From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: Andy Lutomirski <luto@kernel.org>
Cc: David Howells <dhowells@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Al Viro <viro@zeniv.linux.org.uk>,
John Johansen <john.johansen@canonical.com>,
Tejun Heo <tj@kernel.org>, SELinux-NSA <selinux@tycho.nsa.gov>,
Paul Moore <paul@paul-moore.com>, Li Zefan <lizefan@huawei.com>,
Linux API <linux-api@vger.kernel.org>,
apparmor@lists.ubuntu.com,
Casey Schaufler <casey@schaufler-ca.com>,
Fenghua Yu <fenghua.yu@intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Eric Biggers <ebiggers@google.com>,
LSM List <linux-security-module@vger.kernel.org>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Johannes Weiner <hannes@cmpxchg.org>,
Stephen Smalley <sds@tycho.nsa.gov>,
tomoyo-dev-en@lists.sourceforge.jp, open list:CONTROL GR
Subject: Re: BUG: Mount ignores mount options
Date: Fri, 10 Aug 2018 16:46:39 -0400 [thread overview]
Message-ID: <20180810204639.GI627@thunk.org> (raw)
In-Reply-To: <CALCETrXC8Z-q+PzzqMC-McA7UdmFubVcs2dVsT0Dt+GbSqjF5A@mail.gmail.com>
On Fri, Aug 10, 2018 at 01:06:54PM -0700, Andy Lutomirski wrote:
> If the same block device is visible, with rw access, in two different
> containers, I don't see any anything good can happen.
It's worse than that. I've fixed a lot of bugs which cause the kernel
to crash, and a few that might be levered into a privilege escalationh
attack, when you mount a maliciously corrupted file system using ext4.
I'm told told the security researcher filed similar reports with the
XFS community, and he was told, "that's what metadata checksums are
for; go away". Given how much time it takes to work with these
security researchers, I don't blame them.
But in light of that, I'd make a somewhat stronger statement. If you
let an untrusted container mount arbitrary block devices where they
have rw acccess to the underlying block device, nothing good can
happen. Period. :-)
Which is why I don't think the lack of being able to reject
"conflicting mount options" is really all that important. It
certainly shouldn't block the fsopen patch series. #1, it's a problem
we have today, and #2, I'm really not all sure supporting bind mounts
via specifying block device was ever a good idea to begin with. And
#3, while I've been fixing ext4 against security issues caused by
maliciously corrupted file system images, I'm still sure that allowing
untrusted containers access to mount *any* file system via a block
device for which they have r/w access is a Really Bad Idea.
> It seems to me that the current approach mostly involves crossing our fingers.
Agreed!
- Ted
WARNING: multiple messages have this Message-ID (diff)
From: tytso@mit.edu (Theodore Y. Ts'o)
To: linux-security-module@vger.kernel.org
Subject: BUG: Mount ignores mount options
Date: Fri, 10 Aug 2018 16:46:39 -0400 [thread overview]
Message-ID: <20180810204639.GI627@thunk.org> (raw)
In-Reply-To: <CALCETrXC8Z-q+PzzqMC-McA7UdmFubVcs2dVsT0Dt+GbSqjF5A@mail.gmail.com>
On Fri, Aug 10, 2018 at 01:06:54PM -0700, Andy Lutomirski wrote:
> If the same block device is visible, with rw access, in two different
> containers, I don't see any anything good can happen.
It's worse than that. I've fixed a lot of bugs which cause the kernel
to crash, and a few that might be levered into a privilege escalationh
attack, when you mount a maliciously corrupted file system using ext4.
I'm told told the security researcher filed similar reports with the
XFS community, and he was told, "that's what metadata checksums are
for; go away". Given how much time it takes to work with these
security researchers, I don't blame them.
But in light of that, I'd make a somewhat stronger statement. If you
let an untrusted container mount arbitrary block devices where they
have rw acccess to the underlying block device, nothing good can
happen. Period. :-)
Which is why I don't think the lack of being able to reject
"conflicting mount options" is really all that important. It
certainly shouldn't block the fsopen patch series. #1, it's a problem
we have today, and #2, I'm really not all sure supporting bind mounts
via specifying block device was ever a good idea to begin with. And
#3, while I've been fixing ext4 against security issues caused by
maliciously corrupted file system images, I'm still sure that allowing
untrusted containers access to mount *any* file system via a block
device for which they have r/w access is a Really Bad Idea.
> It seems to me that the current approach mostly involves crossing our fingers.
Agreed!
- Ted
WARNING: multiple messages have this Message-ID (diff)
From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: Andy Lutomirski <luto@kernel.org>
Cc: David Howells <dhowells@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Al Viro <viro@zeniv.linux.org.uk>,
John Johansen <john.johansen@canonical.com>,
Tejun Heo <tj@kernel.org>, SELinux-NSA <selinux@tycho.nsa.gov>,
Paul Moore <paul@paul-moore.com>, Li Zefan <lizefan@huawei.com>,
Linux API <linux-api@vger.kernel.org>,
apparmor@lists.ubuntu.com,
Casey Schaufler <casey@schaufler-ca.com>,
Fenghua Yu <fenghua.yu@intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Eric Biggers <ebiggers@google.com>,
LSM List <linux-security-module@vger.kernel.org>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Johannes Weiner <hannes@cmpxchg.org>,
Stephen Smalley <sds@tycho.nsa.gov>,
tomoyo-dev-en@lists.sourceforge.jp,
"open list:CONTROL GROUP (CGROUP)" <cgroups@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Miklos Szeredi <miklos@szeredi.hu>
Subject: Re: BUG: Mount ignores mount options
Date: Fri, 10 Aug 2018 16:46:39 -0400 [thread overview]
Message-ID: <20180810204639.GI627@thunk.org> (raw)
In-Reply-To: <CALCETrXC8Z-q+PzzqMC-McA7UdmFubVcs2dVsT0Dt+GbSqjF5A@mail.gmail.com>
On Fri, Aug 10, 2018 at 01:06:54PM -0700, Andy Lutomirski wrote:
> If the same block device is visible, with rw access, in two different
> containers, I don't see any anything good can happen.
It's worse than that. I've fixed a lot of bugs which cause the kernel
to crash, and a few that might be levered into a privilege escalationh
attack, when you mount a maliciously corrupted file system using ext4.
I'm told told the security researcher filed similar reports with the
XFS community, and he was told, "that's what metadata checksums are
for; go away". Given how much time it takes to work with these
security researchers, I don't blame them.
But in light of that, I'd make a somewhat stronger statement. If you
let an untrusted container mount arbitrary block devices where they
have rw acccess to the underlying block device, nothing good can
happen. Period. :-)
Which is why I don't think the lack of being able to reject
"conflicting mount options" is really all that important. It
certainly shouldn't block the fsopen patch series. #1, it's a problem
we have today, and #2, I'm really not all sure supporting bind mounts
via specifying block device was ever a good idea to begin with. And
#3, while I've been fixing ext4 against security issues caused by
maliciously corrupted file system images, I'm still sure that allowing
untrusted containers access to mount *any* file system via a block
device for which they have r/w access is a Really Bad Idea.
> It seems to me that the current approach mostly involves crossing our fingers.
Agreed!
- Ted
next prev parent reply other threads:[~2018-08-10 20:46 UTC|newest]
Thread overview: 222+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-01 15:23 [PATCH 00/33] VFS: Introduce filesystem context [ver #11] David Howells
2018-08-01 15:23 ` David Howells
2018-08-01 15:23 ` David Howells
2018-08-01 15:24 ` [PATCH 01/33] vfs: syscall: Add open_tree(2) to reference or clone a mount " David Howells
2018-08-02 17:31 ` Alan Jenkins
2018-08-02 21:29 ` Al Viro
2018-08-02 21:29 ` Al Viro
2018-08-02 21:51 ` David Howells
2018-08-02 23:46 ` Alan Jenkins
2018-08-01 15:24 ` [PATCH 02/33] vfs: syscall: Add move_mount(2) to move mounts around " David Howells
2018-08-01 15:24 ` [PATCH 03/33] teach move_mount(2) to work with OPEN_TREE_CLONE " David Howells
2018-10-12 14:25 ` Alan Jenkins
2018-08-01 15:24 ` [PATCH 04/33] vfs: Suppress MS_* flag defs within the kernel unless explicitly enabled " David Howells
2018-08-01 15:24 ` [PATCH 05/33] vfs: Introduce the basic header for the new mount API's filesystem context " David Howells
2018-08-01 15:24 ` [PATCH 06/33] vfs: Introduce logging functions " David Howells
2018-08-01 15:24 ` [PATCH 07/33] vfs: Add configuration parser helpers " David Howells
2018-08-01 15:24 ` [PATCH 08/33] vfs: Add LSM hooks for the new mount API " David Howells
2018-08-01 15:24 ` David Howells
2018-08-01 20:50 ` James Morris
2018-08-01 20:50 ` James Morris
2018-08-01 22:53 ` David Howells
2018-08-01 22:53 ` David Howells
2018-08-01 15:25 ` [PATCH 09/33] selinux: Implement the new mount API LSM hooks " David Howells
2018-08-01 15:25 ` David Howells
2018-08-01 15:25 ` [PATCH 10/33] smack: Implement filesystem context security " David Howells
2018-08-01 15:25 ` David Howells
2018-08-01 15:25 ` [PATCH 11/33] apparmor: Implement security hooks for the new mount API " David Howells
2018-08-01 15:25 ` David Howells
2018-08-01 15:25 ` [PATCH 12/33] tomoyo: " David Howells
2018-08-01 15:25 ` David Howells
2018-08-01 15:25 ` [PATCH 13/33] vfs: Separate changing mount flags full remount " David Howells
2018-08-01 15:25 ` [PATCH 14/33] vfs: Implement a filesystem superblock creation/configuration context " David Howells
2018-09-11 17:46 ` Guenter Roeck
2018-09-11 21:52 ` David Howells
2018-09-11 22:07 ` Guenter Roeck
2018-09-11 23:17 ` David Howells
2018-09-11 23:54 ` Guenter Roeck
2018-09-18 9:07 ` Sergey Senozhatsky
2018-09-18 9:40 ` Sergey Senozhatsky
2018-09-18 14:06 ` Guenter Roeck
2018-09-19 1:12 ` Sergey Senozhatsky
2018-09-19 1:26 ` Sergey Senozhatsky
2018-09-18 15:34 ` David Howells
2018-09-18 16:39 ` David Howells
2018-09-18 17:43 ` David Howells
2018-09-19 1:15 ` Sergey Senozhatsky
2018-09-18 9:54 ` Sergey Senozhatsky
2018-09-18 15:28 ` David Howells
2018-08-01 15:25 ` [PATCH 15/33] vfs: Remove unused code after filesystem context changes " David Howells
2018-08-01 15:25 ` [PATCH 16/33] procfs: Move proc_fill_super() to fs/proc/root.c " David Howells
2018-08-01 15:26 ` [PATCH 17/33] proc: Add fs_context support to procfs " David Howells
2018-08-01 15:26 ` [PATCH 18/33] ipc: Convert mqueue fs to fs_context " David Howells
2018-08-01 15:26 ` [PATCH 19/33] cpuset: Use " David Howells
2018-08-01 15:26 ` [PATCH 20/33] kernfs, sysfs, cgroup, intel_rdt: Support " David Howells
2018-08-01 15:26 ` [PATCH 21/33] hugetlbfs: Convert to " David Howells
2018-08-01 15:26 ` [PATCH 22/33] vfs: Remove kern_mount_data() " David Howells
2018-08-01 15:26 ` [PATCH 23/33] vfs: Provide documentation for new mount API " David Howells
2018-08-01 15:26 ` [PATCH 24/33] Make anon_inodes unconditional " David Howells
2018-08-01 15:26 ` [PATCH 25/33] vfs: syscall: Add fsopen() to prepare for superblock creation " David Howells
2018-08-01 15:27 ` [PATCH 26/33] vfs: Implement logging through fs_context " David Howells
2018-08-01 15:27 ` [PATCH 27/33] vfs: Add some logging to the core users of the fs_context log " David Howells
2018-08-01 15:27 ` [PATCH 28/33] vfs: syscall: Add fsconfig() for configuring and managing a context " David Howells
2018-08-06 17:28 ` Eric W. Biederman
2018-08-09 14:14 ` David Howells
2018-08-09 14:14 ` David Howells
2018-08-09 14:24 ` David Howells
2018-08-09 14:24 ` David Howells
2018-08-09 14:35 ` Miklos Szeredi
2018-08-09 16:33 ` David Howells
2018-08-11 20:20 ` David Howells
2018-08-11 23:26 ` Andy Lutomirski
2018-08-09 15:32 ` Eric W. Biederman
2018-08-01 15:27 ` [PATCH 29/33] vfs: syscall: Add fsmount() to create a mount for a superblock " David Howells
2018-08-01 15:27 ` [PATCH 30/33] vfs: syscall: Add fspick() to select a superblock for reconfiguration " David Howells
2018-08-24 14:51 ` Miklos Szeredi
2018-08-24 14:54 ` Andy Lutomirski
2018-08-01 15:27 ` [PATCH 31/33] afs: Add fs_context support " David Howells
2018-08-01 15:27 ` [PATCH 32/33] afs: Use fs_context to pass parameters over automount " David Howells
2018-08-01 15:27 ` [PATCH 33/33] vfs: Add a sample program for the new mount API " David Howells
2018-08-10 14:05 ` BUG: Mount ignores mount options Eric W. Biederman
2018-08-10 14:05 ` Eric W. Biederman
2018-08-10 14:05 ` Eric W. Biederman
2018-08-10 14:36 ` Andy Lutomirski
2018-08-10 14:36 ` Andy Lutomirski
2018-08-10 14:36 ` Andy Lutomirski
2018-08-10 15:13 ` David Howells
2018-08-10 15:13 ` David Howells
2018-08-10 15:13 ` David Howells
2018-08-10 15:17 ` Eric W. Biederman
2018-08-10 15:17 ` Eric W. Biederman
2018-08-10 15:17 ` Eric W. Biederman
2018-08-10 15:24 ` Al Viro
2018-08-10 15:24 ` Al Viro
2018-08-10 15:24 ` Al Viro
2018-08-10 15:11 ` David Howells
2018-08-10 15:11 ` David Howells
2018-08-10 15:11 ` David Howells
2018-08-10 15:39 ` Theodore Y. Ts'o
2018-08-10 15:39 ` Theodore Y. Ts'o
2018-08-10 15:39 ` Theodore Y. Ts'o
2018-08-10 15:39 ` Theodore Y. Ts'o
2018-08-10 15:53 ` David Howells
2018-08-10 15:53 ` David Howells
2018-08-10 15:53 ` David Howells
2018-08-10 16:14 ` Theodore Y. Ts'o
2018-08-10 16:14 ` Theodore Y. Ts'o
2018-08-10 16:14 ` Theodore Y. Ts'o
2018-08-10 16:14 ` Theodore Y. Ts'o
2018-08-10 20:06 ` Andy Lutomirski
2018-08-10 20:06 ` Andy Lutomirski
2018-08-10 20:06 ` Andy Lutomirski
2018-08-10 20:46 ` Theodore Y. Ts'o [this message]
2018-08-10 20:46 ` Theodore Y. Ts'o
2018-08-10 20:46 ` Theodore Y. Ts'o
2018-08-10 22:12 ` Darrick J. Wong
2018-08-10 22:12 ` Darrick J. Wong
2018-08-10 22:12 ` Darrick J. Wong
2018-08-10 23:54 ` Theodore Y. Ts'o
2018-08-10 23:54 ` Theodore Y. Ts'o
2018-08-10 23:54 ` Theodore Y. Ts'o
2018-08-10 23:54 ` Theodore Y. Ts'o
[not found] ` <20180810235447.GK627-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2018-08-11 0:38 ` Darrick J. Wong
2018-08-11 0:38 ` Darrick J. Wong
2018-08-11 0:38 ` Darrick J. Wong
2018-08-11 0:38 ` Darrick J. Wong
2018-08-11 1:32 ` Eric W. Biederman
2018-08-11 1:32 ` Eric W. Biederman
2018-08-11 1:32 ` Eric W. Biederman
2018-08-13 16:35 ` Alan Cox
2018-08-13 16:35 ` Alan Cox
2018-08-13 16:35 ` Alan Cox
2018-08-13 16:48 ` Andy Lutomirski
2018-08-13 16:48 ` Andy Lutomirski
2018-08-13 16:48 ` Andy Lutomirski
2018-08-13 17:29 ` Al Viro
2018-08-13 17:29 ` Al Viro
2018-08-13 17:29 ` Al Viro
2018-08-13 19:00 ` James Morris
2018-08-13 19:00 ` James Morris
2018-08-13 19:00 ` James Morris
2018-08-13 19:20 ` Casey Schaufler
2018-08-13 19:20 ` Casey Schaufler
2018-08-13 19:20 ` Casey Schaufler
2018-08-15 23:29 ` Serge E. Hallyn
2018-08-15 23:29 ` Serge E. Hallyn
2018-08-15 23:29 ` Serge E. Hallyn
[not found] ` <20180810161400.GA627-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2018-08-11 0:28 ` Eric W. Biederman
2018-08-11 0:28 ` Eric W. Biederman
2018-08-11 0:28 ` Eric W. Biederman
2018-08-10 15:55 ` Casey Schaufler
2018-08-10 15:55 ` Casey Schaufler
2018-08-10 15:55 ` Casey Schaufler
2018-08-10 15:55 ` Casey Schaufler
2018-08-10 16:11 ` David Howells
2018-08-10 16:11 ` David Howells
2018-08-10 16:11 ` David Howells
2018-08-10 18:00 ` Eric W. Biederman
2018-08-10 18:00 ` Eric W. Biederman
2018-08-11 1:19 ` Eric W. Biederman
2018-08-11 1:19 ` Eric W. Biederman
2018-08-11 1:19 ` Eric W. Biederman
[not found] ` <87pnyphf8i.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2018-08-11 7:29 ` David Howells
2018-08-11 7:29 ` David Howells
2018-08-11 7:29 ` David Howells
2018-08-11 16:31 ` Andy Lutomirski
2018-08-11 16:31 ` Andy Lutomirski
2018-08-11 16:31 ` Andy Lutomirski
[not found] ` <9B6E2781-484B-4C42-95F5-F900EA36CEA5-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
2018-08-11 16:51 ` Al Viro
2018-08-11 16:51 ` Al Viro
2018-08-11 16:51 ` Al Viro
2018-08-10 15:11 ` Tetsuo Handa
2018-08-10 15:11 ` Tetsuo Handa
2018-08-10 15:16 ` Al Viro
2018-08-10 15:16 ` Al Viro
2018-08-10 15:16 ` Al Viro
[not found] ` <20180810151606.GA6515-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
2018-08-11 1:05 ` Eric W. Biederman
2018-08-11 1:05 ` Eric W. Biederman
2018-08-11 1:05 ` Eric W. Biederman
[not found] ` <87pnypiufr.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2018-08-11 1:46 ` Theodore Y. Ts'o
2018-08-11 1:46 ` Theodore Y. Ts'o
2018-08-11 1:46 ` Theodore Y. Ts'o
2018-08-11 4:48 ` Eric W. Biederman
2018-08-11 4:48 ` Eric W. Biederman
2018-08-11 4:48 ` Eric W. Biederman
[not found] ` <8736vlo6ef.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2018-08-11 17:47 ` Casey Schaufler
2018-08-11 17:47 ` Casey Schaufler
2018-08-11 17:47 ` Casey Schaufler
2018-08-15 4:03 ` Eric W. Biederman
2018-08-15 4:03 ` Eric W. Biederman
2018-08-15 4:03 ` Eric W. Biederman
2018-08-11 1:58 ` Al Viro
2018-08-11 1:58 ` Al Viro
2018-08-11 1:58 ` Al Viro
2018-08-11 2:17 ` Al Viro
2018-08-11 2:17 ` Al Viro
2018-08-11 2:17 ` Al Viro
2018-08-11 4:43 ` Eric W. Biederman
2018-08-11 4:43 ` Eric W. Biederman
2018-08-11 4:43 ` Eric W. Biederman
2018-08-13 12:54 ` Miklos Szeredi
2018-08-13 12:54 ` Miklos Szeredi
2018-08-13 12:54 ` Miklos Szeredi
2018-08-15 16:31 ` Should we split the network filesystem setup into two phases? David Howells
2018-08-15 16:31 ` David Howells
2018-08-15 16:51 ` Andy Lutomirski
2018-08-15 16:51 ` Andy Lutomirski
2018-08-15 16:51 ` Andy Lutomirski
2018-08-16 3:51 ` Steve French
2018-08-16 3:51 ` Steve French
2018-08-16 5:06 ` Eric W. Biederman
2018-08-16 5:06 ` Eric W. Biederman
2018-08-16 16:24 ` Steve French
2018-08-16 16:24 ` Steve French
2018-08-16 17:21 ` Eric W. Biederman
2018-08-16 17:21 ` Eric W. Biederman
2018-08-16 17:23 ` Aurélien Aptel
2018-08-16 17:23 ` Aurélien Aptel
2018-08-16 18:36 ` Steve French
2018-08-16 18:36 ` Steve French
2018-08-16 18:36 ` Steve French
2018-08-17 23:11 ` Al Viro
2018-08-17 23:11 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180810204639.GI627@thunk.org \
--to=tytso@mit.edu \
--cc=apparmor@lists.ubuntu.com \
--cc=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=ebiggers@google.com \
--cc=fenghua.yu@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hannes@cmpxchg.org \
--cc=john.johansen@canonical.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=luto@kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=tj@kernel.org \
--cc=tomoyo-dev-en@lists.sourceforge.jp \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.