overlayFS security concern

Patrick Williams patrick at stwcx.xyz
Sun Feb 21 03:50:24 AEDT 2021


On Sat, Feb 20, 2021 at 11:46:08AM +1030, Andrew Jeffery wrote:
> On Sat, 20 Feb 2021, at 11:01, Kun Zhao wrote:
> > 2. don't use overlayFS (but it's really useful for debugging during
> > development, and configuration management)
> 
> Possibly, but it's probably worth looking at IMA instead:

IMA (or similar) is likely a good option.

There is also work going on to remove 'root' from many users and
daemons so it should be harder to overwrite executables.  If you
have root I'm pretty sure you can always subvert even something like
IMA.

A protection we could do which would make attacks slightly harder
than they are today would be to change how we mount OverlayFS.  Right
now we mount it on top of root, but we could be more explicit about
mounting it only on top of places we expect to be read-write. `/etc`
and `/var` are the two that come to mind but I'm sure there are others.
This shouldn't be very difficult to implement for someone wanting to
take the initiative.

-- 
Patrick Williams
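As an added illustration of the mitigation sketched in the message above (not code from the thread or from the OpenBMC project), the shell snippet below does two things: it parses `/proc/mounts`-style text to detect whether an overlay is mounted over `/` at all, and it emits the narrower per-directory mounts for only the paths expected to be writable (`/etc` and `/var` here). The mount table samples are constructed, and the upper/work base path `/media/rwfs` is an assumption standing in for whatever persistent, writable filesystem a given BMC image uses.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the OpenBMC tree.
# Audits where OverlayFS is mounted and generates scoped replacement mounts.

# Constructed sample: overlay covering the whole root (the situation the
# thread describes, where any write-capable process can shadow /usr/bin etc.)
SAMPLE_MOUNTS_ROOT_OVERLAY='rootfs / rootfs rw 0 0
overlay / overlay rw,relatime,lowerdir=/,upperdir=/media/rwfs/cow,workdir=/media/rwfs/work 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Constructed sample: read-only root with overlays only on /etc and /var.
SAMPLE_MOUNTS_SCOPED='/dev/mtdblock4 / squashfs ro,relatime 0 0
overlay /etc overlay rw,relatime,lowerdir=/etc,upperdir=/media/rwfs/_etc/upper,workdir=/media/rwfs/_etc/work 0 0
overlay /var overlay rw,relatime,lowerdir=/var,upperdir=/media/rwfs/_var/upper,workdir=/media/rwfs/_var/work 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# overlay_mountpoints MOUNTS_TEXT
# Prints the mount point of every overlay filesystem in the given table.
# On a live system pass "$(cat /proc/mounts)".
overlay_mountpoints() {
    printf '%s\n' "$1" | awk '$3 == "overlay" { print $2 }'
}

# root_is_overlaid MOUNTS_TEXT
# Exit status 0 if an overlay is mounted directly on "/", 1 otherwise.
root_is_overlaid() {
    overlay_mountpoints "$1" | grep -qx '/'
}

# overlay_mount_cmds UPPER_BASE DIR...
# Prints the mkdir + mount commands that put an overlay on each DIR only,
# with upper/work directories under UPPER_BASE (assumed to be a writable
# filesystem that is not itself covered by any of the overlays).
# Using DIR as its own lowerdir works because the kernel resolves lowerdir
# before the new mount shadows it.
overlay_mount_cmds() {
    base=$1
    shift
    for d in "$@"; do
        name=$(printf '%s' "$d" | tr '/' '_')
        printf 'mkdir -p %s/%s/upper %s/%s/work\n' "$base" "$name" "$base" "$name"
        printf 'mount -t overlay overlay -o lowerdir=%s,upperdir=%s/%s/upper,workdir=%s/%s/work %s\n' \
            "$d" "$base" "$name" "$base" "$name" "$d"
    done
}

# Report on both constructed tables.
for sample in SAMPLE_MOUNTS_ROOT_OVERLAY SAMPLE_MOUNTS_SCOPED; do
    eval "table=\$$sample"
    if root_is_overlaid "$table"; then
        echo "$sample: overlay covers / (whole rootfs is writable)"
    else
        echo "$sample: root not overlaid; overlays on:" $(overlay_mountpoints "$table")
    fi
done

echo "Scoped mounts to replace a root-wide overlay:"
overlay_mount_cmds /media/rwfs /etc /var
```

Run as a normal user it only prints the audit and the generated commands; the generated `mount` lines need root and a kernel with overlayfs. In an init script the same functions can be pointed at `/proc/mounts` to fail the boot, or raise an alert, if an overlay ever appears on `/` again.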
