On Mon, Oct 01, 2018 at 11:25:29AM -0400, Theodore Y. Ts'o wrote: > On Mon, Oct 01, 2018 at 04:04:42PM +0100, Alan Cox wrote: > > > Systems restricted by LSMs to the point where CAP_SYS_ADMIN is not > > > trusted have exactly the same issues. i.e. there's nobody trusted by > > > the kernel to administer the storage stack, and nobody has defined a > > > workable security model that can prevent untrusted users from > > > violating the existing storage trust model.... > > > > With a proper set of LSM checks you can lock the filesystem management > > and enforcement to a particular set of objects. You can build that model > > where for example only an administrative login from a trusted console may > > launch processes to do that management. > > > > Or you could - if things were not going around the LSM hooks. > > It would be useful if anyone actually *wants* to do this thing to > define a formal security model, and detail *everything* that would > need to be changed in order to accomplish it. Just as we don't > speculatively add code "just in case" someone might want to use it > someday, I don't think we should be adding random LSM hooks just > becausre someone *might* want do something. Yeah, that's what I was implying we needed to do - taking the current model and slapping LSM hooks around randomly will only make things break and cause admins to curse us.... > Let's see the use case, and let's see how horrible the changes would > need to be, and how credible we think it is that someone will actually > want to *use* it. I suspect the chagnes will be a really huge number > of places, and not just in XFS.... So do I - the "in root we trust" model is pretty deeply ingrained up and down the storage stack. I also suspect that most of our hardware admin (not just storage) has similar assumptions about the security model they operate in. Cheers, Dave. -- Dave Chinner david@xxxxxxxxxxxxx
