Drawing lessons from fatal SELinux bug #1054350
Josh Stone
jistone at redhat.com
Sun Jan 26 19:55:05 UTC 2014
On 01/25/2014 12:15 PM, Chris Murphy wrote:
> OK, so is the fact it's persistently available the problem? Because
> if I were to have a persistent backup of sysroot mounted, I've got
> the same attack vector available. By default for even an unprivileged
> user gnome-shell mounts with By default, gnome-shell mounts volumes
> with rw,nosuid,nodev,relatime,seclabel,uhelper=udisks2.
Right, it's having a persistent and usable copy of a vulnerability.
> So another possibility is to have a "snapshots" subvolume
> persistently mounted, with noexec, and always place snapshots in that
> subvolume.
That sounds good -- even might be just nosuid on that.
Josh
More information about the devel
mailing list