lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8761v8os4k.fsf@tw-ebiederman.twitter.com>
Date:	Wed, 14 Aug 2013 14:54:35 -0700
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	Andy Lutomirski <luto@...capital.net>
Cc:	Miklos Szeredi <miklos@...redi.hu>,
	"Serge E. Hallyn" <serge@...lyn.com>,
	Al Viro <viro@...iv.linux.org.uk>,
	Linux-Fsdevel <linux-fsdevel@...r.kernel.org>,
	Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: DoS with unprivileged mounts

Andy Lutomirski <luto@...capital.net> writes:

> On Wed, Aug 14, 2013 at 12:53 PM, Eric W. Biederman
> <ebiederm@...ssion.com> wrote:
>> Andy Lutomirski <luto@...capital.net> writes:
>>
>>> On 08/14/2013 10:42 AM, Miklos Szeredi wrote:
>>>> There's a simple and effective way to prevent unlink(2) and rename(2)
>>>> from operating on any file or directory by simply mounting something
>>>> on it.  In any mount instance in any namespace.
>>>>
>>>> Was this considered in the unprivileged mount design?
>>>>
>>>> The solution is also theoretically simple: mounts in unpriv namespaces
>>>> are marked "volatile" and are dissolved on an unlink type operation.
>>>
>>> I'd actually prefer the reverse: unprivileged mounts don't prevent
>>> unlink and rename.  If the dentry goes away, then the mount could still
>>> exist, sans underlying file.  (This is already supported on network
>>> filesystems.)
>>
>> Of course we do this in network filesystems by pretending the
>> rename/unlink did not actually happen.  The vfs insists that it be lied
>> to instead of mirroring what actually happened.
>>
>> Again all of this is a question about efficient data structures and not
>> really one of semantics.  Can either semantic be implemented in such a
>> way that it does not slow down the vfs?
>
> Given that vfs_unlink has:
>
> 	if (d_mountpoint(dentry))
> 		error = -EBUSY;
>
> I think it's just a matter of changing / deleting that code.

Deleting the code is completely unacceptable as it generates mounts that
can never be unmounted.

Changing this code is what we were discussing.  My point is that an
efficient replacement is not immediately obvious, and a solution that
degrades the performance of the fast path of the vfs to make this case
work better is not likely to be acceptable.

Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ