From: Eric Biggers <ebiggers@kernel.org>
To: Daniil Lunev <dlunev@chromium.org>
Cc: Zdenek Kabelac <zdenek.kabelac@gmail.com>,
Brian Geffon <bgeffon@google.com>,
Mike Snitzer <snitzer@kernel.org>,
linux-kernel@vger.kernel.org, dm-devel@redhat.com,
Mikulas Patocka <mpatocka@redhat.com>,
Alasdair Kergon <agk@redhat.com>
Subject: Re: [dm-devel] [PATCH 1/1] dm: add message command to disallow device open
Date: Wed, 3 Aug 2022 21:49:50 +0000
Message-ID: <YurtfvdeYh0kLd+8@gmail.com>
In-Reply-To: <CAONX=-dCrJabyvt2S24kEJi38Pbuzj_4kvugoF_75PWV69bNJw@mail.gmail.com>

On Thu, Aug 04, 2022 at 06:44:53AM +1000, Daniil Lunev wrote:
> > Have you also considered unlinking the device node (/dev/dm-$idx) from the
> > filesystem after it has been set up for swap?
> Yes, the node can be re-linked with mknod, thus is not a suitable solution.

I thought you were trying to defend against path traversal attacks, not
arbitrary code execution? If your threat model includes arbitrary code
execution by root, you really need to be using SELinux.

- Eric