Re: [PATCH 2/2] fs: Limit sys_mount to only request filesystem modules.

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: ebiederm@xmission.com (Eric W. Biederman)
To: Vasily Kulikov <segoon@openwall.com>
Cc: Kees Cook <keescook@google.com>,
	Brad Spengler <spender@grsecurity.net>,
	Linux Containers <containers@lists.linux-foundation.org>,
	LKML <linux-kernel@vger.kernel.org>,
	linux-fsdevel@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>,
	PaX Team <pageexec@freemail.hu>, Dave Jones <davej@redhat.com>,
	kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 2/2] fs: Limit sys_mount to only request filesystem modules.
Date: Mon, 04 Mar 2013 10:36:01 -0800	[thread overview]
Message-ID: <87y5e3dnce.fsf@xmission.com> (raw)
In-Reply-To: <20130304173611.GA8500@cachalot> (Vasily Kulikov's message of "Mon, 4 Mar 2013 21:36:11 +0400")

Vasily Kulikov <segoon@openwall.com> writes:

> (cc'ed kernel-hardening)
>
> On Sun, Mar 03, 2013 at 23:51 -0800, Eric W. Biederman wrote:
>> Modify the request_module to prefix the file system type with "fs-"
>> and add aliases to all of the filesystems that can be built as modules
>> to match.
>> 
>> A common practice is to build all of the kernel code and leave code
>> that is not commonly needed as modules, with the result that many
>> users are exposed to any bug anywhere in the kernel.
>> 
>> Looking for filesystems with a fs- prefix limits the pool of possible
>> modules that can be loaded by mount to just filesystems trivially
>> making things safer with no real cost.
>> 
>> Using aliases means user space can control the policy of which
>> filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf
>> with blacklist and alias directives.  Allowing simple, safe,
>> well understood work-arounds to known problematic software.
>> 
>> This also addresses a rare but unfortunate problem where the filesystem
>> name is not the same as it's module name and module auto-loading
>> would not work.  While writing this patch I saw a handful of such
>> cases.  The most significant being autofs that lives in the module
>> autofs4.
>> 
>> This is relevant to user namespaces because we can reach the request
>> module in get_fs_type() without having any special permissions, and
>> people get uncomfortable when a user specified string (in this case
>> the filesystem type) goes all of the way to request_module.
>> 
>> After having looked at this issue I don't think there is any
>> particular reason to perform any filtering or permission checks beyond
>> making it clear in the module request that we want a filesystem
>> module.  The common pattern in the kernel is to call request_module()
>> without regards to the users permissions.  In general all a filesystem
>> module does once loaded is call register_filesystem() and go to sleep.
>> Which means there is not much attack surface exposed by loading a
>> filesytem module unless the filesystem is mounted.  In a user
>> namespace filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT,
>> which most filesystems do not set today.
>> 
>> Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
>> Acked-by: Kees Cook <keescook@chromium.org>
>> Reported-by: Kees Cook <keescook@google.com>
>> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
> ...
>> diff --git a/fs/filesystems.c b/fs/filesystems.c
>> index da165f6..92567d9 100644
>> --- a/fs/filesystems.c
>> +++ b/fs/filesystems.c
>> @@ -273,7 +273,7 @@ struct file_system_type *get_fs_type(const char *name)
>>  	int len = dot ? dot - name : strlen(name);
>>  
>>  	fs = __get_fs_type(name, len);
>> -	if (!fs && (request_module("%.*s", len, name) == 0))
>> +	if (!fs && (request_module("fs-%.*s", len, name) == 0))
>>  		fs = __get_fs_type(name, len);
>>  
>>  	if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
>
> Maybe we should divide request_module() into several functions regarding
> expected caller's privileges?
>
> - request_module() for CAP_SYS_MODULE in init_ns
> - request_module_relaxed() for everybody
>
> request_module_relaxed() is used in get_fs_type(), dev_load() and all
> places where the safety of module loading is manually checked.  All old
> not yet checked users of request_module() will not be triggerable from user_ns.
> That's the same scheme as with capable() and ns_capable().

User namespaces in this discussion are pretty much a red-herring.  You
can already reach most request_module callers without having any
capabilities.  And honestly that seems fine.

It never ever hurts to request a module.

It only sometimes when something else has already gone wrong hurts to
get the module.

It makes sense to add a prefix when sending the module request to make
it clear what kind of module we are looking for.  That makes it easy to
tell why we are requesting the module and makes it easy to implement
policy controls in userspace.

I don't see any reason to limit request_module to people with some
capability or other.  The filesystem module_request just happened to be
after a capable(CAP_SYS_AMDIN) in this case which is the case people
noticed was a little fishy.

But if I have overlooked something I am happy to hear it.

Eric

next prev parent reply	other threads:[~2013-03-04 18:36 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-03-02  1:22 user ns: arbitrary module loading Kees Cook
2013-03-03  0:57 ` Serge E. Hallyn
2013-03-03  1:18   ` Kees Cook
2013-03-03  3:56     ` Serge E. Hallyn
2013-03-03 10:14       ` [RFC][PATCH] fs: Limit sys_mount to only loading filesystem modules Eric W. Biederman
2013-03-03 15:29         ` Serge E. Hallyn
2013-03-03 18:30         ` Kees Cook
2013-03-03 17:48       ` user ns: arbitrary module loading Kees Cook
2013-03-04  8:29         ` Mathias Krause
2013-03-04 16:46           ` Kees Cook
2013-03-04 18:21             ` Eric W. Biederman
2013-03-04 18:41               ` Kees Cook
2013-03-03  4:12   ` Eric W. Biederman
2013-03-03 18:18     ` Kees Cook
2013-03-03 21:58       ` Eric W. Biederman
2013-03-04  2:35         ` Kees Cook
2013-03-04  3:54           ` Eric W. Biederman
2013-03-04  7:48           ` [PATCH 0/2] userns bug fixes for v3.9-rc2 for review Eric W. Biederman
2013-03-04  7:50             ` [PATCH 1/2] userns: Stop oopsing in key_change_session_keyring Eric W. Biederman
2013-03-04  7:51             ` [PATCH 2/2] fs: Limit sys_mount to only request filesystem modules Eric W. Biederman
2013-03-04 17:36               ` Vasily Kulikov
2013-03-04 18:36                 ` Eric W. Biederman [this message]
2013-03-05 19:06               ` Kay Sievers
2013-03-05 19:32                 ` Kees Cook
2013-03-05 23:24                 ` Eric W. Biederman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87y5e3dnce.fsf@xmission.com \
    --to=ebiederm@xmission.com \
    --cc=containers@lists.linux-foundation.org \
    --cc=davej@redhat.com \
    --cc=keescook@google.com \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pageexec@freemail.hu \
    --cc=segoon@openwall.com \
    --cc=spender@grsecurity.net \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox