lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <665ec6f3-f16d-681f-30d5-eface14c9808@tycho.nsa.gov>
Date:   Tue, 4 Dec 2018 11:05:46 -0500
From:   Stephen Smalley <sds@...ho.nsa.gov>
To:     Vivek Goyal <vgoyal@...hat.com>, Miklos Szeredi <miklos@...redi.hu>
Cc:     Ondrej Mosnacek <omosnace@...hat.com>,
        "J. Bruce Fields" <bfields@...ldses.org>,
        Mark Salyzyn <salyzyn@...roid.com>,
        Paul Moore <paul@...l-moore.com>, linux-kernel@...r.kernel.org,
        overlayfs <linux-unionfs@...r.kernel.org>,
        linux-fsdevel@...r.kernel.org, selinux@...r.kernel.org,
        Daniel J Walsh <dwalsh@...hat.com>
Subject: Re: overlayfs access checks on underlying layers

On 12/4/18 10:42 AM, Vivek Goyal wrote:
> On Tue, Dec 04, 2018 at 04:31:09PM +0100, Miklos Szeredi wrote:
>> On Tue, Dec 4, 2018 at 4:22 PM Vivek Goyal <vgoyal@...hat.com> wrote:
>>
>>> Having said that, this still create little anomaly when mknod to client
>>> is not allowed on context label. So a device file, which is on lower
>>> and client can not open it for read/write on host, it can now be opened
>>> for read/write because mounter will allow access. So why it is different
>>> that regular copy up. Well, in regular copy up, we created a copy of
>>> the original object and allowed writing to that object (cp --preserve=all)
>>> model. But in case of device file, writes will go to same original
>>> object. (And not a separate copy).
>>
>> That's true.
>>
>> In that sense copy up of special file should result in upper having
>> the same label as of lower, right?
> 
> I guess that might be reasonable (if this behavior is a concern). So even
> after copy up, client will not be able to read/write a device if it was
> not allowed on lower.
> 
> Stephen, what do you think about retaining label of lower for device
> files during copy up. What about socket/fifo.

We don't check client task access to the upper inode label, only to the 
overlay, right?  So the client is still free to access the device 
through the overlay even if we preserve the lower inode label on the 
upper inode?  What do we gain?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ