Re: [PATCH] fuse: enable unprivileged mounts for fuseblk

From: Miklos Szeredi
Date: Mon Nov 07 2022 - 08:30:14 EST


On Sun, 16 Oct 2022 at 19:00, Simon Thoby <work.viveris@xxxxxxxxxxxxx> wrote:
>
> Commit 4ad769f3c346ec3d458e255548dec26ca5284cf6 ("fuse: Allow fully
> unprivileged mounts") enabled mounting filesystems with the 'fuse' type for
> any user with CAP_SYS_ADMIN inside their respective user namespace, but did
> not do so for the 'fuseblk' filesystem type.
>
> Some FUSE filesystem implementations - like ntfs-3g - prefer using
> 'fuseblk' over 'fuse', which implies unprivileged users could not use these
> tools - in their "out-of-the-box" configuration, as these tools can always
> be patched to use the 'fuse' filesystem type to circumvent the problem.
>
> Enable unprivileged mounts for the 'fuseblk' type, thus uniformizing the
> behavior of the two FUSE filesystem types.
>
> Signed-off-by: Simon Thoby <work.viveris@xxxxxxxxxxxxx>

NAK in this form.

Please look at all the places where there's a difference between the
fuse and the fuseblk behavior and give proof that they won't result in
a security issue in case fuseblk is mounted unprivileged.

As a possibly much better alternative, try modifying the ntfs-3g code
to be able to work using the "fuse" fs type as well.

Thanks,
Miklos

fuseblk enables synchronous RELEASE and DESTROY requests that are
unsuitable for unprivileged operation.


Thanks,
Miklos