All of lore.kernel.org
 help / color / mirror / Atom feed
From: ebiederm@xmission.com (Eric W. Biederman)
To: Jann Horn <jann@thejh.net>
Cc: Dave Chinner <david@fromorbit.com>, Jan Kara <jack@suse.cz>,
	Linux Containers <containers@lists.linux-foundation.org>,
	Seth Forshee <seth.forshee@canonical.com>,
	linux-fsdevel@vger.kernel.org,
	Linux API <linux-api@vger.kernel.org>,
	James Bottomley <James.Bottomley@HansenPartnership.com>,
	Djalal Harouni <tixxdz@gmail.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Andy Lutomirski <luto@amacapital.net>,
	Michael Kerrisk <mtk.manpages@gmail.com>
Subject: Re: [PATCH review 08/12] quota: Ensure qids map to the filesystem
Date: Thu, 14 Jul 2016 12:03:19 -0500	[thread overview]
Message-ID: <87oa60cfu0.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <20160713054358.GB28635@pc.thejh.net> (Jann Horn's message of "Wed, 13 Jul 2016 07:43:59 +0200")

Jann Horn <jann@thejh.net> writes:

> On Wed, Jul 13, 2016 at 11:34:36AM +1000, Dave Chinner wrote:
>> On Mon, Jul 11, 2016 at 01:12:49PM -0500, Eric W. Biederman wrote:
>> > The place where I am concerned about thorough review and testing is
>> > someone poisoning quota files and then the kernel trying to use them.
>> > In the preliminary work we have done in other places in the kernel and
>> > for other filesystems there almost always winds up being some way to
>> > confuse the kernel and get it to misbave if you can poison the disk
>> > based inputs.  As poison disk based inputs is not something filesystems
>> > are stronlgy concerned about.  In most cases the disk the filesystem
>> > resides on is in the box and therefore under control of the OS at all
>> > times.  Dave Chinner has even said he will never consider handling
>> > poisoned disk based inputs for XFS as the run time cost is too high.
>> 
>> I didn't say that. I said that comprehensive checks to catch all
>> possible malicious inputs is too expensive to consider a viable
>> solution for allowing user-mounts of arbitrary filesystem images
>> through the kernel.

Dave you said that speaking as the XFS maintainer.  So I take that to be
your position and to refer to XFS.

> [...]
>> 
>> To bring this back to quota files, the only way to validate that a
>> quota file has not been tampered with is to run a quotacheck on the
>> filesystem once it has been mounted. This requires visiting every
>> inode in the filesystem, so it an expensive operation. Only XFS has
>> this functionality in kernel, so for untrusted mounts we could
>> simply run it on every mount that has quotas enabled. Of course,
>> users won't care that mounting their filesystem now takes several
>> minutes (hours, even, when we have millions of inodes in the fs)
>> while these checks are run...
>>
>> Detecting malicious corruptions that specifically manipulate the
>> on-disk structure within the bounds of format validity are difficult
>> to detect and costly to protect against. We'd need to move large
>> parts of fsck into the kernel and run it to validate every piece of
>> metadata read into the kernel. Then we've got a much larger attack
>> surface in the kernel (all the validity checking code needs to be
>> robust against invalid structures, too!), a lot more complexity
>> (more bugs!) and a lot of additional runtime overhead (slow
>> filesystem = unhappy users!). It's just not a practical solution to
>> the problem.

This critiqute as I read it confuses data integrity and safety from
privilege escalation.  If a filesystem image or it's backing store are
malicious there is no need to be concerned about data integrity.

> And ideally, you'd want to also guard against an evil disk that
> suddenly changes its contents after you've run fsck on it, and you
> can't easily do that without making things complicated.

I agree an evil disk definitely should be part of any threat analysis.

I also agree that anything that is complicated is not a practical
as complicated means lots of code, and bugs are in general a function
of the amount of code.

At the same time my only concern when analyzing something for safety
against a malicious filesystem is can the malicious data cause the
kernel to misbehave.  This includes things like stack overflows,
and memory corruption.

In the specific case of a quota file, if there is a quota file that has
little to no resemblence to reality but the kernel doesn't misbehave, I
don't think that is a problem from an unprivileged mount perspective.
On the flip side if a malicious quota file allows an in kernel quota
variable to go negative and that causes the kernel to misbehave that is
a show stopper for allowing an unprivileged mount.

Personally I see the quantity of code in current filesystems as making
it hard to have a low enough probability of problems to allow
unprivileged mounts.

Changes for all of the weird cases a backing store for unprivileged
mounts brings with it have been added to the VFS because that is the
right place to implement them.  Working at a filesystem independent
level allows all of the right people involved in the review, and it
allows clean and general solutions to the weird cases that come up
with a uid or gid does not map into the kernel.


All of that said the only filesystem with backing store that I see as a
reasonable target to support right now is fuse.  As fuse was designed
from the get go to support filesystems from unprivileged users.

Will fuse someday support quotas?  I don't know.  But the there is no
extra cost to support that case in fs/quota/quota.c so I have added the
necessary code.

Eric


  parent reply	other threads:[~2016-07-14 17:03 UTC|newest]

Thread overview: 134+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-07-02 17:18 [PATCH review 0/11] General unprivileged mount support Eric W. Biederman
2016-07-02 17:18 ` Eric W. Biederman
2016-07-02 17:20 ` [PATCH review 01/11] fs: Refuse uid/gid changes which don't map into s_user_ns Eric W. Biederman
2016-07-02 17:20   ` [PATCH review 03/11] vfs: Verify acls are valid within superblock's s_user_ns Eric W. Biederman
     [not found]   ` <20160702172035.19568-1-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-07-02 17:20     ` [PATCH review 02/11] userns: Handle -1 in k[ug]id_has_mapping when !CONFIG_USER_NS Eric W. Biederman
2016-07-02 17:20       ` Eric W. Biederman
2016-07-02 17:20     ` [PATCH review 03/11] vfs: Verify acls are valid within superblock's s_user_ns Eric W. Biederman
2016-07-02 17:20     ` [PATCH review 04/11] fs: Check for invalid i_uid in may_follow_link() Eric W. Biederman
2016-07-02 17:20     ` Eric W. Biederman
2016-07-02 17:20       ` Eric W. Biederman
2016-07-02 17:20     ` [PATCH review 05/11] cred: Reject inodes with invalid ids in set_create_file_as() Eric W. Biederman
2016-07-02 17:20     ` [PATCH review 06/11] vfs: Don't modify inodes with a uid or gid unknown to the vfs Eric W. Biederman
2016-07-02 17:20     ` Eric W. Biederman
2016-07-02 17:20       ` Eric W. Biederman
2016-07-02 17:20     ` [PATCH review 07/11] vfs: Don't create " Eric W. Biederman
2016-07-02 17:20     ` [PATCH review 08/11] quota: Ensure qids map to the filesystem Eric W. Biederman
2016-07-02 17:20     ` [PATCH review 09/11] quota: Handle quota data stored in s_user_ns Eric W. Biederman
2016-07-02 17:20       ` Eric W. Biederman
     [not found]       ` <20160702172035.19568-9-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-07-02 17:33         ` [PATCH v2 " Eric W. Biederman
2016-07-02 17:33         ` Eric W. Biederman
2016-07-02 17:33           ` Eric W. Biederman
     [not found]           ` <87mvm03pxy.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-04  9:11             ` Jan Kara
2016-07-04  9:11             ` Jan Kara
2016-07-04  9:11               ` Jan Kara
2016-07-05 14:48               ` Seth Forshee
     [not found]               ` <20160704091100.GD5200-4I4JzKEfoa/jFM9bn6wA6Q@public.gmane.org>
2016-07-05 14:48                 ` Seth Forshee
2016-07-05 15:34                 ` Eric W. Biederman
2016-07-05 15:34               ` Eric W. Biederman
     [not found]                 ` <87d1msumhy.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-05 20:57                   ` Dave Chinner
2016-07-05 20:57                     ` Dave Chinner
2016-07-05 21:28                     ` Eric W. Biederman
2016-07-05 21:28                       ` Eric W. Biederman
     [not found]                       ` <8737nnrcyy.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-06  6:35                         ` Dave Chinner
2016-07-06  6:35                           ` Dave Chinner
2016-07-06  8:25                           ` Jan Kara
2016-07-06  8:25                             ` Jan Kara
2016-07-06 17:51                             ` Eric W. Biederman
     [not found]                             ` <20160706082545.GC14067-4I4JzKEfoa/jFM9bn6wA6Q@public.gmane.org>
2016-07-06 17:51                               ` Eric W. Biederman
2016-07-05 21:28                     ` Eric W. Biederman
2016-07-05 20:57                   ` Dave Chinner
2016-07-02 17:20     ` [PATCH " Eric W. Biederman
2016-07-02 17:20     ` [PATCH review 10/11] evm: Translate user/group ids relative to s_user_ns when computing HMAC Eric W. Biederman
2016-07-02 17:20     ` [PATCH review 11/11] fs: Update i_[ug]id_(read|write) to translate relative to s_user_ns Eric W. Biederman
2016-07-02 17:20       ` Eric W. Biederman
2016-07-02 17:20   ` [PATCH review 05/11] cred: Reject inodes with invalid ids in set_create_file_as() Eric W. Biederman
2016-07-02 17:20   ` [PATCH review 07/11] vfs: Don't create inodes with a uid or gid unknown to the vfs Eric W. Biederman
     [not found]     ` <20160702172035.19568-7-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-07-04  7:59       ` Jan Kara
2016-07-04  7:59         ` Jan Kara
     [not found]         ` <20160704075919.GA5200-4I4JzKEfoa/jFM9bn6wA6Q@public.gmane.org>
2016-07-05 14:55           ` Eric W. Biederman
2016-07-05 14:55             ` Eric W. Biederman
     [not found]             ` <87zipwxhgp.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-06  9:07               ` Jan Kara
2016-07-06  9:07                 ` Jan Kara
     [not found]                 ` <20160706090705.GE14067-4I4JzKEfoa/jFM9bn6wA6Q@public.gmane.org>
2016-07-06 15:37                   ` Eric W. Biederman
2016-07-06 15:37                     ` Eric W. Biederman
2016-07-06 15:37                   ` Eric W. Biederman
2016-07-04  7:59       ` Jan Kara
2016-07-02 17:20   ` [PATCH review 08/11] quota: Ensure qids map to the filesystem Eric W. Biederman
2016-07-02 17:20   ` [PATCH review 10/11] evm: Translate user/group ids relative to s_user_ns when computing HMAC Eric W. Biederman
2016-07-04  8:52 ` [PATCH review 0/11] General unprivileged mount support Jan Kara
     [not found]   ` <20160704085220.GC5200-4I4JzKEfoa/jFM9bn6wA6Q@public.gmane.org>
2016-07-04 16:27     ` Eric W. Biederman
2016-07-04 16:27     ` Eric W. Biederman
2016-07-04 16:27       ` Eric W. Biederman
     [not found]       ` <87h9c52wsd.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-06  8:54         ` Jan Kara
2016-07-06  8:54           ` Jan Kara
     [not found]           ` <20160706085440.GD14067-4I4JzKEfoa/jFM9bn6wA6Q@public.gmane.org>
2016-07-06 13:54             ` Seth Forshee
2016-07-06 13:54           ` Seth Forshee
2016-07-06 14:22             ` Jan Kara
2016-07-06 14:22             ` Jan Kara
2016-07-06 14:22               ` Jan Kara
2016-07-06 14:46               ` Seth Forshee
     [not found]               ` <20160706142255.GB21164-4I4JzKEfoa/jFM9bn6wA6Q@public.gmane.org>
2016-07-06 14:46                 ` Seth Forshee
2016-07-06 15:01                 ` Eric W. Biederman
2016-07-06 15:23                 ` James Bottomley
2016-07-06 15:01               ` Eric W. Biederman
2016-07-06 15:23               ` James Bottomley
     [not found]                 ` <1467818630.2369.21.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-07-06 16:35                   ` Eric W. Biederman
2016-07-06 16:35                     ` Eric W. Biederman
     [not found] ` <87ziq03qnj.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-02 17:20   ` [PATCH review 01/11] fs: Refuse uid/gid changes which don't map into s_user_ns Eric W. Biederman
2016-07-04  8:52   ` [PATCH review 0/11] General unprivileged mount support Jan Kara
2016-07-06 13:44   ` Andy Lutomirski
2016-07-06 13:44     ` Andy Lutomirski
     [not found]     ` <CALCETrVof174gPCZnD2Z-RMjR-P=NcA0mYCU9ki6=o9hpFL-BA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-06 15:21       ` Eric W. Biederman
2016-07-06 15:21         ` Eric W. Biederman
2016-07-06 13:44   ` Andy Lutomirski
2016-07-06 14:01   ` Andy Lutomirski
2016-07-06 14:01   ` Andy Lutomirski
2016-07-06 14:01     ` Andy Lutomirski
2016-07-06 15:19     ` Eric W. Biederman
2016-07-06 15:19       ` Eric W. Biederman
2016-07-06 18:10   ` [PATCH review 0/12] General unprivileged mount support v2 Eric W. Biederman
2016-07-06 18:10     ` Eric W. Biederman
     [not found]     ` <874m82bptc.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-06 18:12       ` [PATCH review 01/12] fs: Refuse uid/gid changes which don't map into s_user_ns Eric W. Biederman
2016-07-06 18:12         ` Eric W. Biederman
2016-07-06 18:12         ` [PATCH review 02/12] userns: Handle -1 in k[ug]id_has_mapping when !CONFIG_USER_NS Eric W. Biederman
2016-07-06 18:12         ` [PATCH review 03/12] vfs: Verify acls are valid within superblock's s_user_ns Eric W. Biederman
2016-07-06 18:12         ` [PATCH review 04/12] fs: Check for invalid i_uid in may_follow_link() Eric W. Biederman
2016-07-06 18:12         ` [PATCH review 05/12] cred: Reject inodes with invalid ids in set_create_file_as() Eric W. Biederman
2016-07-06 18:12         ` [PATCH review 08/12] quota: Ensure qids map to the filesystem Eric W. Biederman
     [not found]           ` <20160706181212.16267-8-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-07-11 10:14             ` Jan Kara
2016-07-11 10:14               ` Jan Kara
     [not found]               ` <20160711101424.GH12410-4I4JzKEfoa/jFM9bn6wA6Q@public.gmane.org>
2016-07-11 18:12                 ` Eric W. Biederman
2016-07-11 18:12                   ` Eric W. Biederman
     [not found]                   ` <878tx8dowu.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-07-13  1:34                     ` Dave Chinner
2016-07-13  1:34                       ` Dave Chinner
2016-07-13  3:45                       ` Dave Chinner
2016-07-13  3:45                         ` Dave Chinner
2016-07-13  5:43                       ` Jann Horn
2016-07-13  5:43                         ` Jann Horn
     [not found]                         ` <20160713054358.GB28635-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org>
2016-07-14 17:03                           ` Eric W. Biederman
2016-07-14 17:03                         ` Eric W. Biederman [this message]
2016-07-11 18:12                 ` Eric W. Biederman
2016-07-06 18:12         ` [PATCH review 09/12] quota: Handle quota data stored in s_user_ns in quota_setxquota Eric W. Biederman
     [not found]         ` <20160706181212.16267-1-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-07-06 18:12           ` [PATCH review 02/12] userns: Handle -1 in k[ug]id_has_mapping when !CONFIG_USER_NS Eric W. Biederman
2016-07-06 18:12           ` [PATCH review 03/12] vfs: Verify acls are valid within superblock's s_user_ns Eric W. Biederman
2016-07-06 18:12           ` [PATCH review 04/12] fs: Check for invalid i_uid in may_follow_link() Eric W. Biederman
2016-07-06 18:12           ` [PATCH review 05/12] cred: Reject inodes with invalid ids in set_create_file_as() Eric W. Biederman
2016-07-06 18:12           ` [PATCH review 06/12] vfs: Don't modify inodes with a uid or gid unknown to the vfs Eric W. Biederman
2016-07-06 18:12             ` Eric W. Biederman
2016-07-06 18:12           ` Eric W. Biederman
2016-07-06 18:12           ` [PATCH review 07/12] vfs: Don't create " Eric W. Biederman
2016-07-06 18:12           ` Eric W. Biederman
2016-07-06 18:12             ` Eric W. Biederman
2016-07-06 18:12           ` [PATCH review 08/12] quota: Ensure qids map to the filesystem Eric W. Biederman
2016-07-06 18:12           ` [PATCH review 09/12] quota: Handle quota data stored in s_user_ns in quota_setxquota Eric W. Biederman
2016-07-06 18:12           ` [PATCH review 10/12] dquot: For now explicitly don't support filesystems outside of init_user_ns Eric W. Biederman
2016-07-06 18:12             ` Eric W. Biederman
2016-07-11 10:09             ` Jan Kara
     [not found]             ` <20160706181212.16267-10-ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-07-11 10:09               ` Jan Kara
2016-07-06 18:12           ` Eric W. Biederman
2016-07-06 18:12           ` [PATCH review 11/12] evm: Translate user/group ids relative to s_user_ns when computing HMAC Eric W. Biederman
2016-07-06 18:12           ` Eric W. Biederman
2016-07-06 18:12             ` Eric W. Biederman
2016-07-06 18:12           ` [PATCH review 12/12] fs: Update i_[ug]id_(read|write) to translate relative to s_user_ns Eric W. Biederman
2016-07-06 18:12         ` Eric W. Biederman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87oa60cfu0.fsf@x220.int.ebiederm.org \
    --to=ebiederm@xmission.com \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=containers@lists.linux-foundation.org \
    --cc=david@fromorbit.com \
    --cc=jack@suse.cz \
    --cc=jann@thejh.net \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=mtk.manpages@gmail.com \
    --cc=serge@hallyn.com \
    --cc=seth.forshee@canonical.com \
    --cc=tixxdz@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.