Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp2525246ybv; Sun, 9 Feb 2020 01:14:05 -0800 (PST) X-Google-Smtp-Source: APXvYqyajricv5I9DodE7HK0PvaXFigFkAZhQf3K7fC8lsYIQJq/afG9o4oAw8wPqUCymKtaWMxF X-Received: by 2002:a05:6830:1607:: with SMTP id g7mr6130951otr.320.1581239644845; Sun, 09 Feb 2020 01:14:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581239644; cv=none; d=google.com; s=arc-20160816; b=HIBVQerJJIfQ5MRMjHZZhCCFDRSHXyc/hRe0Xm1H3RJsjWX/v7oAIouFoBOkPk45We pg/bDKmo9yR0J7RXn1tkMWdCTjdKODLvKYflKcr5MQV7nGWG+s3vyohIlJi8cTGyINSh tFJIFs6APtaHVQ5GJrNQdcLjUyXlNYDOtOTWDfoVfSC1bQI/CFCWb3koUvxGu3kHYgUW i7G0CS5YzQlAIUT+b47N9wHAC63yiuftCI7tGpEB/MNwKWuhm7JaUvkgmT8zNOEOrsIY Me/hB7YPXwPrwraKj4zxe5QSkoE0ynEDi4ObV7QvHVi3Rvtn+K9LbSPrX+/4SadKmScH x06g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=U+8RkHGgZkr7CMmY91mKYsp6ii9WvwuUyL7ZtozTf7A=; b=0a8uwQUuMSolo7amPxGJQfPwZH+Ycyrte27SxyySo6PfDuY7lEplWNbBwp+MTGum2V d1q1Tnao7lokktiqLghDhWtGBJvfCGxz84BmEG2W+vnzov0mkGcPnkVBdW+yqZt0+crH wG2QXFrjPBuOcNb527ccV85ZFl5sb9EMOZwi2h4alxnijus8qjqjX8PyoXERqkagmhD/ C+svpv4SF3mNyHUZ63qCsTc9f0lJc2/4dHf49Lglv5vCcsy4vaF4KYV16cMKwWIQ9tfh LY2p4FMoaotPbsXqXZCVKq08sXO1Mq6hacPiCmll6eR3ey/CQB7ZTvxY750AcXmJEBfe Ey+g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d26si2735265otc.6.2020.02.09.01.13.35; Sun, 09 Feb 2020 01:14:04 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727665AbgBIJNB (ORCPT + 99 others); Sun, 9 Feb 2020 04:13:01 -0500 Received: from mout-p-102.mailbox.org ([80.241.56.152]:47324 "EHLO mout-p-102.mailbox.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726078AbgBIJNB (ORCPT ); Sun, 9 Feb 2020 04:13:01 -0500 Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:105:465:1:2:0]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mout-p-102.mailbox.org (Postfix) with ESMTPS id 48FjxR4HyFzKmMG; Sun, 9 Feb 2020 10:12:59 +0100 (CET) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter02.heinlein-hosting.de (spamfilter02.heinlein-hosting.de [80.241.56.116]) (amavisd-new, port 10030) with ESMTP id nwUnxkLyPZYA; Sun, 9 Feb 2020 10:12:56 +0100 (CET) Date: Sun, 9 Feb 2020 20:12:36 +1100 From: Aleksa Sarai To: Ross Zwisler Cc: Matthew Wilcox , Ross Zwisler , linux-kernel@vger.kernel.org, Mattias Nissler , Benjamin Gordon , Raul Rangel , Micah Morton , Dmitry Torokhov , Jan Kara , David Howells , Alexander Viro , linux-fsdevel@vger.kernel.org Subject: Re: [PATCH v4] Add a "nosymfollow" mount option. Message-ID: <20200209091236.bmozkgo6jvfiakei@yavin> References: <20200131002750.257358-1-zwisler@google.com> <20200131004558.GA6699@bombadil.infradead.org> <20200131015134.5ovxakcavk2x4diz@yavin.dot.cyphar.com> <20200131212021.GA108613@google.com> <20200201062744.fehlhq3jtetfcxuw@yavin.dot.cyphar.com> <20200203221556.GA210383@google.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="w2fwkytlxy5l6uyv" Content-Disposition: inline In-Reply-To: <20200203221556.GA210383@google.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --w2fwkytlxy5l6uyv Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2020-02-03, Ross Zwisler wrote: > On Sat, Feb 01, 2020 at 05:27:44PM +1100, Aleksa Sarai wrote: > > On 2020-01-31, Ross Zwisler wrote: > > > On Fri, Jan 31, 2020 at 12:51:34PM +1100, Aleksa Sarai wrote: > > > If noxdev would involve a pathname traversal to make sure you don't e= ver leave > > > mounts with noxdev set, I think this could potentially cover the use = cases I'm > > > worried about. This would restrict symlink traversal to files within= the same > > > filesystem, and would restrict traversal to both normal and bind moun= ts from > > > within the restricted filesystem, correct? > >=20 > > Yes, but it would have to block all mountpoint crossings including > > bind-mounts, because the obvious way of checking for mountpoint > > crossings (vfsmount comparisons) results in bind-mounts being seen as > > different mounts. This is how LOOKUP_NO_XDEV works. Would this be a > > show-stopped for ChromeOS? > > > > I personally find "noxdev" to be a semantically clearer statement of > > intention ("I don't want any lookup that reaches this mount-point to > > leave") than "nosymfollow" (though to be fair, this is closer in > > semantics to the other "no*" mount flags). But after looking at [1] and > > thinking about it for a bit, I don't really have a problem with either > > solution. >=20 > For ChromeOS we want to protect data both on user-provided filesystems (i= =2Ee. > USB attached drives and the like) as well as on our "stateful" partition.= =20 >=20 > The noxdev mount option would resolve our concerns for user-provided > filesystems, but I don't think that we would be able to use it for statef= ul > because symlinks on stateful that point elsewhere within stable are still= a > security risk. There is more explanation on why this is the case in [1]. > Thank you for linking to that, by the way. >=20 > I think our security concerns around both use cases, user-provided filesy= stems > and the stateful partition, can be resolved in ChromeOS with the nosymfol= low > mount flag. Based on that, my current preference is for the 'nosymfollow' > mount flag. Fair enough. I can work on and send "noxdev" separately -- I only brought it up because the attack scenarios (and connection to openat2) are both fairly similar. --=20 Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH --w2fwkytlxy5l6uyv Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQSxZm6dtfE8gxLLfYqdlLljIbnQEgUCXj/NAQAKCRCdlLljIbnQ EtbUAP9JDuq/b7ffYaKS3Gp4bRaEE8IupMekUzpB87ycOwm45gEAh5As6Y7p7XbA OK6Tp8HF2Vlyq1K17ogTsFV793JOtAM= =PPVH -----END PGP SIGNATURE----- --w2fwkytlxy5l6uyv--