From: ebiederm@xmission.com (Eric W. Biederman)
To: Kay Sievers <kay@vrfy.org>
Cc: Kees Cook <keescook@google.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
LKML <linux-kernel@vger.kernel.org>,
Serge Hallyn <serge.hallyn@canonical.com>,
Brad Spengler <spender@grsecurity.net>,
Al Viro <viro@zeniv.linux.org.uk>,
PaX Team <pageexec@freemail.hu>,
linux-fsdevel@vger.kernel.org,
Linux Containers <containers@lists.linux-foundation.org>,
Dave Jones <davej@redhat.com>
Subject: Re: [PATCH 2/2] fs: Limit sys_mount to only request filesystem modules.
Date: Tue, 05 Mar 2013 15:24:11 -0800
Message-ID: <87boax8m78.fsf@xmission.com>
In-Reply-To: <CAPXgP11AB7=2oeXtxb0so4a8hms7-_UWJDVE=6kndU062tGycQ@mail.gmail.com> (Kay Sievers's message of "Tue, 5 Mar 2013 20:06:45 +0100")

Kay Sievers <kay@vrfy.org> writes:

> On Mon, Mar 4, 2013 at 8:51 AM, Eric W. Biederman <ebiederm@xmission.com> wrote:
>>
>> Modify the request_module to prefix the file system type with "fs-"
>> and add aliases to all of the filesystems that can be built as modules
>> to match.
>>
>> A common practice is to build all of the kernel code and leave code
>> that is not commonly needed as modules, with the result that many
>> users are exposed to any bug anywhere in the kernel.
>>
>> Looking for filesystems with a fs- prefix limits the pool of possible
>> modules that can be loaded by mount to just filesystems trivially
>> making things safer with no real cost.
>
> '-' is a commonly used part of a module name, and does not mix well
> with random user provided names.

The symbols '-' and '_' occur in 2382 out of 3968 modules from an
allmodconfig build, and modprobe ignores the difference between the two.
However only three of those modules begin with fs and none of them begin
with fs-.

Furthermore if it actually becomes a concern to ensure we are talking
about an alias rather than a real module name, the solution is to
change how we call modprobe. As long as we are in the same namespace
something can go wrong.

fs- seems sufficiently unique for the purpose.

> We usually use ':' as the prefix separator for modaliases, when
> user-supplied strings are prefixed with the subsystem.

There are at least two different conventions in use. For software
subsystems like the networking stack '-' is commonly used
to separate the prefix. For hardware specific subsystems ':' is
commonly used. What I really don't want to load here are hardware
modules so using a hardware module style convention does not seem like
the right way to go.

> I think it would be nicer to change that, and I'm sure some creative
> guy calls the next filesystem of the month fs-$something :)

If it is a filesystem it simply does not matter. The goal is to
only load filesystems.

If it is not a filesystem someone has chosen a confusing naming
convention.

If it turns out I am wrong it is a two line change.

Eric
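
An added illustration, not part of the message above or of the patch it discusses: a simplified Python model of how a mount-triggered module request resolves with and without the "fs-" prefix, including the '-'/'_' equivalence and the check for real module names that collide with the prefix. The alias entries, module list and helper names are constructed for this example, and the lookup is a simplification of what modprobe does.

```python
import fnmatch

# Constructed modules.alias-style entries ("alias <pattern> <module>").
SAMPLE_ALIASES = """\
alias fs-ext4 ext4
alias fs-nfs4 nfs
alias net-pf-10 ipv6
"""
# Constructed list of module names installed on the hypothetical host.
SAMPLE_MODULES = ["ext4", "nfs", "ipv6", "e1000", "fscache", "snd-pcm"]

def norm(name):
    """modprobe ignores the difference between '-' and '_'."""
    return name.replace("-", "_")

def parse_aliases(text):
    """Return (pattern, module) pairs from modules.alias-style text."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "alias":
            pairs.append((norm(parts[1]), norm(parts[2])))
    return pairs

def resolve(request, aliases, modules):
    """Simplified lookup: a request matches an alias pattern or a module name."""
    req = norm(request)
    hits = {mod for pat, mod in aliases if fnmatch.fnmatchcase(req, pat)}
    hits |= {norm(m) for m in modules if norm(m) == req}
    return hits

def mount_request(fstype, prefixed):
    """String handed to modprobe for an unknown filesystem type."""
    return "fs-" + fstype if prefixed else fstype

def names_with_prefix(modules, prefix):
    """Real module names that would collide with the alias prefix."""
    return sorted(m for m in modules if norm(m).startswith(norm(prefix)))

if __name__ == "__main__":
    aliases = parse_aliases(SAMPLE_ALIASES)
    for fstype in ["ext4", "nfs4", "snd_pcm", "e1000"]:
        old = resolve(mount_request(fstype, False), aliases, SAMPLE_MODULES)
        new = resolve(mount_request(fstype, True), aliases, SAMPLE_MODULES)
        print(f"{fstype:8} unprefixed={sorted(old)} prefixed={sorted(new)}")
    print("names starting with fs-:", names_with_prefix(SAMPLE_MODULES, "fs-"))
```
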