selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Vivek Goyal <vgoyal@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
	Ondrej Mosnacek <omosnace@redhat.com>,
	"J. Bruce Fields" <bfields@fieldses.org>,
	Mark Salyzyn <salyzyn@android.com>,
	Paul Moore <paul@paul-moore.com>,
	linux-kernel@vger.kernel.org,
	overlayfs <linux-unionfs@vger.kernel.org>,
	linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org,
	Daniel J Walsh <dwalsh@redhat.com>
Subject: Re: overlayfs access checks on underlying layers
Date: Thu, 13 Dec 2018 15:26:08 -0500	[thread overview]
Message-ID: <20181213202608.GD4384@redhat.com> (raw)
In-Reply-To: <6de7d35e-9ee7-5324-86d0-e0e42c6a6d29@tycho.nsa.gov>

On Thu, Dec 13, 2018 at 03:09:55PM -0500, Stephen Smalley wrote:
> On 12/13/18 1:54 PM, Vivek Goyal wrote:
> > On Thu, Dec 13, 2018 at 11:12:31AM -0500, Stephen Smalley wrote:
> > 
> > [..]
> > > > > > Can you elaborate a bit more on how this is leaking data through overlay
> > > > > > mount. If it is, then why accessing file on lower is not equivalent of
> > > > > > leaking of data.
> > > > > 
> > > > > In the container use case, retaining the lower label on copy-up for a
> > > > > context-mounted overlay permits a process in the container to leak the
> > > > > container data out to host files not labeled with the container label and
> > > > > thus potentially accessible to other containers or host processes.
> > > > 
> > > > > The
> > > > > container process appears to just be writing to files labeled with the
> > > > > container label via the overlay, but the written data and/or metadata is
> > > > > directly accessible through the lower label, which is likely readable to
> > > > > all/many containers and host processes.
> > > > > 
> > > > > In the multi-level security (MLS) use case, an analogy would a situation
> > > > > where you have an unclassified lower dir with some content to be shared
> > > > > read-only across all levels, and an overlay is context-mounted at each level
> > > > > with a corresponding upper dir and work dir private to that level.  If a
> > > > > client process at secret performs a write to a file via the secret overlay,
> > > > > and if the written data is stored in a file in the upper dir that inherits
> > > > > the label from the lower file (unclassified), then the secret process can
> > > > > leak data to unclassified processes at will, violating the MLS policy.
> > > > 
> > > > For the case of devices, its already happening. One might change metadata
> > > > of a device (hence trigger copy up). Now all writes to upper device file
> > > > from secret process still go to same underlying device and are still
> > > > readable from lower device file.
> > > 
> > > This is an argument for not copying up device files IMHO, not for preserving
> > > the lower label on them.
> > 
> > How do we handle metadata change to device node (like timestamp, ownership
> > change) without copy up.
> 
> Do we need to support such metadata changes to device nodes through an
> overlay mount?  Is that required for some legitimate purpose (and if so,
> what is the use case?)?  If not, just deny it up front.  Much simpler and no
> potential for a leak.

This will be overlay specific behavior and further from POSIX
like filesystem behavior. Don't know which workloads depend on changing
ownership of devices of changing metadata of devices.

Thanks
Vivek

  reply	other threads:[~2018-12-13 20:26 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-27 19:55 overlayfs access checks on underlying layers Miklos Szeredi
2018-11-27 19:58 ` Miklos Szeredi
2018-11-27 21:05   ` Vivek Goyal
2018-11-28 10:00     ` Miklos Szeredi
2018-11-28 17:03       ` Vivek Goyal
2018-11-28 19:34         ` Stephen Smalley
2018-11-28 20:24           ` Miklos Szeredi
2018-11-28 21:46             ` Stephen Smalley
2018-11-29 11:04               ` Miklos Szeredi
2018-11-29 13:49                 ` Vivek Goyal
2019-03-04 17:01                   ` Mark Salyzyn
2019-03-04 17:56                     ` Casey Schaufler
2019-03-04 18:44                     ` Stephen Smalley
2019-03-04 19:21                       ` Amir Goldstein
2018-11-29 16:16                 ` Stephen Smalley
2018-11-29 16:22                   ` Stephen Smalley
2018-11-29 19:47                   ` Miklos Szeredi
2018-11-29 21:03                     ` Stephen Smalley
2018-11-29 21:19                       ` Stephen Smalley
2018-12-04 13:32                         ` Miklos Szeredi
2018-12-04 14:30                           ` Stephen Smalley
2018-12-04 14:45                             ` Miklos Szeredi
2018-12-04 15:35                               ` Stephen Smalley
2018-12-04 15:39                                 ` Miklos Szeredi
2018-12-11 15:50                                   ` Paul Moore
2018-12-04 15:15                             ` Vivek Goyal
2018-12-04 15:22                               ` Vivek Goyal
2018-12-04 15:31                                 ` Miklos Szeredi
2018-12-04 15:42                                   ` Vivek Goyal
2018-12-04 16:05                                     ` Stephen Smalley
2018-12-04 16:17                                       ` Vivek Goyal
2018-12-04 16:49                                         ` Stephen Smalley
2018-12-05 13:43                                           ` Vivek Goyal
2018-12-06 20:26                                             ` Stephen Smalley
2018-12-11 21:48                                               ` Vivek Goyal
2018-12-12 14:51                                                 ` Stephen Smalley
2018-12-13 14:58                                                   ` Vivek Goyal
2018-12-13 16:12                                                     ` Stephen Smalley
2018-12-13 18:54                                                       ` Vivek Goyal
2018-12-13 20:09                                                         ` Stephen Smalley
2018-12-13 20:26                                                           ` Vivek Goyal [this message]
2018-12-04 15:42                               ` Stephen Smalley
2018-12-04 16:15                                 ` Vivek Goyal
2018-11-29 22:22                     ` Daniel Walsh
2018-12-03 23:27                       ` Paul Moore
2018-12-04 14:43                         ` Stephen Smalley
2018-12-04 23:01                           ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181213202608.GD4384@redhat.com \
    --to=vgoyal@redhat.com \
    --cc=bfields@fieldses.org \
    --cc=dwalsh@redhat.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-unionfs@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    --cc=omosnace@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=salyzyn@android.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).