Defending mounted filesystems from the root user
Posted Aug 28, 2023 0:31 UTC (Mon) by geofft (subscriber, #59789)
In reply to: Defending mounted filesystems from the root user by kmeyer
Parent article: Defending mounted filesystems from the root user
But also I don't think punting major filesystems to FUSE is really out of the question. It was the vision of the microkernels of the '90s, which failed not because there was anything fundamentally wrong with microkernels but because overhead was high. We've learned a lot about writing efficient software that spans multiple address spaces since then (it's in many senses similar to HPC work or GPU programming), and also the physical computers are way faster. As I mentioned, without an actual benchmark, I think saying that this just has to be done in kernelspace is premature optimization.
(We also know a lot more about software fault isolation now than we did in the '90s - we could use something like eBPF or wasm or Native Client to keep these filesystems in the kernel but limit the impact of bugs.)
We Linux folks rightly make fun of Windows for having done font rendering in the kernel for so long and having had a bunch of ring-0 privilege escalation bugs as a result. It made sense in the '90s when they cared a lot about font rendering performance and basically not at all about malicious fonts; it doesn't make sense today. I don't think filesystems are a fundamentally different story.
