Leaking Path in XFS's ioctl interface(missing LSM check)
TongZhang
ztong at vt.edu
Wed Sep 26 00:51:50 UTC 2018
Hi,
I'm bringing up this issue again to let of LSM developers know the situation, and would like to know your thoughts.
Several weeks ago I sent an email to the security list to discuss the issue where
XFS's ioctl interface can do things like vfs_readlink without asking LSM's
permission, which we think is kind of weird and this kind of operation should be
audited by LSM.
see the original post below:
>We noticed a use of vfs_readlink() in xfs_file_ioctl(), which should have been checked by
>security_inode_readlink().
>The callgraph is:
> xfs_file_ioctl()->xfs_readlink_by_handle()->vfs_readlink()
>
>This path allows user to do things similar to SyS_readlinkat(), and the parameters
>are user controllable.
security_inode_readlink() is not used inside vfs_readlink()
- Tong
More information about the Linux-security-module-archive
mailing list