linux-kernel April 2007 archive
Main Archive Page > Month Archives  > linux-kernel archives
linux-kernel: Re: [AppArmor 31/41] Fix __d_path() for lazy unmou

Re: [AppArmor 31/41] Fix __d_path() for lazy unmounts and make it unambiguous; exclude unreachable mount points from /proc/mounts

From: Alan Cox <alan_at_nospam>
Date: Mon Apr 16 2007 - 21:57:48 GMT
To: Andreas Gruenbacher <agruen@suse.de>


> > That is a fairly significant and sudden change to the existing
> > kernel/user interface.
>
> Well, this is not meant for 2.6.21. I hope it is possible to change it in
> early 2.6.22; otherwise if we can't fix mistakes from the past we are pretty
> doomed.

I don't believe the existing behaviour _IS_ a mistake.

> > This is untrue. The process can get there (via fd passing with another
> > task)
>
> Process can access file descriptors which are unreachable via path name just
> fine indeed, but those fds still don't have a valid path in the context of
> that process.

Which while problematic to your name based security is just fine to everything else.

> We are only talking about mount points unreachable by a particular process;
> this does not mean that the mount point isn't reachable by other processes.
> Human operators can choose the context from which they are looking
> at /proc/mounts. If they are looking form the "real" root, the will see all
> mounts that any process can reach (in that namespace).

Ok, providing the "real" root sees them all it isn't so bad, but to assume you can filter based upon what the task can see is dodgy as an assumption.
-
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html