On Sun, Sep 18, 2016 at 8:05 AM, Jann Horn <jann@xxxxxxxxx> wrote:
> This ensures that VFS implementations don't call ptrace_may_access() from
> VFS read or write handlers. In order for file descriptor passing to have
> its intended security properties, VFS read/write handlers must not do any
> kind of privilege checking.

Quite frankly, this smells like it should be a static check, not some kind of runtime one.

Or if runtime, it should be abstracted out so that you can do an occasional "let's run a checking pass" rather than enable it unconditionally and universally.

It's just too specialized. Soon you'll want to do other random context checking, and we can't just keep adding those kinds of ad-hoc things without it becoming a maintenance nightmare.

I can well imagine somebody ending up writing some stupid patch to take that "in_unprivileged_vfs" thing into account for some semantics, and then we're *really* screwed. So there are many reasons to make sure this is *not* something that people actually expect to always be there.

Linus

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
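The property in Jann's quoted paragraph, modelled in user-space C as an added example (not code from this thread or from the kernel): `may_access` stands in for ptrace_may_access(), and the uids, the target object and the `open_pass_read` scenario helper are constructed for illustration.

```c
#include <errno.h>

/* Constructed user-space model, not kernel code: the rights of a descriptor
 * are fixed by the opener's credentials at open(), so a read()/write() handler
 * must not re-check whoever holds the descriptor now, because it may have been
 * passed (SCM_RIGHTS, inheritance) to a process with different privileges. */

struct cred { int uid; };               /* uid 0 plays the privileged role */
struct target { int owner_uid; };       /* the object behind the file */
struct file { const struct target *t; int opener_allowed; };

/* Stand-in for ptrace_may_access(): may this credential inspect the target? */
static int may_access(const struct cred *c, const struct target *t)
{
    return c->uid == 0 || c->uid == t->owner_uid;
}

/* Wrong pattern: open() decides nothing; the read handler checks the caller. */
static int bad_open(struct file *f, const struct target *t, const struct cred *o)
{
    (void)o; f->t = t; f->opener_allowed = 1; return 0;
}
static int bad_read(const struct file *f, const struct cred *holder)
{
    return may_access(holder, f->t) ? 0 : -EACCES;
}

/* Correct pattern: check once at open(); read() honours that decision only. */
static int good_open(struct file *f, const struct target *t, const struct cred *o)
{
    f->t = t; f->opener_allowed = may_access(o, t);
    return f->opener_allowed ? 0 : -EACCES;
}
static int good_read(const struct file *f, const struct cred *holder)
{
    (void)holder; return f->opener_allowed ? 0 : -EACCES;
}

/* Open as `opener_uid`, pass the descriptor to `holder_uid`, return read()'s result. */
static int open_pass_read(int good, int opener_uid, int holder_uid)
{
    struct target t = { .owner_uid = 0 };        /* only root may inspect it */
    struct cred opener = { opener_uid }, holder = { holder_uid };
    struct file f;
    int rc = good ? good_open(&f, &t, &opener) : bad_open(&f, &t, &opener);
    if (rc) return rc;
    return good ? good_read(&f, &holder) : bad_read(&f, &holder);
}
```

With the wrong pattern an unprivileged opener gets a privileged holder to perform a read it could never do itself, while a descriptor root opened stops working once passed down; the correct pattern refuses at open() and keeps the passed descriptor usable.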