Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp1869349imm; Tue, 2 Oct 2018 15:43:20 -0700 (PDT) X-Google-Smtp-Source: ACcGV624PIv34qAEFI8VL26gbqYJMk5ghN4In95R/UJdSLgHrAT0k+1ADsEQeMI4LxbVuPu5HHO+ X-Received: by 2002:a65:580d:: with SMTP id g13-v6mr15668290pgr.370.1538520200194; Tue, 02 Oct 2018 15:43:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538520200; cv=none; d=google.com; s=arc-20160816; b=dxGbLONLP3RXN8x6hPcKefK0oiofmotplX0Px02SWXW3kLAevCBYptOTZSFM873ooq FVkKbd83bEgZG2Wz8ZwwH5dSxWZokKZKcXD9NrMt1i0RELLBwFRH4nEBtze3uzLkyJQ4 CeMZN1aouu+KcUZQMG7ntw267dCnJS16+A7s3Pwdraykp8iE43Zzg7kx3e96u3zafTRV Ia+o/19vPtJ3hMvKMsyGoEUHWrca5rg3AbhjXsrFUj1/hBi3dVpctwAEgBLncml0Z8o5 yrJ5Y9fbRCab/BbC8j8nGvai9w9k8eyMZsS2hqgaQp5o5euX+9DHPnjv6r7hHF/KYr0W V0hA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=gx/HYg4t4iMbLdPaOJxTVKc5w6RgeHF3KSfI0pryK1Y=; b=nZCjY/keX6Ay1n8pCb8PhdDrXUhgd3l/HK669j0bx8G5/xiAnQOUEZNczgpDYNCdMl 6wR/lIZ5IJ2eiGkWIzL5LnDfQvP869TIs3Y/HuRg5ulVIZP9T3jitkppDZ8HdNUssjAP xD2c3D7sBFxwbwuBnnVNMq/6rlnQrNYVRsWtxAYB3p+sLTKf4747VKvN/Owc7H+sJiMb EGhRnfkS661TgHopjWTpeLJY7qnhz9dEek7kJRpqQGvRIPLhriRclc82g3yshXm2fxBQ ksV2suMyxX6g7z225Mx9Fo5UXWWONwKTMSF5DV4XYI/L2uEPKv8lNunOEBgBn4PRrVOg VPUQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 64-v6si16381892plk.257.2018.10.02.15.43.05; Tue, 02 Oct 2018 15:43:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728430AbeJCF2X (ORCPT + 99 others); Wed, 3 Oct 2018 01:28:23 -0400 Received: from ipmailnode02.adl6.internode.on.net ([150.101.137.148]:58202 "EHLO ipmailnode02.adl6.internode.on.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726731AbeJCF2X (ORCPT ); Wed, 3 Oct 2018 01:28:23 -0400 Received: from ppp59-167-129-252.static.internode.on.net (HELO dastard) ([59.167.129.252]) by ipmail02.adl6.internode.on.net with ESMTP; 03 Oct 2018 08:12:41 +0930 Received: from dave by dastard with local (Exim 4.80) (envelope-from ) id 1g7TNI-0008A7-Op; Wed, 03 Oct 2018 08:42:40 +1000 Date: Wed, 3 Oct 2018 08:42:40 +1000 From: Dave Chinner To: James Morris Cc: "Darrick J. Wong" , Alan Cox , TongZhang , linux-xfs@vger.kernel.org, LKML , linux-security-module@vger.kernel.org, Wenbo Shen , Stephen Smalley , Paul Moore Subject: Re: Leaking Path in XFS's ioctl interface(missing LSM check) Message-ID: <20181002224240.GP18567@dastard> References: <20180926013329.GD31060@dastard> <20180926192426.472360ea@alans-desktop> <20180927013812.GF31060@dastard> <20180930151652.6975610c@alans-desktop> <20181001002521.GM31060@dastard> <20181001160442.47c798bc@alans-desktop> <20181001154459.GB5872@magnolia> <20181001224528.GI18567@dastard> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 03, 2018 at 05:20:31AM +1000, James Morris wrote: > On Tue, 2 Oct 2018, Dave Chinner wrote: > > > On Tue, Oct 02, 2018 at 06:08:16AM +1000, James Morris wrote: > > > On Mon, 1 Oct 2018, Darrick J. Wong wrote: > > > > > > > If we /did/ replace CAP_SYS_ADMIN checking with a pile of LSM hooks, > > > > > > Not sure we'd need a pile of hooks, what about just "read" and "write" > > > storage admin? > > > > > > Or even two new capabilities along these lines, which we convert existing > > > CAP_SYS_ADMIN etc. to? > > > > So instead of having hundreds of management ioctls under > > CAP_SYS_ADMIN, we'd now have hundreds of non-storage ioctls under > > CAP_SYS_ADMIN and hundreds of storage ioctls under > > CAP_SYS_STORAGE_ADMIN? > > > > Maybe I'm missing something, but I don't see how that improves the > > situation w.r.t. locked down LSM configurations? > > I'm not sure about capabilities, but having two specific LSM hooks for > storage admin would allow SELinux et al to explicitly control privileged > access to these interfaces. Storage admin seems to be a special case of > its own which we want to be able to mediate as such. Perhaps so - as a stepping stone it would allow isolation in specific cases where no management should be allowed, but there are cases with modern filesystems where users need access to storage APIs. e.g. It's entirely plausible that /home is set up as a subvolume per user, and that subvols in a fileystem can be independently snapshotted. Hence it would be completely acceptible to allow users to have access to snapshot management APIs to be able to snapshot their home directories for backup/rollback purposes. Hence I'm not sure that black/white storage admin LSM hooks are a solution that will end up being particularly useful to the wider population... Cheers, Dave. -- Dave Chinner david@fromorbit.com