[Virtio-fs] Securing file handles
Sergio Lopez
slp at redhat.com
Mon Mar 8 14:15:44 UTC 2021
On Mon, Mar 08, 2021 at 11:52:58AM +0100, Max Reitz wrote:
> On 08.03.21 10:06, Sergio Lopez wrote:
> > On Fri, Mar 05, 2021 at 05:22:56PM +0100, Max Reitz wrote:
> > > == Summary ==
> > >
> > > So, my current position is:
> > >
> > > - Bind mounts don’t help with restricting file handles to the exported
> > > directory.
> > >
> > > - A MAC is not very elegant, and we might encounter problems where a
> > > file may be moved outside of the shared directory, but remains
> > > accessible (because moving a file doesn’t change its handle).
> > > (If we consider that a problem. NFS evidently doesn’t, because
> > > without subtree_check, it has absolutely no protection against
> > > arbitrary file handles being opened (on the FS where the export
> > > resides), so valid file handles always remain valid.)
> > >
> > > - A solution such as NFS’s subtree_check (i.e., storing the file’s
> > > parent’s handle in addition to the file’s handle itself, then
> > > verifying that the file does still reside in that directory when the
> > > handle is opened, and then going up the tree to see whether we can
> > > trace it back to the shared directory) is interesting and can perhaps
> > > be considered elegant, but it requires iterating the directory the
> > > file resides in when it is opened, and it will result in file handles
> > > being invalidated whenever a file is moved (outside of its directory).
> > > Perhaps also other issues. In any case, there are reasons why NFS has
> > > basically deprecated this.
> > >
> > > Opinions? :)
> >
> > While the MAC option doesn't look too bad to me, I can't help but feel
> > that we're working around a kernel (mis)feature, which is something
> > that's risky and tends to backfire.
>
> Which misfeature do you mean exactly? That you can open arbitrary files by
> specifying the right magic number (i.e. its handle)?
>
> That in itself is nothing we’re really working around, but rather something
> that we actively want to pass through to the guest.
But I think those file handles should be constrained to some context
other than the backing file system. In any case, I see Miklos has
highlighted the same issue with more detail in his response, so let's
follow up this conversation there to avoid dispersion.
Sergio.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/virtio-fs/attachments/20210308/709636ec/attachment.sig>
More information about the Virtio-fs
mailing list