On Wed, May 30, 2018 at 1:42 PM Dave Chinner <[email protected]> wrote: > We've learnt this lesson the hard way over and over again: don't > parse untrusted input in privileged contexts. How many times do we > have to make the same mistakes before people start to learn from > them?
You're not wrong, but we haven't considered root to be fundamentally trustworthy for years - there are multiple kernel features that can be configured such that root is no longer able to do certain things (the one-way trap for requiring module signatures is the most obvious, but IMA in appraisal mode will also restrict root), and as a result it's not reasonable to be worried only about users - it's also necessary to prevent root form being able to deliberately mount a filesystem that results in arbitrary code execution in the kernel.
