Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote: > > (3) Letting users see events they shouldn't be able to see. > > How are you handling namespaces then? Are they determined by the > namespace of the process that opened the original device handle, or the > namespace that made the new syscall for the events to "start flowing"? So far I haven't had to deal directly with namespaces. mount_notify() requires you to have access to the mountpoint you want to watch - and the entire tree rooted there is in one namespace, so your event sources are restricted to that namespace. Further, mount objects don't themselves have any other namespaces, not even a user_ns. sb_notify() requires you to have access to the superblock you want to watch. superblocks aren't directly namespaced as a class, though individual superblocks may participate in particular namespaces (ipc, net, etc.). I'm thinking some of these should be marked unwatchable (all pseudo superblocks, kernfs-class, proc, for example). Superblocks, however, do each have a user_ns - but you were allowed to access the superblock by pathwalk, so you must have some access to the user_ns - I think. KEYCTL_NOTIFY requires you to have View access on the key you're watching. Currently, keys have no real namespace restrictions, though I have patches to include a namespace tag in the lookup criteria. block_notify() doesn't require any direct access since you're watching a global queue and there is no blockdev namespacing. LSMs are given the option to filter events, though. The thought here is that if you can access dmesg, you should be able to watch for blockdev events. Actually, thinking further on this, restricting access to events is trickier than I thought and than perhaps Casey was suggesting. Say you're watching a mount object and someone in a different user_ns namespace or with a different security label mounts on it. What governs whether you are allowed to see the event? You're watching the object for changes - and it *has* changed. Further, you might be able to see the result of this change by other means (/proc/mounts, for instance). Should you be denied the event based on the security model? On the other hand, if you're watching a tree of mount objects, it could be argued that you should be denied access to events on any mount object you can't reach by pathwalk. On the third hand, if you can see it in /proc/mounts or by fsinfo(), you should get an event for it. > How are you handling namespaces then? So to go back to the original question. At the moment they haven't impinged directly and I haven't had to deal with them directly. There are indirect namespace restrictions that I get for free just due to pathwalk, for instance. David
