Thread (11 messages) 11 messages, 3 authors, 2020-10-23

Re: [PATCH v17 0/4] overlayfs override_creds=off & nested get xattr fix

From: Paul Moore <paul@paul-moore.com>
Date: 2020-10-20 23:11:08
Also in: linux-doc, lkml, selinux 

On Tue, Oct 20, 2020 at 3:17 PM Mark Salyzyn [off-list ref] wrote:
Mark Salyzyn (3):
  Add flags option to get xattr method paired to __vfs_getxattr
  overlayfs: handle XATTR_NOSECURITY flag for get xattr method
  overlayfs: override_creds=off option bypass creator_cred

Mark Salyzyn + John Stultz (1):
  overlayfs: inode_owner_or_capable called during execv

The first three patches address fundamental security issues that should
be solved regardless of the override_creds=off feature.

The fourth adds the feature depends on these other fixes.

By default, all access to the upper, lower and work directories is the
recorded mounter's MAC and DAC credentials.  The incoming accesses are
checked against the caller's credentials.

If the principles of least privilege are applied for sepolicy, the
mounter's credentials might not overlap the credentials of the caller's
when accessing the overlayfs filesystem.  For example, a file that a
lower DAC privileged caller can execute, is MAC denied to the
generally higher DAC privileged mounter, to prevent an attack vector.

We add the option to turn off override_creds in the mount options; all
subsequent operations after mount on the filesystem will be only the
caller's credentials.  The module boolean parameter and mount option
override_creds is also added as a presence check for this "feature",
existence of /sys/module/overlay/parameters/overlay_creds

Signed-off-by: Mark Salyzyn <redacted>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Eric W. Biederman <redacted>
Cc: Amir Goldstein <amir73il@gmail.com>
Cc: Randy Dunlap <redacted>
Cc: Stephen Smalley <redacted>
Cc: John Stultz <redacted>
Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
To: linux-fsdevel@vger.kernel.org
To: linux-unionfs@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: kernel-team@android.com
The SELinux list should also be CC'd on these patches.  For those who
may just be seeing this, the lore link is below:

https://lore.kernel.org/linux-security-module/20201020191732.4049987-1-salyzyn@android.com/T/#t (local)

-- 
paul moore
www.paul-moore.com
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help