[prev in list] [next in list] [prev in thread] [next in thread] 

List:       v9fs-developer
Subject:    Re: [V9fs-developer] marking 9p as safe for user mounts, wdyt?
From:       Dominique Martinet <asmadeus () codewreck ! org>
Date:       2024-05-16 12:01:59
Message-ID: ZkX1t9LL68wZsfMh () codewreck ! org
[Download RAW message or body]

Hi Ron,

sorry for the slow reply, I didn't see this mail for some reason.

ron minnich wrote on Sun, Apr 14, 2024 at 11:03:44AM -0700:
> we would like to make 9p safe, in the sense that FUSE is safe, for user
> mounts.
> 
> This would add FS_USERNS_MOUNT to the .fs_flags in v9fs_fs_type.
> 
> This would be very helpful for those who wish to mount 9p without a FUSE
> middleman.
> 
> Any thoughts on whether this can happen?

Hmm, while I understand where this come from and how it can be useful,
we have a dozen of syzcaller bugs open:
https://syzkaller.appspot.com/upstream/s/v9fs

If we make 9p user-mountable, that'd be free for all for anyone to
badger on, so I'm not really comfortable opening this box as things
stand.

Filesystem syzcaller bugs have always been a problem when we allow users
to mount arbitrary filesystem images (especially if the user can modify
the image while the kernel accesses it), but in 9p case it's even one
step further with mount-by-fd, so any exploit would immediately become
very easy to use...
Perhaps if we could limit that to a few protocols (virtio, tcp with port
< 1024?), but that wouldn't help you would it?

So if someone can find time to investigate these fuzz reports so we can
either fix them or ensure they're harmless then I'd be game for it,
but as things stand I don't think it's safe.

-- 
Dominique Martinet | Asmadeus


_______________________________________________
V9fs-developer mailing list
V9fs-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/v9fs-developer
[prev in list] [next in list] [prev in thread] [next in thread]