From: email@example.com (Eric W. Biederman) To: "Theodore Y. Ts'o" <firstname.lastname@example.org> Cc: Linux Containers <email@example.com>, firstname.lastname@example.org, Seth Forshee <email@example.com>, "Serge E. Hallyn" <firstname.lastname@example.org>, Christian Brauner <email@example.com>, firstname.lastname@example.org Subject: Re: [REVIEW][PATCH 0/6] Wrapping up the vfs support for unprivileged mounts Date: Thu, 24 May 2018 18:23:30 -0500 [thread overview] Message-ID: <email@example.com> (raw) In-Reply-To: <20180524214617.GG7712@thunk.org> (Theodore Y. Ts'o's message of "Thu, 24 May 2018 17:46:17 -0400") "Theodore Y. Ts'o" <firstname.lastname@example.org> writes: > On Wed, May 23, 2018 at 06:22:56PM -0500, Eric W. Biederman wrote: >> >> Very slowly the work has been progressing to ensure the vfs has the >> necessary support for mounting filesystems without privilege. > > What's the thinking behind how system administrators and/or file > systems would configure whether or not a particular file system type > will be allowed to be mounted w/o privilege? The mechanism is .fs_flags in file_system_type. If the FS_USERNS_MOUNT flag is set then root in a user namespace (AKA an unprivileged user) will be allowed to mount to mount the filesystem. There are very real concerns about attacking a filesystem with an invalid filesystem image, or by a malicious protocol speaker. So I don't want to enable anything without the file system maintainers consent and without a reasonable expecation that neither a system wide denial of service attack nor a privilege escalation attack is possible from if the filesystem is enabled. So at a practical level what we have in the vfs is the non-fuse specific bits that enable unprivileged mounts of fuse. Things like handling of unmapped uid and gids, how normally trusted xattrs are dealt with, etc. A big practical one for me is that if either the uid or gid is not mapped the vfs avoids writing to the inode. Right now my practical goal is to be able to say: "Go run your filesystem in userspace with fuse if you want stronger security guarantees." I think that will be enough to make removable media reasonably safe from privilege escalation attacks. There is enough code in most filesystems that I don't know what our chances of locking down very many of them are. But I figure a few more of them are possible. Eric
next prev parent reply other threads:[~2018-05-24 23:23 UTC|newest] Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-05-23 23:22 Eric W. Biederman 2018-05-23 23:25 ` [REVIEW][PATCH 1/6] vfs: Don't allow changing the link count of an inode with an invalid uid or gid Eric W. Biederman 2018-05-24 12:58 ` Seth Forshee 2018-05-24 22:30 ` Christian Brauner 2018-05-23 23:25 ` [REVIEW][PATCH 2/6] vfs: Allow userns root to call mknod on owned filesystems Eric W. Biederman 2018-05-24 13:55 ` Seth Forshee 2018-05-24 16:55 ` Eric W. Biederman 2018-05-24 17:22 ` Seth Forshee 2018-05-24 19:12 ` Christian Brauner 2018-05-23 23:25 ` [REVIEW][PATCH 3/6] fs: Allow superblock owner to replace invalid owners of inodes Eric W. Biederman 2018-05-23 23:41 ` [REVIEW][PATCH v2 " Eric W. Biederman 2018-05-24 22:30 ` Christian Brauner 2018-05-23 23:25 ` [REVIEW][PATCH 4/6] fs: Allow superblock owner to access do_remount_sb() Eric W. Biederman 2018-05-24 15:58 ` Christian Brauner 2018-05-24 16:45 ` Eric W. Biederman 2018-05-24 17:28 ` Christian Brauner 2018-05-23 23:25 ` [REVIEW][PATCH 5/6] capabilities: Allow privileged user in s_user_ns to set security.* xattrs Eric W. Biederman 2018-05-24 15:57 ` Christian Brauner 2018-05-23 23:25 ` [REVIEW][PATCH 6/6] fs: Allow CAP_SYS_ADMIN in s_user_ns to freeze and thaw filesystems Eric W. Biederman 2018-05-24 15:59 ` Christian Brauner 2018-05-24 21:46 ` [REVIEW][PATCH 0/6] Wrapping up the vfs support for unprivileged mounts Theodore Y. Ts'o 2018-05-24 23:23 ` Eric W. Biederman [this message] 2018-05-25 3:57 ` Dave Chinner 2018-05-25 4:06 ` Darrick J. Wong 2018-05-29 13:12 ` Eric W. Biederman 2018-05-29 22:17 ` Dave Chinner 2018-05-30 2:34 ` Eric W. Biederman 2018-05-30 4:34 ` Dave Chinner 2018-05-29 15:40 ` Dongsu Park
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --subject='Re: [REVIEW][PATCH 0/6] Wrapping up the vfs support for unprivileged mounts' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).