lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <337ca572-2bfb-4bb5-b71c-daf7ac5e9d56@oracle.com>
Date: Mon, 9 Dec 2024 12:20:10 -0500
From: Chuck Lever <chuck.lever@...cle.com>
To: Jeff Layton <jlayton@...nel.org>, Amir Goldstein <amir73il@...il.com>,
        Christoph Hellwig <hch@...radead.org>
Cc: "Darrick J. Wong" <djwong@...nel.org>,
        Christian Brauner <brauner@...nel.org>,
        Erin Shepherd
 <erin.shepherd@....eu>, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-nfs@...r.kernel.org,
        stable <stable@...nel.org>, Greg KH <gregkh@...uxfoundation.org>,
        Jens Axboe <axboe@...nel.dk>, Shaohua Li <shli@...com>
Subject: Re: [PATCH 0/4] exportfs: add flag to allow marking export operations
 as only supporting file handles

On 12/9/24 12:15 PM, Jeff Layton wrote:
> On Mon, 2024-12-09 at 11:35 -0500, Chuck Lever wrote:
>> On 12/9/24 11:30 AM, Amir Goldstein wrote:
>>> On Mon, Dec 9, 2024 at 2:46 PM Christoph Hellwig <hch@...radead.org> wrote:
>>>>
>>>> On Mon, Dec 09, 2024 at 09:58:58AM +0100, Amir Goldstein wrote:
>>>>> To be clear, exporting pidfs or internal shmem via an anonymous fd is
>>>>> probably not possible with existing userspace tools, but with all the new
>>>>> mount_fd and magic link apis, I can never be sure what can be made possible
>>>>> to achieve when the user holds an anonymous fd.
>>>>>
>>>>> The thinking behind adding the EXPORT_OP_LOCAL_FILE_HANDLE flag
>>>>> was that when kernfs/cgroups was added exportfs support with commit
>>>>> aa8188253474 ("kernfs: add exportfs operations"), there was no intention
>>>>> to export cgroupfs over nfs, only local to uses, but that was never enforced,
>>>>> so we thought it would be good to add this restriction and backport it to
>>>>> stable kernels.
>>>>
>>>> Can you please explain what the problem with exporting these file
>>>> systems over NFS is?  Yes, it's not going to be very useful.  But what
>>>> is actually problematic about it?  Any why is it not problematic with
>>>> a userland nfs server?  We really need to settle that argumet before
>>>> deciding a flag name or polarity.
>>>>
>>>
>>> I agree that it is not the end of the world and users do have to explicitly
>>> use fsid= argument to be able to export cgroupfs via nfsd.
>>>
>>> The idea for this patch started from the claim that Jeff wrote that cgroups
>>> is not allowed for nfsd export, but I couldn't find where it is not allowed.
>>>
> 
> I think that must have been a wrong assumption on my part. I don't see
> anything that specifically prevents that either. If cgroupfs is mounted
> and you tell mountd to export it, I don't see what would prevent that.
> 
> To be clear, I don't see how you would trick bog-standard mountd into
> exporting a filesystem that isn't mounted into its namespace, however.
> Writing a replacement for mountd is always a possibilty.
> 
>>> I have no issue personally with leaving cgroupfs exportable via nfsd
>>> and changing restricting only SB_NOUSER and SB_KERNMOUNT fs.
>>>
>>> Jeff, Chuck, what is your opinion w.r.t exportability of cgroupfs via nfsd?
>>
>> We all seem to be hard-pressed to find a usage scenario where exporting
>> pseudo-filesystems via NFS is valuable. But maybe someone has done it
>> and has a good reason for it.
>>
>> The issue is whether such export should be consistently and actively
>> prevented.
>>
>> I'm not aware of any specific security issues with it.
>>
>>
> 
> I'm not either, but we are in new territory here. nfsd is a network
> service, so it does present more of an attack surface vs. local access.
> 
> In general, you do have to take active steps to export a filesystem,
> but if someone exports / with "crossmnt", everything mounted is
> potentially accessible. That's obviously a dumb thing to do, but people
> make mistakes, and it's possible that doing this could be part of a
> wider exploit.
> 
> I tend to think it safest to make exporting via nfsd an opt-in thing on
> a per-fs basis (along the lines of this patchset). If someone wants to
> allow access to more "exotic" filesystems, let them argue their use-
> case on the list first.

If we were starting from scratch, 100% agree.

The current situation is that these file systems appear to be exportable
(and not only via NFS). The proposal is that this facility is to be
taken away. This can easily turn into a behavior regression for someone
if we're not careful.


-- 
Chuck Lever

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ