From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Theodore Ts'o" <tytso@mit.edu>,
Eric Biggers <ebiggers3@gmail.com>, Jann Horn <jannh@google.com>,
Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-ext4@vger.kernel.org, Linux API <linux-api@vger.kernel.org>,
linux-man@vger.kernel.org,
linux-btrfs <linux-btrfs@vger.kernel.org>
Subject: Re: [PATCH] ioctl_getfsmap.2: document the GETFSMAP ioctl
Date: Wed, 10 May 2017 13:14:37 -0700 [thread overview]
Message-ID: <20170510201437.GA9854@birch.djwong.org> (raw)
In-Reply-To: <87mvakpl5m.fsf@xmission.com>
[cc btrfs, since afaict that's where most of the dedupe tool authors hang out]
On Wed, May 10, 2017 at 02:27:33PM -0500, Eric W. Biederman wrote:
> Theodore Ts'o <tytso@mit.edu> writes:
>
> > On Tue, May 09, 2017 at 02:17:46PM -0700, Eric Biggers wrote:
> >> 1.) Privacy implications. Say the filesystem is being shared between multiple
> >> users, and one user unpacks foo.tar.gz into their home directory, which
> >> they've set to mode 700 to hide from other users. Because of this new
> >> ioctl, all users will be able to see every (inode number, size in blocks)
> >> pair that was added to the filesystem, as well as the exact layout of the
> >> physical block allocations which might hint at how the files were created.
> >> If there is a known "fingerprint" for the unpacked foo.tar.gz in this
> >> regard, its presence on the filesystem will be revealed to all users. And
> >> if any filesystems happen to prefer allocating blocks near the containing
> >> directory, the directory the files are in would likely be revealed too.
Frankly, why are container users even allowed to make unrestricted ioctl
calls? I thought we had a bunch of security infrastructure to constrain
what userspace can do to a system, so why don't ioctls fall under these
same protections? If your containers are really that adversarial, you
ought to be blacklisting as much as you can.
> > Unix/Linux has historically not been terribly concerned about trying
> > to protect this kind of privacy between users. So for example, in
> > order to do this, you would have to call GETFSMAP continously to track
> > this sort of thing. Someone who wanted to do this could probably get
> > this information (and much, much more) by continuously running "ps" to
> > see what processes are running.
> >
> > (I will note. wryly, that in the bad old days, when dozens of users
> > were sharing a one MIPS Vax/780, it was considered a *good* thing
> > that social pressure could be applied when it was found that someone
> > was running a CPU or memory hogger on a time sharing system. The
> > privacy right of someone running "xtrek" to be able to hide this from
> > other users on the system was never considered important at all. :-)
Not to mention someone running GETFSMAP in a loop will be pretty obvious
both from the high kernel cpu usage and the huge number of metadata
operations.
> > Fortunately, the days of timesharing seem to well behind us. For
> > those people who think that containers are as secure as VM's (hah,
> > hah, hah), it might be that best way to handle this is to have a mount
> > option that requires root access to this functionality. For those
> > people who really care about this, they can disable access.
Or use separate filesystems for each container so that exploitable bugs
that shut down the filesystem can't be used to kill the other
containers. You could use a torrent of metadata-heavy operations
(fallocate a huge file, punch every block, truncate file, repeat) to DoS
the other containers.
> What would be the reason for not putting this behind
> capable(CAP_SYS_ADMIN)?
>
> What possible legitimate function could this functionality serve to
> users who don't own your filesystem?
As I've said before, it's to enable dedupe tools to decide, given a set
of files with shareable blocks, roughly how many other times each of
those shareable blocks are shared so that they can make better decisions
about which file keeps its shareable blocks, and which file gets
remapped. Dedupe is not a privileged operation, nor are any of the
tools.
> I have seen several people speak up how this is a concern I don't see
> anyone saying here is a legitimate use for a non-system administrator.
/I/ said that a few emails ago.
--D
> This doesn't seem like something where abuses of time-sharing systems
> can be observed.
>
> Eric
WARNING: multiple messages have this Message-ID (diff)
From: "Darrick J. Wong" <darrick.wong-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: "Theodore Ts'o" <tytso-3s7WtUTddSA@public.gmane.org>,
Eric Biggers <ebiggers3-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Jann Horn <jannh-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Michael Kerrisk-manpages
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
linux-xfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-ext4-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-btrfs <linux-btrfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH] ioctl_getfsmap.2: document the GETFSMAP ioctl
Date: Wed, 10 May 2017 13:14:37 -0700 [thread overview]
Message-ID: <20170510201437.GA9854@birch.djwong.org> (raw)
In-Reply-To: <87mvakpl5m.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
[cc btrfs, since afaict that's where most of the dedupe tool authors hang out]
On Wed, May 10, 2017 at 02:27:33PM -0500, Eric W. Biederman wrote:
> Theodore Ts'o <tytso-3s7WtUTddSA@public.gmane.org> writes:
>
> > On Tue, May 09, 2017 at 02:17:46PM -0700, Eric Biggers wrote:
> >> 1.) Privacy implications. Say the filesystem is being shared between multiple
> >> users, and one user unpacks foo.tar.gz into their home directory, which
> >> they've set to mode 700 to hide from other users. Because of this new
> >> ioctl, all users will be able to see every (inode number, size in blocks)
> >> pair that was added to the filesystem, as well as the exact layout of the
> >> physical block allocations which might hint at how the files were created.
> >> If there is a known "fingerprint" for the unpacked foo.tar.gz in this
> >> regard, its presence on the filesystem will be revealed to all users. And
> >> if any filesystems happen to prefer allocating blocks near the containing
> >> directory, the directory the files are in would likely be revealed too.
Frankly, why are container users even allowed to make unrestricted ioctl
calls? I thought we had a bunch of security infrastructure to constrain
what userspace can do to a system, so why don't ioctls fall under these
same protections? If your containers are really that adversarial, you
ought to be blacklisting as much as you can.
> > Unix/Linux has historically not been terribly concerned about trying
> > to protect this kind of privacy between users. So for example, in
> > order to do this, you would have to call GETFSMAP continously to track
> > this sort of thing. Someone who wanted to do this could probably get
> > this information (and much, much more) by continuously running "ps" to
> > see what processes are running.
> >
> > (I will note. wryly, that in the bad old days, when dozens of users
> > were sharing a one MIPS Vax/780, it was considered a *good* thing
> > that social pressure could be applied when it was found that someone
> > was running a CPU or memory hogger on a time sharing system. The
> > privacy right of someone running "xtrek" to be able to hide this from
> > other users on the system was never considered important at all. :-)
Not to mention someone running GETFSMAP in a loop will be pretty obvious
both from the high kernel cpu usage and the huge number of metadata
operations.
> > Fortunately, the days of timesharing seem to well behind us. For
> > those people who think that containers are as secure as VM's (hah,
> > hah, hah), it might be that best way to handle this is to have a mount
> > option that requires root access to this functionality. For those
> > people who really care about this, they can disable access.
Or use separate filesystems for each container so that exploitable bugs
that shut down the filesystem can't be used to kill the other
containers. You could use a torrent of metadata-heavy operations
(fallocate a huge file, punch every block, truncate file, repeat) to DoS
the other containers.
> What would be the reason for not putting this behind
> capable(CAP_SYS_ADMIN)?
>
> What possible legitimate function could this functionality serve to
> users who don't own your filesystem?
As I've said before, it's to enable dedupe tools to decide, given a set
of files with shareable blocks, roughly how many other times each of
those shareable blocks are shared so that they can make better decisions
about which file keeps its shareable blocks, and which file gets
remapped. Dedupe is not a privileged operation, nor are any of the
tools.
> I have seen several people speak up how this is a concern I don't see
> anyone saying here is a legitimate use for a non-system administrator.
/I/ said that a few emails ago.
--D
> This doesn't seem like something where abuses of time-sharing systems
> can be observed.
>
> Eric
next prev parent reply other threads:[~2017-05-10 20:14 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-07 15:58 [PATCH] ioctl_getfsmap.2: document the GETFSMAP ioctl Darrick J. Wong
2017-05-07 22:17 ` Jann Horn
2017-05-08 18:41 ` Darrick J. Wong
2017-05-08 18:41 ` Darrick J. Wong
2017-05-08 18:47 ` Jann Horn
2017-05-08 20:47 ` Darrick J. Wong
2017-05-08 20:47 ` Darrick J. Wong
2017-05-08 22:54 ` Jann Horn
2017-05-09 1:53 ` Darrick J. Wong
2017-05-09 1:53 ` Darrick J. Wong
2017-05-09 21:17 ` Eric Biggers
2017-05-09 21:17 ` Eric Biggers
2017-05-10 16:38 ` Theodore Ts'o
2017-05-10 19:27 ` Eric W. Biederman
2017-05-10 20:14 ` Darrick J. Wong [this message]
2017-05-10 20:14 ` Darrick J. Wong
2017-05-11 5:10 ` Eric Biggers
2017-05-11 5:10 ` Eric Biggers
2017-05-14 1:41 ` Andreas Dilger
2017-05-14 4:25 ` Darrick J. Wong
2017-05-14 4:25 ` Darrick J. Wong
2017-05-14 13:56 ` Andy Lutomirski
2017-05-14 13:56 ` Andy Lutomirski
2017-05-18 2:04 ` Darrick J. Wong
2017-05-18 2:04 ` Darrick J. Wong
-- strict thread matches above, loose matches on Subject: below --
2017-02-18 1:17 [RFC PATCH v6 0/8] vfs/xfs/ext4: GETFSMAP support Darrick J. Wong
2017-02-21 22:14 ` [PATCH] ioctl_getfsmap.2: document the GETFSMAP ioctl Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170510201437.GA9854@birch.djwong.org \
--to=darrick.wong@oracle.com \
--cc=ebiederm@xmission.com \
--cc=ebiggers3@gmail.com \
--cc=jannh@google.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.