Revert "ANDROID: overlayfs: override_creds=off option bypass creator_cred"

This reverts commit 90f11a7d45.

The override_creds patches are no longer needed thanks to the work
documented in the below bug.

Test: adb remount still works
Bug: 388912628
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I8b64898f0968deb6ca0753df7601db4f668f0824
This commit is contained in:
Paul Lawrence
2025-02-14 13:05:01 -08:00
parent 203a476f9e
commit d3e34d865e
13 changed files with 62 additions and 130 deletions
+1 -25
View File
@@ -204,7 +204,7 @@ handle it in two different ways:
1. return EXDEV error: this error is returned by rename(2) when trying to
move a file or directory across filesystem boundaries. Hence
applications are usually prepared to handle this error (mv(1) for example
applications are usually prepared to hande this error (mv(1) for example
recursively copies the directory tree). This is the default behavior.
2. If the "redirect_dir" feature is enabled, then the directory will be
@@ -332,30 +332,6 @@ and::
The resulting access permissions should be the same. The difference is in
the time of copy (on-demand vs. up-front).
### Non overlapping credentials
As noted above, all access to the upper, lower and work directories is the
recorded mounter's MAC and DAC credentials. The incoming accesses are
checked against the caller's credentials.
It is possible, however, that the mounting process (say, init) has access to
mount an overlay, but not access to read or execute certain files in the lower
dir. Meanwhile another process may ONLY have access to files in the lower dir.
This scenario is very common in a "principle of least privilege" security
model. And in this case, using the mounter's credentials will result in access
errors for the calling process, even though the calling process can access the
lower dir.
To address this, the override_creds=off mount option will disable using the
mounter's credentials.
The ability to search and read a directory entry is spotty as a result of the
cache mechanism not re-testing the credentials because of the assumption, a
privileged caller can fill cache, then a lower privilege can read the directory
cache. The uneven security model where cache, upperdir and workdir are opened
at privilege, but accessed without creating a form of privilege escalation,
should only be used with strict understanding of the side effects and of the
security policies.
Multiple lower layers
---------------------