Re: [PATCH v3 0/1] Relax restrictions on user.* xattr

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Vivek Goyal <vgoyal@xxxxxxxxxx>
Subject: Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
From: Bruce Fields <bfields@xxxxxxxxxx>
Date: Tue, 14 Sep 2021 09:59:19 -0400
Cc: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>, "Dr. David Alan Gilbert" <dgilbert@xxxxxxxxxx>, Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>, linux-fsdevel <linux-fsdevel@xxxxxxxxxxxxxxx>, LKML <linux-kernel@xxxxxxxxxxxxxxx>, virtio-fs@xxxxxxxxxx, Daniel Walsh <dwalsh@xxxxxxxxxx>, Christian Brauner <christian.brauner@xxxxxxxxxx>, Casey Schaufler <casey.schaufler@xxxxxxxxx>, LSM <linux-security-module@xxxxxxxxxxxxxxx>, selinux@xxxxxxxxxxxxxxx, "Theodore Ts'o" <tytso@xxxxxxx>, Miklos Szeredi <miklos@xxxxxxxxxx>, Giuseppe Scrivano <gscrivan@xxxxxxxxxx>, stephen.smalley.work@xxxxxxxxx, Andreas Gruenbacher <agruenba@xxxxxxxxxx>, Dave Chinner <david@xxxxxxxxxxxxx>
In-reply-to: <YUCa6pWpr5cjCNrU@redhat.com>
References: <20210902152228.665959-1-vgoyal@redhat.com> <79dcd300-a441-cdba-e523-324733f892ca@schaufler-ca.com> <YTEEPZJ3kxWkcM9x@redhat.com> <YTENEAv6dw9QoYcY@redhat.com> <3bca47d0-747d-dd49-a03f-e0fa98eaa2f7@schaufler-ca.com> <YTEur7h6fe4xBJRb@redhat.com> <1f33e6ef-e896-09ef-43b1-6c5fac40ba5f@schaufler-ca.com> <YTYr4MgWnOgf/SWY@work-vm> <496e92bf-bf9e-a56b-bd73-3c1d0994a064@schaufler-ca.com> <YUCa6pWpr5cjCNrU@redhat.com>

On Tue, Sep 14, 2021 at 8:52 AM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
> Same is the requirement for regular containers and that's why
> podman (and possibly other container managers), make top level
> storage directory only readable and searchable by root, so that
> unpriveleged entities on host can not access container root filesystem
> data.

Note--if that directory is on NFS, making it readable and searchable
by root is very weak protection, since it's often possible for an
attacker to guess filehandles and access objects without the need for
directory lookups.

--b.

Follow-Ups:
- Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
  - From: Vivek Goyal

References:
- [PATCH v3 0/1] Relax restrictions on user.* xattr
  - From: Vivek Goyal
- Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
  - From: Casey Schaufler
- Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
  - From: Vivek Goyal
- Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
  - From: Vivek Goyal
- Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
  - From: Casey Schaufler
- Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
  - From: Vivek Goyal
- Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
  - From: Casey Schaufler
- Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
  - From: Dr. David Alan Gilbert
- Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
  - From: Casey Schaufler
- Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
  - From: Vivek Goyal

Prev by Date: Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
Next by Date: Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
Previous by thread: Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
Next by thread: Re: [PATCH v3 0/1] Relax restrictions on user.* xattr
Index(es):
- Date
- Thread

[Index of Archives] [Selinux Refpolicy] [Linux SGX] [Fedora Users] [Fedora Desktop] [Yosemite Photos] [Yosemite Camping] [Yosemite Campsites] [KDE Users] [Gnome Users]