRIDE,
which is used by Smack.

>> I am taking a step back re-thinking about the problem.
>> - For context mounts this is not a problem at all as overlay inode will
>> get its label from context= mount option and we will not call into
>> ovl_getxattr().
>> - For non-context mounts this is a problem only if mounter is not
>> privileged enough to do getattr. And that's not going to be a common
>> case either.
>> IOW, this does not look like a common case. And if getxattr() fails,
>> SELinux already seems to mark inode as unlabeled_t. And my understanding
>> is that task can't access unlabeled_t anyway, so there is no information
>> leak.
>> So for now, why not leave it as it is. Only side affect I seem to see
>> is following warnings on console.
>> SELinux: inode_doinit_with_dentry: getxattr returned 13 for dev=overlay ino=29147
>> This is for information purposes only and given getxattr() can fail in
>> stacked configuration, I think we can change this to KERN_DEBUG instead
> I'm fine with this as well.
> Thanks,
> Miklos