Re: [Lsf-pc] [LSF/MM TOPIC] Filesystem namespaces and uid/gid/lsm remapping

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
	Linux FS Devel <linux-fsdevel@vger.kernel.org>,
	Seth Forshee <seth.forshee@canonical.com>,
	lsf-pc@lists.linux-foundation.org,
	Lukasz Pawelczyk <l.pawelczyk@samsung.com>,
	Richard Weinberger <richard@nod.at>
Subject: Re: [Lsf-pc] [LSF/MM TOPIC] Filesystem namespaces and uid/gid/lsm remapping
Date: Sun, 22 Feb 2015 09:12:35 -0800	[thread overview]
Message-ID: <1424625155.2146.85.camel@HansenPartnership.com> (raw)
In-Reply-To: <87r3whmmiy.fsf@x220.int.ebiederm.org>

On Tue, 2014-12-02 at 21:37 -0600, Eric W. Biederman wrote:
> Andy Lutomirski <luto@amacapital.net> writes:
> 
> > This should hopefully be a short topic, and it's possible that it'll
> > be settled by the time LSF/MM comes around, but:
> >
> > There's a fair amount of interest from different directions for
> > allowing filesystems with a backing store to be mounted (in the
> > mount-from-scratch sense, not the bind-mount sense) in a user
> > namespace.  For example, Seth has patches to allow unprivileged FUSE
> > mounts.  There are a few issues here, for example:
> >
> >  - What happens to device nodes in those filesystems?
> >
> >  - If a FUSE backend is in a user namespace, how should UIDs be
> > translated to/from that backend?
> >
> >  - How should LSM security labels be translated?
> >
> >  - Should a struct super_block be associated with a user namespace?
> > (Answer: probably, I think.)  If so, what should the semantics be?
> >
> > There are also some remapping cases that aren't directly user
> > namespace-related.  For example, I'd like to be able to insert
> > removable media and create files owned by uid 0 (or any other uid)
> > without actually being root.
> 
> And there is the longer term question that may be more appropriate when
> we get all of the id problems settled, about what kind of
> testing, auditing, review we want in place before we believe an
> unprivileged mount is actually safe to perform, when we can assume
> hostile intent by the mounter.

Realistically, we can't rely on auditing the data: a hostile user will
be injecting a specific data pattern to exploit a bug in the filesystem
code.  We can't audit for this if we don't know the bug (which we mostly
don't otherwise they'd be fixed).

What we can do is audit for specific operations.  Looking at what the
use cases are, users mostly either want to create a pristine filesystem
or use an existing template.  Mkfs is a particular nasty because it's
all in userspace and sprays data down on to the device making it really
hard to audit.  One of the approaches we've experimented with in
Parallels is the bit bucket one, where we create a device that looks
read/write in the container, but really it throws away the writes from
the user and performs in the host the operation we believe the user is
trying to do.  It protects against most injection attacks, but trips up
when the user tries to do some operation we haven't anticipated.

James

next prev parent reply	other threads:[~2015-02-22 17:12 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-12-02 23:47 [LSF/MM TOPIC] Filesystem namespaces and uid/gid/lsm remapping Andy Lutomirski
2014-12-03  3:37 ` Eric W. Biederman
2015-02-22 17:12   ` James Bottomley [this message]
2015-02-23 12:38     ` [Lsf-pc] " Jan Kara
2014-12-03 14:48 ` Seth Forshee
2014-12-05 18:01 ` David Howells
2014-12-08 21:59   ` Eric W. Biederman
2014-12-09 18:51     ` [Lsf-pc] " Jeff Layton
2015-02-22 16:52     ` James Bottomley
2015-02-22 23:51       ` Jeff Layton
2015-02-22 17:01 ` James Bottomley
2015-02-23 15:54   ` Andy Lutomirski
2015-02-23 16:16     ` James Bottomley
2015-03-02 22:34       ` Andy Lutomirski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1424625155.2146.85.camel@HansenPartnership.com \
    --to=james.bottomley@hansenpartnership.com \
    --cc=ebiederm@xmission.com \
    --cc=l.pawelczyk@samsung.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=lsf-pc@lists.linux-foundation.org \
    --cc=luto@amacapital.net \
    --cc=richard@nod.at \
    --cc=seth.forshee@canonical.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).