Re: [dm-devel] [PATCH 1/1] dm: add message command to disallow device open

[Zdenek Kabelac]

Dne 15. 07. 22 v 11:36 Mikulas Patocka napsal(a):
> On Fri, 15 Jul 2022, Daniil Lunev wrote:
>
> > Hi Mike,
> > Thank you for your response. I should have probably added more context
> > to the commit message that I specified in the cover letter. The idea is to
> > prohibit access of all userspace, including the root. The main concern here
> > is potential system applications' vulnerabilities that can trick the system to
> > operate on non-intended files with elevated permissions. While those could
> > also be exploited to get more access to the regular file systems, those firstly
> > has to be useable by userspace for normal system operation (e.g. to store
> > user data), secondly, never contain plain text secrets. Swap content is a
> > different story - access to it can leak very sensitive information, which
> > otherwise is never available as plaintext on any persistent media - e.g. raw
> > user secrets, raw disk encryption keys etc, other security related tokens.
> > Thus we propose a mechanism to enable such a lockdown after necessary
> > configuration has been done to the device at boot time.
> > --Daniil
> If someone gains root, he can do anything on the system.
>
> I'm quite skeptical about these attempts; protecting the system from the
> root user is never-ending whack-a-mole game.


It's in fact a 'design feature' of whole DM  that root can always open any 
device in device stack (although cause some troubles to i.e. some lvm2 logic) 
such feature is useful i.e. for debugging device problems. There was never an 
intention to prohibit root user from 'seeing' all stacked devices.

Regards

Zdenek