oss-sec mailing list archives

Re: Untrusted fs and invalid filenames


From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Mon, 14 Mar 2011 14:28:59 +0100

Stephan Mueller wrote:
> On Saturday, 12 March 2011, at 18:03:45, Vasiliy Kulikov wrote:
> > What I suggest is something like "-o untrusted" option to mount.  This
> > would mean that the system considers the input from such fs as a malicious
> > input.  Such mounted fs would try to consider the data on disk as
> > untrusted and to be as robust as possible, e.g. check against
> > "/"-filenames, against corrupted fs structures, etc.  I'd be happy to
> > hear opinions about the usefulness of this feature.
>
> I completely second your concerns.
>
> However, how do you propose to implement that "untrusted" option? The core
> problem IMHO is that the physical layout and structure in a file system is
> assumed to be correct in general by the kernel. The physical file system
> implementations (including any depending code, like the LSMs for interpreting
> XATTRs) have some checks for input validation. But I highly doubt that all
> checks necessary for an untrusted file system layout are implemented - to have
> all such checks would cause some speed penalties nobody wants to carry.

For the hot-plugged USB drive case, speed of the file system
shouldn't be much of a concern. I wonder whether it would be
possible to create a wrapper API that allows compiling kernel fs
modules as user space programs for use with e.g. fuse.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
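
The kind of on-disk validation the thread is talking about, as an added example that is not part of the original message or of any kernel's code: a walker for one directory block that treats every field it reads as hostile. It uses a simplified ext2-style entry layout (inode u32 LE, rec_len u16 LE, name_len u8, file_type u8, then the name bytes), which is an assumption made here for illustration, and it runs the checks over constructed sample blocks, one well-formed and the others each carrying a single corruption: a zero rec_len that would make a trusting walker loop forever, a rec_len that runs off the end of the block, a name_len larger than its record, and a '/' inside a name.

```c
/* Added example, not code from the thread or from any kernel: a validator for
 * one directory block in a simplified ext2-style layout (inode u32 LE, rec_len
 * u16 LE, name_len u8, file_type u8, name bytes; the layout is assumed here for
 * illustration), run over constructed sample blocks. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum dir_err {
    DIR_OK = 0,
    DIR_ERR_REC_LEN,   /* rec_len zero, too small, unaligned or past block end */
    DIR_ERR_NAME_LEN,  /* empty name, or name_len larger than the record holds */
    DIR_ERR_BAD_CHAR   /* '/' or NUL inside a name */
};

#define DIRENT_HDR 8   /* bytes before the name */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Walk one block and count live entries. Every field read from the block is
 * bounds-checked before it is used to compute the next offset, so a crafted
 * block cannot make the walker read out of bounds or spin forever. */
int walk_dir_block(const uint8_t *blk, size_t blksize, size_t *count)
{
    size_t off = 0, n = 0;
    while (off < blksize) {
        if (blksize - off < DIRENT_HDR) return DIR_ERR_REC_LEN;
        uint16_t rec_len = rd16(blk + off + 4);
        uint8_t name_len = blk[off + 6];
        /* rec_len 0 would never advance; unaligned or oversized rec_len is corrupt */
        if (rec_len < DIRENT_HDR || (rec_len & 3) || rec_len > blksize - off)
            return DIR_ERR_REC_LEN;
        if (name_len > rec_len - DIRENT_HDR) return DIR_ERR_NAME_LEN; /* must fit its record */
        const char *name = (const char *)blk + off + DIRENT_HDR;
        if (rd32(blk + off) != 0) {  /* inode 0 marks a deleted slot */
            if (name_len == 0) return DIR_ERR_NAME_LEN;
            /* a '/' or NUL in a component would escape or truncate on lookup */
            if (memchr(name, '/', name_len) || memchr(name, '\0', name_len))
                return DIR_ERR_BAD_CHAR;
            n++;
        }
        off += rec_len;
    }
    *count = n;
    return DIR_OK;
}

/* Write one record; rec_len is stored as given so bad values can be planted. */
static void put_entry(uint8_t *blk, size_t off, uint32_t ino, uint16_t rec_len,
                      const char *name, uint8_t name_len)
{
    for (int i = 0; i < 4; i++) blk[off + i] = (uint8_t)(ino >> (8 * i));
    blk[off + 4] = (uint8_t)rec_len; blk[off + 5] = (uint8_t)(rec_len >> 8);
    blk[off + 6] = name_len;         blk[off + 7] = 1;  /* file_type: regular */
    memcpy(blk + off + DIRENT_HDR, name, name_len);
}

/* Constructed 64-byte sample blocks: case 0 is well formed, every other case
 * plants one corruption a hostile image could carry. Returns the walker's
 * verdict and stores the number of live entries it accepted in *count. */
int scenario(int which, size_t *count)
{
    uint8_t blk[64] = {0};
    *count = 0;
    switch (which) {
    case 0:  /* ".", "..", "a.txt", then a deleted slot filling the block */
        put_entry(blk, 0, 2, 12, ".", 1);
        put_entry(blk, 12, 2, 12, "..", 2);
        put_entry(blk, 24, 11, 16, "a.txt", 5);
        put_entry(blk, 40, 0, 24, "", 0);
        break;
    case 1:  /* rec_len 0: a walker that trusts it never advances */
        put_entry(blk, 0, 2, 0, ".", 1);
        break;
    case 2:  /* rec_len running past the end of the block */
        put_entry(blk, 0, 2, 12, ".", 1);
        put_entry(blk, 12, 3, 60, "x", 1);
        break;
    case 3:  /* name_len larger than the record can hold */
        put_entry(blk, 0, 2, 64, ".", 1);
        blk[6] = 200;
        break;
    case 4:  /* '/' inside a name: a component that escapes the directory */
        put_entry(blk, 0, 2, 12, ".", 1);
        put_entry(blk, 12, 12, 52, "../etc/pw", 9);
        break;
    }
    return walk_dir_block(blk, sizeof blk, count);
}

int main(void)
{
    static const char *verdict[] = {"ok", "bad rec_len", "bad name_len", "bad char"};
    for (int i = 0; i < 5; i++) {
        size_t n; int rc = scenario(i, &n);
        printf("case %d: %s, %zu live entries\n", i, verdict[rc], n);
    }
    return 0;
}
```

The order of the checks is the point: rec_len is validated against the remaining bytes of the block before it is added to the offset, and name_len against rec_len before the name is touched, so no value taken from the medium is ever used as an index or a length until it has been shown to stay inside the block. A real driver doing this for every lookup pays exactly the per-entry cost Stephan mentions, which is why confining it to an explicitly untrusted mount is attractive.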

