Date:	Tue,  2 Sep 2014 10:44:53 -0500
From:	Seth Forshee <seth.forshee@...onical.com>
To:	Miklos Szeredi <miklos@...redi.hu>
Cc:	Alexander Viro <viro@...iv.linux.org.uk>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Serge Hallyn <serge.hallyn@...ntu.com>,
	fuse-devel@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
	linux-fsdevel@...r.kernel.org,
	Seth Forshee <seth.forshee@...onical.com>
Subject: [PATCH v2 0/3] fuse: Add support for mounts from pid/user namespaces

Here's an updated set of patches for allowing fuse mounts from pid and
user namespaces. I discussed some of the issues we debated with the last
patch set (and a few others) with Eric at LinuxCon, and the updates here
mainly reflect the outcome of those discussions.

The stickiest issue in the v1 patches was the question of where to get
the user and pid namespaces from that are used for translating ids for
communication with userspace. Eric told me that for user namespaces at
least we need to grab a namespace at open or mount time and use only
that namespace to prevent certain types of attacks. That rules out the
suggestion of using the user ns of current in the read/write paths, and
I think it makes sense to handle pid and user namespaces similarly. So
in these patches I'm still grabbing the namespaces of current during
mount, but I've added an additional check to fail the mount if the
f_cred's userns for the fd to userspace doesn't match.

Another issue mentioned by Eric was what to use for i_[ug]id if the ids
from userspace don't map into the user namespace, which is going to be a
problem for any other filesystems which become mountable from user
namespaces as well. We discussed a few options for addressing this, the
most promising of which seems to be either using INVALID_[UG]ID for
these inodes or creating vfs-wide "nobody" ids for this purpose. After
thinking about it for a while I'm favoring using the invalid ids, but
I'm hoping to solicit some more feedback.

For now these patches are using invalid ids if the user doesn't map into
the namespace. I went through the vfs code and found one place where
this could be handled better (addressed in patch 1 of the series). The
only other issue I found was that currently no one, not even root, can
change ownership of such inodes, but I suspect we can find a way around
this.

The only other change since v1 is that I now fail changing file
ownership if the new uid or gid does not map into the namespace used for
userspace communication.

Thanks,
Seth


Seth Forshee (3):
  vfs: Check for invalid i_uid in may_follow_link()
  fuse: Translate pids passed to userspace into pid namespaces
  fuse: Add support for mounts from user namespaces

 fs/fuse/dev.c    | 13 +++++++------
 fs/fuse/dir.c    | 46 +++++++++++++++++++++++++++++++++-------------
 fs/fuse/fuse_i.h |  8 ++++++++
 fs/fuse/inode.c  | 31 +++++++++++++++++++++++--------
 fs/namei.c       |  2 +-
 5 files changed, 72 insertions(+), 28 deletions(-)
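The cover letter describes three rules for a FUSE mount made from inside a user namespace: the namespace used for id translation is fixed at mount time and the mount is refused if the userspace fd's f_cred belongs to a different user namespace, ids reported by the daemon that do not map into that namespace become invalid ids rather than being aliased to some other user, and a chown to an id that cannot be expressed in that namespace is refused. The following is an added userspace model of those rules, not code from the patch series or from fs/fuse; the kernel's kuid_t/from_kuid/make_kuid are replaced by plain integers and a small uid_map table, the function names and the -1 "refused" return are assumptions, and the sample namespace mapping (container uids 0..65535 onto host uids 100000..165535) is constructed for the example.

```c
/* Userspace model of FUSE id translation through a user namespace.
 * Not kernel code: the kuid_t here is a plain uint32_t and the uid_map is
 * a small array standing in for the kernel's struct user_namespace. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t nsuid_t;  /* uid as seen inside a namespace (what the daemon sends) */
typedef uint32_t kuid_t;   /* kernel-internal global uid (what i_uid holds) */

#define INVALID_KUID   ((kuid_t)-1)   /* model of INVALID_UID */
#define OVERFLOW_NSUID ((nsuid_t)-1)  /* "does not map" when translating back */

/* One line of /proc/<pid>/uid_map: first lower_first count */
struct uid_map_extent {
    nsuid_t  first;        /* first uid inside the namespace */
    kuid_t   lower_first;  /* corresponding global (parent) uid */
    uint32_t count;
};

struct user_ns {
    const char *name;
    struct uid_map_extent map[4];
    unsigned nr_extents;
};

/* Model of make_kuid(): namespace-local uid -> global kuid, or INVALID_KUID. */
kuid_t model_make_kuid(const struct user_ns *ns, nsuid_t uid)
{
    for (unsigned i = 0; i < ns->nr_extents; i++) {
        const struct uid_map_extent *e = &ns->map[i];
        if (uid >= e->first && uid - e->first < e->count)
            return e->lower_first + (uid - e->first);
    }
    return INVALID_KUID;
}

/* Model of from_kuid(): global kuid -> namespace-local uid, or OVERFLOW_NSUID. */
nsuid_t model_from_kuid(const struct user_ns *ns, kuid_t kuid)
{
    for (unsigned i = 0; i < ns->nr_extents; i++) {
        const struct uid_map_extent *e = &ns->map[i];
        if (kuid >= e->lower_first && kuid - e->lower_first < e->count)
            return e->first + (kuid - e->lower_first);
    }
    return OVERFLOW_NSUID;
}

/* Rule 1 (mount time): the namespace grabbed from current at mount must be
 * the one the userspace fd's f_cred belongs to; modelled as identity. */
bool fuse_mount_ns_ok(const struct user_ns *mount_ns, const struct user_ns *fd_cred_ns)
{
    return mount_ns == fd_cred_ns;
}

/* Rule 2 (reply from daemon): an unmapped uid yields INVALID_KUID for
 * i_uid instead of silently becoming some other user's id. */
kuid_t fuse_inode_uid(const struct user_ns *mount_ns, nsuid_t uid_from_daemon)
{
    return model_make_kuid(mount_ns, uid_from_daemon);
}

/* Rule 3 (chown): a new owner that cannot be expressed in the mount's
 * namespace cannot be sent to the daemon, so the change is refused.
 * Returns 0 if allowed, -1 if refused (the real error code is not modelled). */
int fuse_chown_check(const struct user_ns *mount_ns, kuid_t new_owner)
{
    return model_from_kuid(mount_ns, new_owner) == OVERFLOW_NSUID ? -1 : 0;
}

/* Constructed sample namespaces for the example. */
const struct user_ns *container_ns(void)
{
    static const struct user_ns ns = { "container", { { 0, 100000, 65536 } }, 1 };
    return &ns;
}

const struct user_ns *init_ns(void)
{
    static const struct user_ns ns = { "init", { { 0, 0, 4294967295u } }, 1 };
    return &ns;
}

int main(void)
{
    const struct user_ns *c = container_ns();

    printf("mount from container with fd opened in init ns allowed: %d\n",
           fuse_mount_ns_ok(c, init_ns()));
    printf("daemon reports uid 5     -> i_uid %u\n", fuse_inode_uid(c, 5));
    printf("daemon reports uid 70000 -> i_uid %u (invalid)\n", fuse_inode_uid(c, 70000));
    printf("chown to host uid 1000   -> %d\n", fuse_chown_check(c, 1000));
    printf("chown to host uid 100042 -> %d (daemon sees uid %u)\n",
           fuse_chown_check(c, 100042), model_from_kuid(c, 100042));
    return 0;
}
```

The model makes the attack the mount-time check closes easy to see: if translation used the caller's namespace on each read or write instead of the one fixed at mount, a daemon fd handed to a process in a differently mapped namespace would have its ids reinterpreted under that process's map.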
