[PATCH v19 0/4] overlayfs override_creds=off & nested get xattr fix
Paul Moore
paul at paul-moore.com
Thu Mar 10 22:11:05 UTC 2022
On Wed, Mar 9, 2022 at 4:13 PM Paul Moore <paul at paul-moore.com> wrote:
> On Tue, Mar 1, 2022 at 12:05 AM David Anderson <dvander at google.com> wrote:
> > On Mon, Feb 28, 2022 at 5:09 PM Paul Moore <paul at paul-moore.com> wrote:
...
> >> This patchset may not have been The Answer, but surely there is
> >> something we can do to support this use-case.
> >
> > Yup exactly, and we still need patches 3 & 4 to deal with this. My current plan is to try and rework our sepolicy (we have some ideas on how it could be made compatible with how overlayfs works). If that doesn't pan out we'll revisit these patches and think harder about how to deal with the coherency issues.
>
> Can you elaborate a bit more on the coherency issues? Is this the dir
> cache issue that is alluded to in the patchset? Anything else that
> has come up on review?
>
> Before I start looking at the dir cache in any detail, did you have
> any thoughts on how to resolve the problems that have arisen?
David, Vivek, Amir, Miklos, or anyone for that matter, can you please
go into more detail on the cache issues? I *think* I may have found a
potential solution for an issue that could arise when the credential
override is not in place, but I'm not certain it's the only issue :)
There is motivation on our part to try and get the
"override_creds=off" portion of the patchset working and suitable for
upstreaming, but I need some help in making sure I understand all the
objections/problems.
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list