[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <29010.1560204466@warthog.procyon.org.uk>
Date: Mon, 10 Jun 2019 23:07:46 +0100
From: David Howells <dhowells@...hat.com>
To: Casey Schaufler <casey@...aufler-ca.com>
Cc: dhowells@...hat.com, Andy Lutomirski <luto@...nel.org>,
Stephen Smalley <sds@...ho.nsa.gov>,
Al Viro <viro@...iv.linux.org.uk>,
USB list <linux-usb@...r.kernel.org>,
LSM List <linux-security-module@...r.kernel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
raven@...maw.net, Linux FS Devel <linux-fsdevel@...r.kernel.org>,
Linux API <linux-api@...r.kernel.org>,
linux-block@...r.kernel.org, keyrings@...r.kernel.org,
LKML <linux-kernel@...r.kernel.org>,
Paul Moore <paul@...l-moore.com>
Subject: Re: [RFC][PATCH 00/13] Mount, FS, Block and Keyrings notifications [ver #4]
Casey Schaufler <casey@...aufler-ca.com> wrote:
> Process A and process B both open /dev/null.
> A and B can write and read to their hearts content
> to/from /dev/null without ever once communicating.
> The mutual accessibility of /dev/null in no way implies that
> A and B can communicate. If A can set a watch on /dev/null,
> and B triggers an event, there still has to be an access
> check on the delivery of the event because delivering an event
> to A is not an action on /dev/null, but on A.
If a process has the privilege, it appears that fanotify() allows that process
to see others accessing /dev/null (FAN_ACCESS, FAN_ACCESS_PERM). There don't
seem to be any LSM checks there either.
On the other hand, the privilege required is CAP_SYS_ADMIN,
> > The mount tree can't be modified by unprivileged users, unless a
> > privileged user very carefully configured it as such.
>
> "Unless" means *is* possible. In which case access control is
> required. I will admit to being less then expert on the extent
> to which mounts can be done without privilege.
Automounts in network filesystems, for example.
The initial mount of the network filesystem requires local privilege, but then
mountpoints are managed with remote privilege as granted by things like
kerberos tickets. The local kernel has no control.
If you have CONFIG_AFS_FS enabled in your kernel, for example, and you install
the keyutils package (dnf, rpm, apt, etc.), then you should be able to do:
mount -t afs none /mnt -o dyn
ls /afs/grand.central.org/software/
for example. That will go through a couple of automount points. Assuming you
don't have a kerberos login on those servers, however, you shouldn't be able
to add new mountpoints.
Someone watching the mount topology can see events when an automount is
enacted and when it expires, the latter being an event with the system as the
subject since the expiry is done on a timeout set by the kernel.
David
Powered by blists - more mailing lists