From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751194AbdJCS64 (ORCPT <rfc822;w@1wt.eu>);
        Tue, 3 Oct 2017 14:58:56 -0400
Received: from imap.thunk.org ([74.207.234.97]:59422 "EHLO imap.thunk.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1750787AbdJCS6y (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Oct 2017 14:58:54 -0400
Date: Tue, 3 Oct 2017 14:58:52 -0400
From: "Theodore Ts'o" <tytso@mit.edu>
To: Adam Borowski <kilobyte@angband.pl>
Cc: Al Viro <viro@ZenIV.linux.org.uk>, linux-fsdevel@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH] vfs: hard-ban creating files with control characters in
 the name
Message-ID: <20171003185852.2o7w4tst6q7xchfe@thunk.org>
Mail-Followup-To: Theodore Ts'o <tytso@mit.edu>,
        Adam Borowski <kilobyte@angband.pl>,
        Al Viro <viro@ZenIV.linux.org.uk>, linux-fsdevel@vger.kernel.org,
        linux-kernel@vger.kernel.org
References: <20171003005042.16470-1-kilobyte@angband.pl>
 <20171003020724.GH21978@ZenIV.linux.org.uk>
 <20171003164012.r4qnn5cr5kzmnft6@thunk.org>
 <20171003173215.axcwmd4ynmvgkyym@angband.pl>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20171003173215.axcwmd4ynmvgkyym@angband.pl>
User-Agent: NeoMutt/20170609 (1.8.3)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: tytso@thunk.org
X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Oct 03, 2017 at 07:32:15PM +0200, Adam Borowski wrote:
> 
> But Al has a good point that if most people were protected, they won't
> bother escaping badness anymore -- leaving those whose systems allow control
> chars vulnerable if they run a script that doesn't do quoting.

If we look at the attitude used by the kernel-hardening efforts, it's
all about adding layers of protection.  We can optionally enable
features like KASLR, but does that mean that people can afford to be
careless with pointers?  Not hardly!

And that's a pretty good worked example where adding various classes
of kernel-hardening protections has *not* resulted in people saying,
"Great!  I can be careless in the patches we submit to LKML".

> I went bold and submitted 1-31,127, as those have very low cost to block;
> but if that's not conservative enough, blocking just \n has both very low
> cost and a high benefit (special burdensome quoting required).

I would have suggested 1-31, since that's in line with what Windows
has banned.  But whether we include DEL is my mind not a big deal.

The argument for making it be configurable is that if it does break
things in way we can't foresee, it's a lot easier to back it out.  And
like what we've done with relatime, if the distro's all run with it as
the default for a couple of years, it then becomes easier to make the
case for making it be the default.

> Discussing a configurable policy (perhaps here in vfs, perhaps as a LSM, a
> seccomp hack or even LD_PRELOAD) would be interesting, but for the above
> reason I'd want \n hard-banned.

Perhaps doing this as an LSM makes the most amount of sense.  That
makes it be configurable/optional, and I think the security folks will
be much more willing to accept the functionality, if we decide we
don't want to make it a core VFS restriction.

      	      	      	     	 - Ted