From: ebiederm@xmission.com (Eric W. Biederman)
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: "Theodore Y. Ts'o" <tytso@mit.edu>,
Al Viro <viro@ZenIV.linux.org.uk>,
David Howells <dhowells@redhat.com>,
John Johansen <john.johansen@canonical.com>,
Tejun Heo <tj@kernel.org>,
selinux@tycho.nsa.gov, Paul Moore <paul@paul-moore.com>,
Li Zefan <lizefan@huawei.com>,
linux-api@vger.kernel.org, apparmor@lists.ubuntu.com,
fenghua.yu@intel.com,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Eric Biggers <ebiggers@google.com>,
linux-security-module@vger.kernel.org,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Johannes Weiner <hannes@cmpxchg.org>,
Stephen Smalley <sds@tycho.nsa.gov>,
tomoyo-dev-en@lists.sourceforge.jp, cgroups@vger.kernel.org,
torvalds@linux-foundation.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, Miklos Szeredi <miklo>
Subject: Re: BUG: Mount ignores mount options
Date: Tue, 14 Aug 2018 23:03:17 -0500
Message-ID: <87d0ukjmyi.fsf@xmission.com>
In-Reply-To: <001a1608-d0fa-84c1-9c54-ae36df95fd89@schaufler-ca.com> (Casey Schaufler's message of "Sat, 11 Aug 2018 10:47:50 -0700")

Casey Schaufler <casey@schaufler-ca.com> writes:

> Don't blame the filesystems for behaving as documented.

No. This behavior is not documented. At least I certainly don't see a
word about this in any of the man pages. Where does it say mounting a
filesystem will not honor its mount options?

It is also rare enough in practice it is something it is reasonable to
expect people to be surprised by.

> The problem is not in the mount mechanism, it's in the way you want to
> abuse it.

I am not asking for this behavior. I am pointing out this behavior
exists. I am pointing out this behavior is harmful. I am asking we
stop doing this harmful thing in the new API where we don't have a
chance of breaking anything.

The place where this has bitten the hardest is someone wrote a script to
do something for Xen in a chroot. That script involved a chroot that
mounted devpts and in doing so happened to change the options of the main
/dev/pts. Which resulted in ptys created with /dev/ptmx outside the
chroot with the wrong permissions. That in turn caused several distros
to retain the ancient suid pt_chown binary from libc that the devpts
filesystem was built to make obsolete. As the world turned that
pt_chown binary could be confused into chowning the wrong pty if a pty
from a container was used.

The fix was to mount a new instance of devpts every time mount of devpts
is called. That simplified the code, and allowed pt_chown to be removed
permanently. The tricky bit was figuring out how to keep /dev/ptmx
working. I wound up testing on every distribution I could think of to
ensure no one would notice the slightly changed behavior of the devpts
filesystem.

The behavior in other filesystems of ignoring the options instead of
changing them on the filesystem isn't quite as bad. But it still has
the potential for a lot of mischief.

Eric
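
One way to catch the behaviour this message describes, as an added example that is not part of the original e-mail: after a mount, read the options back in the /proc/self/mountinfo format and compare them with what was requested, and list other mounts that share the same superblock (same major:minor). The sample lines, the function names and the requested option string are constructed for illustration.

```python
from collections import namedtuple

Mount = namedtuple("Mount", "mount_point dev fstype mount_opts super_opts")

# Constructed sample in /proc/self/mountinfo format (proc(5)); not real output.
# Mounts 30 and 61 carry the same major:minor, i.e. one shared superblock.
SAMPLE_MOUNTINFO = """\
24 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw,errors=remount-ro
30 24 0:22 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
61 24 0:22 / /srv/chroot/dev/pts rw,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
"""

def parse_opts(text):
    """Turn 'rw,gid=5,mode=620' into {'rw': '', 'gid': '5', 'mode': '620'}."""
    return dict(item.partition("=")[::2] for item in text.split(",") if item)

def parse_mountinfo(text):
    mounts = []
    for line in text.splitlines():
        if " - " not in line:
            continue
        # The number of optional fields varies; a lone "-" terminates them.
        left, _, right = line.partition(" - ")
        pre = left.split()
        post = right.split(None, 2) + ["", ""]
        mounts.append(Mount(pre[4], pre[2], post[0],
                            parse_opts(pre[5]), parse_opts(post[2])))
    return mounts

def audit_mount(mounts, mount_point, requested):
    """Return (options not honored, other mount points on the same superblock)."""
    # The last entry for a mount point is the one on top.
    target = [m for m in mounts if m.mount_point == mount_point][-1]
    effective = {**target.super_opts, **target.mount_opts}
    not_honored = {}
    for key, want in parse_opts(requested).items():
        got = effective.get(key)
        if got != want:
            not_honored[key] = (want, got)
    shared = [m.mount_point for m in mounts
              if m.dev == target.dev and m is not target]
    return not_honored, shared

if __name__ == "__main__":
    mounts = parse_mountinfo(SAMPLE_MOUNTINFO)
    # Hypothetical request: the chroot script asked for mode=600.
    bad, shared = audit_mount(mounts, "/srv/chroot/dev/pts", "mode=600,gid=5")
    for key, (want, got) in bad.items():
        print(f"{key}: requested {want!r}, effective {got!r}")
    print("shares a superblock with:", shared)
```

On a live system the same functions can be fed the contents of /proc/self/mountinfo instead of the sample string.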