On Mon, 2018-10-15 at 11:46 -0700, Matthew Garrett wrote:
> On Sun, Oct 14, 2018 at 6:38 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > On Fri, 2018-10-12 at 11:31 -0700, Matthew Garrett wrote:
> > > There's a couple of ways. We could extend the filesystem type matching
> > > logic to also check the subtype - you'd then need to enforce that at
> > > the LSM level in order to protect against untrusted filesystems
> > > spoofing the filesystem type. Alternatively, we could add an
> > > additional policy match type for mount point and iterate through
> > > s_mounts on the superblock - if any match, we could define the policy
> > > there?
> >
> > The first method differentiates between different subtypes of FUSE
> > filesystems, while the second method allows differentiating between
> > the same type and subtype on different mount points. Both criteria
> > are needed, but instead of the second method based on a mount point,
> > perhaps based instead on a mount flag?
>
> Patch 3 already requires that the allow_gethash option be passed for
> this to work - I can restrict that to CAP_SYS_ADMIN?

In the case of FUSE filesystems, using "gethash" should be limited to
trusted mounts, not filesystems mounted with SB_I_UNTRUSTED_MOUNTER.
So requiring CAP_SYS_ADMIN seems unnecessary. The difference in the
approaches is that root has CAP_SYS_ADMIN, while providing a mount flag
requires intention.

> > Trusted mount of permitted filesystem type and subtype, that is
> > mounted with the defined mount flag.
>
> Ok, I'll write up a patch that allows policy matching of filesystem
> subtype as well as type and try to get that posted this week so we can
> discuss it in Edinburgh?

Sounds good. Hopefully I'll have time to review it before Edinburgh.

Mimi