From mboxrd@z Thu Jan 1 00:00:00 1970
From: Serge Hallyn
Subject: Re: [PATCH] fuse: Only allow read/writing user xattrs
Date: Mon, 8 Oct 2012 08:47:51 -0500
Message-ID: <20121008134751.GB5351@sergelap>
References: <87boggpm7r.fsf@xmission.com> <87a9vzlimm.fsf@xmission.com> <87zk3zgoc2.fsf@xmission.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Eric Paris , Miklos Szeredi , linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org
To: "Eric W. Biederman"
Return-path:
Content-Disposition: inline
In-Reply-To: <87zk3zgoc2.fsf@xmission.com>
Sender: linux-security-module-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

Quoting Eric W. Biederman (ebiederm@xmission.com):
> Eric Paris writes:
>
> > Why trust uids or rwx bits. Might as well do away with those as well,
> > right?
>
> Lying to your own userspace processes (which you can do with LD_PRELOAD)
> is rather different than lying to the selinux or the smack modules.
>
> What I am saying with my patch is that fuse is remarkably non-nuanced
> in how it interacts with extended attributes, and that it appears
> very clear that there are bugs in the area of unprivileged mounts that
> need to be addressed.
>
> I am happy to hear about better solutions. Telling me it's not a bug
> and sticking your head in the sand is quite amusing.

I'm not terribly familiar with the ways fuse modules can be loaded.
Would it be possible to, at load time, based on the (selinux) credentials
of the user loading the module, either allow the loader to specify that
security.* and trusted.* xattrs may be used, or, if the user is
unprivileged, ignore the xattrs and use a default based on the user's
credentials?

-serge