Linux-Fsdevel Archive on lore.kernel.org
From: Ross Zwisler <zwisler@chromium.org>
To: Aleksa Sarai <cyphar@cyphar.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	Mattias Nissler <mnissler@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Benjamin Gordon <bmgordon@google.com>,
	David Howells <dhowells@redhat.com>,
	Dmitry Torokhov <dtor@google.com>,
	Jesse Barnes <jsbarnes@google.com>,
	linux-fsdevel@vger.kernel.org,
	Matthew Wilcox <willy@infradead.org>,
	Micah Morton <mortonm@google.com>,
	Raul Rangel <rrangel@google.com>
Subject: Re: [PATCH v7] Add a "nosymfollow" mount option.
Date: Wed, 12 Aug 2020 11:59:13 -0600
Message-ID: <CAGRrVHwQ4EpZy73n4NTLhDZNGN4Gi_FUL4BjWw7ruEoGHENZEg@mail.gmail.com>
In-Reply-To: <20200812014324.rtvlhvopifgkw4mi@yavin.dot.cyphar.com>

On Tue, Aug 11, 2020 at 7:43 PM Aleksa Sarai <cyphar@cyphar.com> wrote:
> On 2020-08-11, Ross Zwisler <zwisler@chromium.org> wrote:
> > From: Mattias Nissler <mnissler@chromium.org>
> >
> > For mounts that have the new "nosymfollow" option, don't follow symlinks
> > when resolving paths. The new option is similar in spirit to the
> > existing "nodev", "noexec", and "nosuid" options, as well as to the
> > LOOKUP_NO_SYMLINKS resolve flag in the openat2(2) syscall. Various BSD
> > variants have been supporting the "nosymfollow" mount option for a long
> > time with equivalent implementations.
> >
> > Note that symlinks may still be created on file systems mounted with
> > the "nosymfollow" option present. readlink() remains functional, so
> > user space code that is aware of symlinks can still choose to follow
> > them explicitly.
> >
> > Setting the "nosymfollow" mount option helps prevent privileged
> > writers from modifying files unintentionally in case there is an
> > unexpected link along the accessed path. The "nosymfollow" option is
> > thus useful as a defensive measure for systems that need to deal with
> > untrusted file systems in privileged contexts.
> >
> > More information on the history and motivation for this patch can be
> > found here:
> >
> > https://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-docs/hardening-against-malicious-stateful-data#TOC-Restricting-symlink-traversal
>
> Looks good. Did you plan to add an in-tree test for this (you could
> shove it in tools/testing/selftests/mount)?

Sure, that sounds like a good idea.  I'll take a look.

> Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>

Thank you for the review.
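
An added example, not part of this thread or of the patch: a Python audit that reads mount records in /proc/self/mountinfo format and reports which of "nodev", "noexec", "nosuid" and "nosymfollow" are missing on the mount that holds a given path. It assumes "nosymfollow" is reported in the per-mount options field the same way the other three are; the sample records, paths and function names are constructed for illustration.

```python
import re

# Per-mount flags an untrusted filesystem should carry (names from the patch text).
REQUIRED = {"nodev", "noexec", "nosuid", "nosymfollow"}

# Constructed sample in /proc/self/mountinfo format (not captured from a real host).
SAMPLE = """\
22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
35 22 8:17 / /media/usb rw,nosuid,nodev,noexec,relatime shared:7 - vfat /dev/sdb1 rw
36 22 8:33 / /mnt/stateful\\040data rw,nosuid,nodev,noexec,nosymfollow - ext4 /dev/sdc1 rw
"""

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Return {mount_point: set(per-mount options)}; later lines shadow earlier ones."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split(" ")
        if len(fields) < 10 or "-" not in fields[6:]:
            continue  # malformed record: skip rather than guess
        mounts[_unescape(fields[4])] = set(fields[5].split(","))
    return mounts

def mount_for(path, mounts):
    """Longest mount point that is a component-wise prefix of an absolute path."""
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best

def missing_flags(path, mounts, required=REQUIRED):
    """Flags from `required` that are absent on the mount holding `path`."""
    mp = mount_for(path, mounts)
    if mp is None:
        raise LookupError(f"no mount covers {path!r}")
    return sorted(required - mounts[mp])

if __name__ == "__main__":
    table = parse_mountinfo(SAMPLE)
    for p in ("/media/usb/photos", "/mnt/stateful data/log", "/etc/passwd"):
        print(p, "->", missing_flags(p, table) or "ok")
```

On a live system, pass the contents of /proc/self/mountinfo to parse_mountinfo() in place of SAMPLE.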
