From mboxrd@z Thu Jan 1 00:00:00 1970 From: Miklos Szeredi Subject: Re: overlayfs access checks on underlying layers Date: Tue, 27 Nov 2018 20:58:06 +0100 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Return-path: In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org To: Stephen Smalley , Vivek Goyal , Ondrej Mosnacek , "J. Bruce Fields" , Mark Salyzyn , Paul Moore Cc: linux-kernel@vger.kernel.org, overlayfs , linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org List-Id: linux-unionfs@vger.kernel.org [resending with fixed email address for Paul Moore] Moving discussion from github[1] to here. To summarize: commit 007ea44892e6 ("ovl: relax permission checking on underlying layers") was added in 4.20-rc1 to make overlayfs access checks on underlying "real" filesystems more consistent. The discussion leading up to this commit can be found at [2]. The commit broke some selinux-testsuite cases, possibly indicating a security hole opened by this commit. The model this patch tries to follow is that if "cp --preserve=all" was allowed to the mounter from underlying layer to the overlay layer, then operation is allowed. That means even if mounter's creds doesn't provide permission to for example execute underying file X, if mounter's creds provide sufficient permission to perform "cp --preserve=all X Y" and original creds allow execute on Y, then the operation is allowed. This provides consistency in the face of copy-ups. Consistency is only provided in sane setups, where mounter has sufficient privileges to access both the lower and upper layers. The model may not have been perfectly followed, or possibly the model itself is flawed. I'd like to better understand the issues here. Thanks, Miklos [1] https://github.com/SELinuxProject/selinux-kernel/issues/43#issuecomment-442148920 [2] https://marc.info/?t=152762608800002&r=1