Re: [PATCH v2] xfsprogs: don't allow udisks to automount XFS filesystems with no prompt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Aug 24, 2023 at 05:00:55PM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <djwong@xxxxxxxxxx>
> 
> The unending stream of syzbot bug reports and overwrought filing of CVEs
> for corner case handling (i.e. things that distract from actual user
> complaints) in XFS has generated all sorts of of overheated rhetoric
> about how every bug is a Serious Security Issue(tm) because anyone can
> craft a malicious filesystem on a USB stick, insert the stick into a
> victim machine, and mount will trigger a bug in the kernel driver that
> leads to some compromise or DoS or something.
> 
> I thought that nobody would be foolish enough to automount an XFS
> filesystem.  What a fool I was!  It turns out that udisks can be told
> that it's okay to automount things, and then GNOME will do exactly that.
> Including mounting mangled XFS filesystems!
> 
> <delete angry rant about poor decisionmaking and armchair fs developers
> blasting us on X while not actually doing any of the work>
> 
> Turn off /this/ idiocy by adding a udev rule to tell udisks not to
> automount XFS filesystems.
> 
> This will not stop a logged in user from unwittingly inserting a
> malicious storage device and pressing [mount] and getting breached.
> This is not a substitute for a thorough audit.  This is not a substitute
> for lklfuse.  This does not solve the general problem of in-kernel fs
> drivers being a huge attack surface.  I just want a vacation from the
> sh*tstorm of bad ideas and threat models that I never agreed to support.
> 

This seems great, thanks for doing it.

Reviewed-by: Carlos Maiolino <cmaiolino@xxxxxxxxxx>

/me wonders how long until distros/users start to complain and report problems
their OS'es are not automounting xfs :)   /me runs


Carlos

> v2: Add external logs to the list too, and document the var we set
> 
> Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>
> Reviewed-by: Dave Chinner <dchinner@xxxxxxxxxx>
> ---
>  configure.ac           |    1 +
>  include/builddefs.in   |    2 ++
>  m4/package_services.m4 |   42 ++++++++++++++++++++++++++++++++++++++++++
>  scrub/Makefile         |   11 +++++++++++
>  scrub/xfs.rules        |   13 +++++++++++++
>  5 files changed, 69 insertions(+)
>  create mode 100644 scrub/xfs.rules
> 
> diff --git a/configure.ac b/configure.ac
> index 58f3b8e2e90..e447121a344 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -209,6 +209,7 @@ AC_HAVE_SG_IO
>  AC_HAVE_HDIO_GETGEO
>  AC_CONFIG_SYSTEMD_SYSTEM_UNIT_DIR
>  AC_CONFIG_CROND_DIR
> +AC_CONFIG_UDEV_RULE_DIR
> 
>  if test "$enable_blkid" = yes; then
>  AC_HAVE_BLKID_TOPO
> diff --git a/include/builddefs.in b/include/builddefs.in
> index fb8e239cab2..3318e00316c 100644
> --- a/include/builddefs.in
> +++ b/include/builddefs.in
> @@ -184,6 +184,8 @@ HAVE_SYSTEMD = @have_systemd@
>  SYSTEMD_SYSTEM_UNIT_DIR = @systemd_system_unit_dir@
>  HAVE_CROND = @have_crond@
>  CROND_DIR = @crond_dir@
> +HAVE_UDEV = @have_udev@
> +UDEV_RULE_DIR = @udev_rule_dir@
>  HAVE_LIBURCU_ATOMIC64 = @have_liburcu_atomic64@
>  HAVE_MEMFD_CLOEXEC = @have_memfd_cloexec@
>  HAVE_MEMFD_NOEXEC_SEAL = @have_memfd_noexec_seal@
> diff --git a/m4/package_services.m4 b/m4/package_services.m4
> index f2d888a099a..a683ddb93e0 100644
> --- a/m4/package_services.m4
> +++ b/m4/package_services.m4
> @@ -75,3 +75,45 @@ AC_DEFUN([AC_CONFIG_CROND_DIR],
>  	AC_SUBST(have_crond)
>  	AC_SUBST(crond_dir)
>  ])
> +
> +#
> +# Figure out where to put udev rule files
> +#
> +AC_DEFUN([AC_CONFIG_UDEV_RULE_DIR],
> +[
> +	AC_REQUIRE([PKG_PROG_PKG_CONFIG])
> +	AC_ARG_WITH([udev_rule_dir],
> +	  [AS_HELP_STRING([--with-udev-rule-dir@<:@=DIR@:>@],
> +		[Install udev rules into DIR.])],
> +	  [],
> +	  [with_udev_rule_dir=yes])
> +	AS_IF([test "x${with_udev_rule_dir}" != "xno"],
> +	  [
> +		AS_IF([test "x${with_udev_rule_dir}" = "xyes"],
> +		  [
> +			PKG_CHECK_MODULES([udev], [udev],
> +			  [
> +				with_udev_rule_dir="$($PKG_CONFIG --variable=udev_dir udev)/rules.d"
> +			  ], [
> +				with_udev_rule_dir=""
> +			  ])
> +			m4_pattern_allow([^PKG_(MAJOR|MINOR|BUILD|REVISION)$])
> +		  ])
> +		AC_MSG_CHECKING([for udev rule dir])
> +		udev_rule_dir="${with_udev_rule_dir}"
> +		AS_IF([test -n "${udev_rule_dir}"],
> +		  [
> +			AC_MSG_RESULT(${udev_rule_dir})
> +			have_udev="yes"
> +		  ],
> +		  [
> +			AC_MSG_RESULT(no)
> +			have_udev="no"
> +		  ])
> +	  ],
> +	  [
> +		have_udev="disabled"
> +	  ])
> +	AC_SUBST(have_udev)
> +	AC_SUBST(udev_rule_dir)
> +])
> diff --git a/scrub/Makefile b/scrub/Makefile
> index ab9c2d14832..2b9b8d977f6 100644
> --- a/scrub/Makefile
> +++ b/scrub/Makefile
> @@ -41,6 +41,11 @@ endif
> 
>  endif	# scrub_prereqs
> 
> +UDEV_RULES = xfs.rules
> +ifeq ($(HAVE_UDEV),yes)
> +	INSTALL_SCRUB += install-udev
> +endif
> +
>  HFILES = \
>  common.h \
>  counter.h \
> @@ -180,6 +185,12 @@ install-scrub: default
>  	$(INSTALL) -m 755 $(XFS_SCRUB_ALL_PROG) $(PKG_SBIN_DIR)
>  	$(INSTALL) -m 755 -d $(PKG_STATE_DIR)
> 
> +install-udev: $(UDEV_RULES)
> +	$(INSTALL) -m 755 -d $(UDEV_RULE_DIR)
> +	for i in $(UDEV_RULES); do \
> +		$(INSTALL) -m 644 $$i $(UDEV_RULE_DIR)/64-$$i; \
> +	done
> +
>  install-dev:
> 
>  -include .dep
> diff --git a/scrub/xfs.rules b/scrub/xfs.rules
> new file mode 100644
> index 00000000000..c3f69b3ab90
> --- /dev/null
> +++ b/scrub/xfs.rules
> @@ -0,0 +1,13 @@
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +#
> +# Copyright (C) 2023 Oracle.  All rights reserved.
> +# Author: Darrick J. Wong <djwong@xxxxxxxxxx>
> +#
> +# Don't let udisks automount XFS filesystems without even asking a user.
> +# This doesn't eliminate filesystems as an attack surface; it only prevents
> +# evil maid attacks when all sessions are locked.
> +#
> +# According to http://storaged.org/doc/udisks2-api/latest/udisks.8.html,
> +# supplying UDISKS_AUTO=0 here changes the HintAuto property of the block
> +# device abstraction to mean "do not automatically start" (e.g. mount).
> +SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="xfs|xfs_external_log", ENV{UDISKS_AUTO}="0"



[Index of Archives]     [XFS Filesystem Development (older mail)]     [Linux Filesystem Development]     [Linux Audio Users]     [Yosemite Trails]     [Linux Kernel]     [Linux RAID]     [Linux SCSI]


  Powered by Linux