From: Eric Paris
Subject: Re: [PATCH] fuse: Only allow read/writing user xattrs
Date: Mon, 8 Oct 2012 10:02:28 -0400
Message-ID:
References: <87boggpm7r.fsf@xmission.com> <87a9vzlimm.fsf@xmission.com> <87zk3zgoc2.fsf@xmission.com>
In-Reply-To: <87zk3zgoc2.fsf@xmission.com>
To: "Eric W. Biederman"
Cc: Miklos Szeredi, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org
Sender: linux-fsdevel-owner@vger.kernel.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1

On Sat, Oct 6, 2012 at 7:42 PM, Eric W. Biederman wrote:
> Eric Paris writes:
>
>> Why trust uids or rwx bits. Might as well do away with those as well,
>> right?
>
> Lying to your own userspace processes (which you can do with LD_PRELOAD)
> is rather different than lying to the selinux or the smack modules.
>
> What I am saying with my patch is that fuse is remarkably non-nuanced
> in how it interacts with extended attributes, and that it appears
> very clear that there are bugs in the area of unprivileged mounts that
> need to be addressed.
>
> I am happy to hear about better solutions. Telling me it's not a bug
> and sticking your head in the sand is quite amusing.

I'm not sure how to fix it. But breaking things that do work today for
untrusted user mounts isn't right or acceptable.

Maybe Serge is onto something. Or maybe the best solution is to require
LSM policy to just disallow all unpriv (from init namespace PoV) mounts.