linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Vivek Goyal <vgoyal@redhat.com>
To: Bruce Fields <bfields@redhat.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	virtio-fs@redhat.com, Daniel Walsh <dwalsh@redhat.com>,
	Christian Brauner <christian.brauner@ubuntu.com>,
	Casey Schaufler <casey.schaufler@intel.com>,
	LSM <linux-security-module@vger.kernel.org>,
	selinux@vger.kernel.org, Theodore Ts'o <tytso@mit.edu>,
	Miklos Szeredi <miklos@szeredi.hu>,
	Giuseppe Scrivano <gscrivan@redhat.com>,
	stephen.smalley.work@gmail.com,
	Andreas Gruenbacher <agruenba@redhat.com>,
	Dave Chinner <david@fromorbit.com>
Subject: Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
Date: Tue, 14 Sep 2021 10:32:13 -0400	[thread overview]
Message-ID: <YUCybaYK/0RLvY9J@redhat.com> (raw)
In-Reply-To: <CAPL3RVHB=E_s1AW1sQMEgrLYJ8ADCdr=qaKsDrpYjVzW-Apq8w@mail.gmail.com>

On Tue, Sep 14, 2021 at 09:59:19AM -0400, Bruce Fields wrote:
> On Tue, Sep 14, 2021 at 8:52 AM Vivek Goyal <vgoyal@redhat.com> wrote:
> > Same is the requirement for regular containers and that's why
> > podman (and possibly other container managers), make top level
> > storage directory only readable and searchable by root, so that
> > unpriveleged entities on host can not access container root filesystem
> > data.
> 
> Note--if that directory is on NFS, making it readable and searchable
> by root is very weak protection, since it's often possible for an
> attacker to guess filehandles and access objects without the need for
> directory lookups.

open_by_handle_at() requires CAP_DAC_READ_SEARCH. And if you have
CAP_DAC_READ_SEARCH, you don't need to even guess file handles. You
should be able to read/search through all directories, IIUC.

So how does one make sure that shared directory on host is not
accessible to unprivileged entities. If making directory accessible
to root only is weaker security, what are the options for stronger
security.

Vivek


  reply	other threads:[~2021-09-14 14:32 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-02 15:22 [PATCH v3 0/1] Relax restrictions on user.* xattr Vivek Goyal
2021-09-02 15:22 ` [PATCH v3 1/1] xattr: Allow user.* xattr on symlink and special files Vivek Goyal
2021-09-02 15:38 ` [PATCH 2/1] man-pages: xattr.7: Update text for user extended xattr behavior change Vivek Goyal
2021-09-02 15:43 ` [PATCH v3 0/1] Relax restrictions on user.* xattr Casey Schaufler
2021-09-02 17:05   ` Vivek Goyal
2021-09-02 17:42     ` Vivek Goyal
2021-09-02 18:55       ` Casey Schaufler
2021-09-02 20:06         ` Vivek Goyal
2021-09-02 22:34           ` Casey Schaufler
2021-09-03 15:26             ` Vivek Goyal
2021-09-03 18:49               ` Casey Schaufler
2021-09-06  7:45             ` [Virtio-fs] " Sergio Lopez
2021-09-06 14:55             ` Dr. David Alan Gilbert
2021-09-13 19:05               ` Casey Schaufler
2021-09-14 12:51                 ` Vivek Goyal
2021-09-14 13:56                   ` Casey Schaufler
2021-09-14 13:59                   ` Bruce Fields
2021-09-14 14:32                     ` Vivek Goyal [this message]
2021-09-14 15:01                       ` Bruce Fields
2021-09-15 16:33                       ` Dr. Greg
2021-09-02 15:47 ` [PATCH 3/1] xfstests: generic/062: Do not run on newer kernels Vivek Goyal
2021-09-03  4:55   ` Dave Chinner
2021-09-03  6:31   ` Andreas Gruenbacher
2021-09-03  6:56     ` Andreas Gruenbacher
2021-09-03 14:42       ` Bruce Fields
2021-09-03 15:43         ` Vivek Goyal
2021-09-03 15:50           ` Bruce Fields
2021-09-03 16:01             ` Casey Schaufler
2021-09-03 16:03             ` Vivek Goyal
2021-09-03  6:31   ` Zorro Lang
2021-09-02 15:50 ` [PATCH 4/1] xfstest: Add a new test to test xattr operations Vivek Goyal
2021-09-02 17:52 ` [PATCH v3 0/1] Relax restrictions on user.* xattr Andreas Gruenbacher
2021-09-02 18:48   ` Vivek Goyal
2021-09-02 19:19     ` Casey Schaufler
2021-09-06 14:39   ` Dr. David Alan Gilbert
2021-09-06 14:56     ` Miklos Szeredi
2021-09-07 21:40       ` Vivek Goyal
2021-09-08  7:37         ` Miklos Szeredi
2021-09-08 14:20           ` Eric W. Biederman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YUCybaYK/0RLvY9J@redhat.com \
    --to=vgoyal@redhat.com \
    --cc=agruenba@redhat.com \
    --cc=bfields@redhat.com \
    --cc=casey.schaufler@intel.com \
    --cc=casey@schaufler-ca.com \
    --cc=christian.brauner@ubuntu.com \
    --cc=david@fromorbit.com \
    --cc=dgilbert@redhat.com \
    --cc=dwalsh@redhat.com \
    --cc=gscrivan@redhat.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    --cc=tytso@mit.edu \
    --cc=viro@zeniv.linux.org.uk \
    --cc=virtio-fs@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).