Re: [GIT PULL] Fsnotify changes for 6.12-rc1

On Mon 23-09-24 11:35:00, Linus Torvalds wrote:
> On Mon, 23 Sept 2024 at 04:03, Jan Kara <jack@xxxxxxx> wrote:
> >
> >   * The implementation of the pre-content fanotify events. T
> 
> I pulled this, and then I decided to unpull.
> 
> I don't see what the permissions for this thing are, and without
> explanations for why this isn't a huge security issue, I'm not pulling
> it.
> 
> Maybe those explanations exist elsewhere, but they sure aren't in the
> pull request.

Sure, the details are in some of the commit messages but you're right I
should have summarized them in the pull request as well:

Pre-content events are restricted to global CAP_SYS_ADMIN. This is achieved
by pre-content events being restricted to FAN_CLASS_PRE_CONTENT
notification groups which are restricted to CAP_SYS_ADMIN in
fanotify_init() by this check:

	if (!capable(CAP_SYS_ADMIN)) {
		/*
		 * An unprivileged user can setup an fanotify group with
		 * limited functionality - an unprivileged group is limited to
		 * notification events with file handles and it cannot use
		 * unlimited queue/marks.
		 */
		if ((flags & FANOTIFY_ADMIN_INIT_FLAGS) || !fid_mode)
			return -EPERM;
		...
	}


> IOW, I want to know where the code is that says "you can't block root
> processes doing accesses to your files" etc. Or things like "oh, the
> kernel took a page fault while holding some lock, what protects this
> from being misused"?
> 
> And if that code doesn't exist, there's no way in hell we're pulling
> this. Ever.

Sure, I understand that. That would have been a huge security hole.

> IOW, where is the "we don't allow unprivileged groups to do this" code?
> 
> Because:
> 
> >   These events are
> >  sent before read / write / page fault and the execution is paused until
> >  event listener replies similarly to current fanotify permission events.
> 
> Permission events aren't allowed for unprivileged users. I want to
> make sure people have thought about this, and I need to actually see
> this talked about in the pull request.

Should I update the pull request and resend or will you update it with
paragraph above?

								Honza

-- 
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
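The privilege boundary described in the reply can be checked from user space without reading the kernel source. The program below is an added example, written for this page; it is not code from the thread, from Jan Kara or from the fanotify tree. It asks fanotify_init() for a FAN_CLASS_NOTIF | FAN_REPORT_FID group (the configuration the quoted comment says unprivileged users may create), a FAN_CLASS_CONTENT group and a FAN_CLASS_PRE_CONTENT group, and reports which ones the kernel hands out. It assumes, as mainline's linux/fanotify.h does, that both permission classes fall under FANOTIFY_ADMIN_INIT_FLAGS, so an unprivileged caller should see EPERM for the last two and success only for the first. The capability check uses the raw capget() syscall to avoid a libcap dependency; `probe_group()` and `have_cap_sys_admin()` are names chosen here, not kernel or libc API.

```c
/* Added example, not from the mailing-list thread: probe which fanotify
 * group classes fanotify_init() will hand to the calling process. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#ifndef FAN_REPORT_FID
/* Older glibc headers lack it; value taken from linux/fanotify.h. */
#define FAN_REPORT_FID 0x00000200
#endif

enum probe_result { PROBE_ALLOWED, PROBE_EPERM, PROBE_OTHER };

/* Does the calling thread hold CAP_SYS_ADMIN in its effective set?
 * Uses the raw capget() syscall so no libcap is needed.  Note that this
 * reports the capability in the caller's own user namespace, whereas
 * capable() in fanotify_init() checks against the initial namespace. */
int have_cap_sys_admin(void)
{
	struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
	struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };

	if (syscall(SYS_capget, &hdr, data) != 0)
		return 0;
	return !!(data[CAP_TO_INDEX(CAP_SYS_ADMIN)].effective &
		  CAP_TO_MASK(CAP_SYS_ADMIN));
}

/* Try to create a fanotify group with the given init flags and classify
 * the outcome.  The group is closed again immediately; only the
 * kernel's permission decision is of interest.  err_out may be NULL. */
enum probe_result probe_group(unsigned int flags, int *err_out)
{
	int fd = fanotify_init(flags, O_RDONLY | O_CLOEXEC);

	if (fd >= 0) {
		close(fd);
		if (err_out)
			*err_out = 0;
		return PROBE_ALLOWED;
	}
	if (err_out)
		*err_out = errno;
	return errno == EPERM ? PROBE_EPERM : PROBE_OTHER;
}

int main(void)
{
	/* Constructed list of group configurations to probe. */
	static const struct {
		const char *name;
		unsigned int flags;
	} classes[] = {
		{ "FAN_CLASS_NOTIF | FAN_REPORT_FID", FAN_CLASS_NOTIF | FAN_REPORT_FID },
		{ "FAN_CLASS_CONTENT",                FAN_CLASS_CONTENT },
		{ "FAN_CLASS_PRE_CONTENT",            FAN_CLASS_PRE_CONTENT },
	};
	size_t i;

	printf("CAP_SYS_ADMIN in effective set: %s\n",
	       have_cap_sys_admin() ? "yes" : "no");
	for (i = 0; i < sizeof classes / sizeof classes[0]; i++) {
		int err = 0;
		enum probe_result r = probe_group(classes[i].flags, &err);

		printf("%-36s -> %s\n", classes[i].name,
		       r == PROBE_ALLOWED ? "allowed" :
		       r == PROBE_EPERM   ? "EPERM (needs CAP_SYS_ADMIN)" :
		       strerror(err));
	}
	return 0;
}
```

Run it once as an ordinary user and once as root: the unprivileged run should show only the FAN_REPORT_FID notification group being allowed and EPERM for both permission classes, which is the boundary the reply points at. Two caveats worth knowing when using this as a check: unprivileged fanotify groups exist only on kernels new enough to have that feature, so on older kernels every row is EPERM; and because the kernel's capable() test is against the initial user namespace, "root" inside a user namespace reports CAP_SYS_ADMIN locally yet still receives EPERM for the permission classes.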
