From: gnomes@lxorguk.ukuu.org.uk (Alan Cox)
To: linux-security-module@vger.kernel.org
Subject: Leaking Path in XFS's ioctl interface(missing LSM check)
Date: Wed, 26 Sep 2018 19:24:26 +0100 [thread overview]
Message-ID: <20180926192426.472360ea@alans-desktop> (raw)
In-Reply-To: <20180926013329.GD31060@dastard>
On Wed, 26 Sep 2018 11:33:29 +1000
Dave Chinner <david@fromorbit.com> wrote:
> On Tue, Sep 25, 2018 at 08:51:50PM -0400, TongZhang wrote:
> > Hi,
> >
> > I'm bringing up this issue again to let of LSM developers know the situation, and would like to know your thoughts.
> > Several weeks ago I sent an email to the security list to discuss the issue where
> > XFS's ioctl interface can do things like vfs_readlink without asking LSM's
> > permission, which we think is kind of weird and this kind of operation should be
> > audited by LSM.
>
> These aren't user interfaces. They are filesystem maintenance and
> extension interfaces. They are intended for low level filesystem
> utilities that require complete, unrestricted access to the
> underlying filesystem via holding CAP_SYSADMIN in the initns.
CAP_SYS_ADMIN is meaningless in an environment using a strong LSM set up.
So what if I have CAP_SYS_ADMIN ? In a secure environment low level
complete unrestricted access to the file system is most definitely
something that should be mediated.
CAP_SYS_ADMIN is also a bit weird because low level access usually
implies you can bypass access controls so you should also check
CAP_SYS_DAC ?
Alan
next prev parent reply other threads:[~2018-09-26 18:24 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-26 0:51 Leaking Path in XFS's ioctl interface(missing LSM check) TongZhang
2018-09-26 1:33 ` Dave Chinner
2018-09-26 13:23 ` Stephen Smalley
2018-09-27 2:08 ` Dave Chinner
2018-09-26 18:24 ` Alan Cox [this message]
2018-09-27 1:38 ` Dave Chinner
2018-09-27 21:23 ` James Morris
2018-09-27 22:19 ` Dave Chinner
2018-09-27 23:12 ` Tetsuo Handa
2018-09-30 14:16 ` Alan Cox
2018-10-01 0:25 ` Dave Chinner
[not found] ` <20181001160442.47c798bc@alans-desktop>
[not found] ` <20181001154459.GB5872@magnolia>
2018-10-01 20:08 ` James Morris
2018-10-01 22:45 ` Dave Chinner
2018-10-02 19:20 ` James Morris
2018-10-02 22:42 ` Dave Chinner
[not found] ` <20181001152529.GA2549@thunk.org>
2018-10-01 22:53 ` Dave Chinner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180926192426.472360ea@alans-desktop \
--to=gnomes@lxorguk.ukuu.org.uk \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).