On Fri, 2023-07-21 at 18:35 +0100, Matthew Garrett wrote:
> On Fri, Jul 21, 2023 at 10:55:39AM +0200, Marco d'Itri wrote:
> 
> > Unless somebody has a better idea then my plan is to ship in the
> > next upload of kmod a file in /etc/modprobe.d/ which uses the blacklist
> > directive to prevent automatically loading some file system modules.
> 
> I think this would break any existing fstab entries that reference hfs
> and hfsplus, and the convenient way to integrate Linux boot with x86
> Macs is certainly to have an hfsplus EFI partition so this may be a
> legitimate use-case. It also means that anyone who has a need to use one
> of these filesystems in a static manner is vulnerable to automount
> attacks using them.
Right, auto-loading of filesystems has to keep working. And since mount()
of arbitrary filesystems is restricted to root (CAP_NET_ADMIN in the
initial namespace), we should let the callers apply a block- or
allow-list. The reason we have to disable auto-loading of network
protocols is that socket creation is generally an unprivileged operation,
so there's no trusted user-space that can apply the policy (besides kmod).

> Completely untested, but I think something along the lines of:
> 
> SUBSYSTEM!="block", GOTO="udisks_insecure_fs_end"
> ENV{ID_FS_TYPE}=="hfs", ENV{UDISKS_AUTO}="0"
> ENV{ID_FS_TYPE}=="hfsplus", ENV{UDISKS_AUTO}="0"
> LABEL="udisks_insecure_fs_end"
> 
> in a udev fragment should work? Any static fstab or mount units should
> still work, but it should disable udisks automounting regardless of the
> desktop agent involved, even if the fs modules are already loaded.

I agree we should not have UDisks probing for any of the (many) kernel
filesystems that aren't being actively maintained, including responding
to security issues. Beyond that, I would also like to see libmount
limiting the filesystems that it will probe when the fstab type is
"auto". But since UDisks normally handles mounting for unprivileged
users, that's probably less of a concern.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.
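The two mechanisms discussed in this thread, as an added example that is not from the thread or from the kmod/udisks projects: a small POSIX sh script that generates the udev fragment in the shape Matthew quoted for a configurable list of filesystem types (generalising the hfs/hfsplus pair), generates the modprobe.d blacklist fragment Marco described for the same list, and exposes the automount decision as a function. The filesystem list, the output file names and the function names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not the thread's or kmod's/udisks' own code).
# Generates policy fragments for a list of filesystem types that should
# not be probed or automounted, and exposes the per-type decision as a
# function so it can be checked in isolation.

# Assumption: list of filesystem types to keep away from automounting.
BLOCKED_FS_TYPES="hfs hfsplus"

# Print a udev rules fragment in the shape quoted in the thread:
# skip non-block devices, then clear UDISKS_AUTO for each listed type.
# Static fstab entries and mount units are unaffected by this file.
gen_udisks_rules() {
    printf 'SUBSYSTEM!="block", GOTO="udisks_insecure_fs_end"\n'
    for fs in $BLOCKED_FS_TYPES; do
        printf 'ENV{ID_FS_TYPE}=="%s", ENV{UDISKS_AUTO}="0"\n' "$fs"
    done
    printf 'LABEL="udisks_insecure_fs_end"\n'
}

# Print a modprobe.d fragment of the kind Marco described. Caveat raised
# in the thread: "blacklist" stops alias-based autoloading, which is what
# mount(2) relies on, so existing fstab entries for these types break too.
gen_modprobe_blacklist() {
    for fs in $BLOCKED_FS_TYPES; do
        printf 'blacklist %s\n' "$fs"
    done
}

# Decision function: 0 (true) if a device carrying ID_FS_TYPE=$1 may be
# automounted, 1 (false) if it is on the blocked list.
fs_automount_allowed() {
    for fs in $BLOCKED_FS_TYPES; do
        [ "$1" = "$fs" ] && return 1
    done
    return 0
}

# Assumed destinations for the generated fragments (install as root).
UDEV_RULES_FILE="/etc/udev/rules.d/80-udisks-insecure-fs.rules"
MODPROBE_FILE="/etc/modprobe.d/insecure-fs.conf"

# Usage: ./fs-policy.sh udev     > "$UDEV_RULES_FILE"
#        ./fs-policy.sh modprobe > "$MODPROBE_FILE"
#        ./fs-policy.sh check hfsplus && echo allowed || echo blocked
case "${1:-}" in
    udev)     gen_udisks_rules ;;
    modprobe) gen_modprobe_blacklist ;;
    check)    fs_automount_allowed "${2:-}" ;;
esac
```

Only the udev fragment matches the conclusion of the thread (keep the kernel autoloading intact, stop UDisks from automounting); the modprobe fragment is included so the trade-off Matthew pointed out can be seen side by side. After installing the udev file, run udevadm control --reload so the new rules take effect for subsequently plugged devices.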