Re: [PATCH v10 4/5] overlayfs: internal getxattr operations without sepolicy checking
From: Amir Goldstein <amir73il@gmail.com>
Date: 2019-07-25 15:51:49
Also in:
linux-unionfs, lkml
On Thu, Jul 25, 2019 at 5:37 PM Mark Salyzyn [off-list ref] wrote:
> Thanks for the review.
>
> On 7/25/19 4:00 AM, Amir Goldstein wrote:
>> On Wed, Jul 24, 2019 at 10:57 PM Mark Salyzyn [off-list ref] wrote:
>>> Check impure, opaque, origin & meta xattr with no sepolicy audit
>>> (using __vfs_getxattr) since these operations are internal to
>>> overlayfs operations and do not disclose any data. This became
>>> an issue for credential override off since sys_admin would have
>>> been required by the caller; whereas would have been inherently
>>> present for the creator since it performed the mount.
>>>
>>> This is a change in operations since we do not check in the new
>>> ovl_vfs_getxattr function if the credential override is off or
>>> not. Reasoning is that the sepolicy check is unnecessary overhead,
>>> especially since the check can be expensive.
>>
>> I don't know that this reasoning suffices to skip the sepolicy checks
>> for overlayfs private xattrs.
>> Can't sepolicy be defined to allow get access to trusted.overlay.*?
>
> Because for override credentials off, _everyone_ would need it (at least
> on Android, the sole user AFAIK, and only on userdebug builds, not user
> builds), and if everyone is special, and possibly including the random
> applications we add from the play store, then no one is ...

OK. I am convinced.

One weak argument in favor of the patch:
ecryptfs also uses __vfs_getxattr for private xattrs.

Thanks,
Amir.