Date: Fri, 10 Aug 2018 15:12:34 -0700
From: "Darrick J. Wong"
To: "Theodore Y. Ts'o", Andy Lutomirski, David Howells, "Eric W. Biederman", Al Viro, John Johansen, Tejun Heo, SELinux-NSA, Paul Moore, Li Zefan, Linux API, apparmor@lists.ubuntu.com, Casey Schaufler, Fenghua Yu, Greg Kroah-Hartman, Eric Biggers, LSM List, Tetsuo Handa, Johannes Weiner, Stephen Smalley, tomoyo-dev-en@lists.sourceforge.jp, "open list:CONTROL GROUP (CGROUP)", Linus Torvalds, Linux FS Devel, LKML, Miklos Szeredi
Subject: Re: BUG: Mount ignores mount options
Message-ID: <20180810221234.GC4211@magnolia>
References: <20180810153902.GH21087@thunk.org> <87d0uqpba5.fsf@xmission.com> <153313703562.13253.5766498657900728120.stgit@warthog.procyon.org.uk> <22361.1533913891@warthog.procyon.org.uk> <28045.1533916438@warthog.procyon.org.uk> <20180810161400.GA627@thunk.org> <20180810204639.GI627@thunk.org>
In-Reply-To: <20180810204639.GI627@thunk.org>
User-Agent: Mutt/1.9.4 (2018-02-28)
List-ID: linux-kernel@vger.kernel.org

On Fri, Aug 10, 2018 at 04:46:39PM -0400, Theodore Y. Ts'o wrote:
> On Fri, Aug 10, 2018 at 01:06:54PM -0700, Andy Lutomirski wrote:
> > If the same block device is visible, with rw access, in two different
> > containers, I don't see how anything good can happen.
>
> It's worse than that. I've fixed a lot of bugs which cause the kernel
> to crash, and a few that might be levered into a privilege escalation
> attack, when you mount a maliciously corrupted file system using ext4.
> I'm told the security researcher filed similar reports with the
> XFS community, and he was told, "that's what metadata checksums are
> for; go away".

Hey now, there was a little more nuance to it than that[1][2]. The
complaint in the first instance had much more to do with breaking
existing V4 filesystems by adding format requirements that mkfs didn't
know about when the filesystem was created. Yes, you can create V4
filesystems that will hang the system if the log was totally unformatted
and metadata updates are made, but OTOH it's fairly obvious when that
happens, you have to be root to mount a disk filesystem, and we try to
avoid breaking existing users.

XFS developers have been and will continue to examine security problems
when they are brought to our attention and strengthen validation as
needed to minimize the risk of incorrect behaviors, but filesystems are
complex machines, complex machinery is risky, and we arbitrate some of
that risk by requiring administrators to elect to mount an XFS.

> Given how much time it takes to work with these security researchers,
> I don't blame them.
>
> But in light of that, I'd make a somewhat stronger statement. If you
> let an untrusted container mount arbitrary block devices where they
> have rw access to the underlying block device, nothing good can
> happen. Period.

:-)

> Which is why I don't think the lack of being able to reject
> "conflicting mount options" is really all that important. It
> certainly shouldn't block the fsopen patch series. #1, it's a problem
> we have today, and #2, I'm really not at all sure supporting bind mounts
> via specifying block device was ever a good idea to begin with. And
> #3, while I've been fixing ext4 against security issues caused by
> maliciously corrupted file system images, I'm still sure that allowing
> untrusted containers access to mount *any* file system via a block
> device for which they have r/w access is a Really Bad Idea.
>
> > It seems to me that the current approach mostly involves crossing our fingers.
>
> Agreed!

Crossing our fingers and demanding administrator intentionality when
mounting filesystems off some piece of storage.

--D

[1] https://lkml.org/lkml/2018/5/21/649
[2] https://lkml.org/lkml/2018/4/2/572
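The V4-versus-V5 distinction and the "that's what metadata checksums are for" remark above come down to one on-disk fact: a V5 XFS superblock carries a CRC32C over its sector, a V4 one does not. The following is an added example, not code from this thread or from xfsprogs: a small pre-mount inspector that reads the primary superblock sector of an image, reports whether it is the CRC-protected V5 format, and verifies the checksum when one is present. It assumes the published XFS superblock layout (big-endian fields, sb_versionnum at offset 100, sb_sectsize at 102, sb_crc at 224, CRC computed over the sector with the crc field zeroed and stored little-endian); the sample sectors it builds are constructed for illustration, not taken from a real filesystem.

```python
"""Inspect an XFS superblock sector before deciding whether an untrusted image is worth mounting."""
import struct

XFS_SB_MAGIC = b"XFSB"           # sb_magicnum at offset 0
SB_VERSIONNUM_OFF = 100          # __be16 sb_versionnum
SB_SECTSIZE_OFF = 102            # __be16 sb_sectsize
SB_CRC_OFF = 224                 # __le32 sb_crc, only meaningful on V5
XFS_SB_VERSION_NUMBITS = 0x000F  # low nibble holds the format version (4 or 5)


def crc32c(data: bytes) -> int:
    """Bitwise reflected CRC-32C (Castagnoli), the checksum XFS metadata uses."""
    crc = 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def inspect_superblock(sector: bytes) -> dict:
    """Return format version, whether checksums exist, and whether they verify."""
    if len(sector) < 512 or sector[:4] != XFS_SB_MAGIC:
        return {"ok": False, "reason": "not an XFS superblock"}
    version = struct.unpack_from(">H", sector, SB_VERSIONNUM_OFF)[0] & XFS_SB_VERSION_NUMBITS
    sectsize = struct.unpack_from(">H", sector, SB_SECTSIZE_OFF)[0]
    info = {"ok": True, "version": version, "crc_protected": version == 5}
    if version == 5:
        if sectsize < 512 or sectsize > len(sector):
            return {"ok": False, "reason": "implausible sb_sectsize"}
        buf = bytearray(sector[:sectsize])
        buf[SB_CRC_OFF:SB_CRC_OFF + 4] = b"\0\0\0\0"      # CRC is computed with its own field zeroed
        stored = struct.unpack_from("<I", sector, SB_CRC_OFF)[0]
        info["crc_valid"] = stored == crc32c(bytes(buf))
        info["ok"] = info["crc_valid"]
    # A V4 superblock has no checksum, so corruption is invisible at this layer.
    return info


def build_sample_sb(version: int, corrupt: bool = False) -> bytes:
    """Constructed 512-byte sample sector (not a real image) with a valid CRC when V5."""
    buf = bytearray(512)
    buf[:4] = XFS_SB_MAGIC
    struct.pack_into(">I", buf, 4, 4096)                              # sb_blocksize
    struct.pack_into(">H", buf, SB_VERSIONNUM_OFF, 0xB4A0 | version)  # feature bits | version
    struct.pack_into(">H", buf, SB_SECTSIZE_OFF, 512)
    if version == 5:
        struct.pack_into("<I", buf, SB_CRC_OFF, crc32c(bytes(buf)))
    if corrupt:
        buf[4] ^= 0x01  # flip a bit in sb_blocksize after the checksum was written
    return bytes(buf)
```

Note that a verified superblock CRC says nothing about the log or the rest of the metadata, which is why the message above still treats mounting untrusted images as an administrator's deliberate decision.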