protecting overlayfs's lower consistently.
Alexander Ivanov
amivanov at fastmail.com
Fri Feb 28 18:31:04 UTC 2020
We have an LSM that implements the file_open callback to protect fs objects based on path. Now, suppose we are to protect /mnt/l in the following setup:
mount -t overlay -orw,lowerdir=/mnt/l,upperdir=/mnt/u,workdir=/mnt/w none /mnt/m
However, when one attempts to change the upper (for the objects that originate on lower), the dentry passed into vfs_open() and then to do_dentry_open() points to the lower, and there seems to be no easy way to calculate its upper. It
This seems to have been different in older kernels, e.g. 3.10 (RHEL7). The changes that seemingly broke that behaviour happened around kernel 4.4. What was the reason for that change, and is there any way to figure out the upper given the lower passed into vfs_open()?
Thanks,
--Alex
More information about the Linux-security-module-archive
mailing list