[dm-devel] [PATCH 1/1] dm: add message command to disallow device open
Zdenek Kabelac
zdenek.kabelac at gmail.com
Fri Jul 15 19:38:35 UTC 2022
Dne 15. 07. 22 v 11:36 Mikulas Patocka napsal(a):
>
> On Fri, 15 Jul 2022, Daniil Lunev wrote:
>
>> Hi Mike,
>> Thank you for your response. I should have probably added more context
>> to the commit message that I specified in the cover letter. The idea is to
>> prohibit access of all userspace, including the root. The main concern here
>> is potential system applications' vulnerabilities that can trick the system to
>> operate on non-intended files with elevated permissions. While those could
>> also be exploited to get more access to the regular file systems, those firstly
>> has to be useable by userspace for normal system operation (e.g. to store
>> user data), secondly, never contain plain text secrets. Swap content is a
>> different story - access to it can leak very sensitive information, which
>> otherwise is never available as plaintext on any persistent media - e.g. raw
>> user secrets, raw disk encryption keys etc, other security related tokens.
>> Thus we propose a mechanism to enable such a lockdown after necessary
>> configuration has been done to the device at boot time.
>> --Daniil
> If someone gains root, he can do anything on the system.
>
> I'm quite skeptical about these attempts; protecting the system from the
> root user is never-ending whack-a-mole game.
It's in fact a 'design feature' of whole DM that root can always open any
device in device stack (although cause some troubles to i.e. some lvm2 logic)
such feature is useful i.e. for debugging device problems. There was never an
intention to prohibit root user from 'seeing' all stacked devices.
Regards
Zdenek
More information about the dm-devel
mailing list