overlayFS security concern

Lei Yu yulei.sh at bytedance.com
Tue Feb 23 16:22:24 AEDT 2021


On Sun, Feb 21, 2021 at 12:56 AM Patrick Williams <patrick at stwcx.xyz> wrote:
>
> On Sat, Feb 20, 2021 at 11:46:08AM +1030, Andrew Jeffery wrote:
> > On Sat, 20 Feb 2021, at 11:01, Kun Zhao wrote:
> > > 2. don’t use overlayFS (but it’s really useful for debugging during
> > > develop, and configuration management)
> >
> > Possibly, but it's probably worth looking at IMA instead:
>
> IMA (or similar) is likely a good option.
>
> There is also work going on to remove 'root' from many users and
> daemons so it should be harder to overwrite executables.  If you
> have root I'm pretty sure you can always subvert even something like
> IMA.
>
> A protection we could do which would make attacks slightly harder
> than they are today would be to change how we mount OverlayFS.  Right
> now we mount it on top of root, but we could be more explicit about
> mounting it only on top of places we expect to be read-write. `/etc`
> and `/var` are the two that come to mind but I'm sure there are others.
> This shouldn't be very difficult to implement for someone wanting to
> take the initiative.

Yup, as far as I remember, the "ubi layout" distro feature only mounts
specific directories instead of root.
Checking the code, it enables the `read-only-rootfs`
IMAGE_FEATURES[1], and uses a different init script to mount only /etc
via `preinit-mounts.bb`[2].
The same for `phosphor-mmc` as well.

@anoo should know this well :)

[1]: https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-phosphor/images/obmc-phosphor-image.bb#L35
[2]: https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-phosphor/preinit-mounts/preinit-mounts/init

-- 
BRs,
Lei YU
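An added example, not from the thread or from OpenBMC's preinit-mounts script, of the approach discussed above: mounting the writable overlay only on the directories that need it (here /etc and /var) instead of on /, plus an audit check that reads a /proc/mounts-style listing and flags any overlay mounted outside that list. The persistent partition path /run/initramfs/rw and the cow/work directory names are assumptions.

```shell
#!/bin/sh
# Example (not the OpenBMC init script): overlay only the read-write directories.
# Assumed: persistent rw storage is already mounted at $RWFS.
RWFS="${RWFS:-/run/initramfs/rw}"
RW_DIRS="${RW_DIRS:-/etc /var}"

# Build the overlay option string for one directory: the read-only rootfs copy
# is the lower layer; upper and work dirs live on the persistent partition.
overlay_opts() {
    dir="$1"
    printf 'lowerdir=%s,upperdir=%s/cow%s,workdir=%s/work%s' \
        "$dir" "$RWFS" "$dir" "$RWFS" "$dir"
}

# Mount an overlay on each directory in RW_DIRS (needs root; DRY_RUN=1 only
# prints the mount commands so the logic can be inspected without privileges).
mount_rw_overlays() {
    for dir in $RW_DIRS; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "mount -t overlay overlay -o $(overlay_opts "$dir") $dir"
        else
            mkdir -p "$RWFS/cow$dir" "$RWFS/work$dir" &&
            mount -t overlay overlay -o "$(overlay_opts "$dir")" "$dir"
        fi
    done
}

# Audit check: given a file in /proc/mounts format (source mountpoint fstype
# options dump pass), return 0 when every overlay mount point is one of
# RW_DIRS, and 1 if an overlay sits anywhere else (e.g. on / itself).
check_overlay_scope() {
    mounts_file="$1"
    status=0
    while read -r _src mnt fstype _rest; do
        [ "$fstype" = overlay ] || continue
        ok=0
        for dir in $RW_DIRS; do
            [ "$mnt" = "$dir" ] && ok=1
        done
        if [ "$ok" = 0 ]; then
            echo "unexpected overlay mount on $mnt" >&2
            status=1
        fi
    done < "$mounts_file"
    return "$status"
}
```

Running `check_overlay_scope /proc/mounts` on a live system reports whether the overlay is still stacked on the whole root.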

