lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Apr 2022 21:35:56 -0400 From: "Theodore Ts'o" <tytso@....edu> To: Gabriel Krisman Bertazi <krisman@...labora.com> Cc: Zhang Yi <yi.zhang@...wei.com>, linux-ext4@...r.kernel.org, adilger.kernel@...ger.ca, jack@...e.cz, yukuai3@...wei.com, yebin10@...wei.com, liuzhiqiang26@...wei.com, liangyun2@...wei.com Subject: Re: [RFC PATCH] ext4: add unmount filesystem message On Tue, Apr 12, 2022 at 12:01:37PM -0400, Gabriel Krisman Bertazi wrote: > Zhang Yi <yi.zhang@...wei.com> writes: > > > Now that we have kernel message at mount time, system administrator "Now that we have...." is a bit misleading, since (at least to an English speaker) that this is something that was recently added, and that's not the case. > > could acquire the mount time, device and options easily. But we don't > > have corresponding unmounting message at umount time, so we cannot know > > if someone umount a filesystem easily. Some of the modern filesystems > > (e.g. xfs) have the umounting kernel message, so add one for ext4 > > filesystem for convenience. > > > > EXT4-fs (sdb): mounted filesystem with ordered data mode. Quota mode: none. > > EXT4-fs (sdb): unmounting filesystem. > > I don't think sysadmins should be relying on the kernel log for this, > since the information can easily be overwritten by new messages there. > Is there a reason why you can't just monitor /proc/self/mountinfo? You're right that it can be dangerous for sysadmins to be relying on the kernel log for mount and umount notifications --- but it depends on what they think it means, and the potential pitfalls are there for both the mount and unmount messages. The problem of course, is that bind mounts, and mount name spaces, so if the question is whether a file system is available at a particular mount point, then using the kernel log is definitely not going to be reliable. But if the goal is to determine whether a particular device is safe to run fsck or otherwise access directly, or for the purposes of debugging the kernel and looking at the logs to understand when the device is being accessed by the kernel and when the file system is done with the device, I can see how it might be useful. Cheers, - Ted
Powered by blists - more mailing lists