From: David Howells <dhowells@redhat.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: dhowells@redhat.com, Andy Lutomirski <luto@kernel.org>,
Stephen Smalley <sds@tycho.nsa.gov>,
Al Viro <viro@zeniv.linux.org.uk>,
USB list <linux-usb@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
raven@themaw.net, Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
linux-block@vger.kernel.org, keyrings@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
Paul Moore <paul@paul-moore.com>
Subject: Re: [RFC][PATCH 00/13] Mount, FS, Block and Keyrings notifications [ver #4]
Date: Mon, 10 Jun 2019 23:07:46 +0100 [thread overview]
Message-ID: <29010.1560204466@warthog.procyon.org.uk> (raw)
In-Reply-To: <25d88489-9850-f092-205e-0a4fc292f41b@schaufler-ca.com>
Casey Schaufler <casey@schaufler-ca.com> wrote:
> Process A and process B both open /dev/null.
> A and B can write and read to their hearts content
> to/from /dev/null without ever once communicating.
> The mutual accessibility of /dev/null in no way implies that
> A and B can communicate. If A can set a watch on /dev/null,
> and B triggers an event, there still has to be an access
> check on the delivery of the event because delivering an event
> to A is not an action on /dev/null, but on A.
If a process has the privilege, it appears that fanotify() allows that process
to see others accessing /dev/null (FAN_ACCESS, FAN_ACCESS_PERM). There don't
seem to be any LSM checks there either.
On the other hand, the privilege required is CAP_SYS_ADMIN,
> > The mount tree can't be modified by unprivileged users, unless a
> > privileged user very carefully configured it as such.
>
> "Unless" means *is* possible. In which case access control is
> required. I will admit to being less then expert on the extent
> to which mounts can be done without privilege.
Automounts in network filesystems, for example.
The initial mount of the network filesystem requires local privilege, but then
mountpoints are managed with remote privilege as granted by things like
kerberos tickets. The local kernel has no control.
If you have CONFIG_AFS_FS enabled in your kernel, for example, and you install
the keyutils package (dnf, rpm, apt, etc.), then you should be able to do:
mount -t afs none /mnt -o dyn
ls /afs/grand.central.org/software/
for example. That will go through a couple of automount points. Assuming you
don't have a kerberos login on those servers, however, you shouldn't be able
to add new mountpoints.
Someone watching the mount topology can see events when an automount is
enacted and when it expires, the latter being an event with the system as the
subject since the expiry is done on a timeout set by the kernel.
David
next prev parent reply other threads:[~2019-06-10 22:08 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-07 14:17 [RFC][PATCH 00/13] Mount, FS, Block and Keyrings notifications [ver #4] David Howells
2019-06-07 14:17 ` [PATCH 01/13] security: Override creds in __fput() with last fputter's creds " David Howells
2019-06-07 14:17 ` [PATCH 02/13] uapi: General notification ring definitions " David Howells
2019-06-07 15:12 ` Darrick J. Wong
2019-06-07 15:30 ` David Howells
2019-06-07 15:51 ` David Howells
2019-06-09 4:35 ` Randy Dunlap
2019-06-13 13:34 ` David Howells
2019-06-13 14:49 ` Randy Dunlap
2019-06-07 14:17 ` [PATCH 03/13] security: Add hooks to rule on setting a watch " David Howells
2019-06-07 14:17 ` [PATCH 04/13] security: Add a hook for the point of notification insertion " David Howells
2019-06-07 14:18 ` [PATCH 05/13] General notification queue with user mmap()'able ring buffer " David Howells
2019-06-07 14:18 ` [PATCH 06/13] keys: Add a notification facility " David Howells
2019-06-10 17:11 ` Jonathan Corbet
2019-06-10 17:47 ` David Howells
2019-06-07 14:18 ` [PATCH 07/13] vfs: Add a mount-notification " David Howells
2019-06-07 14:18 ` [PATCH 08/13] vfs: Add superblock notifications " David Howells
2019-06-07 14:18 ` [PATCH 09/13] fsinfo: Export superblock notification counter " David Howells
2019-06-07 14:18 ` [PATCH 10/13] Add a general, global device notification watch list " David Howells
2019-06-07 14:19 ` [PATCH 11/13] block: Add block layer notifications " David Howells
2019-06-07 14:19 ` [PATCH 12/13] usb: Add USB subsystem " David Howells
2019-06-07 14:19 ` [PATCH 13/13] Add sample notification program " David Howells
2019-06-10 15:21 ` [RFC][PATCH 00/13] Mount, FS, Block and Keyrings notifications " Stephen Smalley
2019-06-10 16:33 ` Casey Schaufler
2019-06-10 16:42 ` Andy Lutomirski
2019-06-10 18:01 ` Casey Schaufler
2019-06-10 18:22 ` Andy Lutomirski
2019-06-10 19:33 ` Casey Schaufler
2019-06-10 19:53 ` Andy Lutomirski
2019-06-10 21:25 ` Casey Schaufler
2019-06-11 0:13 ` Andy Lutomirski
2019-06-11 14:32 ` Stephen Smalley
2019-06-12 8:55 ` David Howells
2019-06-10 22:07 ` David Howells [this message]
2019-06-11 14:21 ` What do LSMs *actually* need for checks on notifications? David Howells
2019-06-11 15:57 ` Stephen Smalley
2019-06-11 16:22 ` Casey Schaufler
2019-06-12 11:43 ` David Howells
2019-06-13 18:46 ` Stephen Smalley
2019-06-12 17:41 ` David Howells
2019-06-12 18:14 ` Casey Schaufler
2019-06-12 18:36 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=29010.1560204466@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=casey@schaufler-ca.com \
--cc=gregkh@linuxfoundation.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=luto@kernel.org \
--cc=paul@paul-moore.com \
--cc=raven@themaw.net \
--cc=sds@tycho.nsa.gov \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).