Date: Sun, 3 Mar 2013 10:30:12 -0800
Subject: Re: [RFC][PATCH] fs: Limit sys_mount to only loading filesystem modules.
From: Kees Cook
To: "Eric W. Biederman"
Cc: "Serge E. Hallyn", LKML, Serge Hallyn, Brad Spengler, Al Viro, Eric Paris, Rusty Russell, "linux-fsdevel@vger.kernel.org"

On Sun, Mar 3, 2013 at 2:14 AM, Eric W. Biederman wrote:
>
> Modify the request_module to prefix the file system type with "fs-"
> and add aliases to all of the filesystems that can be built as modules
> to match.
>
> A common practice is to build all of the kernel code and leave code
> that is not commonly needed as modules, with the result that many
> users are exposed to any bug anywhere in the kernel.
>
> Looking for filesystems with a fs- prefix limits the pool of possible
> modules that can be loaded by mount to just filesystems trivially
> making things safer with no real cost.
>
> Using aliases means user space can control the policy of which
> filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf
> with blacklist and alias directives. Allowing simple, safe,
> well understood work-arounds to known problematic software.
>
> This also addresses a rare but unfortunate problem where the filesystem
> name is not the same as its module name and module auto-loading
> would not work. While writing this patch I saw a handful of such
> cases. The most significant being autofs that lives in the module
> autofs4.
>
> Signed-off-by: "Eric W. Biederman"

Acked-by: Kees Cook

--
Kees Cook
Chrome OS Security
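
A small model of the policy described in the quoted patch description, added here as an example and not part of the original message or the patch: it resolves the "fs-<type>" request that mount would make against module aliases and an administrator's modprobe.d directives. The file contents are constructed samples, `examplefs` and `examplefs_v2` are hypothetical names, and only literal `alias` and `blacklist` directives are modelled (no wildcards, no `install` commands).

```python
# Constructed sample of modules.alias content once filesystem modules carry
# "fs-" aliases; e1000e stands in for a module that is not a filesystem.
MODULES_ALIAS = """\
alias fs-cramfs cramfs
alias fs-autofs autofs4
alias fs-udf udf
alias pci:v00008086d* e1000e
"""

# Constructed sample of administrator policy from /etc/modprobe.d/*.conf.
MODPROBE_CONF = """\
# keep mount from pulling in cramfs
blacklist cramfs
# hypothetical: the filesystem type name differs from the module name
alias fs-examplefs examplefs_v2
"""

def norm(name):
    """modprobe treats '-' and '_' as the same character in names."""
    return name.replace("-", "_")

def parse(text):
    """Collect `alias` and `blacklist` directives; other lines are ignored."""
    aliases, blacklist = {}, set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "alias" and len(fields) == 3:
            aliases.setdefault(norm(fields[1]), fields[2])
        elif fields[0] == "blacklist" and len(fields) == 2:
            blacklist.add(norm(fields[1]))
    return aliases, blacklist

def autoload_target(fstype, modules_alias=MODULES_ALIAS, conf=MODPROBE_CONF):
    """Module a mount of `fstype` would load via "fs-<fstype>", or None."""
    wanted = norm("fs-" + fstype)
    admin, blacklist = parse(conf)
    shipped, _ = parse(modules_alias)
    # Administrator aliases are checked before the aliases modules ship with.
    module = admin.get(wanted) or shipped.get(wanted)
    # In this model a blacklisted module is never returned for an alias request.
    if module is None or norm(module) in blacklist:
        return None
    return module

if __name__ == "__main__":
    for fstype in ["autofs", "cramfs", "udf", "examplefs", "e1000e"]:
        print(f"mount -t {fstype}: {autoload_target(fstype) or 'nothing auto-loaded'}")
```

The `e1000e` case is the point of the prefix: a module with no "fs-" alias cannot be reached through a mount request, whatever type name is passed.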