Re: Leaking Path in XFS's ioctl interface(missing LSM check)
From: Alan Cox
Date: Mon Oct 01 2018 - 11:04:54 EST
> /* only root can play with this */
> if (!capable(CAP_SYS_ADMIN))
> return -EACCES;
>
> Think about it - if DM control ioctls only require CAP_SYS_ADMIN,
> then if have that cap you can use DM to remap any block in a block
> device to any other block. You don't need to the filesystem to move
> stuff around, it can be moved around without the filesystem knowing
> anything about it.
Yes - I am not surprised the XFS is not the only problem area. The fact
XFS also isn't going via the security hooks so security hooks can fix it
just makes it worse.
> > That's what people said about setuid shell scripts.
>
> Completely different. setuid shell scripts got abused as a hack for
> the lazy to avoid setting up permissions properly and hence were
> easily exploited.
Sounds to me like an accurate description of the current capabilities
mess in the kernel (and not just XFS and not just file systems)
> Systems restricted by LSMs to the point where CAP_SYS_ADMIN is not
> trusted have exactly the same issues. i.e. there's nobody trusted by
> the kernel to administer the storage stack, and nobody has defined a
> workable security model that can prevent untrusted users from
> violating the existing storage trust model....
With a proper set of LSM checks you can lock the filesystem management
and enforcement to a particular set of objects. You can build that model
where for example only an administrative login from a trusted console may
launch processes to do that management.
Or you could - if things were not going around the LSM hooks.
Alan