Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1441771imm; Wed, 26 Sep 2018 18:38:37 -0700 (PDT) X-Google-Smtp-Source: ACcGV61Rs+J/SKXRb5BXyJK26IHdnjmtQUM6y4VnNncjuI+9sJweyy5vepAAUIvmgraPAGVbbh+q X-Received: by 2002:a63:8442:: with SMTP id k63-v6mr7901280pgd.388.1538012317658; Wed, 26 Sep 2018 18:38:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538012317; cv=none; d=google.com; s=arc-20160816; b=0a5wpaEwzcmtEzashojFVnaQ2S9+twJvmpWG/3uwUbMOKWhmYzrz2tf+oulHqT6nXS /PFmI2Cvdq6jlQjsxbs9nXga7pGfTXS2ohH79Y4kTOzW42iJu1FywG5PaRvMyjD+S62K o2id6hoPoeSNJ3xf42BGVdvdIi/YuR6WYBBrR71pQZvBM8OdqoWX+iFNfoXI19EOklu1 4nBl9VMIiQRF9iRxs60G0Y3FQawAmWA+l0zqzCgb5/ZWQ+CmMSVkoTiTKuv/ftXjbVR4 1MgWetBVWkKHnYB+OhzQbPD7zT7NKY235mr7mA28bmRMSTgNhNot16QC+Y55Njya4QMh YPsg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=ZyNCKpLpIWt+xrxlLHGlSRM1jBkRcBUHHO1iinKv5sw=; b=gaThmBnwRVeSn7vHJk5nV7pFGLhzJVLf0aVSuwkBQGTXM7ajDiMt1p+41KJ/T2tDEF o4OIe00FYywDNpx/uu0k43CNpHhdJTBUADpzurkD4uVMibMfA+82yJdPrGLSRaVCOI2m /852rj4QvRScj9pEYO6DacZXGTOFzV2H6qBIB6s0UqJ3ie7+zFk1TtPf0zua1JdYz7Sz QM13oDMdXO/84rTQD46mqGVcVMRXFWo4H2gqaDzjN7YUxRBV4vVDEOjUM1aZN9bgIhrB YFaI+SFDVwc9cQZCOAaeARRFP/oN+38kxltAt8/HJb+tub/JVGpJjLPkp3TOH7sJO6vB TdsQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id ba6-v6si551306plb.364.2018.09.26.18.38.22; Wed, 26 Sep 2018 18:38:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727116AbeI0HyB (ORCPT + 99 others); Thu, 27 Sep 2018 03:54:01 -0400 Received: from ipmail06.adl2.internode.on.net ([150.101.137.129]:36495 "EHLO ipmail06.adl2.internode.on.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726914AbeI0HyB (ORCPT ); Thu, 27 Sep 2018 03:54:01 -0400 Received: from ppp59-167-129-252.static.internode.on.net (HELO dastard) ([59.167.129.252]) by ipmail06.adl2.internode.on.net with ESMTP; 27 Sep 2018 11:08:13 +0930 Received: from dave by dastard with local (Exim 4.80) (envelope-from ) id 1g5LFs-00081o-32; Thu, 27 Sep 2018 11:38:12 +1000 Date: Thu, 27 Sep 2018 11:38:12 +1000 From: Dave Chinner To: Alan Cox Cc: TongZhang , darrick.wong@oracle.com, linux-xfs@vger.kernel.org, LKML , linux-security-module@vger.kernel.org, Wenbo Shen Subject: Re: Leaking Path in XFS's ioctl interface(missing LSM check) Message-ID: <20180927013812.GF31060@dastard> References: <5EF0D46A-C098-4B51-AD13-225FFCA35D4C@vt.edu> <20180926013329.GD31060@dastard> <20180926192426.472360ea@alans-desktop> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180926192426.472360ea@alans-desktop> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Sep 26, 2018 at 07:24:26PM +0100, Alan Cox wrote: > On Wed, 26 Sep 2018 11:33:29 +1000 > Dave Chinner wrote: > > > On Tue, Sep 25, 2018 at 08:51:50PM -0400, TongZhang wrote: > > > Hi, > > > > > > I'm bringing up this issue again to let of LSM developers know the situation, and would like to know your thoughts. > > > Several weeks ago I sent an email to the security list to discuss the issue where > > > XFS's ioctl interface can do things like vfs_readlink without asking LSM's > > > permission, which we think is kind of weird and this kind of operation should be > > > audited by LSM. > > > > These aren't user interfaces. They are filesystem maintenance and > > extension interfaces. They are intended for low level filesystem > > utilities that require complete, unrestricted access to the > > underlying filesystem via holding CAP_SYSADMIN in the initns. > > CAP_SYS_ADMIN is meaningless in an environment using a strong LSM set up. Sure, but there are so many CAP_SYS_ADMIN-only ioctls in the kernel that have no LSM coverage that this is not an isolated problem that people setting up such systems have to deal with. the LSM hooks are already complex enough without adding hundreds more hooks to control individual ioctl behaviour for every filesystem, device, etc. Unless you are going to add LSM hooks to all ioctls, I don't see much point in singling out one set of ioctls in a way that will break existing configurations. It's just a knee jerk reaction (like ariport security) because it doesn't meaningfully address the problem of all the other management ioctls in the kernel being completely unconstrainted by LSMs. > CAP_SYS_ADMIN is also a bit weird because low level access usually > implies you can bypass access controls so you should also check > CAP_SYS_DAC ? Do you mean CAP_DAC_READ_SEARCH as per the newer handle syscalls? But that only allows bypassing directory search operations, so maybe you mean CAP_DAC_OVERRIDE? Regardless, this horse bolted long before those syscalls were introduced. The time to address this issue was when XFS was merged into linux all those years ago, back when the apps that run in highly secure restricted environments that use these interfaces were being ported to linux. We can't change this now without breaking userspace.... Cheers, Dave. -- Dave Chinner david@fromorbit.com