From mboxrd@z Thu Jan 1 00:00:00 1970
From: tytso@mit.edu (Theodore Y.
 Ts'o)
Date: Fri, 10 Aug 2018 19:54:47 -0400
Subject: BUG: Mount ignores mount options
In-Reply-To: <20180810221234.GC4211@magnolia>
References: <20180810153902.GH21087@thunk.org> <87d0uqpba5.fsf@xmission.com>
 <153313703562.13253.5766498657900728120.stgit@warthog.procyon.org.uk>
 <22361.1533913891@warthog.procyon.org.uk>
 <28045.1533916438@warthog.procyon.org.uk>
 <20180810161400.GA627@thunk.org> <20180810204639.GI627@thunk.org>
 <20180810221234.GC4211@magnolia>
Message-ID: <20180810235447.GK627@thunk.org>
To: linux-security-module@vger.kernel.org
List-Id: linux-security-module.vger.kernel.org

On Fri, Aug 10, 2018 at 03:12:34PM -0700, Darrick J. Wong wrote:
> Hey now, there was a little more nuance to it than that[1][2]. The
> complaint in the first instance had much more to do with breaking
> existing V4 filesystems by adding format requirements that mkfs didn't
> know about when the filesystem was created. Yes, you can create V4
> filesystems that will hang the system if the log was totally unformatted
> and metadata updates are made, but OTOH it's fairly obvious when that
> happens, you have to be root to mount a disk filesystem, and we try to
> avoid breaking existing users.

I wasn't thinking about syzbot reports; I've largely written them off
as far as file system testing is concerned, but rather Wen Xu at
Georgia Tech, who is much more reasonable than Dmitry, and has helped
me out a lot; and has complained that the XFS folks haven't been
engaging with him.

In either case, both security researchers are fuzzing file system
images, and then fixing the checksums, and discovering that this can
lead to kernel crashes, and in a few cases, buffer overruns that can
lead to potential privilege escalations. Wen can generate reports
faster than syzbot, but at least he gives me file system images (as
opposed to having to dig them out of syzbot repro C files) and he
actually does some analysis and explains what he thinks is going on.

I don't think anyone was claiming that format requirements should be
added to ext4 or xfs file systems. But rather, that kernel code
should be made more robust against maliciously corrupted file system
images that have valid checksums. I've been more willing to work with
Wen; Dave has expressed the opinion that these are not realistic bug
reports, and since only root can mount file systems, it's not high
priority.

The reason why I bring this up here is that in container land, there
are those who believe that "container root" should be able to mount
file systems, and if the "container root" isn't trusted, the fact that
the "container root" can crash the host kernel, or worse, corrupt the
host kernel and break out of the container as a result, that would be
sad.

I was pretty sure most file system developers are on the same page
that allowing untrusted "container roots" the ability to mount
arbitrary block device file systems is insanity. Whether or not we
try to fix these sorts of bugs submitted by security researchers. :-)

                                        - Ted