Message-ID: <20211211084617.axfv5fkhc5eycmac@wittgenstein>
Date:   Sat, 11 Dec 2021 09:46:17 +0100
From:   Christian Brauner <christian.brauner@...ntu.com>
To:     Stefan Berger <stefanb@...ux.ibm.com>
Cc:     linux-integrity@...r.kernel.org, zohar@...ux.ibm.com,
        serge@...lyn.com, containers@...ts.linux.dev,
        dmitry.kasatkin@...il.com, ebiederm@...ssion.com,
        krzysztof.struczynski@...wei.com, roberto.sassu@...wei.com,
        mpeters@...hat.com, lhinds@...hat.com, lsturman@...hat.com,
        puiterwi@...hat.com, jejb@...ux.ibm.com, jamjoom@...ibm.com,
        linux-kernel@...r.kernel.org, paul@...l-moore.com, rgb@...hat.com,
        linux-security-module@...r.kernel.org, jmorris@...ei.org
Subject: Re: [PATCH v5 13/16] ima: Move some IMA policy and filesystem
 related variables into ima_namespace

On Fri, Dec 10, 2021 at 03:08:27PM -0500, Stefan Berger wrote:
> 
> On 12/10/21 06:32, Christian Brauner wrote:
> >  From ecf25d6b2b5895005d4103169bdb55d970e7a865 Mon Sep 17 00:00:00 2001
> > From: Christian Brauner<christian.brauner@...ntu.com>
> > Date: Fri, 10 Dec 2021 11:56:25 +0100
> > Subject: [PATCH 2/2] !!!! HERE BE DRAGONS - COMPLETELY UNTESTED !!!!
> > 
> > securityfs: don't allow mounting from outside the filesystem's userns
> > 
> > If we ever need to allow that we should revisit the semantics.
> > ---
> >   security/inode.c | 5 ++++-
> >   1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/security/inode.c b/security/inode.c
> > index eaccba7017d9..71f9634228f3 100644
> > --- a/security/inode.c
> > +++ b/security/inode.c
> > @@ -43,7 +43,10 @@ static int securityfs_fill_super(struct super_block *sb, struct fs_context *fc)
> >   {
> >   	static const struct tree_descr files[] = {{""}};
> >   	struct user_namespace *ns = fc->user_ns;
> > -	int error;
> > +	int error = -EINVAL;
> > +
> > +	if (WARN_ON(ns != current_user_ns()))
> > +		return error;
> >   	error = simple_fill_super(sb, SECURITYFS_MAGIC, files);
> >   	if (error)
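Review bot: the new `if (WARN_ON(ns != current_user_ns()))` check turns a condition that may become reachable from userspace into a kernel warning with a stack trace on every attempt; the reply in this thread says the new mount API could gain delegated mounting that hits exactly this path, so the condition would be user-triggerable (and fatal with panic_on_warn). A plain `if (ns != current_user_ns()) return -EINVAL;` gives the same hardening without the splat. Relatedly, the initializer `int error = -EINVAL;` is overwritten unconditionally by `error = simple_fill_super(sb, SECURITYFS_MAGIC, files);`, so returning the literal directly lets the declaration stay as it was. A one-line comment above the check saying that securityfs instances may only be mounted from their own user namespace, and that delegated mounting will need to revisit this (as the commit message already notes), would document the intent where it is enforced.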
> 
> 
> Oops, I hadn't seen this patch. How can one 'mount from outside the
> filesystem's userns'?

The new mount API is generic enough that this could be possible and it
might gain that ability explicitly at some point in the future for the
sake of delegated mounting. So that's just a good hardening measure.
