Message-ID: <87boax8m78.fsf@xmission.com>
Date:	Tue, 05 Mar 2013 15:24:11 -0800
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	Kay Sievers <kay@...y.org>
Cc:	Kees Cook <keescook@...gle.com>,
	"Serge E. Hallyn" <serge@...lyn.com>,
	LKML <linux-kernel@...r.kernel.org>,
	Serge Hallyn <serge.hallyn@...onical.com>,
	Brad Spengler <spender@...ecurity.net>,
	Al Viro <viro@...iv.linux.org.uk>,
	PaX Team <pageexec@...email.hu>, linux-fsdevel@...r.kernel.org,
	Linux Containers <containers@...ts.linux-foundation.org>,
	Dave Jones <davej@...hat.com>
Subject: Re: [PATCH 2/2] fs: Limit sys_mount to only request filesystem modules.

Kay Sievers <kay@...y.org> writes:

> On Mon, Mar 4, 2013 at 8:51 AM, Eric W. Biederman <ebiederm@...ssion.com> wrote:
>>
>> Modify the request_module to prefix the file system type with "fs-"
>> and add aliases to all of the filesystems that can be built as modules
>> to match.
>>
>> A common practice is to build all of the kernel code and leave code
>> that is not commonly needed as modules, with the result that many
>> users are exposed to any bug anywhere in the kernel.
>>
>> Looking for filesystems with a fs- prefix limits the pool of possible
>> modules that can be loaded by mount to just filesystems trivially
>> making things safer with no real cost.
>
> '-' is a commonly used part of a module name, and does not mix well
> with random user provided names.

The symbols '-' and '_' occur in 2382 out of 3968 modules from an
allmodconfig build, and modprobe ignores the difference between the two.
However only three of those modules begin with fs and none of them begin
with fs-.

Furthermore if it actually becomes a concern to ensure we are talking
about an alias rather than a real module name, the solution is to
change how we call modprobe.  As long as we are in the same namespace
something can go wrong.

fs- seems sufficiently unique for the purpose.

> We usually use ':' as the prefix separator for modaliases, when
> user-supplied strings are prefixed with the subsystem.

There are at least two different conventions in use.  For software
subsystems like the networking stack '-' is commonly used
to separate the prefix.  For hardware specific subsystems ':' is
commonly used.  What I really don't want to load here are hardware
modules so using a hardware module style convention does not seem like
the right way to go.

> I think it would be nicer to change that, and I'm sure some creative
> guy calls the next filesystem of the month fs-$something :)

If it is a filesystem it simply does not matter.  The goal is to
only load filesystems.

If it is not a filesystem someone has chosen a confusing naming
convention.

If it turns out I am wrong it is a two line change.

Eric
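
A simplified userspace model of the lookup discussed in this message, added here as an example; it is not part of the original message, the patch, or modprobe. The module table is constructed, `fs_helper` is a hypothetical non-filesystem module, and `same`, `resolve`, `mount_old` and `mount_new` are names assumed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed module table: module name plus optional "fs-" alias. */
struct mod { const char *name, *alias; };
static const struct mod mods[] = {
    { "ext4",          "fs-ext4" },  /* filesystem, aliased by the patch */
    { "snd_hda_intel", NULL },       /* hardware driver, no fs- alias */
    { "fs_helper",     NULL },       /* hypothetical non-filesystem module */
};

/* Compare two names the way modprobe does: '-' and '_' are equal. */
static int same(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        char x = *a == '-' ? '_' : *a, y = *b == '-' ? '_' : *b;
        if (x != y) return 0;
    }
    return *a == *b;
}

/* Aliases and module names share one namespace in this model. */
static const char *resolve(const char *req)
{
    for (size_t i = 0; i < sizeof mods / sizeof mods[0]; i++)
        if (same(req, mods[i].name) ||
            (mods[i].alias && same(req, mods[i].alias)))
            return mods[i].name;
    return NULL;
}

/* Before the patch: the user-supplied type is requested as-is. */
static const char *mount_old(const char *fstype) { return resolve(fstype); }

/* After the patch: the request is "fs-" followed by the type. */
static const char *mount_new(const char *fstype)
{
    char req[64];
    snprintf(req, sizeof req, "fs-%s", fstype);
    return resolve(req);
}

int main(void)
{
    const char *t[] = { "ext4", "snd-hda-intel", "helper" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s old=%d new=%d\n", t[i], !!mount_old(t[i]), !!mount_new(t[i]));
    return 0;
}
```

The third test name shows the shared-namespace case raised in the thread: a real module whose name normalizes to `fs_<type>` still resolves under the prefix.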