> /* only root can play with this */ > if (!capable(CAP_SYS_ADMIN)) > return -EACCES; > > Think about it - if DM control ioctls only require CAP_SYS_ADMIN, > then if have that cap you can use DM to remap any block in a block > device to any other block. You don't need to the filesystem to move > stuff around, it can be moved around without the filesystem knowing > anything about it. Yes - I am not surprised the XFS is not the only problem area. The fact XFS also isn't going via the security hooks so security hooks can fix it just makes it worse. > > That's what people said about setuid shell scripts. > > Completely different. setuid shell scripts got abused as a hack for > the lazy to avoid setting up permissions properly and hence were > easily exploited. Sounds to me like an accurate description of the current capabilities mess in the kernel (and not just XFS and not just file systems) > Systems restricted by LSMs to the point where CAP_SYS_ADMIN is not > trusted have exactly the same issues. i.e. there's nobody trusted by > the kernel to administer the storage stack, and nobody has defined a > workable security model that can prevent untrusted users from > violating the existing storage trust model.... With a proper set of LSM checks you can lock the filesystem management and enforcement to a particular set of objects. You can build that model where for example only an administrative login from a trusted console may launch processes to do that management. Or you could - if things were not going around the LSM hooks. Alan
