From: Paul Moore <paul@paul-moore.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Dan Walsh <dwalsh@redhat.com>,
miklos@szeredi.hu, vgoyal@redhat.com, omosnace@redhat.com,
bfields@fieldses.org, salyzyn@android.com,
linux-kernel@vger.kernel.org, linux-unionfs@vger.kernel.org,
linux-fsdevel@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: overlayfs access checks on underlying layers
Date: Tue, 4 Dec 2018 18:01:23 -0500 [thread overview]
Message-ID: <CAHC9VhSh7NxLdiaJV+SFF64wnw8i2vm2hs3XpeyACGF=FHAH_Q@mail.gmail.com> (raw)
In-Reply-To: <5b52869e-b979-dcf6-becf-a97b8ed33909@tycho.nsa.gov>
On Tue, Dec 4, 2018 at 9:40 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 12/3/18 6:27 PM, Paul Moore wrote:
> > On Thu, Nov 29, 2018 at 5:22 PM Daniel Walsh <dwalsh@redhat.com> wrote:
> >> On 11/29/18 2:47 PM, Miklos Szeredi wrote:
> >>> On Thu, Nov 29, 2018 at 5:14 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >>>
> >>>> Possibly I misunderstood you, but I don't think we want to copy-up on
> >>>> permission denial, as that would still allow the mounter to read/write
> >>>> special files or execute regular files to which it would normally be
> >>>> denied access, because the copy would inherit the context specified by
> >>>> the mounter in the context mount case. It still represents an
> >>>> escalation of privilege for the mounter. In contrast, the copy-up on
> >>>> write behavior does not allow the mounter to do anything it could not do
> >>>> already (i.e. read from the lower, write to the upper).
> >>> Let's get this straight: when file is copied up, it inherits label
> >>> from context=, not from label of lower file?
> >>
> >> Yes, in the case of context mount, it will get the context mount directory.
> >>
> >> In the case of not context mount, it should maintain the label of the
> >> lower.
> >>
> >>> Next question: permission to change metadata is tied to permission to
> >>> open? Is it possible that open is denied, but metadata can be
> >>> changed?
> >>
> >> Yes, SElinux handles open differently then setattr. Although I am not
> >> sure if any tools handle this.
> >>
> >>> DAC model allows this: metadata change is tied to ownership, not mode
> >>> bits. And different capability flag.
> >>>
> >>> If the same is true for MAC, then the pre-v4.20-rc1 is already
> >>> susceptible to the privilege escalation you describe, right?
> >>
> >> After talking to Vivek, I am not sure their is a privilege escallation.
> >
> > More on this below, but this thread doesn't have me convinced, and we
> > are at -rc5 right now. We need to come to some decision on this soon
> > because we are running out of time before v4.20 is released with this
> > code.
> >
> >> For device nodes, the mounter has to have the ability to create the
> >> devicenode with the context mount, if he can do this, then he can do it
> >> with or without Overlay. This might lead to users making mistakes on
> >> security, but the model is sound. And I think this stands even in the
> >> case of the lower is mounted NODEV and the upper is not. If the mounter
> >> can create a device on the upper with a particular label, then he does
> >> not need the lower.
> >
> > The problem I have when looking at the current code is that permission
> > is given, regardless of what is requested, for any special_file() on
> > an overlayfs mount.
> >
> > It also looks like the mounter's creds are used when checking
> > permissions regardless of the file has been copied up or not; I would
> > expect that the mounter's permissions would only used when checking
> > permissions against the lower inode, no?
>
> No, that's never been the model as far as I know. mounter's permissions
> are checked to the underlying inode, whether upper or lower. client's
> permissions are only checked to the overlay inode. upper and lower are
> logically backing store - upper for writes and lower for reads from
> unmodified files. Now, in theory, upper should always be labeled the
> same as overlay, so client check against overlay should already imply
> client access to upper, unless someone has manually relabeled upper
> outside of the overlay.
Okay, thanks for the clarification on the model. This seems a little
odd at first, but I'm trying to convince myself that it makes sense.
--
paul moore
www.paul-moore.com
prev parent reply other threads:[~2018-12-04 23:01 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-27 19:55 overlayfs access checks on underlying layers Miklos Szeredi
2018-11-27 19:58 ` Miklos Szeredi
2018-11-27 21:05 ` Vivek Goyal
2018-11-28 10:00 ` Miklos Szeredi
2018-11-28 17:03 ` Vivek Goyal
2018-11-28 19:34 ` Stephen Smalley
2018-11-28 20:24 ` Miklos Szeredi
2018-11-28 21:46 ` Stephen Smalley
2018-11-29 11:04 ` Miklos Szeredi
2018-11-29 13:49 ` Vivek Goyal
2019-03-04 17:01 ` Mark Salyzyn
2019-03-04 17:56 ` Casey Schaufler
2019-03-04 18:44 ` Stephen Smalley
2019-03-04 19:21 ` Amir Goldstein
2018-11-29 16:16 ` Stephen Smalley
2018-11-29 16:22 ` Stephen Smalley
2018-11-29 19:47 ` Miklos Szeredi
2018-11-29 21:03 ` Stephen Smalley
2018-11-29 21:19 ` Stephen Smalley
2018-12-04 13:32 ` Miklos Szeredi
2018-12-04 14:30 ` Stephen Smalley
2018-12-04 14:45 ` Miklos Szeredi
2018-12-04 15:35 ` Stephen Smalley
2018-12-04 15:39 ` Miklos Szeredi
2018-12-11 15:50 ` Paul Moore
2018-12-04 15:15 ` Vivek Goyal
2018-12-04 15:22 ` Vivek Goyal
2018-12-04 15:31 ` Miklos Szeredi
2018-12-04 15:42 ` Vivek Goyal
2018-12-04 16:05 ` Stephen Smalley
2018-12-04 16:17 ` Vivek Goyal
2018-12-04 16:49 ` Stephen Smalley
2018-12-05 13:43 ` Vivek Goyal
2018-12-06 20:26 ` Stephen Smalley
2018-12-11 21:48 ` Vivek Goyal
2018-12-12 14:51 ` Stephen Smalley
2018-12-13 14:58 ` Vivek Goyal
2018-12-13 16:12 ` Stephen Smalley
2018-12-13 18:54 ` Vivek Goyal
2018-12-13 20:09 ` Stephen Smalley
2018-12-13 20:26 ` Vivek Goyal
2018-12-04 15:42 ` Stephen Smalley
2018-12-04 16:15 ` Vivek Goyal
2018-11-29 22:22 ` Daniel Walsh
2018-12-03 23:27 ` Paul Moore
2018-12-04 14:43 ` Stephen Smalley
2018-12-04 23:01 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhSh7NxLdiaJV+SFF64wnw8i2vm2hs3XpeyACGF=FHAH_Q@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=bfields@fieldses.org \
--cc=dwalsh@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=omosnace@redhat.com \
--cc=salyzyn@android.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).