| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5d85b054-0e84-45ec-a1b3-c6281243c306@linux.alibaba.com> Date: Thu, 12 Jun 2025 19:28:54 +0800 From: Gao Xiang <hsiangkao@...ux.alibaba.com> To: Tatsuyuki Ishi <ishitatsuyuki@...gle.com>, Gao Xiang <xiang@...nel.org>, Chao Yu <chao@...nel.org>, Yue Hu <zbestahu@...il.com>, Jeffle Xu <jefflexu@...ux.alibaba.com>, Sandeep Dhavale <dhavale@...gle.com>, Hongbo Li <lihongbo22@...wei.com> Cc: linux-erofs@...ts.ozlabs.org, linux-kernel@...r.kernel.org, shengyong1@...omi.com, wangshuai12@...omi.com Subject: Re: [PATCH] erofs: impersonate the opener's credentials when accessing backing file Hi Tatsuyuki, On 2025/6/12 18:18, Tatsuyuki Ishi wrote: > Previously, file operations on a file-backed mount used the current > process' credentials to access the backing FD. Attempting to do so on > Android lead to SELinux denials, as ACL rules on the backing file (e.g. > /system/apex/foo.apex) is restricted to a small set of process. > Arguably, this error is redundant and leaking implementation details, as > access to files on a mount is already ACL'ed by path. > > Instead, override to use the opener's cred when accessing the backing > file. This makes the behavior similar to a loop-backed mount, which > uses kworker cred when accessing the backing file and does not cause > SELinux denials. > > Signed-off-by: Tatsuyuki Ishi <ishitatsuyuki@...gle.com> Thanks for the patch. I think overlayfs uses the similar policy (mounter's cred), which is the same as the opener's cred here (because it opens backing file in the mount context), so: Reviewed-by: Gao Xiang <hsiangkao@...ux.alibaba.com> Thanks, Gao Xiang
Powered by blists - more mailing lists