lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <0f24065ec6aaf654602f03e241747efa4fbe73fd.camel@themaw.net>
Date:   Mon, 24 Feb 2020 10:45:47 +0800
From:   Ian Kent <raven@...maw.net>
To:     "Serge E. Hallyn" <serge@...lyn.com>,
        Miklos Szeredi <miklos@...redi.hu>
Cc:     "Eric W . Biederman" <ebiederm@...ssion.com>,
        overlayfs <linux-unionfs@...r.kernel.org>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH 0/5] allow unprivileged overlay mounts

On Tue, 2019-10-29 at 12:01 -0500, Serge E. Hallyn wrote:
> On Fri, Oct 25, 2019 at 01:35:20PM +0200, Miklos Szeredi wrote:
> > On Fri, Oct 25, 2019 at 1:30 PM Miklos Szeredi <mszeredi@...hat.com
> > > wrote:
> > > Hi Eric,
> > > 
> > > Can you please have a look at this patchset?
> > > 
> > > The most interesting one is the last oneliner adding
> > > FS_USERNS_MOUNT;
> > > whether I'm correct in stating that this isn't going to introduce
> > > any
> > > holes, or not...
> > 
> > Forgot the git tree:
> > 
> > git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs.git#ovl-
> > unpriv
> > 
> > Thanks,
> > Miklos
> 
> I've looked through it, seemed sensible to me.

Seems sensible to me too but I'm not sure what I'm looking for.

Perhaps a bit more on how this is secure to give an idea what's been
checked and where to focus so the the survey can be broadened from
there... I'm not sure.

For example, from my simple minded view I wonder about the posix acl
code.

In ovl_posix_acl_xattr_set() there is a call to posix_acl_from_xattr()
that uses init_user_ns. I wonder if that should be the current user ns
in this case but I'm not sure?

Ian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ