lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 8 Oct 2017 19:15:46 -0500 From: Ram Pai <linuxram@...ibm.com> To: Dawid Ciezarkiewicz <dawid.ciezarkiewicz@...rik.com> Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org Subject: Re: Read-only `slaves` with shared subtrees? On Fri, Sep 29, 2017 at 04:02:42PM -0700, Dawid Ciezarkiewicz wrote: > On Fri, Sep 22, 2017 at 11:43 AM, Dawid Ciezarkiewicz > <dawid.ciezarkiewicz@...rik.com> wrote: > > On Thu, Sep 21, 2017 at 12:14 PM, Ram Pai <linuxram@...ibm.com> wrote: > >> Here is a patch that accomplishes the job. tested to work with > >> some simple use cases. check if this works for you. If it does > >> than we will have to think through all the edge cases and make it > >> acceptable. > > > > From your experiments, it looks exactly right. > > > > I'll give it a try in the upcoming week. Thank you! > > > I've reproduced your setup and results. > > I've played with it for a while, mostly checking some recursive mount scenarios. > My biggest concern is transitivity of the RO attribute. Once a root of > slave directory > is set to be RO + STICKY, it is very important that host directories > propagated there, > even recursively (rslave), or any other, are not RW. From what I was > able to test, everything > seemed OK, but I don't grok all the semantics around it, so I'm just > pointing it out, as I might > have missed something. yes it will be RO. the patch takes care of that. > > One thing that I don't plan to use, but might be worth thinking about is > `slave + RW + STICKY` combination. If `master` mounts something RO, > and `slave` > is `RW + STICKY`, should the mount appear RW inside the slave? I don't > find it particularly useful, > but still... As per the implemented semantics it will become "RW". Should it be "RO" aswell? Will that open up security holes? > > Another thing that popped into my head: Is it worth considering any > dynamic changes to `slave`'s > RO status? It complicates everything a lot (it seems to me), since it > adds a retroactive > dynamic propagation. I don't currently have any plans to use it, but I > could imagine scenarios > in which a slave mount with all it's sub-mounts is remounted from RO > to RW, in response to > some external authorization trigger. The sematics should be something like this. Check if it makes sense. a) anything mounted under stick-mount will be a sticky-mount and will inherit the mount's access-attribute;i.e RO RW attribute. b) a mount when made sticky will propagate its sticky attribute as well as its access-attribute recursively to its children c) anything mounted under non-sticky mount will not inherit the mount's access-attribute and will be non-sticky aswell. d) a mount when made non-sticky will just change itself to non-sticky. (will NOT propagate its non-sticky attribute and its access-attribue recursively to its children.) Will this work? > Regards, > Dawid Ciezarkiewicz -- Ram Pai
Powered by blists - more mailing lists