| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20201112004227.GB351@ircssh-2.c.rugged-nimbus-611.internal>
Date: Thu, 12 Nov 2020 00:42:28 +0000
From: Sargun Dhillon <sargun@...gun.me>
To: Trond Myklebust <trondmy@...merspace.com>
Cc: "linux-nfs@...r.kernel.org" <linux-nfs@...r.kernel.org>,
"smayhew@...hat.com" <smayhew@...hat.com>,
"dhowells@...hat.com" <dhowells@...hat.com>,
"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
"chuck.lever@...cle.com" <chuck.lever@...cle.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"schumaker.anna@...il.com" <schumaker.anna@...il.com>,
"alban.crequy@...il.com" <alban.crequy@...il.com>,
"anna.schumaker@...app.com" <anna.schumaker@...app.com>,
"mauricio@...volk.io" <mauricio@...volk.io>,
"bfields@...ldses.org" <bfields@...ldses.org>
Subject: Re: [PATCH v4 0/2] NFS: Fix interaction between fs_context and user
namespaces
On Thu, Nov 12, 2020 at 12:30:56AM +0000, Sargun Dhillon wrote:
> On Wed, Nov 11, 2020 at 08:03:18PM +0000, Trond Myklebust wrote:
> > On Wed, 2020-11-11 at 18:57 +0000, Sargun Dhillon wrote:
> > > On Wed, Nov 11, 2020 at 02:38:11PM +0000, Trond Myklebust wrote:
> > > > On Wed, 2020-11-11 at 11:12 +0000, Sargun Dhillon wrote:
> > > >
> > > > The current code for setting server->cred was developed
> > > > independently
> > > > of fsopen() (and predates it actually). I'm fine with the change to
> > > > have server->cred be the cred of the user that called fsopen().
> > > > That's
> > > > in line with what we used to do for sys_mount().
> > > >
> > > Just curious, without FS_USERNS, how were you mounting NFSv4 in an
> > > unprivileged user ns?
> >
> > The code was originally developed on a 5.1 kernel. So all my testing
> > has been with ordinary sys_mount() calls in a container that had
> > CAP_SYS_ADMIN privileges.
> >
> > > > However all the other stuff to throw errors when the user namespace
> > > > is
> > > > not init_user_ns introduces massive regressions.
> > > >
> > >
> > > I can remove that and respin the patch. How do you feel about that?
> > > I would
> > > still like to keep the log lines though because it is a uapi change.
> > > I am
> > > worried that someone might exercise this path with GSS and allow for
> > > upcalls
> > > into the main namespaces by accident -- or be confused of why they're
> > > seeing
> > > upcalls "in a different namespace".
> > >
> > > Are you okay with picking up ("NFS: NFSv2/NFSv3: Use cred from
> > > fs_context during
> > > mount") without any changes?
> >
> > Why do we need the dprintk()s? It seems to me that either they should
> > be reporting something that the user needs to know (in which case they
> > should be real printk()s) or they are telling us something that we
> > should already know. To me they seem to fit more in the latter
> > category.
> >
> > >
> > > I can respin ("NFSv4: Refactor NFS to use user namespaces") without:
> > > /*
> > > * nfs4idmap is not fully isolated by user namespaces. It is
> > > currently
> > > * only network namespace aware. If upcalls never happen, we do not
> > > * need to worry as nfs_client instances aren't shared between
> > > * user namespaces.
> > > */
> > > if (idmap_userns(server->nfs_client->cl_idmap) != &init_user_ns &&
> > > !(server->caps & NFS_CAP_UIDGID_NOMAP)) {
> > > error = -EINVAL;
> > > errorf(fc, "Mount credentials are from non init user
> > > namespace and ID mapping is enabled. This is not allowed.");
> > > goto error;
> > > }
> > >
> > > (and making it so we can call idmap_userns)
> > >
> >
> > Yes. That would be acceptable. Again, though, I'd like to see the
> > dprintk()s gone.
> >
>
> I can drop the dprintks, but given this is a uapi change, does it make sense to
> pr_info_once? Especially, because this can have security impact?
Spending 5 minutes thinking about this, I think that best go out in another patch
that I can spin, and we can discuss there.
Powered by blists - more mailing lists