lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 3 Aug 2018 12:30:49 -0700
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     Zdenek Kabelac <zkabelac@...hat.com>
Cc:     Jens Axboe <axboe@...nel.dk>, Sagi Grimberg <sagi@...mberg.me>,
        Mike Snitzer <snitzer@...hat.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        linux-block <linux-block@...r.kernel.org>, dm-devel@...hat.com,
        Ilya Dryomov <idryomov@...il.com>, wgh@...lan.ru
Subject: Re: [dm-devel] LVM snapshot broke between 4.14 and 4.16

On Fri, Aug 3, 2018 at 12:18 PM Zdenek Kabelac <zkabelac@...hat.com> wrote:
>
>  From my userland POV - leaving kernel write to devices that are supposed to
> be read-only  'just because' it's kernel is wrong - the fact it has NOT been
> discover for so long means - there are not many users and not many testers of
> this combination.

Sure. But at the same time, the "read-only" issue from a _security_
standpoint should never be about some device state.

Why? Because the Unix security rules aren't about "read-only devices".
They are about permissions, and if you don't want your users to have
write permissions to a device, then they shouldn't have those
permissions.

So the "set_disk_ro()" interface is simply not for security. Anybody
who uses it for security is seriously confused.

No, the "set_disk_ro()" interface is so that you can say "you
physically cannot write to this medium". It's meant for things like
CD-ROM devices, or for a floppy device when you notice that the
controller reports that the floppy itself is physically
write-protected.

THAT is what the new code checks for, and that is also why ignoring
the check really shouldn't be a security issue.

Because if it turns out that somebody wrote to it, and the write
succeeded, then obviously the "set_disk_ro()" usage was simply wrong.

Now, I do agree that it 100% makes sense to have a layer like md/lvm
be able to virtually mark volumes read-only. If only exactly to
emulate the "this is like a write-protected floppy or a cd-rom"
behavior.

So the DM_READONLY_FLAG makes conceptual sense.

But at the same time, if the DM_READONLY_FLAG was _wrong_, then it
also makes a ton of sense to just say "oh, it was wrong, we'll ignore
it".

Exactly because it was never supposed to be about security, and it was
about other things.

See?

              Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ