From: Jan Kara <jack@suse.cz>
To: Amir Goldstein <amir73il@gmail.com>
Cc: Jan Kara <jack@suse.cz>,
Christian Brauner <christian.brauner@ubuntu.com>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Miklos Szeredi <miklos@szeredi.hu>
Subject: Re: [RFC][PATCH] fanotify: introduce filesystem view mark
Date: Mon, 10 May 2021 17:27:58 +0200 [thread overview]
Message-ID: <20210510152758.GC24154@quack2.suse.cz> (raw)
In-Reply-To: <CAOQ4uxhKk3oJdWF8YxYRPyomimg9xQaHnMo3ggALOhTuwWxYBw@mail.gmail.com>
On Mon 10-05-21 18:08:31, Amir Goldstein wrote:
> > > > OK, so this feature would effectively allow sb-wide watching of events that
> > > > are generated from within the container (or its descendants). That sounds
> > > > useful. Just one question: If there's some part of a filesystem, that is
> > > > accesible by multiple containers (and thus multiple namespaces), or if
> > > > there's some change done to the filesystem say by container management SW,
> > > > then event for this change won't be visible inside the container (despite
> > > > that the fs change itself will be visible).
> > >
> > > That is correct.
> > > FYI, a privileged user can already mount an overlayfs in order to indirectly
> > > open and write to a file.
> > >
> > > Because overlayfs opens the underlying file FMODE_NONOTIFY this will
> > > hide OPEN/ACCESS/MODIFY/CLOSE events also for inode/sb marks.
> > > Since 459c7c565ac3 ("ovl: unprivieged mounts"), so can unprivileged users.
> > >
> > > I wonder if that is a problem that we need to fix...
> >
> > I assume you are speaking of the filesystem that is absorbing the changes?
> > AFAIU usually you are not supposed to access that filesystem alone but
> > always access it only through overlayfs and in that case you won't see the
> > problem?
> >
>
> Yes I am talking about the "backend" store for overlayfs.
> Normally, that would be a subtree where changes are not expected
> except through overlayfs and indeed it is documented that:
> "If the underlying filesystem is changed, the behavior of the overlay
> is undefined, though it will not result in a crash or deadlock."
> Not reporting events falls well under "undefined".
>
> But that is not the problem.
> The problem is that if user A is watching a directory D for changes, then
> an adversary user B which has read/write access to D can:
> - Clone a userns wherein user B id is 0
> - Mount a private overlayfs instance using D as upperdir
> - Open file in D indirectly via private overlayfs and edit it
>
> So it does not require any special privileges to circumvent generating
> events. Unless I am missing something.
I see, right. I agree that is unfortunate especially for stuff like audit
or fanotify permission events so we should fix that.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
next prev parent reply other threads:[~2021-05-10 15:29 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-09 18:00 [RFC][PATCH] fanotify: introduce filesystem view mark Amir Goldstein
2020-11-10 5:07 ` Amir Goldstein
2020-11-17 7:09 ` [fanotify] a23a7dc576: unixbench.score -3.7% regression kernel test robot
2020-11-24 13:49 ` [RFC][PATCH] fanotify: introduce filesystem view mark Jan Kara
2020-11-24 14:47 ` Amir Goldstein
2020-11-25 11:01 ` Jan Kara
2020-11-25 12:34 ` Amir Goldstein
2020-11-26 11:10 ` Jan Kara
2020-11-26 11:50 ` Amir Goldstein
2020-11-26 3:42 ` Amir Goldstein
2020-11-26 11:17 ` Jan Kara
2021-04-28 18:28 ` Amir Goldstein
2021-05-03 16:53 ` Jan Kara
2021-05-03 18:44 ` Amir Goldstein
2021-05-05 12:28 ` Jan Kara
2021-05-05 14:24 ` Christian Brauner
2021-05-05 14:42 ` Amir Goldstein
2021-05-05 14:56 ` Christian Brauner
2021-05-10 10:13 ` Jan Kara
2021-05-10 11:37 ` Amir Goldstein
2021-05-10 14:21 ` Jan Kara
2021-05-10 15:08 ` Amir Goldstein
2021-05-10 15:27 ` Jan Kara [this message]
2021-05-12 13:07 ` Christian Brauner
2021-05-12 13:34 ` Jan Kara
2021-05-12 16:15 ` Christian Brauner
2021-05-12 15:26 ` Christian Brauner
2021-05-13 10:55 ` Jan Kara
2021-05-14 13:56 ` Christian Brauner
2021-05-15 14:28 ` Amir Goldstein
2021-05-17 9:09 ` Jan Kara
2021-05-17 12:45 ` Amir Goldstein
2021-05-17 13:07 ` Jan Kara
2021-05-18 10:11 ` Christian Brauner
2021-05-18 16:02 ` Amir Goldstein
2021-05-19 9:31 ` Christian Brauner
2021-05-12 16:11 ` Christian Brauner
2021-05-05 13:25 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210510152758.GC24154@quack2.suse.cz \
--to=jack@suse.cz \
--cc=amir73il@gmail.com \
--cc=christian.brauner@ubuntu.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=miklos@szeredi.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.