Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp578094imm; Fri, 10 Aug 2018 17:40:48 -0700 (PDT) X-Google-Smtp-Source: AA+uWPyePJH/hyIIXaqwZ0lO53d+0F1ePJB12VQo4cklY1/KUlvCqN7iNfPRxOy7POVqDxsm1zvM X-Received: by 2002:a17:902:2ac3:: with SMTP id j61-v6mr7882862plb.172.1533948048390; Fri, 10 Aug 2018 17:40:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1533948048; cv=none; d=google.com; s=arc-20160816; b=jEr4/JTKJ/PClxvoZuk/YemaZulatGZ2uMm6ohLqAfH0TZ1tutEEPzjGgwzslF2b1f Lubga6YRGn4GDQ9ssdStpRPekdxUk6UOTCStFpAmi2L4I1C0rBl+BnxzAF7t95aEZia8 G0d2FHlyJE7RVGDdq8R40FKb+22eOOxE4NjuWz4TKjePYkec6woK7AzpYoXK1yAHyTKN wwSQipZqR6tQ8qa+wP+f+Kc3OpL/svQ7/4qYPmDgWhLhIGk2GaeyJLzqxmxuQ8FHhjXn Ycoy4ReNLVuL7cYkoCumgGCSEoypyMNNKs9l5JJFSXGLUcjwqJpRjcU5Uxf5WWs50Mi+ pcYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:to :from:date:dkim-signature:arc-authentication-results; bh=kGriiRvaEJZkhi+Lyu+MC6HbJz34ewVUpzQb2zRP+9I=; b=lY4wnbM7fd3qIor30xazM5c7Mva6ReaIFG+Fj+zLUnuUqvDDOVNESadJJ0Nci2IjRS RiS9qu22VMMEgJsbgZOpuC/1jG4aahSLHRoMZh/J5fxWJVuthJ4CQoWEPb9m9N3YNLTg gYa4rUabTvT8PVIsAXlFfb9MGyJNK+PFKAPlYuzZCPTAe6AHQIMsznZYdmY+oqW83eg+ KX0kYqKvXTf5iEsKSAOJtg46IzBr6AwuLmFxtdGPE/rf994MF6KQeyzQQXCrKUUSOhLV 6LKRNnC5lzYhARivSDySYSUMkf5PORVbAYZCM7+tCykek8x9wPlW+V1hBQ/eb2TyOGNC fIpQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=JRfTZtg2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 193-v6si11403060pgh.407.2018.08.10.17.40.33; Fri, 10 Aug 2018 17:40:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=JRfTZtg2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727187AbeHKDL5 (ORCPT + 99 others); Fri, 10 Aug 2018 23:11:57 -0400 Received: from aserp2120.oracle.com ([141.146.126.78]:36340 "EHLO aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726903AbeHKDL5 (ORCPT ); Fri, 10 Aug 2018 23:11:57 -0400 Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w7B0d0Yd178763; Sat, 11 Aug 2018 00:39:00 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : subject : message-id : references : mime-version : content-type : in-reply-to; s=corp-2018-07-02; bh=kGriiRvaEJZkhi+Lyu+MC6HbJz34ewVUpzQb2zRP+9I=; b=JRfTZtg2ad5i4KaKfQ7EyJB9L+VM8BHmmfvxLpU3mOcDIrIrzEk2mhP4Bc9CLF1efLiw 5YwHJ8+yceqUOfdkSk5pKE5zBk4Ulfimn3QDWXK1Xrvn1wcrRpyCaJ+0/qjHj1j9zzk3 XCYugwZh2MQwhX9PnrsjDNrYk//qdylb3+r4wpGvwKmJR0H3km+3vEf/iABd8KJd4MsL KT9DJLTtPUf3JCrxC1IU/VotdUvHvWeEMeAUmQkrSHiwy/QreIvsCWhNWDCHS7R5Ckay BlKV48G3trFXmcFhA6IIbSRo5dtfDmMRINu/4xiw8ZSxe5HbL5pPMpODYXD3P+2uCY1p 4g== Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by aserp2120.oracle.com with ESMTP id 2kn43p9b5u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sat, 11 Aug 2018 00:39:00 +0000 Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w7B0d0Q3007194 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sat, 11 Aug 2018 00:39:00 GMT Received: from abhmp0018.oracle.com (abhmp0018.oracle.com [141.146.116.24]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w7B0ctwS002509; Sat, 11 Aug 2018 00:38:55 GMT Received: from localhost (/67.169.218.210) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 10 Aug 2018 17:38:55 -0700 Date: Fri, 10 Aug 2018 17:38:52 -0700 From: "Darrick J. Wong" To: "Theodore Y. Ts'o" , Andy Lutomirski , David Howells , "Eric W. Biederman" , Al Viro , John Johansen , Tejun Heo , SELinux-NSA , Paul Moore , Li Zefan , Linux API , apparmor@lists.ubuntu.com, Casey Schaufler , Fenghua Yu , Greg Kroah-Hartman , Eric Biggers , LSM List , Tetsuo Handa , Johannes Weiner , Stephen Smalley , tomoyo-dev-en@lists.sourceforge.jp, "open list:CONTROL GROUP (CGROUP)" , Linus Torvalds , Linux FS Devel , LKML , Miklos Szeredi Subject: Re: BUG: Mount ignores mount options Message-ID: <20180811003852.GA10463@magnolia> References: <20180810153902.GH21087@thunk.org> <87d0uqpba5.fsf@xmission.com> <153313703562.13253.5766498657900728120.stgit@warthog.procyon.org.uk> <22361.1533913891@warthog.procyon.org.uk> <28045.1533916438@warthog.procyon.org.uk> <20180810161400.GA627@thunk.org> <20180810204639.GI627@thunk.org> <20180810221234.GC4211@magnolia> <20180810235447.GK627@thunk.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180810235447.GK627@thunk.org> User-Agent: Mutt/1.9.4 (2018-02-28) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8981 signatures=668707 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1808110005 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 10, 2018 at 07:54:47PM -0400, Theodore Y. Ts'o wrote: > On Fri, Aug 10, 2018 at 03:12:34PM -0700, Darrick J. Wong wrote: > > Hey now, there was a little more nuance to it than that[1][2]. The > > complaint in the first instance had much more to do with breaking > > existing V4 filesystems by adding format requirements that mkfs didn't > > know about when the filesystem was created. Yes, you can create V4 > > filesystems that will hang the system if the log was totally unformatted > > and metadata updates are made, but OTOH it's fairly obvious when that > > happens, you have to be root to mount a disk filesystem, and we try to > > avoid breaking existing users. > > I wasn't thinking about syzbot reports; I've largely written them off > as far as file system testing is concerned, but rather Wen Xu at > Georgia Tech, who is much more reasonable than Dmitry, and has helpeyd > me out a lot; and has complained that the XFS folks haven't been > engaging with him. Ahh, ok. Yes, Wen has been easier to work with, and gives out filesystem images. Hm, I'll go comb the bugzilla again... > In either case, both security researchers are fuzzing file system > images, and then fixing the checksums, and discovering that this can > lead to kernel crashes, and in a few cases, buffer overruns that can > lead to potential privilege escalations. Wen can generate reports > faster than syzbot, but at least he gives me file system images (as > opposed to having to dig them out of syzbot repro C files) and he > actually does some analysis and explains what he thinks is going on. (FWIW I tried to figure out how to add fs image dumping to syzbot and whoah that was horrifying. > I don't think anyone was claiming that format requirements should be > added to ext4 or xfs file systems. But rather, that kernel code > should be made more robust against maliciously corrupted file system > images that have valid checksums. I've been more willing to work with > Wen; Dave has expressed the opinion that these are not realistic bug > reports, and since only root can mount file systems, it's not high > priority. I don't think they're high priority either, but they're at least worth /some/ attention. > The reason why I bring this up here is that in container land, there > are those who believe that "container root" should be able to mount > file systems, and if the "container root" isn't trusted, the fact that > the "container root" can crash the host kernel, or worse, corrupt the > host kernel and break out of the container as a result, that would be > sad. > > I was pretty sure most file system developers are on the same page > that allowing untrusted "container roots" the ability to mount > arbitrary block device file systems is insanity. Agreed. > Whether or not we try to fix these sorts of bugs submitted by security > researchers. :-) and agreed. :) --D > - Ted