On Tue, Oct 20, 2020 at 3:17 PM Mark Salyzyn <[email protected]> wrote: > > Mark Salyzyn (3): > Add flags option to get xattr method paired to __vfs_getxattr > overlayfs: handle XATTR_NOSECURITY flag for get xattr method > overlayfs: override_creds=off option bypass creator_cred > > Mark Salyzyn + John Stultz (1): > overlayfs: inode_owner_or_capable called during execv > > The first three patches address fundamental security issues that should > be solved regardless of the override_creds=off feature. > > The fourth adds the feature depends on these other fixes. > > By default, all access to the upper, lower and work directories is the > recorded mounter's MAC and DAC credentials. The incoming accesses are > checked against the caller's credentials. > > If the principles of least privilege are applied for sepolicy, the > mounter's credentials might not overlap the credentials of the caller's > when accessing the overlayfs filesystem. For example, a file that a > lower DAC privileged caller can execute, is MAC denied to the > generally higher DAC privileged mounter, to prevent an attack vector. > > We add the option to turn off override_creds in the mount options; all > subsequent operations after mount on the filesystem will be only the > caller's credentials. The module boolean parameter and mount option > override_creds is also added as a presence check for this "feature", > existence of /sys/module/overlay/parameters/overlay_creds > > Signed-off-by: Mark Salyzyn <[email protected]> > Cc: Miklos Szeredi <[email protected]> > Cc: Jonathan Corbet <[email protected]> > Cc: Vivek Goyal <[email protected]> > Cc: Eric W. Biederman <[email protected]> > Cc: Amir Goldstein <[email protected]> > Cc: Randy Dunlap <[email protected]> > Cc: Stephen Smalley <[email protected]> > Cc: John Stultz <[email protected]> > Cc: [email protected] > Cc: [email protected] > To: [email protected] > To: [email protected] > Cc: [email protected] > Cc: [email protected]
The SELinux list should also be CC'd on these patches. For those who may just be seeing this, the lore link is below: https://lore.kernel.org/linux-security-module/[email protected]/T/#t -- paul moore www.paul-moore.com
