Head Up: Prepare for dropping fuse group in the nearest future
Steve Grubb
sgrubb at redhat.com
Fri Feb 8 13:32:59 UTC 2008
On Friday 08 February 2008 07:26:53 Alexander Larsson wrote:
> On Thu, 2008-02-07 at 10:29 -0500, Steve Grubb wrote:
> > > Now, Gnome (and many other things) start using fuse because it lets you
> > > implement very desirable features.
> >
> > What are these desirable features? Just curious since I may wind up doing
> > a lot of code review.
>
> There are many cases where you as a user want to access and/or modify
> something that contains files.

Which brings up something: I spent the last 3 years getting the audit system
working everywhere. Does filesystem auditing still work under fuse? When a
user mounts a filesystem, is that auditable? Does fuse support extended
attributes & is SE Linux enforcement still working correctly?

> However most apps don't use these interfaces so they can't access files
> like this. The standard way to access files is through the syscall
> interface, and then things must be mounted, meaning the implementation
> generally lives in the kernel with all the issues related to that.

And the protection to the system enforced by the kernel. :)

> Some things like loopback mounting an iso is possible, but requires root
> access, even if the file is readable by the user. Other things are just
> not possible.

Which is sensible. Remember my fsfuzzer tool? It's found some flaws in
filesystems that could be exploitable with some work. I have not yet had the
time to fuzz fuse since it's never really been seriously considered for any of
our work.

> However, with fuse these things can be solved. The filesystem
> implementation runs as the user, and user syscalls are proxied to the
> filesystem process via a pipe.

You cannot do auditing from userspace very well. It requires CAP_AUDIT_WRITE
and maybe some other permissions.

> This means that anything "filesystem like" that can be accessed from
> userspace can be accessed by all applications. So, for instance, you can get
> things like remote filesystem access via ssh, easily mountable network
> filesystems (smb, ftp, nfs) and user-mountable loopback mounts.

But we already have things like that with auditing and security checks in
place. :)

-Steve
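
An added example, not part of the original message or of any Fedora or FUSE code: a point-in-time inventory of the user-mounted FUSE filesystems discussed in this thread, which complements kernel audit records and does not replace them. It parses mountinfo text and reports each FUSE mount's owning uid and whether nosuid, nodev or allow_other are in effect; the function names and the sample lines are constructed for illustration.

```python
import re

# Constructed sample in /proc/<pid>/mountinfo format; not captured from a real host.
SAMPLE_MOUNTINFO = """\
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
36 25 0:31 / /sys/fs/fuse/connections rw,relatime shared:20 - fusectl fusectl rw
88 25 0:45 / /home/alice/remote rw,nosuid,nodev,relatime shared:60 - fuse.sshfs alice@host:/srv rw,user_id=1000,group_id=1000
91 25 0:47 / /mnt/iso\\040images ro,relatime shared:62 - fuse.fuseiso fuseiso ro,user_id=1001,group_id=1001,allow_other
"""

def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as 3-digit octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def fuse_mounts(mountinfo_text):
    """Return one dict per FUSE mount: mount point, fstype, owning uid, findings."""
    results = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        try:
            sep = fields.index("-", 6)  # optional fields end at the "-" separator
            fstype, _source, super_opts = fields[sep + 1:sep + 4]
        except ValueError:
            continue  # not a well-formed mountinfo line
        # "fusectl" is the control filesystem, not a user-backed mount
        if not (fstype in ("fuse", "fuseblk") or fstype.startswith(("fuse.", "fuseblk."))):
            continue
        mount_opts = fields[5].split(",")
        sopts = super_opts.split(",")
        uid = next((int(o[8:]) for o in sopts
                    if o.startswith("user_id=") and o[8:].isdigit()), None)
        findings = []
        if "nosuid" not in mount_opts:
            findings.append("no nosuid")
        if "nodev" not in mount_opts:
            findings.append("no nodev")
        if "allow_other" in sopts:
            findings.append("allow_other")  # users other than the mounter can access it
        results.append({"mount_point": _unescape(fields[4]), "fstype": fstype,
                        "uid": uid, "findings": findings})
    return results

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fh:
        for m in fuse_mounts(fh.read()):
            print(m)
```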