lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 21 Mar 2008 19:49:31 +0000
From:	Al Viro <viro@...IV.linux.org.uk>
To:	Miklos Szeredi <miklos@...redi.hu>
Cc:	haveblue@...ibm.com, linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org, neilb@...e.de,
	akpm@...ux-foundation.org, hch@...radead.org,
	linux-security-module@...r.kernel.org, jmorris@...ei.org
Subject: Re: r-o bind in nfsd

On Fri, Mar 21, 2008 at 07:52:35PM +0100, Miklos Szeredi wrote:
> > > > And having the vfsmount available within vfs_...() functions means,
> > > > that the mnt_want_write() check can be moved inside, which means that
> > > > callers get simpler and less likely to be buggy.  Those are all
> > > > advantages IMO, regardless of any security module issues.
> > > 
> > > Or we can introduce another set of exported functions (path_mkdir(),
> > > ...), and leave vfs_...() alone.  And then the only question is if
> > > LSM's can live with ordering change.
> > 
> > I really don't see the point of new helpers; especially since one doesn't
> > have to _have_ vfsmount to use the old ones and since we don't have a lot
> > of users of each of those to start with.
> 
> Traditionally we have syscalls, and nfsd.  Both of them want the
> security checks, and I think nfsd wants the read-only mount checking
> as well, but I'm not entirely sure.  Maybe we can handle that by just
> making nfsd acquire a write-ref on the mount and keep it while it's
> exported.
> 
> Then there's ecryptfs and unionfs, which probably need neither, but it
> wouldn't hurt to do them anyway.
> 
> Still, even if there are only two callers, then moving stuff to up
> doesn't make any sense.  Passing down a struct path is free for the
> syscall case, it doesn't consume any stack space or extra CPU.  Do
> please tell, why would that be such a bad thing?

Because we'd been that way before; see the shitpiles around ->lookup()
getting nameidata, etc.  You'll end up with some callers passing NULL
as ->mnt since they don't have anything better to pass, some stuff
called *from* the damn thing caring to check for ->mnt being NULL,
some stuff not caring about what ->mnt is at all and some assuming
that it's not NULL.  Which will lead to exploding combinations that
won't be noticed until somebody steps into such config.

As for the vfsmount-dependent checks (and any kind of MAC, while we are
at it)...  They belong to callers, exactly because different callers may
want different (amount of) checks.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ