Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp161642imm; Mon, 1 Oct 2018 08:06:46 -0700 (PDT) X-Google-Smtp-Source: ACcGV62UC6uMzs1a7/c+sUEz9DtpUEoB0pm9mU0RCz2De4srzGnBR9617jYB6pQQSdOVJL00R54k X-Received: by 2002:a17:902:bb96:: with SMTP id m22-v6mr12189269pls.117.1538406406553; Mon, 01 Oct 2018 08:06:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538406406; cv=none; d=google.com; s=arc-20160816; b=JfWEDYuH3voY+22pq7GXaqvWUm2r+bo8v2kZ4cjISBr7zO9Snw08YU2bXO2I1ErehA Ay3O9nUEww50Fbm7CixN4d+33i5BWCR+3D7u/3HOwqLqpsHANHTIL3QJfHhJM+ANnZw1 ghPvYZar3T+GCBbBsIDVJ/+ZBaXcOlqRt6ecOapyDg2PGNCxxtehofNEup/mkweDRx2T OgYFAGTkfpBN2onyRLwkjnmIG29zoPhvqOwO77QfC6gJQJcP2hIMCz+kTkw237U9PAg+ 8xvICTQgyTW3DjXq8v7ELggJJokhsEhbTaqHUyVUrfM1B3AEcprL01YlMbNiKzqUv1aw taoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :date; bh=js3pPw7ddGc8pw6DaEHc9dPKlFZmOn1dmbtk3+pNTsU=; b=ic2HgPYjKm0rBqr+HonSMh0UY75k0aukgW3AQek9Lf4xeQy2eKepFzeLisePSzj5d7 d935Y4KcImtZa4Gq+/pZiWP+SmGr/hHacJ3bEachTGaLh4oV0kB4meuN+EYF09vaAzhP rNa3rVr3SDXf2MrKRWhw5jDO4QImrSU4bxRw3wbl52+nS7xUpGxuzVcXXcJn5WlrtOl6 E9ytbU4vnv8neYu449Fz1XRpd8oRWUUi4/bPRY5iEXv3lno8NUf/oWAxwVeFicEyti31 VvRGxkXqV+nJqNDGpy4qV9G2GeRJAOM1JrKWUpONAxlTZoRmw3bHOvlOjwZAOy/nUsPA 1drQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z11-v6si8807850pgs.323.2018.10.01.08.06.31; Mon, 01 Oct 2018 08:06:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729593AbeJAVnF (ORCPT + 99 others); Mon, 1 Oct 2018 17:43:05 -0400 Received: from www.llwyncelyn.cymru ([82.70.14.225]:44932 "EHLO fuzix.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729439AbeJAVnF (ORCPT ); Mon, 1 Oct 2018 17:43:05 -0400 Received: from alans-desktop (82-70-14-226.dsl.in-addr.zen.co.uk [82.70.14.226]) by fuzix.org (8.15.2/8.15.2) with ESMTP id w91F4h89002432; Mon, 1 Oct 2018 16:04:43 +0100 Date: Mon, 1 Oct 2018 16:04:42 +0100 From: Alan Cox To: Dave Chinner Cc: TongZhang , darrick.wong@oracle.com, linux-xfs@vger.kernel.org, LKML , linux-security-module@vger.kernel.org, Wenbo Shen Subject: Re: Leaking Path in XFS's ioctl interface(missing LSM check) Message-ID: <20181001160442.47c798bc@alans-desktop> In-Reply-To: <20181001002521.GM31060@dastard> References: <5EF0D46A-C098-4B51-AD13-225FFCA35D4C@vt.edu> <20180926013329.GD31060@dastard> <20180926192426.472360ea@alans-desktop> <20180927013812.GF31060@dastard> <20180930151652.6975610c@alans-desktop> <20181001002521.GM31060@dastard> Organization: Intel Corporation X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > /* only root can play with this */ > if (!capable(CAP_SYS_ADMIN)) > return -EACCES; > > Think about it - if DM control ioctls only require CAP_SYS_ADMIN, > then if have that cap you can use DM to remap any block in a block > device to any other block. You don't need to the filesystem to move > stuff around, it can be moved around without the filesystem knowing > anything about it. Yes - I am not surprised the XFS is not the only problem area. The fact XFS also isn't going via the security hooks so security hooks can fix it just makes it worse. > > That's what people said about setuid shell scripts. > > Completely different. setuid shell scripts got abused as a hack for > the lazy to avoid setting up permissions properly and hence were > easily exploited. Sounds to me like an accurate description of the current capabilities mess in the kernel (and not just XFS and not just file systems) > Systems restricted by LSMs to the point where CAP_SYS_ADMIN is not > trusted have exactly the same issues. i.e. there's nobody trusted by > the kernel to administer the storage stack, and nobody has defined a > workable security model that can prevent untrusted users from > violating the existing storage trust model.... With a proper set of LSM checks you can lock the filesystem management and enforcement to a particular set of objects. You can build that model where for example only an administrative login from a trusted console may launch processes to do that management. Or you could - if things were not going around the LSM hooks. Alan