On Mon, Oct 01, 2018 at 04:04:42PM +0100, Alan Cox wrote: > > /* only root can play with this */ > > if (!capable(CAP_SYS_ADMIN)) > > return -EACCES; > > > > Think about it - if DM control ioctls only require CAP_SYS_ADMIN, > > then if have that cap you can use DM to remap any block in a block > > device to any other block. You don't need to the filesystem to move > > stuff around, it can be moved around without the filesystem knowing > > anything about it. > > Yes - I am not surprised the XFS is not the only problem area. The fact > XFS also isn't going via the security hooks so security hooks can fix it > just makes it worse. > > > > That's what people said about setuid shell scripts. > > > > Completely different. setuid shell scripts got abused as a hack for > > the lazy to avoid setting up permissions properly and hence were > > easily exploited. > > Sounds to me like an accurate description of the current capabilities > mess in the kernel (and not just XFS and not just file systems) > > > Systems restricted by LSMs to the point where CAP_SYS_ADMIN is not > > trusted have exactly the same issues. i.e. there's nobody trusted by > > the kernel to administer the storage stack, and nobody has defined a > > workable security model that can prevent untrusted users from > > violating the existing storage trust model.... > > With a proper set of LSM checks you can lock the filesystem management > and enforcement to a particular set of objects. What would a proper set look like? I /thought/ CAP_SYS_ADMIN was an (admittedly overly general) way to do that, but evidently that view is not considered correct. Looking at include/linux/security.h, I don't see any hooks that seem like an obvious fit for a lot of the XFS ioctls. Do we need to add some? How do we do that? Just looking at XFS, we let CAP_SYS_ADMIN processes do things like... - Change the size of the filesystem - Discard all post-EOF speculative preallocations - Manage reserved block pools (which help us avoid ENOSPC) - Query the filesystem for detailed space usage information - Issue DISCARDs on unused space - Set a new volume label - Check and repair metadata - Inject errors for testing - Emergency shutdowns of the FS - Bulk stat() of inodes - Deal with files (open, read xattrs, read link targets) via file handles - Read system xattrs Can we create the necessary LSM hooks to check all of those things? I could see the following new hooks: * Query filesystem space information * Manage filesystem space information * Set new filesystem label/uuid * Run metadata integrity operations * Access testing / debugging hooks * Reading filesystem internal metadata * Picking files by handle instead of path I imagine block devices probably need a few explicit hooks too: * Raw reads * Raw writes * Reconfigure block device If we /did/ replace CAP_SYS_ADMIN checking with a pile of LSM hooks, how do we make sure that we (XFS) avoid breaking existing XFS tools? I guess the default compatibility handler for all of those new hooks would be "return capable(CAP_SYS_ADMIN) ? 0 : -EPERM;" and then other LSMs could restrict that further if so configured. Seriously, I don't know that much about how LSMs actually perform security checks -- it looks like a number of them can be active simultaneously, and we just call each of them in a chain until one of them denies permission or we run out of LSMs and allow it? FWIW I didn't have a particular security or threat model in mind when I made the above list; all I did was break up the existing CAP_SYS_ADMIN into rough functional areas. Maybe it makes sense, but maybe I'm rambling. :) --D > You can build that model where for example only an administrative > login from a trusted console may launch processes to do that > management. > > Or you could - if things were not going around the LSM hooks. > > Alan
