[Cluster-devel] [PATCH v13 0/5] overlayfs override_creds=off
Patch series: overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh Add flags option to get xattr method paired to __vfs_getxattr overlayfs: handle XATTR_NOSECURITY flag for get xattr method overlayfs: internal getxattr operations without sepolicy checking overlayfs: override_creds=off option bypass creator_cred The first four patches address fundamental security issues that should be solved regardless of the override_creds=off feature. on them). The fifth adds the feature depends on these other fixes. By default, all access to the upper, lower and work directories is the recorded mounter's MAC and DAC credentials. The incoming accesses are checked against the caller's credentials. If the principles of least privilege are applied for sepolicy, the mounter's credentials might not overlap the credentials of the caller's when accessing the overlayfs filesystem. For example, a file that a lower DAC privileged caller can execute, is MAC denied to the generally higher DAC privileged mounter, to prevent an attack vector. We add the option to turn off override_creds in the mount options; all subsequent operations after mount on the filesystem will be only the caller's credentials. The module boolean parameter and mount option override_creds is also added as a presence check for this "feature", existence of /sys/module/overlay/parameters/overlay_creds Signed-off-by: Mark Salyzyn Cc: Miklos Szeredi Cc: Jonathan Corbet Cc: Vivek Goyal Cc: Eric W. Biederman Cc: Amir Goldstein Cc: Randy Dunlap Cc: Stephen Smalley Cc: linux-unio...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-ker...@vger.kernel.org Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Dominique Martinet Cc: David Howells Cc: Chris Mason Cc: Josef Bacik Cc: David Sterba Cc: Jeff Layton Cc: Sage Weil Cc: Ilya Dryomov Cc: Steve French Cc: Tyler Hicks Cc: Jan Kara Cc: Theodore Ts'o Cc: Andreas Dilger Cc: Jaegeuk Kim Cc: Chao Yu Cc: Bob Peterson Cc: Andreas Gruenbacher Cc: David Woodhouse Cc: Richard Weinberger Cc: Dave Kleikamp Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Trond Myklebust Cc: Anna Schumaker Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Mike Marshall Cc: Martin Brandenburg Cc: Alexander Viro Cc: Phillip Lougher Cc: Darrick J. Wong Cc: linux-...@vger.kernel.org Cc: Hugh Dickins Cc: David S. Miller Cc: Andrew Morton Cc: Mathieu Malaterre Cc: Ernesto A. Fernandez Cc: Vyacheslav Dubeyko Cc: v9fs-develo...@lists.sourceforge.net Cc: linux-...@lists.infradead.org Cc: linux-bt...@vger.kernel.org Cc: ceph-de...@vger.kernel.org Cc: linux-c...@vger.kernel.org Cc: samba-techni...@lists.samba.org Cc: ecryp...@vger.kernel.org Cc: linux-e...@vger.kernel.org Cc: linux-f2fs-de...@lists.sourceforge.net Cc: linux-fsde...@vger.kernel.org Cc: cluster-devel@redhat.com Cc: linux-...@lists.infradead.org Cc: jfs-discuss...@lists.sourceforge.net Cc: linux-...@vger.kernel.org Cc: ocfs2-de...@oss.oracle.com Cc: de...@lists.orangefs.org Cc: reiserfs-de...@vger.kernel.org Cc: linux...@kvack.org Cc: net...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v13: - add flags argument to __vfs_getxattr - drop GFP_NOFS side-effect v12: - Restore squished out patch 2 and 3 in the series, then change algorithm to add flags argument. Per-thread flag is a large security surface. v11: - Squish out v10 introduced patch 2 and 3 in the series, then and use per-thread flag instead for nesting. - Switch name to ovl_do_vds_getxattr for __vds_getxattr wrapper. - Add sb argument to ovl_revert_creds to match future work. v10: - Return NULL on CAP_DAC_READ_SEARCH - Add __get xattr method to solve sepolicy logging issue - Drop unnecessary sys_admin sepolicy checking for administrative driver internal xattr functions. v6: - Drop CONFIG_OVERLAY_FS_OVERRIDE_CREDS. - Do better with the documentation, drop rationalizations. - pr_warn message adjusted to report consequences. v5: - beefed up the caveats in the Documentation - Is dependent on "overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh" "overlayfs: check CAP_MKNOD before issuing vfs_whiteout" - Added prwarn when override_creds=off v4: - spelling and grammar errors in text v3: - Change name from caller_credentials / creator_credentials to the boolean override_creds. - Changed from creator to mounter credentials. - Updated and fortified the documentation. - Added CONFIG_OVERLAY_FS_OVERRIDE_CREDS v2: - Forward port changed attr to stat, resulting in a build error. - altered commit message.
[Cluster-devel] [PATCH v13 3/5] overlayfs: handle XATTR_NOSECURITY flag for get xattr method
Because of the overlayfs getxattr recursion, the incoming inode fails
to update the selinux sid resulting in avc denials being reported
against a target context of u:object_r:unlabeled:s0.
Solution is to respond to the XATTR_NOSECURITY flag in get xattr
method that calls the __vfs_getxattr handler instead so that the
context can be read in, rather than being denied with an -EACCES
when vfs_getxattr handler is called.
For the use case where access is to be blocked by the security layer.
The path then would be security(dentry) ->
__vfs_getxattr(dentry...XATTR_NOSECURITY) ->
handler->get(dentry...XATTR_NOSECURITY) ->
__vfs_getxattr(realdentry...XATTR_NOSECURITY) ->
lower_handler->get(realdentry...XATTR_NOSECURITY) which
would report back through the chain data and success as expected,
the logging security layer at the top would have the data to
determine the access permissions and report back to the logs and
the caller that the target context was blocked.
For selinux this would solve the cosmetic issue of the selinux log
and allow audit2allow to correctly report the rule needed to address
the access problem.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: Eric Van Hensbergen
Cc: Latchesar Ionkov
Cc: Dominique Martinet
Cc: David Howells
Cc: Chris Mason
Cc: Josef Bacik
Cc: David Sterba
Cc: Jeff Layton
Cc: Sage Weil
Cc: Ilya Dryomov
Cc: Steve French
Cc: Tyler Hicks
Cc: Jan Kara
Cc: Theodore Ts'o
Cc: Andreas Dilger
Cc: Jaegeuk Kim
Cc: Chao Yu
Cc: Bob Peterson
Cc: Andreas Gruenbacher
Cc: David Woodhouse
Cc: Richard Weinberger
Cc: Dave Kleikamp
Cc: Greg Kroah-Hartman
Cc: Tejun Heo
Cc: Trond Myklebust
Cc: Anna Schumaker
Cc: Mark Fasheh
Cc: Joel Becker
Cc: Joseph Qi
Cc: Mike Marshall
Cc: Martin Brandenburg
Cc: Alexander Viro
Cc: Phillip Lougher
Cc: Darrick J. Wong
Cc: linux-...@vger.kernel.org
Cc: Hugh Dickins
Cc: David S. Miller
Cc: Andrew Morton
Cc: Mathieu Malaterre
Cc: Ernesto A. Fernández
Cc: Vyacheslav Dubeyko
Cc: v9fs-develo...@lists.sourceforge.net
Cc: linux-...@lists.infradead.org
Cc: linux-bt...@vger.kernel.org
Cc: ceph-de...@vger.kernel.org
Cc: linux-c...@vger.kernel.org
Cc: samba-techni...@lists.samba.org
Cc: ecryp...@vger.kernel.org
Cc: linux-e...@vger.kernel.org
Cc: linux-f2fs-de...@lists.sourceforge.net
Cc: linux-fsde...@vger.kernel.org
Cc: cluster-devel@redhat.com
Cc: linux-...@lists.infradead.org
Cc: jfs-discuss...@lists.sourceforge.net
Cc: linux-...@vger.kernel.org
Cc: ocfs2-de...@oss.oracle.com
Cc: de...@lists.orangefs.org
Cc: reiserfs-de...@vger.kernel.org
Cc: linux...@kvack.org
Cc: net...@vger.kernel.org
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v13 - rebase to use __vfs_getxattr flags option.
v12 - Added back to patch series as get xattr with flag option.
v11 - Squashed out of patch series and replaced with per-thread flag
solution.
v10 - Added to patch series as __get xattr method.
---
fs/overlayfs/inode.c | 5 +++--
fs/overlayfs/overlayfs.h | 2 +-
fs/overlayfs/super.c | 4 ++--
3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index 7663aeb85fa3..1bf11ae44313 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -363,7 +363,7 @@ int ovl_xattr_set(struct dentry *dentry, struct inode
*inode, const char *name,
}
int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char *name,
- void *value, size_t size)
+ void *value, size_t size, int flags)
{
ssize_t res;
const struct cred *old_cred;
@@ -371,7 +371,8 @@ int ovl_xattr_get(struct dentry *dentry, struct inode
*inode, const char *name,
ovl_i_dentry_upper(inode) ?: ovl_dentry_lower(dentry);
old_cred = ovl_override_creds(dentry->d_sb);
- res = vfs_getxattr(realdentry, name, value, size);
+ res = __vfs_getxattr(realdentry, d_inode(realdentry), name,
+value, size, flags);
revert_creds(old_cred);
return res;
}
diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
index 6934bcf030f0..ab3d031c422b 100644
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -356,7 +356,7 @@ int ovl_permission(struct inode *inode, int mask);
int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name,
const void *value, size_t size, int flags);
int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char *name,
- void *value, size_t size);
+ void *value, size_t size, int flags);
ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size);
struct posix_acl *ovl_get_acl(struct inode
[Cluster-devel] [PATCH v13 4/5] overlayfs: internal getxattr operations without sepolicy checking
Check impure, opaque, origin & meta xattr with no sepolicy audit
(using __vfs_getxattr) since these operations are internal to
overlayfs operations and do not disclose any data. This became
an issue for credential override off since sys_admin would have
been required by the caller; whereas would have been inherently
present for the creator since it performed the mount.
This is a change in operations since we do not check in the new
ovl_do_vfs_getxattr function if the credential override is off or
not. Reasoning is that the sepolicy check is unnecessary overhead,
especially since the check can be expensive.
Because for override credentials off, this affects _everyone_ that
underneath performs private xattr calls without the appropriate
sepolicy permissions and sys_admin capability. Providing blanket
support for sys_admin would be bad for all possible callers.
For the override credentials on, this will affect only the mounter,
should it lack sepolicy permissions. Not considered a security
problem since mounting by definition has sys_admin capabilities,
but sepolicy contexts would still need to be crafted.
It should be noted that there is precedence, __vfs_getxattr is used
in other filesystems for their own internal trusted xattr management.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: kernel-t...@android.com
Cc: Eric Van Hensbergen
Cc: Latchesar Ionkov
Cc: Dominique Martinet
Cc: David Howells
Cc: Chris Mason
Cc: Josef Bacik
Cc: David Sterba
Cc: Jeff Layton
Cc: Sage Weil
Cc: Ilya Dryomov
Cc: Steve French
Cc: Tyler Hicks
Cc: Jan Kara
Cc: Theodore Ts'o
Cc: Andreas Dilger
Cc: Jaegeuk Kim
Cc: Chao Yu
Cc: Bob Peterson
Cc: Andreas Gruenbacher
Cc: David Woodhouse
Cc: Richard Weinberger
Cc: Dave Kleikamp
Cc: Greg Kroah-Hartman
Cc: Tejun Heo
Cc: Trond Myklebust
Cc: Anna Schumaker
Cc: Mark Fasheh
Cc: Joel Becker
Cc: Joseph Qi
Cc: Mike Marshall
Cc: Martin Brandenburg
Cc: Alexander Viro
Cc: Phillip Lougher
Cc: Darrick J. Wong
Cc: linux-...@vger.kernel.org
Cc: Hugh Dickins
Cc: David S. Miller
Cc: Andrew Morton
Cc: Mathieu Malaterre
Cc: Ernesto A. Fernández
Cc: Vyacheslav Dubeyko
Cc: v9fs-develo...@lists.sourceforge.net
Cc: linux-...@lists.infradead.org
Cc: linux-bt...@vger.kernel.org
Cc: ceph-de...@vger.kernel.org
Cc: linux-c...@vger.kernel.org
Cc: samba-techni...@lists.samba.org
Cc: ecryp...@vger.kernel.org
Cc: linux-e...@vger.kernel.org
Cc: linux-f2fs-de...@lists.sourceforge.net
Cc: linux-fsde...@vger.kernel.org
Cc: cluster-devel@redhat.com
Cc: linux-...@lists.infradead.org
Cc: jfs-discuss...@lists.sourceforge.net
Cc: linux-...@vger.kernel.org
Cc: ocfs2-de...@oss.oracle.com
Cc: de...@lists.orangefs.org
Cc: reiserfs-de...@vger.kernel.org
Cc: linux...@kvack.org
Cc: net...@vger.kernel.org
Cc: linux-security-mod...@vger.kernel.org
Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19
---
v13 - rebase to use __vfs_getxattr flags option
v12 - rebase
v11 - switch name to ovl_do_vfs_getxattr, fortify comment
v10 - added to patch series
---
fs/overlayfs/namei.c | 12 +++-
fs/overlayfs/overlayfs.h | 2 ++
fs/overlayfs/util.c | 25 -
3 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
index 9702f0d5309d..a4a452c489fa 100644
--- a/fs/overlayfs/namei.c
+++ b/fs/overlayfs/namei.c
@@ -106,10 +106,11 @@ int ovl_check_fh_len(struct ovl_fh *fh, int fh_len)
static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name)
{
- int res, err;
+ ssize_t res;
+ int err;
struct ovl_fh *fh = NULL;
- res = vfs_getxattr(dentry, name, NULL, 0);
+ res = ovl_do_vfs_getxattr(dentry, name, NULL, 0);
if (res < 0) {
if (res == -ENODATA || res == -EOPNOTSUPP)
return NULL;
@@ -123,7 +124,7 @@ static struct ovl_fh *ovl_get_fh(struct dentry *dentry,
const char *name)
if (!fh)
return ERR_PTR(-ENOMEM);
- res = vfs_getxattr(dentry, name, fh, res);
+ res = ovl_do_vfs_getxattr(dentry, name, fh, res);
if (res < 0)
goto fail;
@@ -141,10 +142,11 @@ static struct ovl_fh *ovl_get_fh(struct dentry *dentry,
const char *name)
return NULL;
fail:
- pr_warn_ratelimited("overlayfs: failed to get origin (%i)\n", res);
+ pr_warn_ratelimited("overlayfs: failed to get origin (%zi)\n", res);
goto out;
invalid:
- pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n", res, fh);
+ pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n",
+ (int)res, fh);
goto out;
}
diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
index ab3d031c422b..9d26d8758513 100644
[Cluster-devel] [PATCH v13 5/5] overlayfs: override_creds=off option bypass creator_cred
By default, all access to the upper, lower and work directories is the recorded mounter's MAC and DAC credentials. The incoming accesses are checked against the caller's credentials. If the principles of least privilege are applied, the mounter's credentials might not overlap the credentials of the caller's when accessing the overlayfs filesystem. For example, a file that a lower DAC privileged caller can execute, is MAC denied to the generally higher DAC privileged mounter, to prevent an attack vector. We add the option to turn off override_creds in the mount options; all subsequent operations after mount on the filesystem will be only the caller's credentials. The module boolean parameter and mount option override_creds is also added as a presence check for this "feature", existence of /sys/module/overlay/parameters/override_creds. It was not always this way. Circa 4.6 there was no recorded mounter's credentials, instead privileged access to upper or work directories were temporarily increased to perform the operations. The MAC (selinux) policies were caller's in all cases. override_creds=off partially returns us to this older access model minus the insecure temporary credential increases. This is to permit use in a system with non-overlapping security models for each executable including the agent that mounts the overlayfs filesystem. In Android this is the case since init, which performs the mount operations, has a minimal MAC set of privileges to reduce any attack surface, and services that use the content have a different set of MAC privileges (eg: read, for vendor labelled configuration, execute for vendor libraries and modules). The caveats are not a problem in the Android usage model, however they should be fixed for completeness and for general use in time. Signed-off-by: Mark Salyzyn Cc: Miklos Szeredi Cc: Jonathan Corbet Cc: Vivek Goyal Cc: Eric W. Biederman Cc: Amir Goldstein Cc: Randy Dunlap Cc: Stephen Smalley Cc: linux-unio...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Dominique Martinet Cc: David Howells Cc: Chris Mason Cc: Josef Bacik Cc: David Sterba Cc: Jeff Layton Cc: Sage Weil Cc: Ilya Dryomov Cc: Steve French Cc: Tyler Hicks Cc: Jan Kara Cc: Theodore Ts'o Cc: Andreas Dilger Cc: Jaegeuk Kim Cc: Chao Yu Cc: Bob Peterson Cc: Andreas Gruenbacher Cc: David Woodhouse Cc: Richard Weinberger Cc: Dave Kleikamp Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Trond Myklebust Cc: Anna Schumaker Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Mike Marshall Cc: Martin Brandenburg Cc: Alexander Viro Cc: Phillip Lougher Cc: Darrick J. Wong Cc: linux-...@vger.kernel.org Cc: Hugh Dickins Cc: David S. Miller Cc: Andrew Morton Cc: Mathieu Malaterre Cc: Ernesto A. Fernández Cc: Vyacheslav Dubeyko Cc: v9fs-develo...@lists.sourceforge.net Cc: linux-...@lists.infradead.org Cc: linux-bt...@vger.kernel.org Cc: ceph-de...@vger.kernel.org Cc: linux-c...@vger.kernel.org Cc: samba-techni...@lists.samba.org Cc: ecryp...@vger.kernel.org Cc: linux-e...@vger.kernel.org Cc: linux-f2fs-de...@lists.sourceforge.net Cc: linux-fsde...@vger.kernel.org Cc: cluster-devel@redhat.com Cc: linux-...@lists.infradead.org Cc: jfs-discuss...@lists.sourceforge.net Cc: linux-...@vger.kernel.org Cc: ocfs2-de...@oss.oracle.com Cc: de...@lists.orangefs.org Cc: reiserfs-de...@vger.kernel.org Cc: linux...@kvack.org Cc: net...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 NB: this is a desired feature --- v12 + v13: - Rebase v11: - add sb argument to ovl_revert_creds to match future work v10: - Rebase (and expand because of increased revert_cred usage) v9: - Add to the caveats v8: - drop pr_warn message after straw poll to remove it. - added a use case in the commit message v7: - change name of internal parameter to ovl_override_creds_def - report override_creds only if different than default v6: - Drop CONFIG_OVERLAY_FS_OVERRIDE_CREDS. - Do better with the documentation. - pr_warn message adjusted to report consequences. v5: - beefed up the caveats in the Documentation - Is dependent on "overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh" "overlayfs: check CAP_MKNOD before issuing vfs_whiteout" - Added prwarn when override_creds=off v4: - spelling and grammar errors in text v3: - Change name from caller_credentials / creator_credentials to the boolean override_creds. - Changed from creator to mounter credentials. - Updated and fortified the documentation. - Added CONFIG_OVERLAY_FS_OVERRIDE_CREDS v2: - Forward port changed attr to stat, resulting in a build error. - altered commit message. --- Documentation/filesystems/overlayfs.txt | 23 +++ fs/overlayfs/copy_up.c | 2 +- fs/overlayfs/dir.c | 11 ++-
[Cluster-devel] [PATCH v13 2/5] Add flags option to get xattr method paired to __vfs_getxattr
Add a flag option to get xattr method that could have a bit flag of XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then set in the __vfs_getxattr path. This handles the case of a union filesystem driver that is being requested by the security layer to report back the data that is the target label or context embedded into wrapped filesystem's xattr. For the use case where access is to be blocked by the security layer. The path then could be security(dentry) -> __vfs_getxattr(dentry...XATTR_NOSECUIRTY) -> handler->get(dentry...XATTR_NOSECURITY) -> __vfs_getxattr(lower_dentry...XATTR_NOSECUIRTY) -> lower_handler->get(lower_dentry...XATTR_NOSECUIRTY) which would report back through the chain data and success as expected, but the logging security layer at the top would have the data to determine the access permissions and report back the target context that was blocked. Without the get handler flag, the path on a union filesystem would be the errant security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> security(lower_dentry, log off) -> lower_handler->get(lower_dentry) which would report back through the chain no data, and -EACCES. For selinux for both cases, this would translate to a correctly determined blocked access. In the first corrected case a correct avc log would be reported, in the second legacy case an incorrect avc log would be reported against an uninitialized u:object_r:unlabeled:s0 context making the logs cosmetically useless for audit2allow. This patch series is inert and is the wide-spread addition of the flags option for xattr functions, and a replacement of _vfs_getxattr with __vfs_getxattr(...XATTR_NOSECURITY). Signed-off-by: Mark Salyzyn Cc: Miklos Szeredi Cc: Jonathan Corbet Cc: Vivek Goyal Cc: Eric W. Biederman Cc: Amir Goldstein Cc: Randy Dunlap Cc: Stephen Smalley Cc: linux-unio...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Dominique Martinet Cc: David Howells Cc: Chris Mason Cc: Josef Bacik Cc: David Sterba Cc: Jeff Layton Cc: Sage Weil Cc: Ilya Dryomov Cc: Steve French Cc: Tyler Hicks Cc: Jan Kara Cc: Theodore Ts'o Cc: Andreas Dilger Cc: Jaegeuk Kim Cc: Chao Yu Cc: Bob Peterson Cc: Andreas Gruenbacher Cc: David Woodhouse Cc: Richard Weinberger Cc: Dave Kleikamp Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Trond Myklebust Cc: Anna Schumaker Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Mike Marshall Cc: Martin Brandenburg Cc: Alexander Viro Cc: Phillip Lougher Cc: Darrick J. Wong Cc: linux-...@vger.kernel.org Cc: Hugh Dickins Cc: David S. Miller Cc: Andrew Morton Cc: Mathieu Malaterre Cc: Ernesto A. Fernández Cc: Vyacheslav Dubeyko Cc: v9fs-develo...@lists.sourceforge.net Cc: linux-...@lists.infradead.org Cc: linux-bt...@vger.kernel.org Cc: ceph-de...@vger.kernel.org Cc: linux-c...@vger.kernel.org Cc: samba-techni...@lists.samba.org Cc: ecryp...@vger.kernel.org Cc: linux-e...@vger.kernel.org Cc: linux-f2fs-de...@lists.sourceforge.net Cc: linux-fsde...@vger.kernel.org Cc: cluster-devel@redhat.com Cc: linux-...@lists.infradead.org Cc: jfs-discuss...@lists.sourceforge.net Cc: linux-...@vger.kernel.org Cc: ocfs2-de...@oss.oracle.com Cc: de...@lists.orangefs.org Cc: reiserfs-de...@vger.kernel.org Cc: linux...@kvack.org Cc: net...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v13 - added flags to __vfs_getxattr call, and moved all the security code from vfs_getxattr into it. v12 - Added back to patch series as get xattr with flag option. v11 - Squashed out of patch series and replaced with per-thread flag solution. v10 - Added to patch series as __get xattr method. --- fs/9p/acl.c | 3 ++- fs/9p/xattr.c | 3 ++- fs/afs/xattr.c| 6 +++--- fs/btrfs/xattr.c | 3 ++- fs/ceph/xattr.c | 3 ++- fs/cifs/xattr.c | 2 +- fs/ecryptfs/inode.c | 6 -- fs/ecryptfs/mmap.c| 2 +- fs/ext2/xattr_trusted.c | 2 +- fs/ext2/xattr_user.c | 2 +- fs/ext4/xattr_security.c | 2 +- fs/ext4/xattr_trusted.c | 2 +- fs/ext4/xattr_user.c | 2 +- fs/f2fs/xattr.c | 4 ++-- fs/fuse/xattr.c | 4 ++-- fs/gfs2/xattr.c | 3 ++- fs/hfs/attr.c | 2 +- fs/hfsplus/xattr.c| 3 ++- fs/hfsplus/xattr_trusted.c| 3 ++- fs/hfsplus/xattr_user.c | 3 ++- fs/jffs2/security.c | 3 ++- fs/jffs2/xattr_trusted.c | 3 ++- fs/jffs2/xattr_user.c | 3 ++- fs/jfs/xattr.c| 5 +++-- fs/kernfs/inode.c | 3 ++- fs/nfs/nfs4proc.c
[Cluster-devel] [PATCH v13 0/5] overlayfs override_creds=off
Patch series: overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh Add flags option to get xattr method paired to __vfs_getxattr overlayfs: handle XATTR_NOSECURITY flag for get xattr method overlayfs: internal getxattr operations without sepolicy checking overlayfs: override_creds=off option bypass creator_cred The first four patches address fundamental security issues that should be solved regardless of the override_creds=off feature. on them). The fifth adds the feature depends on these other fixes. By default, all access to the upper, lower and work directories is the recorded mounter's MAC and DAC credentials. The incoming accesses are checked against the caller's credentials. If the principles of least privilege are applied for sepolicy, the mounter's credentials might not overlap the credentials of the caller's when accessing the overlayfs filesystem. For example, a file that a lower DAC privileged caller can execute, is MAC denied to the generally higher DAC privileged mounter, to prevent an attack vector. We add the option to turn off override_creds in the mount options; all subsequent operations after mount on the filesystem will be only the caller's credentials. The module boolean parameter and mount option override_creds is also added as a presence check for this "feature", existence of /sys/module/overlay/parameters/overlay_creds Signed-off-by: Mark Salyzyn Cc: Miklos Szeredi Cc: Jonathan Corbet Cc: Vivek Goyal Cc: Eric W. Biederman Cc: Amir Goldstein Cc: Randy Dunlap Cc: Stephen Smalley Cc: linux-unio...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-ker...@vger.kernel.org Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Dominique Martinet Cc: David Howells Cc: Chris Mason Cc: Josef Bacik Cc: David Sterba Cc: Jeff Layton Cc: Sage Weil Cc: Ilya Dryomov Cc: Steve French Cc: Tyler Hicks Cc: Jan Kara Cc: Theodore Ts'o Cc: Andreas Dilger Cc: Jaegeuk Kim Cc: Chao Yu Cc: Bob Peterson Cc: Andreas Gruenbacher Cc: David Woodhouse Cc: Richard Weinberger Cc: Dave Kleikamp Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Trond Myklebust Cc: Anna Schumaker Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Mike Marshall Cc: Martin Brandenburg Cc: Alexander Viro Cc: Phillip Lougher Cc: Darrick J. Wong Cc: linux-...@vger.kernel.org Cc: Hugh Dickins Cc: David S. Miller Cc: Andrew Morton Cc: Mathieu Malaterre Cc: Ernesto A. Fernández Cc: Vyacheslav Dubeyko Cc: v9fs-develo...@lists.sourceforge.net Cc: linux-...@lists.infradead.org Cc: linux-bt...@vger.kernel.org Cc: ceph-de...@vger.kernel.org Cc: linux-c...@vger.kernel.org Cc: samba-techni...@lists.samba.org Cc: ecryp...@vger.kernel.org Cc: linux-e...@vger.kernel.org Cc: linux-f2fs-de...@lists.sourceforge.net Cc: linux-fsde...@vger.kernel.org Cc: cluster-devel@redhat.com Cc: linux-...@lists.infradead.org Cc: jfs-discuss...@lists.sourceforge.net Cc: linux-...@vger.kernel.org Cc: ocfs2-de...@oss.oracle.com Cc: de...@lists.orangefs.org Cc: reiserfs-de...@vger.kernel.org Cc: linux...@kvack.org Cc: net...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v13: - add flags argument to __vfs_getxattr - drop GFP_NOFS side-effect v12: - Restore squished out patch 2 and 3 in the series, then change algorithm to add flags argument. Per-thread flag is a large security surface. v11: - Squish out v10 introduced patch 2 and 3 in the series, then and use per-thread flag instead for nesting. - Switch name to ovl_do_vds_getxattr for __vds_getxattr wrapper. - Add sb argument to ovl_revert_creds to match future work. v10: - Return NULL on CAP_DAC_READ_SEARCH - Add __get xattr method to solve sepolicy logging issue - Drop unnecessary sys_admin sepolicy checking for administrative driver internal xattr functions. v6: - Drop CONFIG_OVERLAY_FS_OVERRIDE_CREDS. - Do better with the documentation, drop rationalizations. - pr_warn message adjusted to report consequences. v5: - beefed up the caveats in the Documentation - Is dependent on "overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh" "overlayfs: check CAP_MKNOD before issuing vfs_whiteout" - Added prwarn when override_creds=off v4: - spelling and grammar errors in text v3: - Change name from caller_credentials / creator_credentials to the boolean override_creds. - Changed from creator to mounter credentials. - Updated and fortified the documentation. - Added CONFIG_OVERLAY_FS_OVERRIDE_CREDS v2: - Forward port changed attr to stat, resulting in a build error. - altered commit message.
[Cluster-devel] [PATCH v13 1/5] overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh
Assumption never checked, should fail if the mounter creds are not sufficient. Signed-off-by: Mark Salyzyn Cc: Miklos Szeredi Cc: Jonathan Corbet Cc: Vivek Goyal Cc: Eric W. Biederman Cc: Amir Goldstein Cc: Randy Dunlap Cc: Stephen Smalley Cc: linux-unio...@vger.kernel.org Cc: linux-...@vger.kernel.org Cc: linux-ker...@vger.kernel.org Cc: kernel-t...@android.com Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Dominique Martinet Cc: David Howells Cc: Chris Mason Cc: Josef Bacik Cc: David Sterba Cc: Jeff Layton Cc: Sage Weil Cc: Ilya Dryomov Cc: Steve French Cc: Tyler Hicks Cc: Jan Kara Cc: Theodore Ts'o Cc: Andreas Dilger Cc: Jaegeuk Kim Cc: Chao Yu Cc: Bob Peterson Cc: Andreas Gruenbacher Cc: David Woodhouse Cc: Richard Weinberger Cc: Dave Kleikamp Cc: Greg Kroah-Hartman Cc: Tejun Heo Cc: Trond Myklebust Cc: Anna Schumaker Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Mike Marshall Cc: Martin Brandenburg Cc: Alexander Viro Cc: Phillip Lougher Cc: Darrick J. Wong Cc: linux-...@vger.kernel.org Cc: Hugh Dickins Cc: David S. Miller Cc: Andrew Morton Cc: Mathieu Malaterre Cc: Ernesto A. Fernández Cc: Vyacheslav Dubeyko Cc: v9fs-develo...@lists.sourceforge.net Cc: linux-...@lists.infradead.org Cc: linux-bt...@vger.kernel.org Cc: ceph-de...@vger.kernel.org Cc: linux-c...@vger.kernel.org Cc: samba-techni...@lists.samba.org Cc: ecryp...@vger.kernel.org Cc: linux-e...@vger.kernel.org Cc: linux-f2fs-de...@lists.sourceforge.net Cc: linux-fsde...@vger.kernel.org Cc: cluster-devel@redhat.com Cc: linux-...@lists.infradead.org Cc: jfs-discuss...@lists.sourceforge.net Cc: linux-...@vger.kernel.org Cc: ocfs2-de...@oss.oracle.com Cc: de...@lists.orangefs.org Cc: reiserfs-de...@vger.kernel.org Cc: linux...@kvack.org Cc: net...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: sta...@vger.kernel.org # 4.4, 4.9, 4.14 & 4.19 --- v11 + v12 + v13 - rebase v10: - return NULL rather than ERR_PTR(-EPERM) - did _not_ add it ovl_can_decode_fh() because of changes since last review, suspect needs to be added to ovl_lower_uuid_ok()? v8 + v9: - rebase v7: - This time for realz v6: - rebase v5: - dependency of "overlayfs: override_creds=off option bypass creator_cred" --- fs/overlayfs/namei.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c index e9717c2f7d45..9702f0d5309d 100644 --- a/fs/overlayfs/namei.c +++ b/fs/overlayfs/namei.c @@ -161,6 +161,9 @@ struct dentry *ovl_decode_real_fh(struct ovl_fh *fh, struct vfsmount *mnt, if (!uuid_equal(>uuid, >mnt_sb->s_uuid)) return NULL; + if (!capable(CAP_DAC_READ_SEARCH)) + return NULL; + bytes = (fh->len - offsetof(struct ovl_fh, fid)); real = exportfs_decode_fh(mnt, (struct fid *)fh->fid, bytes >> 2, (int)fh->type, -- 2.22.0.770.g0f2c4a37fd-goog
