Re: overlayfs: caller_credentials option bypass creator_cred

From: Mark Salyzyn
Date: Mon Jun 18 2018 - 15:18:32 EST

Next message: Mark Rutland: "Re: [PATCHv3 00/18] atomics: API cleanups"
Previous message: Krzysztof Kozlowski: "[PATCH] ARC: dts: Remove leading 0x from node unit addresses"
In reply to: Vivek Goyal: "Re: overlayfs: caller_credentials option bypass creator_cred"
Next in thread: Vivek Goyal: "Re: overlayfs: caller_credentials option bypass creator_cred"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 06/18/2018 11:54 AM, Vivek Goyal wrote:

On Mon, Jun 18, 2018 at 08:42:15AM -0700, Mark Salyzyn wrote:

All accesses to the lower filesystems reference the creator (mount)
and not the source context. This is a security issue.

Can you elaborate with an example that how this is a security issue.
mounter's check is in addition to caller's check. So we have two
checks in ovl_permission(). overlay inode gets the credentials from
underlying inode and we first check if caller is allowed to the
operation and if that's allowed, then we check if mounter is allowed
to do the operation.

init which does the mount and represents the creator_cred which is granted a restricted MAC to do just what it needs to do, eg mount, but not be able to access the files. The caller comes in and is rejected because init domain is not allowed, even though the caller's domain is. MAC does not require overlap in privileges between the creator and the user.

-- Mark

Next message: Mark Rutland: "Re: [PATCHv3 00/18] atomics: API cleanups"
Previous message: Krzysztof Kozlowski: "[PATCH] ARC: dts: Remove leading 0x from node unit addresses"
In reply to: Vivek Goyal: "Re: overlayfs: caller_credentials option bypass creator_cred"
Next in thread: Vivek Goyal: "Re: overlayfs: caller_credentials option bypass creator_cred"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]