Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756836AbbKRTdP (ORCPT ); Wed, 18 Nov 2015 14:33:15 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:44039 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755830AbbKRTdL (ORCPT ); Wed, 18 Nov 2015 14:33:11 -0500 Date: Wed, 18 Nov 2015 19:32:40 +0000 From: Serge Hallyn To: "Theodore Ts'o" , Seth Forshee , Al Viro , "Eric W. Biederman" , linux-bcache@vger.kernel.org, dm-devel@redhat.com, linux-raid@vger.kernel.org, linux-mtd@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, Serge Hallyn , Andy Lutomirski , linux-kernel@vger.kernel.org Subject: Re: [PATCH v3 0/7] User namespace mount updates Message-ID: <20151118193240.GA26454@ubuntumail> References: <1447778351-118699-1-git-send-email-seth.forshee@canonical.com> <20151117170556.GV22011@ZenIV.linux.org.uk> <20151117172551.GA108807@ubuntu-hedt> <20151117175506.GW22011@ZenIV.linux.org.uk> <20151117183444.GB108807@ubuntu-hedt> <20151118191045.GB3434@thunk.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20151118191045.GB3434@thunk.org> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2371 Lines: 48 Quoting Theodore Ts'o (tytso@mit.edu): > On Tue, Nov 17, 2015 at 12:34:44PM -0600, Seth Forshee wrote: > > On Tue, Nov 17, 2015 at 05:55:06PM +0000, Al Viro wrote: > > > On Tue, Nov 17, 2015 at 11:25:51AM -0600, Seth Forshee wrote: > > > > > > > Shortly after that I plan to follow with support for ext4. I've been > > > > fuzzing ext4 for a while now and it has held up well, and I'm currently > > > > working on hand-crafted attacks. Ted has commented privately (to others, > > > > not to me personally) that he will fix bugs for such attacks, though I > > > > haven't seen any public comments to that effect. > > > > > > _Static_ attacks, or change-image-under-mounted-fs attacks? > > > > Right now only static attacks, change-image-under-mounted-fs attacks > > will be next. > > I will fix bugs about static attacks. That is, it's interesting to me > that a buggy file system (no matter how it is created), not cause the > kernel to crash --- and privilege escalation attacks tend to be > strongly related to those bugs where we're not doing strong enough > checking. > > Protecting against a malicious user which changes the image under the > file system is a whole other kettle of fish. I am not at all user you > can do this without completely sacrificing performance or making the > code impossible to maintain. So my comments do *not* extend to > protecting against a malicious user who is changing the block device > underneath the kernel. Yup, thanks, Ted. I think the only sane thing to do is work on making the mounted files immutable. Guarding against under-mounted-writes seems crazy. Well, actually it seems like a fascinating problem, and maybe solvable without fs changes, but not in scope here. > If you want to submit patches to make the kernel more robust against > these attacks, I'm certainly willing to look at the patches. But I'm > certainly not guaranteeing that they will go in, and I'm certainly not > promising to fix all vulnerabilities that you might find that are > caused by a malicious block device. Sorry, that's too much buying a > pig in a poke.... > > - Ted > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/