Date: Wed, 26 Sep 2018 19:24:26 +0100
From: Alan Cox
To: Dave Chinner
Cc: TongZhang, darrick.wong@oracle.com, linux-xfs@vger.kernel.org, LKML, linux-security-module@vger.kernel.org, Wenbo Shen
Subject: Re: Leaking Path in XFS's ioctl interface (missing LSM check)
Message-ID: <20180926192426.472360ea@alans-desktop>
In-Reply-To: <20180926013329.GD31060@dastard>
References: <5EF0D46A-C098-4B51-AD13-225FFCA35D4C@vt.edu> <20180926013329.GD31060@dastard>
Organization: Intel Corporation
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 26 Sep 2018 11:33:29 +1000 Dave Chinner wrote:
> On Tue, Sep 25, 2018 at 08:51:50PM -0400, TongZhang wrote:
> > Hi,
> >
> > I'm bringing up this issue again to let LSM developers know the
> > situation, and would like to know your thoughts.
> > Several weeks ago I sent an email to the security list to discuss the issue where
> > XFS's ioctl interface can do things like vfs_readlink without asking LSM's
> > permission, which we think is kind of weird and this kind of operation should be
> > audited by LSM.
>
> These aren't user interfaces. They are filesystem maintenance and
> extension interfaces. They are intended for low level filesystem
> utilities that require complete, unrestricted access to the
> underlying filesystem via holding CAP_SYS_ADMIN in the initns.

CAP_SYS_ADMIN is meaningless in an environment using a strong LSM set up. So what if I have CAP_SYS_ADMIN? In a secure environment low level complete unrestricted access to the file system is most definitely something that should be mediated.

CAP_SYS_ADMIN is also a bit weird because low level access usually implies you can bypass access controls so you should also check CAP_SYS_DAC?

Alan
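To make the disagreement in the thread concrete, here is an added userspace C model (not kernel or XFS code, and not written by anyone in this thread) of an ioctl-style readlink path gated only by a capability check, beside the same path with an LSM hook consulted after the capability check; the task context, the stand-in hook and its "/srv only for confined tasks" policy are constructed assumptions.

```c
/* Added illustration, not kernel code: a capability-only gate versus a
 * capability gate followed by an LSM hook, modelled in userspace. */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* CAP_SYS_ADMIN is capability number 21 in linux/capability.h. */
#define CAP_SYS_ADMIN (1u << 21)

struct task_ctx {
    unsigned int caps;   /* effective capability mask (constructed) */
    bool confined;       /* the LSM has placed this task in a restricted domain */
};

/* Stand-in for capable(): only the capability bit matters. */
static bool capable(const struct task_ctx *t, unsigned int cap)
{
    return (t->caps & cap) != 0;
}

/* Stand-in for an LSM hook such as security_inode_readlink(): under this
 * constructed policy a confined task may only read links under /srv,
 * whatever capabilities it holds. */
static int lsm_inode_readlink(const struct task_ctx *t, const char *path)
{
    if (t->confined && strncmp(path, "/srv/", 5) != 0)
        return -EACCES;
    return 0;
}

/* (a) Maintenance-interface style: CAP_SYS_ADMIN is the only gate, so a
 * confined task holding the capability is never seen by the LSM. */
int readlink_cap_only(const struct task_ctx *t, const char *path)
{
    (void)path;
    if (!capable(t, CAP_SYS_ADMIN))
        return -EPERM;
    return 0;   /* the real code would call vfs_readlink() here */
}

/* (b) Mediated style: same capability gate, then the LSM gets a say. */
int readlink_cap_and_lsm(const struct task_ctx *t, const char *path)
{
    int err;
    if (!capable(t, CAP_SYS_ADMIN))
        return -EPERM;
    err = lsm_inode_readlink(t, path);
    if (err)
        return err;
    return 0;   /* the real code would call vfs_readlink() here */
}
```

The only difference between the two handlers is the single hook call, which is exactly the check the thread says the XFS ioctl path omits.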