| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKtyLkG1_evj7=yrB6nH-8fJuP3DsWyxwrhv7O_Mk=Fy8FOvVw@mail.gmail.com> Date: Fri, 30 Jan 2026 11:21:00 -0800 From: Fan Wu <wufan@...nel.org> To: Amir Goldstein <amir73il@...il.com> Cc: wufan@...nel.org, linux-security-module@...r.kernel.org, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, corbet@....net, mic@...ikod.net, miklos@...redi.hu, linux-unionfs@...r.kernel.org Subject: Re: [PATCH] ipe: document AT_EXECVE_CHECK TOCTOU issue on OverlayFS On Fri, Jan 30, 2026 at 3:06 AM Amir Goldstein <amir73il@...il.com> wrote: > > On Fri, Jan 30, 2026 at 1:14 AM <wufan@...nel.org> wrote: > > > > From: Fan Wu <wufan@...nel.org> > > > > Document a known TOCTOU (time-of-check to time-of-use) issue when using > > AT_EXECVE_CHECK with read() on OverlayFS. > > Hi Fan Wu, > > TBH, I don't like the way that this problem is being framed. > IIUC, the problem is using IPE on a non-read-only fs. > Is that correct? > > That fact that IPE metadata is usually coupled with read-only fs > is interesting for the understanding of the use case, but unless > IPE feature mandates read-only fs, this is a generic problem. > > OverlayFS is just one private case, which happens to be common > in Android or containers? IDK, you did not mention this. > > Please describe the problem as a generic problem and give > overlayfs as an example, preferable with references to the > real world use cases. > > If I misunderstood, please explain why this problem is exclusive > to overlayfs. > > Thanks, > Amir. > Hi Amir, Thanks for the review. That's exactly why we CC'd you and the overlayfs folks, we wanted to get your perspective before documenting this. Let me give some background. IPE enforces execution policy based on file integrity properties, primarily dm-verity and fs-verity. These are the trust anchors, and files without these protections won't be trusted by IPE. Since dm-verity and fs-verity are inherently read-only, in typical deployments the TOCTOU issue doesn't exist. To support overlayfs, IPE uses d_real_inode() to look through the overlay and get the real inode from the lower layer. Recently a new feature AT_EXECVE_CHECK was introduced to allow script interpreters to request LSM checks on script files before execution. The idea is: interpreter opens the script, calls execveat() with AT_EXECVE_CHECK to verify the file passes security policy, then reads and executes the content. What we found is that on overlayfs with a dm-verity lower layer and writable upper layer, when a script file only exists in the lower layer, AT_EXECVE_CHECK passes because IPE sees it's dm-verity protected. But if another process writes to the same path after execveat() returns, copy-up happens and subsequent read() from the original fd returns content from the upper layer. We verified this through testing. Overlayfs is popular in container environments, so we want to document this for IPE users. We noticed the overlayfs documentation (https://docs.kernel.org/filesystems/overlayfs.html#non-standard-behavior) states that if a lower layer file is opened and memory mapped, subsequent changes are not reflected in the memory mapping. We also verified this: mmap keeps the original lower layer content after copy-up. One reason we CC'd you is to ask: is relying on mmap to keep the original lower file reference a reasonable choice? Or would you recommend against depending on this behavior? The narrative in the patch can definitely be adjusted. Would something like this work better: "When using AT_EXECVE_CHECK on overlayfs, if the lower layer is integrity-protected but the upper layer is writable, a copy-up between the check and read() may cause the interpreter to read unverified content." Let us know what you think. -Fan
Powered by blists - more mailing lists