Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755788AbbKRMrU (ORCPT ); Wed, 18 Nov 2015 07:47:20 -0500 Received: from mail-io0-f171.google.com ([209.85.223.171]:33980 "EHLO mail-io0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755760AbbKRMrR (ORCPT ); Wed, 18 Nov 2015 07:47:17 -0500 Subject: Re: [PATCH v3 0/7] User namespace mount updates To: Seth Forshee , Al Viro References: <1447778351-118699-1-git-send-email-seth.forshee@canonical.com> <20151117170556.GV22011@ZenIV.linux.org.uk> <20151117172551.GA108807@ubuntu-hedt> <20151117175506.GW22011@ZenIV.linux.org.uk> <564B79B1.3040207@gmail.com> <20151117193012.GX22011@ZenIV.linux.org.uk> <564B9074.5030305@gmail.com> <20151117210542.GY22011@ZenIV.linux.org.uk> <20151117220125.GF108807@ubuntu-hedt> Cc: "Eric W. Biederman" , linux-bcache@vger.kernel.org, dm-devel@redhat.com, linux-raid@vger.kernel.org, linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, Serge Hallyn , Andy Lutomirski , linux-kernel@vger.kernel.org, "Theodore Ts'o" From: Austin S Hemmelgarn Message-ID: <564C733D.7010601@gmail.com> Date: Wed, 18 Nov 2015 07:46:53 -0500 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 MIME-Version: 1.0 In-Reply-To: <20151117220125.GF108807@ubuntu-hedt> Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-512; boundary="------------ms020205030405070905090406" X-Antivirus: avast! (VPS 151118-0, 2015-11-18), Outbound message X-Antivirus-Status: Clean Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 8056 Lines: 147 This is a cryptographically signed message in MIME format. --------------ms020205030405070905090406 Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: quoted-printable On 2015-11-17 17:01, Seth Forshee wrote: > On Tue, Nov 17, 2015 at 09:05:42PM +0000, Al Viro wrote: >> On Tue, Nov 17, 2015 at 03:39:16PM -0500, Austin S Hemmelgarn wrote: >> >>>> This is absolutely insane, no matter how much LSM snake oil you slat= ter on >>>> the whole thing. All of a sudden you are exposing a huge attack sur= face >>>> in the place where it would hurt most and as the consolation we are = offered >>>> basically "Ted is willing to fix holes when they are found". > > None of the LSM changes are intended to protect against attacks from > these sorts of attacks at all, so that's irrelevant. > > As I said before, I'm also working to find holes up front. That plus a > commitment from the maintainer seems like a good start at least. What > bar would you set for a given filesystem to be considered "safe enough"= ? > >>> For the context of static image attacks, anything that's foun >>> _needs_ to be fixed regardless, and unless you can find some way to >>> actually prevent attacks on mounted filesystems that doesn't involve >>> a complete re-write of the filesystem drivers, then there's not much >>> we can do about it. Yes, unprivileged mounts expose an attack >>> surface, but so does userspace access to the network stack, and so >>> do a lot of other features that are considered essential in a modern >>> general purpose operating system. >> >> "X is exposes an attack surface. Y exposes a diferent attack surface.= >> Y is considered important. Therefore X is important enough to impleme= nt it" >> >> Right... > > That isn't the argument he made. I would summarize the argument as, > "Saying that X exposes an attack surface isn't by itself enough to > reject X, otherwise we wouldn't expose anything (such as example Y)." It's good to see someone understood my meaning... > > You believe that the attack surface is too large, and that's > understandable. Is it your opinion that this is a fundamental problem > for an in-kernel filesystem driver, i.e. that we can never be confident= > enough in an in-kernel filesystem parser to allow untrusted data? If > not, what would it take to establish a level of confidence that you > would be comfortable with? While I can't speak for Al's opinion on this, I would like to point out=20 my earlier comment: > It's unfeasible from a practical standpoint to expect filesystems to=20 > assume that stuff they write might change under them due to malicious = > intent of a third party. We can't protect against everything, not without making the system=20 completely unusable for general purpose computing. There is always some = degree of trust involved in usage of a computer, the OS has to trust=20 that the hardware works correctly, the administrator has to trust the OS = to behave correctly, and the users have to trust the administrator. The = administrator also needs to have at least some trust in the users,=20 otherwise he shouldn't be allowing them to use the system. Perhaps we should have an option that can only be enabled on creation of = the userns that would allow it to use regular kernel mounts, and without = that option we default to only allowing FUSE and a couple of virtual=20 filesystems (like /proc and devtmpfs). --------------ms020205030405070905090406 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgMFADCABgkqhkiG9w0BBwEAAKCC Brgwgga0MIIEnKADAgECAgMRLfgwDQYJKoZIhvcNAQENBQAweTEQMA4GA1UEChMHUm9vdCBD QTEeMBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0IFNp Z25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2VydC5vcmcwHhcN MTUwOTIxMTEzNTEzWhcNMTYwMzE5MTEzNTEzWjBjMRgwFgYDVQQDEw9DQWNlcnQgV29UIFVz ZXIxIzAhBgkqhkiG9w0BCQEWFGFoZmVycm9pbjdAZ21haWwuY29tMSIwIAYJKoZIhvcNAQkB FhNhaGVtbWVsZ0BvaGlvZ3QuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA nQ/81tq0QBQi5w316VsVNfjg6kVVIMx760TuwA1MUaNQgQ3NyUl+UyFtjhpkNwwChjgAqfGd LIMTHAdObcwGfzO5uI2o1a8MHVQna8FRsU3QGouysIOGQlX8jFYXMKPEdnlt0GoQcd+BtESr pivbGWUEkPs1CwM6WOrs+09bAJP3qzKIr0VxervFrzrC5Dg9Rf18r9WXHElBuWHg4GYHNJ2V Ab8iKc10h44FnqxZK8RDN8ts/xX93i9bIBmHnFfyNRfiOUtNVeynJbf6kVtdHP+CRBkXCNRZ qyQT7gbTGD24P92PS2UTmDfplSBcWcTn65o3xWfesbf02jF6PL3BCrVnDRI4RgYxG3zFBJuG qvMoEODLhHKSXPAyQhwZINigZNdw5G1NqjXqUw+lIqdQvoPijK9J3eijiakh9u2bjWOMaleI SMRR6XsdM2O5qun1dqOrCgRkM0XSNtBQ2JjY7CycIx+qifJWsRaYWZz0aQU4ZrtAI7gVhO9h pyNaAGjvm7PdjEBiXq57e4QcgpwzvNlv8pG1c/hnt0msfDWNJtl3b6elhQ2Pz4w/QnWifZ8E BrFEmjeeJa2dqjE3giPVWrsH+lOvQQONsYJOuVb8b0zao4vrWeGmW2q2e3pdv0Axzm/60cJQ haZUv8+JdX9ZzqxOm5w5eUQSclt84u+D+hsCAwEAAaOCAVkwggFVMAwGA1UdEwEB/wQCMAAw VgYJYIZIAYb4QgENBEkWR1RvIGdldCB5b3VyIG93biBjZXJ0aWZpY2F0ZSBmb3IgRlJFRSBo ZWFkIG92ZXIgdG8gaHR0cDovL3d3dy5DQWNlcnQub3JnMA4GA1UdDwEB/wQEAwIDqDBABgNV HSUEOTA3BggrBgEFBQcDBAYIKwYBBQUHAwIGCisGAQQBgjcKAwQGCisGAQQBgjcKAwMGCWCG SAGG+EIEATAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2Vy dC5vcmcwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovL2NybC5jYWNlcnQub3JnL3Jldm9rZS5j cmwwNAYDVR0RBC0wK4EUYWhmZXJyb2luN0BnbWFpbC5jb22BE2FoZW1tZWxnQG9oaW9ndC5j b20wDQYJKoZIhvcNAQENBQADggIBADMnxtSLiIunh/TQcjnRdf63yf2D8jMtYUm4yDoCF++J jCXbPQBGrpCEHztlNSGIkF3PH7ohKZvlqF4XePWxpY9dkr/pNyCF1PRkwxUURqvuHXbu8Lwn 8D3U2HeOEU3KmrfEo65DcbanJCMTTW7+mU9lZICPP7ZA9/zB+L0Gm1UNFZ6AU50N/86vjQfY WgkCd6dZD4rQ5y8L+d/lRbJW7ZGEQw1bSFVTRpkxxDTOwXH4/GpQfnfqTAtQuJ1CsKT12e+H NSD/RUWGTr289dA3P4nunBlz7qfvKamxPymHeBEUcuICKkL9/OZrnuYnGROFwcdvfjGE5iLB kjp/ttrY4aaVW5EsLASNgiRmA6mbgEAMlw3RwVx0sVelbiIAJg9Twzk4Ct6U9uBKiJ8S0sS2 8RCSyTmCRhJs0vvva5W9QUFGmp5kyFQEoSfBRJlbZfGX2ehI2Hi3U2/PMUm2ONuQG1E+a0AP u7I0NJc/Xil7rqR0gdbfkbWp0a+8dAvaM6J00aIcNo+HkcQkUgtfrw+C2Oyl3q8IjivGXZqT 5UdGUb2KujLjqjG91Dun3/RJ/qgQlotH7WkVBs7YJVTCxfkdN36rToPcnMYOI30FWa0Q06gn F6gUv9/mo6riv3A5bem/BdbgaJoPnWQD9D8wSyci9G4LKC+HQAMdLmGoeZfpJzKHMYIE0TCC BM0CAQEwgYAweTEQMA4GA1UEChMHUm9vdCBDQTEeMBwGA1UECxMVaHR0cDovL3d3dy5jYWNl cnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcN AQkBFhJzdXBwb3J0QGNhY2VydC5vcmcCAxEt+DANBglghkgBZQMEAgMFAKCCAiEwGAYJKoZI hvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTUxMTE4MTI0NjUzWjBPBgkq hkiG9w0BCQQxQgRASPcPYc4psO/7952jaH6XgNFkRIItnb5hNmSa37sfzSW1VWcQdTB1EjKi lL4ITN/Gjbop+LE56SWok8+bNQCORzBsBgkqhkiG9w0BCQ8xXzBdMAsGCWCGSAFlAwQBKjAL BglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFA MAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIGRBgkrBgEEAYI3EAQxgYMwgYAweTEQMA4GA1UE ChMHUm9vdCBDQTEeMBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlD QSBDZXJ0IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy dC5vcmcCAxEt+DCBkwYLKoZIhvcNAQkQAgsxgYOggYAweTEQMA4GA1UEChMHUm9vdCBDQTEe MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0IFNpZ25p bmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2VydC5vcmcCAxEt+DAN BgkqhkiG9w0BAQEFAASCAgBjvEty1MnC3m2g3DetLapfSmpk8KmH+pbOUtp0zAB5g5cElY4a 9j3AinkOhOFSwtqbEhPTBXWtjcasxVt8S48QQUBTF7Q4V6eIooEEtXoGV4oLVXoHn3QpKl2z ph7ohWZJZOVu+qSYR4WNZ8xJzwDNxJGolhu66iN3fp5SIy13biw4cZ8HaGSqse/0CSZDAqdC 1DT0zpaxQDWed2wb4bE2txesBP8OaCgGkMbWEPH9pQQnIozBZ3+64uJZ9hF3v1LFe+C9lRFU GaQ3BjoG4t3Ndz6PULSj2+U++Qw+laLtTGEwewgaolFn6Ju+Z/bCo/LU9VWUMqdUKwSyT5A/ hE6Qft9mdad7OWPBcEidqEwMjRsB9mgakO2N2W7BkHl9T8MWtkc6oqyIBIOrpAUNV0yOl8Z8 EpFqUUhB0vxBMpyObW9ree9m4Q5GZjaEQH7OfIRGuWYepEXgQPtd6XJFcizAvE8sTD4WCJVM GsV3yv+5d9A1nz4V8akaDmAdUzb1FBMYfB3ge2SLwdc4MI4jCi2aXjvZMNmrdwrB1DBuwNgD fWQnwDjE1w66XCphL9KfY//vtqXk9CmHZS12BX2woao7dBhgNGJ/wa7forcsyK1aRJ+a2cly sUUtRERCBzvtUQ7hpxGTzWf+87i8joHN+MZRpAQaOz/rGVG7Xog1vEesUAAAAAAAAA== --------------ms020205030405070905090406-- -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/