Drawing lessons from fatal SELinux bug #1054350
jistone at redhat.com
Sat Jan 25 04:40:28 UTC 2014
On 01/24/2014 05:27 PM, Chris Murphy wrote:
> On Jan 24, 2014, at 4:16 PM, Josh Stone <jistone at redhat.com> wrote:
>> This concerns me especially in the case of security updates -- for
>> example, a vulnerable setuid-root binary should be locked up tight!
> The organization question is valid. But sudo or root could just mount
> any subvolume. However, btrfs read-only snapshots can't be written to
> even by root. Naturally root could just create a rw snapshot of a ro
> snapshot and then delete the ro snapshot, but an audit probably ought
> to show the subvolume UUIDs and creation dates involved so that we'd
> know this is what happened.
My point was not about what root can do. Suppose there's a vulnerable
'sudo' binary that gives everyone a root shell. If that binary is
available on any executable path, even read-only, that's trouble.
As you say, LVM snapshots are out of view, but with btrfs it needs to be
an inaccessible subvolume path, or mounted noexec, etc.
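The point above is that a read-only snapshot still runs whatever setuid binaries it contains; only the mount flags (noexec, or nosuid, which makes the kernel ignore set-user-ID bits) or an unreachable path take the old binary out of play. The following audit script is an added example written for this page, not code from the thread or from any Fedora tool. It parses a mount table in /proc/self/mounts format and reports read-only mounts on which a setuid binary would still be honoured, and resolves a given path to its covering mount to answer "would this old sudo still work?". The mount table, the subvolume names and the paths are constructed for illustration; a real run would read /proc/self/mounts and also stat the file for the setuid bit, which this example does not do.

```python
"""Flag read-only mounts (btrfs snapshots, LVM snapshots, anything) that are
still executable, i.e. where a vulnerable setuid binary would still run.

Added example, not part of the original mailing-list thread.  SAMPLE_MOUNTS is
a constructed /proc/self/mounts table; the paths under it are hypothetical.
"""

# Constructed sample in /proc/self/mounts format: device, mountpoint, fstype,
# comma-separated options, dump, pass.  Subvolume ids/paths are made up.
SAMPLE_MOUNTS = """\
/dev/sda2 / btrfs rw,relatime,ssd,space_cache,subvolid=257,subvol=/root 0 0
/dev/sda2 /.snapshots/1 btrfs ro,relatime,ssd,space_cache,subvolid=300,subvol=/snapshots/1 0 0
/dev/sda2 /.snapshots/2 btrfs ro,noexec,nosuid,relatime,ssd,subvolid=301,subvol=/snapshots/2 0 0
/dev/mapper/vg-snap /mnt/lvm-snap ext4 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""


def parse_mounts(text):
    """Parse mount-table lines into dicts; the options become a set."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        source, mountpoint, fstype, opts = fields[:4]
        entries.append({
            "source": source,
            "mountpoint": mountpoint,
            "fstype": fstype,
            "options": set(opts.split(",")),
        })
    return entries


def setuid_honoured(entry):
    """True if a setuid-root binary on this mount would still gain privilege.

    noexec stops execution outright; nosuid makes the kernel ignore the
    set-user-ID bit.  Read-only (ro) on its own prevents neither.
    """
    opts = entry["options"]
    return "noexec" not in opts and "nosuid" not in opts


def find_risky_readonly_mounts(text):
    """Mountpoints that are read-only but still honour setuid binaries."""
    return [
        e["mountpoint"]
        for e in parse_mounts(text)
        if "ro" in e["options"] and setuid_honoured(e)
    ]


def mount_for_path(path, entries):
    """Longest-prefix match of a path against the mountpoints."""
    best = None
    for e in entries:
        mnt = e["mountpoint"]
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best["mountpoint"]):
                best = e
    return best


def setuid_effective(path, text=SAMPLE_MOUNTS):
    """Would a setuid binary at `path` still work, given these mount flags?

    This only consults mount options; it does not stat the file, so it says
    nothing about whether the file actually carries the setuid bit.
    """
    entry = mount_for_path(path, parse_mounts(text))
    return entry is not None and setuid_honoured(entry)


if __name__ == "__main__":
    print("read-only but executable:", find_risky_readonly_mounts(SAMPLE_MOUNTS))
    for p in ("/.snapshots/1/usr/bin/sudo", "/.snapshots/2/usr/bin/sudo",
              "/mnt/lvm-snap/usr/bin/sudo", "/tmp/sudo"):
        print(p, "-> setuid honoured:", setuid_effective(p))
```

In the constructed table only /.snapshots/2 was mounted with noexec,nosuid, so a stale sudo under /.snapshots/1 or under the mounted LVM snapshot is reported as still live; the LVM case illustrates that "out of view" holds only while the snapshot is not mounted on a reachable path.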