Message-ID: <d8e6c8ce-6305-67d8-6213-5460e5d0d88c@android.com>
Date: Wed, 20 Jun 2018 08:28:30 -0700
From: Mark Salyzyn <salyzyn@...roid.com>
To: Vivek Goyal <vgoyal@...hat.com>
Cc: linux-kernel@...r.kernel.org, Miklos Szeredi <miklos@...redi.hu>,
Jonathan Corbet <corbet@....net>,
linux-unionfs@...r.kernel.org, linux-doc@...r.kernel.org,
Daniel Walsh <dwalsh@...hat.com>,
Stephen Smalley <sds@...ho.nsa.gov>
Subject: Re: overlayfs: caller_credentials option bypass creator_cred
On 06/19/2018 07:36 AM, Vivek Goyal wrote:
> On Mon, Jun 18, 2018 at 02:59:50PM -0700, Mark Salyzyn wrote:
> So in this system all callers are privileged and have the capability to
> mknod and set trusted xattrs.
This is true of the callers that make adjustments (in Android's case
this is an su context provided to the adb tool for sync and push). More
importantly, the large variety of callers have the passive/read MAC
credentials for their domain set of files, where the mounter/creator
does not.
> (Amir mentioned the reason why we switch
> creds). If not, then file unlink (Should do mknod), lower non-empty directory
> rename (should set trusted REDIRECT) and bunch of other operations should fail.
Hmmm, neither was part of my test plan b/c these operations are more
esoteric for development ... need to add them and address them.
Thanks all (You, Eric, Amir and private) for your comments, will
regroup, test and address concerns!
-- Mark