ANDROID: overlayfs: override_creds=off option bypass creator_cred
By default, all access to the upper, lower and work directories is the recorded mounter's MAC and DAC credentials. The incoming accesses are checked against the caller's credentials. If the principles of least privilege are applied, the mounter's credentials might not overlap the credentials of the caller's when accessing the overlayfs filesystem. For example, a file that a lower DAC privileged caller can execute, is MAC denied to the generally higher DAC privileged mounter, to prevent an attack vector. We add the option to turn off override_creds in the mount options; all subsequent operations after mount on the filesystem will be only the caller's credentials. The module boolean parameter and mount option override_creds is also added as a presence check for this "feature", existence of /sys/module/overlay/parameters/override_creds. It was not always this way. Circa 4.6 there was no recorded mounter's credentials, instead privileged access to upper or work directories were temporarily increased to perform the operations. The MAC (selinux) policies were caller's in all cases. override_creds=off partially returns us to this older access model minus the insecure temporary credential increases. This is to permit use in a system with non-overlapping security models for each executable including the agent that mounts the overlayfs filesystem. In Android this is the case since init, which performs the mount operations, has a minimal MAC set of privileges to reduce any attack surface, and services that use the content have a different set of MAC privileges (eg: read, for vendor labelled configuration, execute for vendor libraries and modules). The caveats are not a problem in the Android usage model, however they should be fixed for completeness and for general use in time. Bug: 329657783 Change-Id: I3d59cdae4984b5eee87f226bdb8a9dd7fbd5248c Signed-off-by:David Anderson <dvander@google.com> Signed-off-by:
Mark Salyzyn <salyzyn@android.com> Signed-off-by:
Daniel Rosenberg <drosen@google.com> Test: adb-remount-test.sh
Showing
- Documentation/filesystems/overlayfs.rst 25 additions, 1 deletionDocumentation/filesystems/overlayfs.rst
- fs/backing-file.c 25 additions, 15 deletionsfs/backing-file.c
- fs/overlayfs/copy_up.c 1 addition, 1 deletionfs/overlayfs/copy_up.c
- fs/overlayfs/dir.c 22 additions, 12 deletionsfs/overlayfs/dir.c
- fs/overlayfs/file.c 7 additions, 7 deletionsfs/overlayfs/file.c
- fs/overlayfs/inode.c 10 additions, 10 deletionsfs/overlayfs/inode.c
- fs/overlayfs/namei.c 5 additions, 5 deletionsfs/overlayfs/namei.c
- fs/overlayfs/overlayfs.h 6 additions, 1 deletionfs/overlayfs/overlayfs.h
- fs/overlayfs/ovl_entry.h 1 addition, 0 deletionsfs/overlayfs/ovl_entry.h
- fs/overlayfs/params.c 10 additions, 0 deletionsfs/overlayfs/params.c
- fs/overlayfs/readdir.c 4 additions, 4 deletionsfs/overlayfs/readdir.c
- fs/overlayfs/util.c 10 additions, 2 deletionsfs/overlayfs/util.c
- fs/overlayfs/xattrs.c 4 additions, 4 deletionsfs/overlayfs/xattrs.c
Loading
Please register or sign in to comment