From: "Serge E. Hallyn"
Subject: Re: [PATCH v7 00/16] EVM
Date: Mon, 18 Jul 2011 08:45:03 -0500
Message-ID: <20110718134503.GC8127@mail.hallyn.com>
References: <1309377038-4550-1-git-send-email-zohar@linux.vnet.ibm.com> <1309390941.3205.22.camel@localhost.localdomain> <1310656045.3845.243.camel@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Kyle Moffett, Mimi Zohar, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, James Morris, Andrew Morton, Greg KH, Dmitry Kasatkin
To: David Safford
Content-Disposition: inline
In-Reply-To: <1310656045.3845.243.camel@localhost>
Sender: linux-security-module-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

Quoting David Safford (safford@watson.ibm.com):
> On Wed, 2011-06-29 at 21:57 -0400, Kyle Moffett wrote:
> > There have been numerous cases in the past where a corrupt or invalid
> > filesystem causes kernel panics or even exploitable overflows or memory
> > corruption; see the history of the "fsfuzzer" tool for more information.
>
> Seems to me code bugs in the kernel should be fixed, given the universal
> practice of automounting of removable media, and loopback mounting
> images, regardless of EVM.

Hi David,

yeah, this would also be nice for making people feel cozier about
supporting unprivileged fs mounts in general. I wonder if a real project
around the idea of strengthening the robustness of the fs code, starting
with the superblock parsing for a few of the most common filesystems,
could take off. A combination of

. code auditing and test (i.e. fsfuzzer)
. moving parts of the code to unprivileged userspace
. marking audited filesystems as unprivileged-mountable, in the way
  Miklos' patchset a few years ago did
. so that those who want to can refuse auto-mount of any not audited
  filesystems.

-serge