| field | value | date |
|---|---|---|
| author | Amit Pundir <amit.pundir@linaro.org> | 2024-01-15 14:37:20 +0530 |
| committer | Amit Pundir <amit.pundir@linaro.org> | 2024-01-22 11:45:08 +0530 |
| commit | 6c3fdaa6b505c960767dc6df2a66dd3fa0baf884 | |
| tree | 420a4ca55a68577aa97a243e1a2993f0f30708c7 /Documentation/filesystems/overlayfs.rst | |
| parent | d88aa862799a7cc8555338217f0f2ecfd0a89040 | |
Revert "ANDROID: overlayfs: override_creds=off option bypass creator_cred" (rbX-6.8-rc1)
This reverts commit fc6f370400e94a947610fa9d1c49401a52e072a8.
Diffstat (limited to 'Documentation/filesystems/overlayfs.rst')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | Documentation/filesystems/overlayfs.rst | 24 |

1 file changed, 0 insertions, 24 deletions
diff --git a/Documentation/filesystems/overlayfs.rst b/Documentation/filesystems/overlayfs.rst index 58574e08a841..1c244866041a 100644 --- a/Documentation/filesystems/overlayfs.rst +++ b/Documentation/filesystems/overlayfs.rst @@ -323,30 +323,6 @@ and:: The resulting access permissions should be the same. The difference is in the time of copy (on-demand vs. up-front). -### Non overlapping credentials - -As noted above, all access to the upper, lower and work directories is the -recorded mounter's MAC and DAC credentials. The incoming accesses are -checked against the caller's credentials. - -In the case where caller MAC or DAC credentials do not overlap the mounter, a -use case available in older versions of the driver, the override_creds mount -flag can be turned off. For when the use pattern has caller with legitimate -credentials where the mounter does not. For example init may have been the -mounter, but the caller would have execute or read MAC permissions where -init would not. override_creds off means all access, incoming, upper, lower -or working, will be tested against the caller. - -Several unintended side effects will occur though. The caller without certain -key capabilities or lower privilege will not always be able to delete files or -directories, create nodes, or search some restricted directories. The ability -to search and read a directory entry is spotty as a result of the cache -mechanism not re-testing the credentials because of the assumption, a -privileged caller can fill cache, then a lower privilege can read the directory -cache. The uneven security model where cache, upperdir and workdir are opened -at privilege, but accessed without creating a form of privilege escalation, -should only be used with strict understanding of the side effects and of the -security policies. Multiple lower layers --------------------- |
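Review bot: the removed "Non overlapping credentials" section is the only text on this page that documents the override_creds=off mount option and its security caveats, in particular that directory-entry lookups are served from a cache that is not re-checked against the caller's credentials (a privileged caller can fill the cache and a lower-privileged caller can then read it), and the diffstat is limited to Documentation/filesystems/overlayfs.rst, so this hunk does not show whether the option parsing and credential handling from fc6f370400e94a947610fa9d1c49401a52e072a8 are reverted in the same commit; confirm they are, because if the option survives in the code the warning should be kept or moved rather than dropped. Two smaller points: the dropped heading was written as `### Non overlapping credentials`, a Markdown heading inside an .rst file, while the neighbouring `Multiple lower layers` heading uses the RST underline convention, so if the section is ever restored it should be underlined with `---------------------` to match; and the commit message gives no rationale beyond `This reverts commit fc6f370400e94a947610fa9d1c49401a52e072a8.`, which someone reading the history of this option will want.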