Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp626176imm; Mon, 1 Oct 2018 15:54:00 -0700 (PDT) X-Google-Smtp-Source: ACcGV62V3WSTbXmrFxcK2+rwF5pmRlcnKCwAnqNXRs+DpZFFwdc3Ou6CcUkiL2bop+ytaKvFt54x X-Received: by 2002:a65:4882:: with SMTP id n2-v6mr11506962pgs.225.1538434440646; Mon, 01 Oct 2018 15:54:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538434440; cv=none; d=google.com; s=arc-20160816; b=H4EX3C/bHD6GJHi4hAVBpux6QnlYY39FZ/q02OK/bSqR5Wb4bZyWju18aEn9b32fak DIU1ziv2A37zNLy25WR5ORYjpro7zcUBc4drfEJ/mA8Y8qyzFNE/uuAy/BYVgMWW9l8W +gO9eCnTuJ37D4iTJxtkw0RjS6Gd6uzT/gVgMx1BR88VoD/54jD/RLconLAM4yHX0e+w Jptv7wkZFBtCb22D59FcBPJQ8ptVTQ/G04qLWjGs/CNPpI5CR7K5ZycmiGGHorydWOUP /GKcasknAFbgIm+1tJPm4rRlp1ftDQBgwsum4jzIQBzQWb9SZ+CH47daM6cjNN1C+t/W CoBQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:to :from:date; bh=A41JNKXw8otSjEgIuJvZhdT4Wy1o2dgULoy0P+nsLos=; b=tpuW3bR1Fo626DkuJpqio56tK+vKaIJHSM9vUCglqrApNO2FkxPb3dcPAMWFqXTYNN IubwoPeutBsu7tNZUp+I5Is7EuP5OvQBQVIY06sgtyCThh8z+UNz7FzSaFr9mDsqzHUQ zRQfWV1yjiikL4zQMAUkrVmeT3lrfiei0smEdVGiA+5AguYIA/GL0T4j5z0qk1HaXdFp ognv8r+AQln778xgGgGo9bx/HgGDeLL6nI9HBhSPn0itBNbli6LxO0pLH3FR30UDTmGc Zo0D60m6CiR/OJoKlrH4bPZmjsNGW4aH+KenSYhgNid2bbGSkIufJers8LKi1c3/8ein 6B5A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v4-v6si12010003plp.247.2018.10.01.15.53.45; Mon, 01 Oct 2018 15:54:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726618AbeJBFde (ORCPT + 99 others); Tue, 2 Oct 2018 01:33:34 -0400 Received: from ipmail01.adl6.internode.on.net ([150.101.137.136]:49681 "EHLO ipmail01.adl6.internode.on.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725936AbeJBFde (ORCPT ); Tue, 2 Oct 2018 01:33:34 -0400 Received: from ppp59-167-129-252.static.internode.on.net (HELO dastard) ([59.167.129.252]) by ipmail01.adl6.internode.on.net with ESMTP; 02 Oct 2018 08:23:25 +0930 Received: from dave by dastard with local (Exim 4.80) (envelope-from ) id 1g7749-0006hf-6g; Tue, 02 Oct 2018 08:53:25 +1000 Date: Tue, 2 Oct 2018 08:53:25 +1000 From: Dave Chinner To: "Theodore Y. Ts'o" , Alan Cox , TongZhang , darrick.wong@oracle.com, linux-xfs@vger.kernel.org, LKML , linux-security-module@vger.kernel.org, Wenbo Shen Subject: Re: Leaking Path in XFS's ioctl interface(missing LSM check) Message-ID: <20181001225325.GJ18567@dastard> References: <5EF0D46A-C098-4B51-AD13-225FFCA35D4C@vt.edu> <20180926013329.GD31060@dastard> <20180926192426.472360ea@alans-desktop> <20180927013812.GF31060@dastard> <20180930151652.6975610c@alans-desktop> <20181001002521.GM31060@dastard> <20181001160442.47c798bc@alans-desktop> <20181001152529.GA2549@thunk.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20181001152529.GA2549@thunk.org> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 01, 2018 at 11:25:29AM -0400, Theodore Y. Ts'o wrote: > On Mon, Oct 01, 2018 at 04:04:42PM +0100, Alan Cox wrote: > > > Systems restricted by LSMs to the point where CAP_SYS_ADMIN is not > > > trusted have exactly the same issues. i.e. there's nobody trusted by > > > the kernel to administer the storage stack, and nobody has defined a > > > workable security model that can prevent untrusted users from > > > violating the existing storage trust model.... > > > > With a proper set of LSM checks you can lock the filesystem management > > and enforcement to a particular set of objects. You can build that model > > where for example only an administrative login from a trusted console may > > launch processes to do that management. > > > > Or you could - if things were not going around the LSM hooks. > > It would be useful if anyone actually *wants* to do this thing to > define a formal security model, and detail *everything* that would > need to be changed in order to accomplish it. Just as we don't > speculatively add code "just in case" someone might want to use it > someday, I don't think we should be adding random LSM hooks just > becausre someone *might* want do something. Yeah, that's what I was implying we needed to do - taking the current model and slapping LSM hooks around randomly will only make things break and cause admins to curse us.... > Let's see the use case, and let's see how horrible the changes would > need to be, and how credible we think it is that someone will actually > want to *use* it. I suspect the chagnes will be a really huge number > of places, and not just in XFS.... So do I - the "in root we trust" model is pretty deeply ingrained up and down the storage stack. I also suspect that most of our hardware admin (not just storage) has similar assumptions about the security model they operate in. Cheers, Dave. -- Dave Chinner david@fromorbit.com