All of lore.kernel.org
 help / color / mirror / Atom feed
From: Theodore Ts'o <tytso@mit.edu>
To: Seth Forshee <seth.forshee@canonical.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	linux-bcache@vger.kernel.org, dm-devel@redhat.com,
	linux-raid@vger.kernel.org, linux-mtd@lists.infradead.org,
	linux-fsdevel@vger.kernel.org,
	linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
	Serge Hallyn <serge.hallyn@canonical.com>,
	Andy Lutomirski <luto@amacapital.net>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 0/7] User namespace mount updates
Date: Wed, 18 Nov 2015 14:10:45 -0500	[thread overview]
Message-ID: <20151118191045.GB3434@thunk.org> (raw)
In-Reply-To: <20151117183444.GB108807@ubuntu-hedt>

On Tue, Nov 17, 2015 at 12:34:44PM -0600, Seth Forshee wrote:
> On Tue, Nov 17, 2015 at 05:55:06PM +0000, Al Viro wrote:
> > On Tue, Nov 17, 2015 at 11:25:51AM -0600, Seth Forshee wrote:
> > 
> > > Shortly after that I plan to follow with support for ext4. I've been
> > > fuzzing ext4 for a while now and it has held up well, and I'm currently
> > > working on hand-crafted attacks. Ted has commented privately (to others,
> > > not to me personally) that he will fix bugs for such attacks, though I
> > > haven't seen any public comments to that effect.
> > 
> > _Static_ attacks, or change-image-under-mounted-fs attacks?
> 
> Right now only static attacks, change-image-under-mounted-fs attacks
> will be next.

I will fix bugs about static attacks.  That is, it's interesting to me
that a buggy file system (no matter how it is created), not cause the
kernel to crash --- and privilege escalation attacks tend to be
strongly related to those bugs where we're not doing strong enough
checking.

Protecting against a malicious user which changes the image under the
file system is a whole other kettle of fish.  I am not at all user you
can do this without completely sacrificing performance or making the
code impossible to maintain.  So my comments do *not* extend to
protecting against a malicious user who is changing the block device
underneath the kernel.

If you want to submit patches to make the kernel more robust against
these attacks, I'm certainly willing to look at the patches.  But I'm
certainly not guaranteeing that they will go in, and I'm certainly not
promising to fix all vulnerabilities that you might find that are
caused by a malicious block device.  Sorry, that's too much buying a
pig in a poke....

						- Ted
				

  parent reply	other threads:[~2015-11-18 19:10 UTC|newest]

Thread overview: 66+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-17 16:39 [PATCH v3 0/7] User namespace mount updates Seth Forshee
2015-11-17 16:39 ` [PATCH v3 1/7] block_dev: Support checking inode permissions in lookup_bdev() Seth Forshee
2015-11-17 16:39 ` [PATCH v3 2/7] block_dev: Check permissions towards block device inode when mounting Seth Forshee
2015-11-17 16:39 ` [PATCH v3 3/7] mtd: Check permissions towards mtd " Seth Forshee
2015-11-17 16:39 ` [PATCH v3 4/7] fs: Treat foreign mounts as nosuid Seth Forshee
2015-11-18  0:00   ` James Morris
2015-11-17 16:39 ` [PATCH v3 5/7] selinux: Add support for unprivileged mounts from user namespaces Seth Forshee
2015-11-18  0:02   ` James Morris
2015-11-17 16:39 ` [PATCH v3 6/7] userns: Replace in_userns with current_in_userns Seth Forshee
2015-11-18  0:03   ` James Morris
2015-11-17 16:39 ` [PATCH v3 7/7] Smack: Handle labels consistently in untrusted mounts Seth Forshee
2015-11-17 18:24   ` Casey Schaufler
2015-11-17 18:24     ` Casey Schaufler
2015-11-18  0:12   ` James Morris
2015-11-18  0:50     ` Seth Forshee
2015-11-17 17:05 ` [PATCH v3 0/7] User namespace mount updates Al Viro
2015-11-17 17:25   ` Seth Forshee
2015-11-17 17:45     ` Serge E. Hallyn
2015-11-17 17:55     ` Al Viro
2015-11-17 18:34       ` Seth Forshee
2015-11-17 19:12         ` Richard Weinberger
2015-11-17 19:21           ` Seth Forshee
2015-11-17 19:25             ` Octavian Purdila
2015-11-17 20:12               ` Richard Weinberger
2015-11-17 22:00                 ` Octavian Purdila
2015-11-19 15:23                   ` Seth Forshee
2015-11-19 16:19                     ` Octavian Purdila
2015-11-19 16:31                       ` Seth Forshee
2015-11-20 17:33                       ` Serge E. Hallyn
2015-11-17 19:26             ` Richard Weinberger
2015-11-18 19:10         ` Theodore Ts'o [this message]
2015-11-18 19:28           ` Seth Forshee
2015-11-18 19:32           ` Serge Hallyn
2015-11-17 19:02       ` Austin S Hemmelgarn
2015-11-17 19:16         ` Seth Forshee
2015-11-17 19:16           ` Seth Forshee
2015-11-17 20:54           ` Austin S Hemmelgarn
2015-11-17 21:32             ` Seth Forshee
2015-11-18 12:23               ` Austin S Hemmelgarn
2015-11-18 14:22                 ` Seth Forshee
2015-11-18 14:58                   ` Al Viro
2015-11-18 15:05                     ` Seth Forshee
2015-11-18 15:05                       ` Seth Forshee
2015-11-18 15:13                       ` Al Viro
2015-11-18 15:19                         ` Richard Weinberger
2015-11-19  7:47                           ` James Morris
2015-11-19  7:53                             ` Richard Weinberger
2015-11-19 14:21                               ` Serge E. Hallyn
2015-11-19 15:04                                 ` Richard Weinberger
2015-11-19 14:37                               ` Colin Walters
2015-11-19 14:49                                 ` Richard Weinberger
2015-11-19 15:17                                   ` Richard W.M. Jones
2015-11-19 14:58                         ` Serge E. Hallyn
2015-11-18 15:34                     ` Austin S Hemmelgarn
2015-11-18 15:36                     ` Nikolay Borisov
2015-11-17 19:30         ` Al Viro
2015-11-17 20:39           ` Austin S Hemmelgarn
2015-11-17 21:05             ` Al Viro
2015-11-17 22:01               ` Seth Forshee
2015-11-18 12:46                 ` Austin S Hemmelgarn
2015-11-18 14:30                   ` Seth Forshee
2015-11-18 15:38                     ` Austin S Hemmelgarn
     [not found]                       ` <564C9B92.5080107-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-11-18 18:33                         ` Daniel J Walsh
2015-11-18 18:33                           ` Daniel J Walsh
2015-11-18 18:33                           ` Daniel J Walsh
2015-11-18 18:44           ` J. Bruce Fields

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20151118191045.GB3434@thunk.org \
    --to=tytso@mit.edu \
    --cc=dm-devel@redhat.com \
    --cc=ebiederm@xmission.com \
    --cc=linux-bcache@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mtd@lists.infradead.org \
    --cc=linux-raid@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=selinux@tycho.nsa.gov \
    --cc=serge.hallyn@canonical.com \
    --cc=seth.forshee@canonical.com \
    --cc=viro@ZenIV.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.