Date: Thu, 24 May 2018 21:06:20 -0700
From: "Darrick J. Wong"
To: Dave Chinner
Cc: "Eric W. Biederman", "Theodore Y. Ts'o", Linux Containers, linux-fsdevel@vger.kernel.org, Seth Forshee, "Serge E. Hallyn", Christian Brauner, linux-kernel@vger.kernel.org
Subject: Re: [REVIEW][PATCH 0/6] Wrapping up the vfs support for unprivileged mounts
Message-ID: <20180525040620.GD4507@magnolia>
References: <87o9h6554f.fsf@xmission.com> <20180524214617.GG7712@thunk.org> <87y3g8y6x9.fsf@xmission.com> <20180525035716.GE10363@dastard>
In-Reply-To: <20180525035716.GE10363@dastard>
User-Agent: Mutt/1.9.4 (2018-02-28)
List-ID: linux-kernel@vger.kernel.org

On Fri, May 25, 2018 at 01:57:16PM +1000, Dave Chinner wrote:
> On Thu, May 24, 2018 at 06:23:30PM -0500, Eric W. Biederman wrote:
> > "Theodore Y. Ts'o" writes:
> >
> > > On Wed, May 23, 2018 at 06:22:56PM -0500, Eric W. Biederman wrote:
> > >>
> > >> Very slowly the work has been progressing to ensure the vfs has the
> > >> necessary support for mounting filesystems without privilege.
> > >
> > > What's the thinking behind how system administrators and/or file
> > > systems would configure whether or not a particular file system type
> > > will be allowed to be mounted w/o privilege?
> >
> > The mechanism is .fs_flags in file_system_type.  If the FS_USERNS_MOUNT
> > flag is set then root in a user namespace (AKA an unprivileged user)
> > will be allowed to mount the filesystem.
> >
> > There are very real concerns about attacking a filesystem with an
> > invalid filesystem image, or by a malicious protocol speaker.  So I
> > don't want to enable anything without the file system maintainers'
> > consent and without a reasonable expectation that neither a system wide
> > denial of service attack nor a privilege escalation attack is possible
> > if the filesystem is enabled.
> >
> > So at a practical level what we have in the vfs is the non-fuse specific
> > bits that enable unprivileged mounts of fuse.  Things like handling
> > of unmapped uids and gids, how normally trusted xattrs are dealt with,
> > etc.
> >
> > A big practical one for me is that if either the uid or gid is not
> > mapped the vfs avoids writing to the inode.
> >
> > Right now my practical goal is to be able to say: "Go run your
> > filesystem in userspace with fuse if you want stronger security
> > guarantees."  I think that will be enough to make removable media
> > reasonably safe from privilege escalation attacks.
> >
> > There is enough code in most filesystems that I don't know what our
> > chances of locking down very many of them are.  But I figure a few more
> > of them are possible.
>
> I'm not sure we need to - fusefs-lkl gives users the ability to
> mount any of the kernel filesystems via fuse without us needing to
> support unprivileged kernel mounts for those filesystems.

/me wonders, is there a fusefs-lkl package for Linux?  (He says, knowing
that freebsd has one... :))

--D

> Cheers,
>
> Dave.
> --
> Dave Chinner
> david@fromorbit.com
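Eric's reply above turns on what "unmapped uid and gids" means for a mount owned by a user namespace, and on the rule that the vfs skips writing an inode whose owner or group has no mapping. The following is an added illustration and not code from this patch series or from the kernel: it parses the text format of /proc/<pid>/uid_map (and gid_map) and implements the two translation directions that kernel/user_namespace.c performs for make_kuid() and from_kuid(), so the "unmapped" case is concrete. The sample map is constructed for the example, `owner_writable()` is a hypothetical helper expressing Eric's rule rather than any kernel function, the overlap check the kernel also performs is omitted, and the 65534 overflow id assumes the default fs.overflowuid/overflowgid sysctls.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/*
 * One extent of a /proc/<pid>/uid_map (or gid_map) file.  Each line reads
 * "first lower_first count": ids first..first+count-1 inside the namespace
 * correspond to lower_first..lower_first+count-1 in the parent namespace.
 */
struct id_extent {
    uint32_t first;        /* first id as seen inside the namespace */
    uint32_t lower_first;  /* matching first id in the parent (here: init) ns */
    uint32_t count;        /* number of ids covered by the extent */
};

#define MAX_EXTENTS 340   /* UID_GID_MAP_MAX_EXTENTS in recent kernels; older ones allowed 5 */

struct id_map {
    struct id_extent extent[MAX_EXTENTS];
    int nr_extents;
};

#define INVALID_ID  ((uint32_t)-1)  /* what make_kuid()/from_kuid() return when unmapped */
#define OVERFLOW_ID 65534u          /* default fs.overflowuid/overflowgid (assumption: sysctl untouched) */

/* Parse uid_map-format text.  Returns the extent count, or -1 for a map the kernel would reject. */
int parse_id_map(const char *text, struct id_map *map)
{
    map->nr_extents = 0;
    while (*text == ' ' || *text == '\t' || *text == '\n')
        text++;
    while (*text) {
        unsigned first, lower, count;
        int used = 0;

        if (sscanf(text, " %u %u %u%n", &first, &lower, &count, &used) != 3)
            return -1;
        /* Reject empty extents, id wrap-around and too many lines (overlap check omitted). */
        if (count == 0 ||
            (uint64_t)first + count > UINT32_MAX ||
            (uint64_t)lower + count > UINT32_MAX ||
            map->nr_extents >= MAX_EXTENTS)
            return -1;
        map->extent[map->nr_extents].first = first;
        map->extent[map->nr_extents].lower_first = lower;
        map->extent[map->nr_extents].count = count;
        map->nr_extents++;

        text += used;
        while (*text == ' ' || *text == '\t' || *text == '\n')
            text++;
    }
    return map->nr_extents;
}

/* The kernel also refuses a map with no extents at all. */
int id_map_is_valid(const char *text)
{
    struct id_map tmp;
    return parse_id_map(text, &tmp) > 0;
}

/* Namespace id -> kernel (init ns) id, like make_kuid(): INVALID_ID if unmapped. */
uint32_t map_id_down(const struct id_map *map, uint32_t id)
{
    for (int i = 0; i < map->nr_extents; i++) {
        const struct id_extent *e = &map->extent[i];
        if (id >= e->first && id - e->first < e->count)
            return e->lower_first + (id - e->first);
    }
    return INVALID_ID;
}

/* Kernel id -> namespace id, like from_kuid(): INVALID_ID if unmapped. */
uint32_t map_id_up(const struct id_map *map, uint32_t id)
{
    for (int i = 0; i < map->nr_extents; i++) {
        const struct id_extent *e = &map->extent[i];
        if (id >= e->lower_first && id - e->lower_first < e->count)
            return e->first + (id - e->lower_first);
    }
    return INVALID_ID;
}

/* Like from_kuid_munged(): what stat(2) reports inside the namespace for an unmapped owner. */
uint32_t map_id_up_munged(const struct id_map *map, uint32_t id)
{
    uint32_t r = map_id_up(map, id);
    return r == INVALID_ID ? OVERFLOW_ID : r;
}

/* Hypothetical helper for the rule in the thread: an inode whose owner or group
 * has no mapping in the mount's namespace must not be written from that namespace,
 * so the real on-disk id is never replaced by the overflow id. */
int owner_writable(const struct id_map *map, uint32_t kuid, uint32_t kgid)
{
    return map_id_up(map, kuid) != INVALID_ID && map_id_up(map, kgid) != INVALID_ID;
}

/* Constructed sample in the shape of a typical unprivileged-container map. */
static const char SAMPLE_UID_MAP[] =
    "         0     100000      65536\n"
    "     65536     200000       1000\n";

const struct id_map *sample_map(void)
{
    static struct id_map map;
    static int parsed;
    if (!parsed)
        parsed = parse_id_map(SAMPLE_UID_MAP, &map) > 0;
    return &map;
}

int main(void)
{
    const struct id_map *m = sample_map();
    uint32_t probes[] = { 100000, 165535, 200999, 1000, 201000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t up = map_id_up(m, probes[i]);
        if (up == INVALID_ID)
            printf("kuid %u: unmapped, stat() shows %u, owner not writable\n",
                   probes[i], map_id_up_munged(m, probes[i]));
        else
            printf("kuid %u: ns uid %u\n", probes[i], up);
    }
    return 0;
}
```

To compare against a live namespace, `unshare -Ur cat /proc/self/uid_map` prints a one-extent map of the same format that `parse_id_map()` consumes; `cat /proc/self/uid_map` from the host prints the identity map of the initial namespace.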