Re: [PATCH] private mounts

> > > the ability to change the layout underneath, you might trigger bugs in
> > > root programs: Are they really capable of seeing the same filename
> > > twice, or can you throw them into a deep recursion by simulating
> > > infinitely deep directories/circular hardlinks...?
> > Circular or otherwise hardlinked directories are not allowed since it
> > would not only confuse applications but the VFS as well.
> 
> Right, that you can catch. But can you prevent a user fs module from
> creating an infinitely deep directory structure out of thin air? Do you
> limit the maximum path length / depth?

No. 

> (Sending this privately and not to LKML, because I first wanted to check
> the facts ;-)

OK, CC restored.  You shouldn't be afraid to send to LKML.  It's the
ultimate spam list ;)

> > > Certainly a useful tool for hardening applications, but I can see the
> > > point of not wanting to let unwary applications run into a namespace
> > > controlled by a user. Of course, this is sort-of similar to "find
> > > -xdev", but I'm not sure whether it is not indeed new behaviour.
> > 
> > A trivial DoS against any process entering the userspace filesystem is
> > just not to answer the filesystem request.
> > 
> > So it's not just information leak, but also a fine way to _control_
> > certain behavior of applications.
> 
> Yes. I first thought the check was superfluous, because hey, why
> shouldn't root be able to access everything... But then it struck me
> that that might actually be a good idea for all those reasons. root's
> tools don't expect that the namespace they are traversing is
> _completely_ controlled by a user.

Exactly.

Thanks,
Miklos
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• References:
  • Re: [PATCH] private mounts
    • From: Miklos Szeredi <[email protected]>
  • Re: [PATCH] private mounts
    • From: Pavel Machek <[email protected]>
  • Re: [PATCH] private mounts
    • From: Miklos Szeredi <[email protected]>
  • Re: [PATCH] private mounts
    • From: Pavel Machek <[email protected]>
  • Re: [PATCH] private mounts
    • From: Miklos Szeredi <[email protected]>
  • Re: [PATCH] private mounts
    • From: Miklos Szeredi <[email protected]>
  • Re: [PATCH] private mounts
    • From: Martin Mares <[email protected]>
  • Re: [PATCH] private mounts
    • From: Lars Marowsky-Bree <[email protected]>
  • Re: [PATCH] private mounts
    • From: Miklos Szeredi <[email protected]>

• Prev by Date: Re: any way to find out kernel memory usage?
• Next by Date: Re: [PATCH] private mounts
• Previous by thread: Re: [PATCH] private mounts
• Next by thread: Re: [PATCH] private mounts
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]