Re: Please read if you use x86 -current

To: der Mouse <mouse%Rodents-Montreal.ORG@localhost>
Subject: Re: Please read if you use x86 -current
From: Thor Lancelot Simon <tls%rek.tjls.com@localhost>
Date: Thu, 13 Nov 2008 12:01:27 -0500

On Thu, Nov 13, 2008 at 10:02:01AM -0500, der Mouse wrote:
> >>> Unfortunately, this requires giving user code access to raw disks,
> >>> which poses essentially the same set of security risks in the long
> >>> term.
> >> How exactly did you arrive at that conclusion?
> > If user code can overwrite your root filesystem by accessing the
> > wrong disk sectors [...]
> 
> If "giving...access to raw disks" is an all-or-nothing proposition,
> that is, if you can't grant access to one disk without granting access
> to all, you're right.
> 
> But I see no reason why granting access to (say) sd0* has to also grant
> access to wd* or sd1*, or why granting access to sd0e has to also grant
> access to sd0[^e].  Certainly using chmod today doesn't do either

The security model is intended to protect (some components of) the system
from persistent compromise even by a misbehaving process *with euid 0*.

The original design prohibited access to any partition "containing a
mounted filesystem".  Effectively, partitions were treated as exclusively
owned by the first thing to open them.  The issues of overlapping
partitions, non-filesystem in-kernel users of devices, and access to
the partition table itself were basically overlooked (one or two ports
disksubrs tried to do the right thing, but they all got it wrong somehow).

A simple fix would be to add a list of partitions -- or even entire disks --
that _may_ be later opened, which could only be altered at securelevel 0.
This interacts with wedges in some ways that are not entirely clear to me
at first glance, though.  The more comprehensive fix would probably be
code like what Elad offered, to actually detect which partitions overlap
one another and forbid such access.  Then the list would not be necessary.

Now, if you have a bug in a kernel filesystem, you lose no matter what we
do here, because it is running in kernel mode and can just ignore the
sort of protections I describe above.  One really nice thing about user
space filesystems is that that's not so -- even if they run as root --
except for what is essentially a disksubr bug allowing them to get access
to all raw devices if they can get access to any.

Thor

Follow-Ups:
- Re: Please read if you use x86 -current
  - From: der Mouse
- Re: Please read if you use x86 -current
  - From: Antti Kantee

References:
- Please read if you use x86 -current
  - From: Andrew Doran
- Re: Please read if you use x86 -current
  - From: vincent
- Re: Please read if you use x86 -current
  - From: Andrew Doran
- Re: Please read if you use x86 -current
  - From: vincent
- Re: Please read if you use x86 -current
  - From: Antti Kantee
- Re: Please read if you use x86 -current
  - From: Thor Lancelot Simon
- Re: Please read if you use x86 -current
  - From: Antti Kantee
- Re: Please read if you use x86 -current
  - From: Thor Lancelot Simon
- Re: Please read if you use x86 -current
  - From: der Mouse

Prev by Date: Re: Please read if you use x86 -current
Next by Date: raid and raidframe
Previous by Thread: Re: Please read if you use x86 -current
Next by Thread: Re: Please read if you use x86 -current
Indexes:

Home | Main Index | Thread Index | Old Index