On Fri, Nov 9, 2018 at 7:32 PM Mark Salyzyn <salyzyn@xxxxxxxxxxx> wrote:Alas, I personally object to changes to the kernel that have a limited (well, 1.8billion devices is not limited) use case. If they can benefit others, they become more useful. This paradigm helps prevent spaghetti and areas of the kernel that are not well understood and subject to bitrot.
On 11/08/2018 07:05 PM, Amir Goldstein wrote:I hope my comment below will serve as an example why explaining your use
Mark,I am not a "great communicator"(tm), probably only 50K vocabulary,
I have some Android internals background, so I have a general
understanding of the
use case, but I can understand why people have a hard time connecting to the
motivation, thinking "their security model must be flawed".
I am not sure if you are avoiding laying out the details of the model
because you
are not allowed to expose details or because you feel details may confuse us.
propensity towards quantum leaps, so yes, I was worried about confusion.
non-overlapping security model is the key takeaway I feel.
case is preferred to presenting the abstract and generalized problem.
And still - no objections to your current patch, *because* it can solve your
use cases and *because* we don't need to deal with the abstract and
generalized problem.
adb starts far too late to be useful for the original mount operation. We have to mount at init first stage before sepolicy is loaded and init is re-exec'd. adb root / adb remount / adb push is relegated to updating the content before a reboot to activate _some_ of the possible things that developers adjust.[TL;DR]Since you already have an elephant in the room, might as well use it
In Android there are two use cases this covers:
1) On userdebug (rooted development) builds, adb remount feature
for readonly filesystems which include squashfs, ext4 dedupe,
and any right-sized (zero space left over) filesystems. In these cases
the system will resort to utilizing overlayfs, and allow for
updated content to a scratch backing storage.
2) On operating system updates where new Hardware Abstraction
layers have been added and the vendor/oem supplied components
supplied to an older release. In this corner case the operating
system update may carefully select overrides that are merged into
the vendor partition content directories as hosted by the
operating system partition.
The sepolicy model can be browsed at
https://android.googlesource.com/platform/system/sepolicy/.
In the first use case above the possible insecurity is tempered by the
debug nature
of the system and the lurking big elephant in the room privilege
escalation possibility
(/system/bin/su existing),
to mount overlay. I am guessing most of the work in developer mode is
with sepolicy disabled anyway?
Essentially, adb root/adb remount means gloves are off.
Although with overlayed adb remount gloves could be put back on
when you relinquish the overlay and get back to original /system mount.
in the other a r/o and precise MAC. sepolicyFor this use case, you don't need an upper layer at all and you probably
and credentials
will rule over transitions from one security domain to another for
execution, vendor components are managed by a separate vendor_init and
the actual xattr content is constant.
don't use lower layers redirect_dir. Right?
So all the concerns about get/set trusted overlay xattrs and detecting
opaque directories (do you need those?) are moot.
If you propose that override_creds=off can only be enabled
on lower-only overlayfs, the caveats section of your documentation
would shrink down considerably to the point that it may even be
comprehend-able to mortal users and I don't think you will see much
resistant from overlayfs developers to that "safe side" approach.