lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CA+2rt423x-EiF=9x2zRTM35hzWOv=rH1urifRTCdpE_p=GO9FQ@mail.gmail.com>
Date:	Wed, 20 Jul 2016 15:28:21 -0700
From:	Sheng Yang <sheng@...ker.org>
To:	Seth Forshee <seth.forshee@...onical.com>
Cc:	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Miklos Szeredi <miklos@...redi.hu>,
	Alexander Viro <viro@...iv.linux.org.uk>,
	Serge Hallyn <serge.hallyn@...onical.com>,
	Richard Weinberger <richard.weinberger@...il.com>,
	Austin S Hemmelgarn <ahferroin7@...il.com>,
	Miklos Szeredi <mszeredi@...hat.com>,
	Pavel Tikhomirov <ptikhomirov@...tuozzo.com>,
	kernel list <linux-kernel@...r.kernel.org>,
	linux-bcache@...r.kernel.org, dm-devel@...hat.com,
	linux-raid@...r.kernel.org, linux-mtd@...ts.infradead.org,
	linux-fsdevel@...r.kernel.org, fuse-devel@...ts.sourceforge.net,
	linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov,
	cgroups@...r.kernel.org
Subject: Re: [PATCH v4 18/21] fuse: Add support for pid namespaces

On Wed, Jul 20, 2016 at 5:52 AM, Seth Forshee
<seth.forshee@...onical.com> wrote:
> On Tue, Jul 19, 2016 at 07:44:11PM -0700, Sheng Yang wrote:
>> On Tue, Apr 26, 2016 at 12:36 PM, Seth Forshee
>> <seth.forshee@...onical.com> wrote:
>> > When the userspace process servicing fuse requests is running in
>> > a pid namespace then pids passed via the fuse fd are not being
>> > translated into that process' namespace. Translation is necessary
>> > for the pid to be useful to that process.
>> >
>> > Since no use case currently exists for changing namespaces all
>> > translations can be done relative to the pid namespace in use
>> > when fuse_conn_init() is called. For fuse this translates to
>> > mount time, and for cuse this is when /dev/cuse is opened. IO for
>> > this connection from another namespace will return errors.
>> >
>> > Requests from processes whose pid cannot be translated into the
>> > target namespace are not permitted, except for requests
>> > allocated via fuse_get_req_nofail_nopages. For no-fail requests
>> > in.h.pid will be 0 if the pid translation fails.
>>
>> Hi Seth,
>>
>> This patch caused a regression in our major container use case with
>> FUSE in Ubuntu 16.04, as patch was checked in as Ubuntu Sauce in
>> Ubuntu 4.4.0-6.21 kernel.
>>
>> The use case is:
>> 1. Create a Docker container.
>> 2. Inside the container, start the FUSE backend, and mounted fs.
>> 3. Following step 2 in the container, create a loopback device to map
>> a file in the mounted fuse to create a block device, which will be
>> available to the whole system.
>>
>> It works well before this commit.
>>
>> The use case is broken because no matter which namespace losetup runs,
>> the real request from loopback device seems always come from init ns,
>> thus it will be in different ns running fuse backend. So the request
>> will got denied, because the ns running fuse won't able to see the
>> things from higher level(level 0 in fact) pid namespace.
>>
>> I think since init pid ns has ability to access any process in the
>> system, it should able to access the fuse mounted by any pid namespace
>> process as well.
>>
>> What you think?
>
> It sounds like we need to remove the restriction on accessing the
> filesystem from a different pid namespace. I don't think this poses a
> security problem. However there's no pid mapping that is usable by the
> userspace fuse process, so what do we put in the fuse request? Probably
> the only candidates are 0 and 0xffffffff.

Thanks Seth, I don't think it will be a security problem either, if we
remove the restriction.

>
> So a question for the fuse developers - is one value or the other
> preferrable for fuse_in_header.pid when the pid cannot be mapped, and is
> this going to cause problems for any fuse filesystems? I suspect that
> few filesystems actually look at the pid anyway, and already for a
> filesystem mounted in a pid namespace the values being given to
> userspace won't be correct for the namespace of the fuse process.
>

At least in our system we're not looking into the pid at all.

--Sheng

> Seth
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ