Re: [PATCH 1/1] dm: add message command to disallow device open

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Subject: Re: [PATCH 1/1] dm: add message command to disallow device open
From: Eric Biggers <ebiggers@xxxxxxxxxx>
Date: Wed, 3 Aug 2022 21:49:50 +0000
Cc: Brian Geffon <bgeffon@xxxxxxxxxx>, Mike Snitzer <snitzer@xxxxxxxxxx>, linux-kernel@xxxxxxxxxxxxxxx, Zdenek Kabelac <zdenek.kabelac@xxxxxxxxx>, dm-devel@xxxxxxxxxx, Mikulas Patocka <mpatocka@xxxxxxxxxx>, Alasdair Kergon <agk@xxxxxxxxxx>
In-reply-to: <CAONX=-dCrJabyvt2S24kEJi38Pbuzj_4kvugoF_75PWV69bNJw@mail.gmail.com>
References: <YtB45Lte5UhlEE6y@redhat.com> <CAONX=-dEG121RQ6L-4fPMXrLXb3JeYNVNiPzHXNaRLbwRzb3bw@mail.gmail.com> <alpine.LRH.2.02.2207150528170.5197@file01.intranet.prod.int.rdu2.redhat.com> <cca5b463-a860-de8d-b7e4-a8d30aef2ff2@gmail.com> <CAONX=-fJHgfGkwR5A1MT+8FHckueehOsUS_LyHkjrgp4Y+vOgw@mail.gmail.com> <CAONX=-ft=ewFDui4jmd2fvcNr2EJc90=ZNOueDdp6HaPZmvObQ@mail.gmail.com> <Yun4LH+StcuBXRtO@sol.localdomain> <CAONX=-esLr5bGUks_a8wQBky37NnCawh2eOMemYg32HcPA7pmA@mail.gmail.com> <Yuq9jhxb+WgO55KJ@gmail.com> <CAONX=-dCrJabyvt2S24kEJi38Pbuzj_4kvugoF_75PWV69bNJw@mail.gmail.com>

On Thu, Aug 04, 2022 at 06:44:53AM +1000, Daniil Lunev wrote:
> > Have you also considered unlinking the device node (/dev/dm-$idx) from the
> > filesystem after it has been set up for swap?
> Yes, the node can be re-linked with mknod, thus is not a suitable solution.

I thought you were trying to defend against path traversal attacks, not
arbitrary code execution?  If your threat model includes arbitrary code
execution by root, you really need to be using SELinux.

- Eric

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/dm-devel

Follow-Ups:
- Re: [PATCH 1/1] dm: add message command to disallow device open
  - From: Daniil Lunev

References:
- Re: [PATCH 1/1] dm: add message command to disallow device open
  - From: Mike Snitzer
- Re: [PATCH 1/1] dm: add message command to disallow device open
  - From: Daniil Lunev
- Re: [PATCH 1/1] dm: add message command to disallow device open
  - From: Mikulas Patocka
- Re: [PATCH 1/1] dm: add message command to disallow device open
  - From: Zdenek Kabelac
- Re: [PATCH 1/1] dm: add message command to disallow device open
  - From: Daniil Lunev
- Re: [PATCH 1/1] dm: add message command to disallow device open
  - From: Daniil Lunev
- Re: [PATCH 1/1] dm: add message command to disallow device open
  - From: Eric Biggers
- Re: [PATCH 1/1] dm: add message command to disallow device open
  - From: Daniil Lunev
- Re: [PATCH 1/1] dm: add message command to disallow device open
  - From: Eric Biggers
- Re: [PATCH 1/1] dm: add message command to disallow device open
  - From: Daniil Lunev

Prev by Date: Re: [PATCH 1/1] dm: add message command to disallow device open
Next by Date: Re: [PATCH 1/1] dm: add message command to disallow device open
Previous by thread: Re: [PATCH 1/1] dm: add message command to disallow device open
Next by thread: Re: [PATCH 1/1] dm: add message command to disallow device open
Index(es):
- Date
- Thread

[Index of Archives] [DM Crypt] [Fedora Desktop] [ATA RAID] [Fedora Marketing] [Fedora Packaging] [Fedora SELinux] [Yosemite Discussion] [KDE Users] [Fedora Docs]