[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20181001225325.GJ18567@dastard>
Date: Tue, 2 Oct 2018 08:53:25 +1000
From: Dave Chinner <david@...morbit.com>
To: "Theodore Y. Ts'o" <tytso@....edu>,
Alan Cox <gnomes@...rguk.ukuu.org.uk>,
TongZhang <ztong@...edu>, darrick.wong@...cle.com,
linux-xfs@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>,
linux-security-module@...r.kernel.org,
Wenbo Shen <shenwenbosmile@...il.com>
Subject: Re: Leaking Path in XFS's ioctl interface(missing LSM check)
On Mon, Oct 01, 2018 at 11:25:29AM -0400, Theodore Y. Ts'o wrote:
> On Mon, Oct 01, 2018 at 04:04:42PM +0100, Alan Cox wrote:
> > > Systems restricted by LSMs to the point where CAP_SYS_ADMIN is not
> > > trusted have exactly the same issues. i.e. there's nobody trusted by
> > > the kernel to administer the storage stack, and nobody has defined a
> > > workable security model that can prevent untrusted users from
> > > violating the existing storage trust model....
> >
> > With a proper set of LSM checks you can lock the filesystem management
> > and enforcement to a particular set of objects. You can build that model
> > where for example only an administrative login from a trusted console may
> > launch processes to do that management.
> >
> > Or you could - if things were not going around the LSM hooks.
>
> It would be useful if anyone actually *wants* to do this thing to
> define a formal security model, and detail *everything* that would
> need to be changed in order to accomplish it. Just as we don't
> speculatively add code "just in case" someone might want to use it
> someday, I don't think we should be adding random LSM hooks just
> becausre someone *might* want do something.
Yeah, that's what I was implying we needed to do - taking the
current model and slapping LSM hooks around randomly will only make
things break and cause admins to curse us....
> Let's see the use case, and let's see how horrible the changes would
> need to be, and how credible we think it is that someone will actually
> want to *use* it. I suspect the chagnes will be a really huge number
> of places, and not just in XFS....
So do I - the "in root we trust" model is pretty deeply ingrained up
and down the storage stack. I also suspect that most of our hardware
admin (not just storage) has similar assumptions about the security
model they operate in.
Cheers,
Dave.
--
Dave Chinner
david@...morbit.com
Powered by blists - more mailing lists