Re: overlayfs: caller_credentials option bypass creator_cred

From: Mark Salyzyn
Date: Mon Jun 18 2018 - 15:18:32 EST


On 06/18/2018 11:54 AM, Vivek Goyal wrote:
On Mon, Jun 18, 2018 at 08:42:15AM -0700, Mark Salyzyn wrote:
All accesses to the lower filesystems reference the creator (mount)
and not the source context. This is a security issue.
Can you elaborate with an example that how this is a security issue.
mounter's check is in addition to caller's check. So we have two
checks in ovl_permission(). overlay inode gets the credentials from
underlying inode and we first check if caller is allowed to the
operation and if that's allowed, then we check if mounter is allowed
to do the operation.
init which does the mount and represents the creator_cred which is granted a restricted MAC to do just what it needs to do, eg mount, but not be able to access the files. The caller comes in and is rejected because init domain is not allowed, even though the caller's domain is. MAC does not require overlap in privileges between the creator and the user.

-- Mark