From: David Howells
Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903
To: Stephen Smalley
Cc: dhowells@redhat.com, viro@zeniv.linux.org.uk, miklos@szeredi.hu, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, Selinux@tycho.nsa.gov, Paul Moore
Subject: Re: [PATCH 6/8] SELinux: Handle opening of a unioned file
Date: Thu, 18 Jun 2015 16:04:19 +0100
Message-ID: <17087.1434639859@warthog.procyon.org.uk>
In-Reply-To: <5582DB99.70001@tycho.nsa.gov>
References: <5582DB99.70001@tycho.nsa.gov> <20150618133215.12722.70352.stgit@warthog.procyon.org.uk> <20150618133302.12722.14996.stgit@warthog.procyon.org.uk>

Stephen Smalley wrote:

> > + /* We need to check that the union file is allowed to be opened as well
> > + * as checking that the lower file is allowed to be opened.
>
> Hmm...so if I try to open a file for write access, then we are going to
> require that the process be allowed to write to both the union/overlay
> inode and to the lower inode? That seems problematic for the containers
> use case where no write access will be granted to the lower files.

Actually, this comment should probably be deleted.
I am currently thinking that access through the overlay fs should only be mediated by the label on the overlay inode and should not involve the lower inode. Possibly, then the lower file label should be reckoned against the label of whoever created the *mount*.

David
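
Review bot: The comment opening the quoted hunk says the lower file's open is checked in addition to the union file's, but it does not say which access is tested against the lower inode or on whose behalf, and that is the case that matters for a write open when no write access is granted to the lower files. If the lower check stays, the comment should name the subject and the permission used for each of the two checks; if mediation moves to the overlay inode label alone, the comment should be removed together with the check it describes.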