Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp5318055imu;
        Tue, 29 Jan 2019 17:16:07 -0800 (PST)
X-Google-Smtp-Source: ALg8bN5b/PKpC/ZNg1pwwcr3cU4HB5izFjvkBVAt84IM6Gg5zerXYbBkQwobQfLkTlNk4FzMMF5C
X-Received: by 2002:a62:ed0f:: with SMTP id u15mr27861805pfh.188.1548810967501;
        Tue, 29 Jan 2019 17:16:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1548810967; cv=none;
        d=google.com; s=arc-20160816;
        b=KjtOPJbgkKf3Wuj2qXm8NVoq+IJ7RLjwtkh4l47v8W+GFCFZ0//nRTAIKvJ088GV/a
         5+5MhTpbch8WBOUBDw34oox132Rj5MMDPw2HQQHp8g/ZWdkhJnlMVbu/D1F7PAztb0S5
         THQGY9qi38XFiajH2N9iIaxrgteAOF3v0QUAbwHfnzcq+F2G3FVGuEpxS0Ng8d8ta0WU
         WxpUm5eW2hbaOqSMmmPramW9EOV3PmY3OSCotBmXRGzKJxHdJyfzWE1goP6f9JTWrtA4
         1GQFxIfNWCIyJcJ5QB7R13oyzlyfe/2nG8lDD0TpZ3+la2ksL/TlZcCUuaoPy6msM9Z2
         tWXg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:subject:mime-version:user-agent
         :message-id:in-reply-to:date:references:cc:to:from;
        bh=jflAKlv7JyJlzsuiDaW9vyZlOryEj1Kh6Wde/HHEBeg=;
        b=tl6P/Murq/RRD8eegftDFkry5DJ/55Z+fxqepHcAY56OW5XzAW//n4zShZcPZv9k7r
         OHaAtbofQK/ngXaTFa1DWrnbN8qGmtTQGqzYCs/ki9MvX5KaEeXVg2OzEXtsTAeCIDd0
         2PDS17dJJFni4AzXUzkNA+Z64dLr/VjFK39t2SNChxnPRv7ievT96yspKT3KzrkX14of
         NMXlN/nvXxucicRKRBEkNwN9+GbuRwbCu5zVk2rCguXnx7km4scQLc/6SoJ7CNGNZoO4
         M1TmtcPtadRLRUVURsXm0gwgsqnGJzpIWD1Y8dxBLR/tiT8gWGMoKH/giEg4b8ztD0tQ
         IM6A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w24si16526pgj.582.2019.01.29.17.15.49;
        Tue, 29 Jan 2019 17:16:07 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727657AbfA3BPn (ORCPT <rfc822;mailist1go@gmail.com>
        + 99 others); Tue, 29 Jan 2019 20:15:43 -0500
Received: from out02.mta.xmission.com ([166.70.13.232]:58926 "EHLO
        out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727360AbfA3BPm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 29 Jan 2019 20:15:42 -0500
Received: from in01.mta.xmission.com ([166.70.13.51])
        by out02.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1goeTc-0002AC-CV; Tue, 29 Jan 2019 18:15:40 -0700
Received: from ip68-227-174-240.om.om.cox.net ([68.227.174.240] helo=x220.xmission.com)
        by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.87)
        (envelope-from <ebiederm@xmission.com>)
        id 1goeTU-0001uL-3l; Tue, 29 Jan 2019 18:15:40 -0700
From:   ebiederm@xmission.com (Eric W. Biederman)
To:     Casey Schaufler <casey@schaufler-ca.com>
Cc:     linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org,
        linux-kernel@vger.kernel.org, Al Viro <viro@ZenIV.linux.org.uk>,
        David Howells <dhowells@redhat.com>,
        Miklos Szeredi <miklos@szeredi.hu>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Karel Zak <kzak@redhat.com>, util-linux@vger.kernel.org,
        Andy Lutomirski <luto@amacapital.net>,
        LSM <linux-security-module@vger.kernel.org>
References: <87va2716mh.fsf@xmission.com>
        <03e0993b-21db-1cc4-7a33-0236de7be20d@schaufler-ca.com>
Date:   Tue, 29 Jan 2019 19:15:24 -0600
In-Reply-To: <03e0993b-21db-1cc4-7a33-0236de7be20d@schaufler-ca.com> (Casey
        Schaufler's message of "Tue, 29 Jan 2019 15:01:30 -0800")
Message-ID: <87r2cvx7wz.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1goeTU-0001uL-3l;;;mid=<87r2cvx7wz.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=68.227.174.240;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX19La0tLEdMoNsFbY1kV/YcC6iakVc8jSrQ=
X-SA-Exim-Connect-IP: 68.227.174.240
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on sa03.xmission.com
X-Spam-Level: 
X-Spam-Status: No, score=-0.2 required=8.0 tests=ALL_TRUSTED,BAYES_50,
        DCC_CHECK_NEGATIVE,T_TM2_M_HEADER_IN_MSG autolearn=disabled
        version=3.4.2
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.5000]
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa03 1397; Body=1 Fuz1=1 Fuz2=1]
X-Spam-DCC: XMission; sa03 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ;Casey Schaufler <casey@schaufler-ca.com>
X-Spam-Relay-Country: 
X-Spam-Timing: total 7930 ms - load_scoreonly_sql: 0.03 (0.0%),
        signal_user_changed: 2.3 (0.0%), b_tie_ro: 1.64 (0.0%), parse: 0.62
        (0.0%), extract_message_metadata: 9 (0.1%), get_uri_detail_list: 1.57
        (0.0%), tests_pri_-1000: 3.5 (0.0%), tests_pri_-950: 1.07 (0.0%),
        tests_pri_-900: 0.87 (0.0%), tests_pri_-90: 22 (0.3%), check_bayes: 21
        (0.3%), b_tokenize: 6 (0.1%), b_tok_get_all: 7 (0.1%), b_comp_prob:
        2.0 (0.0%), b_tok_touch_all: 2.9 (0.0%), b_finish: 0.53 (0.0%),
        tests_pri_0: 1312 (16.5%), check_dkim_signature: 0.39 (0.0%),
        check_dkim_adsp: 2.3 (0.0%), poll_dns_idle: 6568 (82.8%),
        tests_pri_10: 2.9 (0.0%), tests_pri_500: 6573 (82.9%), rewrite_mail:
        0.00 (0.0%)
Subject: Re: [RFD] A mount api that notices previous mounts
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Casey Schaufler <casey@schaufler-ca.com> writes:

> On 1/29/2019 1:44 PM, Eric W. Biederman wrote:
>> All,
>>
>> With the existing mount API it is possible to mount a filesystem
>> like:
>>
>> mount -t ext4 /dev/sda1 -o user_xattr /some/path
>> mount -t ext4 /dev/sda1 -o nouser_xattr /some/other/path
>>
>> And have both mount commands succeed and have two mounts of the same
>> filesystem.  If the mounter is not attentive or the first mount is added
>> earlier it may not be immediately noticed that a mount option that is
>> needed for the correct operation or the security of the system is lost.
>>
>> We have seen this failure mode with both devpts and proc.  So it is not
>> theoretical, and it has resulted in CVEs.
>>
>> In some cases the existing mount API (such as a conflict between ro and
>> rw) handles this by returning -EBUSY.  So we may be able to correct this
>> in the existing mount API.  But it is always very tricky to to get
>> adequate testing for a change like that to avoid regressions, so I am
>> proposing we change this in the new mount api.
>>
>> This has been brought up before and I have been told it is technically
>> infeasible to make this work.  To counter that I have sat down and
>> implemented it.
>>
>> The basic idea is:
>>  - get a handle to a filesystem
>>    (passing enough options to uniquely identify the super block).
>>    Also capture enough state in the file handle to let you know if
>>    the file system has it's mount options changed between system calls.
>>    (essentially this is just the fs code that calls sget)
>>
>>  - If the super block has not been configured allow setting the file
>>    systems options.
>>
>>  - If the super block has already been configured require reading the
>>    file systems mount options before setting/updating the file systems
>>    mount options.
>>
>> To complement that I have functionality that:
>>  - Allows reading a file systems current mount options.
>>  - Allows reading the mount options that are needed to get a handle to
>>    the filesystem.  For most filesystems it is just the block device
>>    name.  For nfs is is essentially all mount options.  For btrfs
>>    it is the block device name, and the "devices=" mount option for
>>    secondary block device names.
>
> Are you taking the LSM specific mount options into account?

In the design yes, and I allow setting them.  It appears in the code
to retrieve the mount options I forgot to call security_sb_show_options.

For finding the super block that you are going to mount the LSM mount
options are not relevant.  Even nfs will not want to set those early as
they do not help determine the nfs super block.  So the only place where
there is anything interesting in my api is in reading back the security
options so they can be compared to the options the mounter is setting.

I will add the missing call to security_sb_show_options which is enough
to fix selinux.  Unfortunately smack does not currently implement
.sb_show_options.  Not implementing smack_sb_show_options means
/proc/mounts fails to match /etc/mtab which is a bug and it is likely
a real workd bug for the people who use smack and don't want to depend
on /etc/mtab, or are transitioning away from it.

Casey do you want to implement smack_sb_show_options or should I put it
on my todo list?

Eric