Re: [PATCH v2 00/10] allow unprivileged overlay mounts
From: Tetsuo Handa
Date: Tue Dec 08 2020 - 05:28:37 EST
On 2020/12/08 1:32, Miklos Szeredi wrote:
> A general observation is that overlayfs does not call security_path_*()
> hooks on the underlying fs. I don't see this as a problem, because a
> simple bind mount done inside a private mount namespace also defeats the
> path based security checks. Maybe I'm missing something here, so I'm
> interested in comments from AppArmor and Tomoyo developers.
Regarding TOMOYO, I don't want overlayfs to call security_path_*() hooks on the
underlying fs, but the reason is different. It is not because a simple bind mount
done inside a private mount namespace defeats the path based security checks.
TOMOYO does want to check what device/filesystem is mounted on which location. But
currently TOMOYO is failing to check it due to fsopen()/fsmount()/move_mount() API.