[RFC][PATCH 00/10] Mount, FS, Block and Keyrings notifications [ver #3]

David Howells dhowells at redhat.com
Thu Jun 6 22:50:48 UTC 2019


Andy Lutomirski <luto at amacapital.net> wrote:

> They can call fsinfo() anyway, or just read /proc/self/mounts. As far as I’m
> concerned, if you have CAP_SYS_ADMIN over a mount namespace and LSM policy
> lets you mount things, then of course you can get information to basically
> anyone who can use that mount namespace.

And automounts?  You don't need CAP_SYS_ADMIN to trigger one of those, but
they still generate events.  On the other hand, you need CSA to mount
something that has automounts in the first place, and if you're particularly
concerned about security, you probably don't want the processes you might be
suspicious of having access to things that contain automounts (typically
network filesystems).

David