Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp621084imm; Mon, 1 Oct 2018 15:47:07 -0700 (PDT) X-Google-Smtp-Source: ACcGV63Ppo3KfxCVHebFWaFoBRuQQDcBH6IQQsTuHdu+/l5/NJHMr0g3XnTrvmkTB62D7gzdGdUw X-Received: by 2002:a17:902:848d:: with SMTP id c13-v6mr13261970plo.303.1538434027520; Mon, 01 Oct 2018 15:47:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538434027; cv=none; d=google.com; s=arc-20160816; b=o7qlZIV2sTr78xynAHMXRtZi3/fSnkAWSHbPEvXaiv9AS2w117fWygmJfFig/tvVAP WEdA6ae/U4I0ujaY5X4dbWcXZbQSPWiOcczPaicAlJ228G5ziUuHgQXYcsY62YhBD6Ci 5HdGJnEzMYoohUaGwPXIY8iPvYn1QvCuVNZgv5815XyZgo2HzjfqBHuszlyXM1Iyo2N2 Bb/Wb3wADLeI+5x8ExAVMpwis/T+CvQrTs4xsX8DXbeBdhUwodzRai0SKUWRdTD7qHWT 6lM8f94u4oRX0kTsFXSRjSztUWfJyQGWBkdGTw8g/2DJzH9Ad8I5EU1ltgkQy6raqY7T jbWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=KhNN8FV3fHllSOy9QwBnQqnNEBKEhSj9geydW9y9To8=; b=l7WywmSGHCJAL6QnOwM1SuYvY3j3WE6ZkyLs7GCPAHdB1Fsw9pu88wbSK95p2iCmLD hydAKiuq8TmSifU55E9BQrT5+sVzVB/M6X3x67BwyE75rf3zVKIAmyYhvEMskdFh94Wn mwG60zBA4ehAKeFPHpDaoWRUMDuiQ8vkhc0zzjPkOFe1Tg2GmnDGZgUG4rZpmmh3/pqe C6xmkAfOmhWZPFP1L51dXblY4AM8tMgyz6WGJG8Y0tIO3kuYTq9T7CkYUyi3BSCvQ6uu 1QCCoKLSH27fN3NWVKzIQaOCHHM9e06dqWgx4xR9TeaDt60T/fB/8/bRvR3mvMAMtub3 BkxA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 62-v6si14354177plc.96.2018.10.01.15.46.52; Mon, 01 Oct 2018 15:47:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726670AbeJBFZf (ORCPT + 99 others); Tue, 2 Oct 2018 01:25:35 -0400 Received: from ipmail01.adl2.internode.on.net ([150.101.137.133]:10454 "EHLO ipmail01.adl2.internode.on.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725878AbeJBFZf (ORCPT ); Tue, 2 Oct 2018 01:25:35 -0400 Received: from ppp59-167-129-252.static.internode.on.net (HELO dastard) ([59.167.129.252]) by ipmail01.adl2.internode.on.net with ESMTP; 02 Oct 2018 08:15:29 +0930 Received: from dave by dastard with local (Exim 4.80) (envelope-from ) id 1g76wS-0006gk-Cq; Tue, 02 Oct 2018 08:45:28 +1000 Date: Tue, 2 Oct 2018 08:45:28 +1000 From: Dave Chinner To: James Morris Cc: "Darrick J. Wong" , Alan Cox , TongZhang , linux-xfs@vger.kernel.org, LKML , linux-security-module@vger.kernel.org, Wenbo Shen Subject: Re: Leaking Path in XFS's ioctl interface(missing LSM check) Message-ID: <20181001224528.GI18567@dastard> References: <5EF0D46A-C098-4B51-AD13-225FFCA35D4C@vt.edu> <20180926013329.GD31060@dastard> <20180926192426.472360ea@alans-desktop> <20180927013812.GF31060@dastard> <20180930151652.6975610c@alans-desktop> <20181001002521.GM31060@dastard> <20181001160442.47c798bc@alans-desktop> <20181001154459.GB5872@magnolia> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 02, 2018 at 06:08:16AM +1000, James Morris wrote: > On Mon, 1 Oct 2018, Darrick J. Wong wrote: > > > If we /did/ replace CAP_SYS_ADMIN checking with a pile of LSM hooks, > > Not sure we'd need a pile of hooks, what about just "read" and "write" > storage admin? > > Or even two new capabilities along these lines, which we convert existing > CAP_SYS_ADMIN etc. to? So instead of having hundreds of management ioctls under CAP_SYS_ADMIN, we'd now have hundreds of non-storage ioctls under CAP_SYS_ADMIN and hundreds of storage ioctls under CAP_SYS_STORAGE_ADMIN? Maybe I'm missing something, but I don't see how that improves the situation w.r.t. locked down LSM configurations? Cheers, Dave. -- Dave Chinner david@fromorbit.com