Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp480381imm; Mon, 1 Oct 2018 13:08:42 -0700 (PDT) X-Google-Smtp-Source: ACcGV63eZzB9gfRSXPbThWvgWec493uT936zV7qTBV5tU+W4bM+naj7gysiyQU+cnbKPBuyTTPtO X-Received: by 2002:a17:902:b03:: with SMTP id 3-v6mr13647876plq.156.1538424522444; Mon, 01 Oct 2018 13:08:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538424522; cv=none; d=google.com; s=arc-20160816; b=Shy4LQZTPT9xdCFDT6y9KulcC5akgYPYxn6WhSKvaCFQZn9nFz0BX8lpfxPpjjBzn1 dHalsMSpwHz6IZeF+5su5yl/bZpAbKNA+kRSIyvVxiQa7QNgeG/z1LaAa2caXLRwSxKH HwHRR1jbL3rlCEBicFCtROoEonlx314+lninUbKEAb++IaR4htyWYo/Emv2bFauy4PE/ 7ZGRWwHMTfgwenrpzEEU9BCaPzOGqKIGKb3JdItzagNfi7RI3+BOIOf3yofwQRuuYUmU dSJHrq8nMEF4Y9v3Sr7D/gfCmLZPdGJAL8n9qovK6vp3+Z1URwJ7xRBppGPCeaRahXKg fIKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=GpbtIZPpmVEVfeAmbQGsdRZ9h5IDiX8GkPwGoWpL2e8=; b=nA7SGZzlJaERmmAaxCYSdhSZGm64S2jHwz2RNUqPM9vFokWDIIMtSN/wn9cu0dow22 l1O4vbt7AldT87Rd2L9DrBcT31bpsG6BBXzm/OFX1Kq0v88Oh49RWlhtk25rrxUUL5+J jjfcd9jSVlpmMVL437rjn5csXLOsGAczVIOyyeVMYKQutBLDjkXYQdr5xkieSFLSP0iG BGwaXSiEdrZ/PBWkABs68WlBNs/dARFG7WzFG0zo03rAJKP0tcTnYONJHYX/iQak2UJY ops2It/r1w8VoXUFS85/VGKWbNBPD+rwSoTfAR1BEbeiDgNLs0Wq31GLuB73T9L/nCnU B+dg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 97-v6si14985163plb.495.2018.10.01.13.08.26; Mon, 01 Oct 2018 13:08:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726313AbeJBCrt (ORCPT + 99 others); Mon, 1 Oct 2018 22:47:49 -0400 Received: from namei.org ([65.99.196.166]:34604 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726149AbeJBCrt (ORCPT ); Mon, 1 Oct 2018 22:47:49 -0400 Received: from localhost (localhost [127.0.0.1]) by namei.org (8.14.4/8.14.4) with ESMTP id w91K8GDP015566; Mon, 1 Oct 2018 20:08:16 GMT Date: Tue, 2 Oct 2018 06:08:16 +1000 (AEST) From: James Morris To: "Darrick J. Wong" cc: Alan Cox , Dave Chinner , TongZhang , linux-xfs@vger.kernel.org, LKML , linux-security-module@vger.kernel.org, Wenbo Shen Subject: Re: Leaking Path in XFS's ioctl interface(missing LSM check) In-Reply-To: <20181001154459.GB5872@magnolia> Message-ID: References: <5EF0D46A-C098-4B51-AD13-225FFCA35D4C@vt.edu> <20180926013329.GD31060@dastard> <20180926192426.472360ea@alans-desktop> <20180927013812.GF31060@dastard> <20180930151652.6975610c@alans-desktop> <20181001002521.GM31060@dastard> <20181001160442.47c798bc@alans-desktop> <20181001154459.GB5872@magnolia> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 1 Oct 2018, Darrick J. Wong wrote: > If we /did/ replace CAP_SYS_ADMIN checking with a pile of LSM hooks, Not sure we'd need a pile of hooks, what about just "read" and "write" storage admin? Or even two new capabilities along these lines, which we convert existing CAP_SYS_ADMIN etc. to? > how do we make sure that we (XFS) avoid breaking existing XFS tools? I > guess the default compatibility handler for all of those new hooks would > be "return capable(CAP_SYS_ADMIN) ? 0 : -EPERM;" and then other LSMs > could restrict that further if so configured. > > Seriously, I don't know that much about how LSMs actually perform > security checks -- it looks like a number of them can be active > simultaneously, and we just call each of them in a chain until one of > them denies permission or we run out of LSMs and allow it? > Correct. > FWIW I didn't have a particular security or threat model in mind when I > made the above list; all I did was break up the existing CAP_SYS_ADMIN > into rough functional areas. Maybe it makes sense, but maybe I'm > rambling. :) > > --D > > > You can build that model where for example only an administrative > > login from a trusted console may launch processes to do that > > management. > > > > Or you could - if things were not going around the LSM hooks. > > > > Alan > -- James Morris