lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4F71ECC4.5080402@schaufler-ca.com>
Date:	Tue, 27 Mar 2012 09:37:24 -0700
From:	Casey Schaufler <casey@...aufler-ca.com>
To:	David Quigley <selinux@...equigley.com>
CC:	David Howells <dhowells@...hat.com>,
	"J. R. Okajima" <hooanon05@...oo.co.jp>,
	linux-fsdevel@...r.kernel.org, viro@...iv.linux.org.uk,
	valerie.aurora@...il.com, linux-kernel@...r.kernel.org,
	sds@...ho.nsa.gov, selinux@...ho.nsa.gov,
	LSM <linux-security-module@...r.kernel.org>,
	Casey Schaufler <casey@...aufler-ca.com>
Subject: Re: copy-up xattr (Re: [RFC][PATCH 00/73] Union Mount [ver #2])

On 3/27/2012 6:10 AM, David Quigley wrote:
> On 03/27/2012 00:38, Casey Schaufler wrote:
>> On 3/26/2012 7:22 AM, David Howells wrote:
>>> J. R. Okajima <hooanon05@...oo.co.jp> wrote:
>>>
>>>>>  (4) Added some code to override the credentials around upper inode
>>>>>      creation to make sure the inode gets the right UID/GID.  This
>>>>> doesn't
>>>>>      help if the lower inode has some sort of foreign user
>>>>> identifier.
>>>>>
>>>>>      Also, I'm not sure whether the LSM xattrs should be blindly
>>>>> copied up.
>>>>>      Should the LSM policies applicable to the lower fs's apply to
>>>>> the upper
>>>>>      fs too?
>>>> Obviously the xattr entry may not have its meanings on the upper fs,
>>> True.  I'm not sure what's the best way to deal with that.  Possibly
>>> add an
>>> extra flag to vfs_setxattr() and have the fs vet them...  OTOH, this
>>> gives us
>>> files on the lowerfs that may well differ in appearance to files on the
>>> upperfs with respect to their xattrs.
>>
>> Are you suggesting that you would have heterogeneous filesystems
>> with different xattr behavior stacked at the same time as you're
>> using an LSM that cares about the behavior of xattrs? Oh dear. As
>> I typed that sentence I identified a viable use case.
>
> The most common use case for union mounts is a livecd. In this case
> the livecd iso has a tmpfs rw mount above it for copyup. I don't know
> how useful having a smart xattr copyup mechanism is in that place as
> most of the labels will be whatever is assigned to the iso. Another
> usecase is snapshotting of a filesystem for rollback. In this case it
> is probably important to retain the existing label as the copyup is
> supposed to be to the same location. The last case which is similar to
> the snapshotting case but with a persistant upper branch would be to
> have an NFS mount and have local configuration changes stored locally.
> In that case as well I can see simple copy up as being ok to do since
> you're using it more as an overlay than a union mount.
>
> Now the tricky case is when you have two filesystems with two
> different directories with the same name. You're going to merge those
> namespaces. The problem occurs when the parent directories have
> different labels.
>
> For example /mnt/upper/foo is labeled foo_t and /mnt/lower/foo is
> labeled foo2_t. What do you use for the label for files created in
> /mnt/union/foo?

The label for the directory on the filesystem on which the file
physically resides.
If all of the filesystem secede from the union, whichever directory will
be the
file's parent.


>
>>
>>>> or the upper fs may return an error when setting the xattr.
>>>> Additionally the
>>>> returned errno may not follow the generic semantics (ENOTSUP,
>>>> ENOSPC, or
>>>> EDQUOT) since the fs may return fs-specific error.
>>> Also true.  It's possible that the best way is just to ignore
>>> everything but a
>>> medium-related error such as EIO, ENOSPC and EDQUOT: We tried...  Oh
>>> well.
>>>
>>>> On the other hand, users may expect that the all xattrs are copied-up,
>>>> particulary when he knows that the xattrs works well on the upper
>>>> fs too.
>>>> In copy-up, it will be hard to support all cases.
>>> Yeah.  Ideally, the copied-up file would be indistinguishable from
>>> the lower
>>> file, but in practice that's not possible unless inode numbers and
>>> other
>>> physical characteristics of the lower file are recorded in the upper
>>> fs (say
>>> on an xattr).
>>>
>>>> In order to leave users how to handle the xattrs, I'd suggest
>>>> introducing some mount options, which are similar to cp(1).
>>>> cp(1) has several options
>>>>     --preserve=mode,ownership,timestamps,context,links,xattr,all
>>>>     ('mode' includes acl which are based upon xattr)
>>>>
>>>> Since the mode (without acl), ownership and timestamps should
>>>> always be
>>>> copied-up, the new mount options will be something like
>>>>     cpup-xattr=acl,context,all
>>> I would suggest 'cpyup' or 'copyup' rather than 'cpup' - the latter
>>> looks like
>>> something to do with CPUs, but yes, it's worth considering.
>>>
>>>> And only when the option is specfied, the xattrs are copied up. No
>>>> special error handling is necessary, all the errors should be returned
>>>> to users unconditionally.
>>> That's not necessarily good enough.  What if and LSM, say SELinux,
>>> is in
>>> force?  Now SELinux will happily label the files for you - but
>>> there's a
>>> reasonable chance they won't be correct.  OTOH, they may not be
>>> correct even
>>> if they are copied up.
>>
>> The underlying storage (the "real" file) has to have the xattr attached
>> to it.
>> Any other behavior is incorrect. If the underlying filesystem does not
>> support
>> xattrs that lack of support has to be propagated upwards even if the
>> higher
>> layer filesystem supports xattrs.
>>
>> In the case of Smack filesystems that don't support xattrs are still
>> given
>> labels based on mount options. If the lower filesystem is NTFS and
>> the upper
>> ext4 you've got to respect the NTFS labeling behavior for files there.
>>
>>>> Does union-mount preserve mtime? If not, it is critical for some
>>>> applications such like "make" I am afraid.
>>> Ummm...  Interesting question.  If it copies up a file, then that
>>> file must
>>> have been opened for writing.  Is the mtime altered by such an
>>> event, or only
>>> by a write() having been issued?  Also, what about ctime?  That
>>> doesn't seem
>>> to have been copied up either.
>>
>> What is the expected behavior of union mounts for all attributes? Is it
>> specified anywhere?
>>
>
> I would assume its under their documentation patch. I tried to lookup
> up what we did for our copyup semantics for file attributes. Its not
> simple or straight forward in the original UnionFS. I think its safe
> to say all the first class attributes need to be copied up. When
> possible we also copied the xattrs as well. Its important to realize
> though that union mounts are namespace unification and not
> fileunification so if you copy one xattr up you need to copy them all
> because any that don't get copied will get left behind.
>
>>>
>>> David
>>> -- 
>>> To unsubscribe from this list: send the line "unsubscribe
>>> linux-kernel" in
>>> the body of a message to majordomo@...r.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>> Please read the FAQ at  http://www.tux.org/lkml/
>>>
>>
>>
>> -- 
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to
>> majordomo@...ho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.
>
>

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ