Re: HFS/HFS+ are insecure
On Friday 21 July 2023, 09:49:48 UTC, Bastien Roucariès wrote:
> On Friday 21 July 2023, 08:20:12 UTC, Matthew Garrett wrote:
> Hi
> > On Thu, Jul 20, 2023 at 07:56:12PM +0200, Marco d'Itri wrote:
> > > Package: src:linux
> > > Severity: normal
> > >
> > > You are totally correct.
> > > Kernel team, please blacklist HFS/HFS+ for automounting.
> >
> > Isn't this a userland policy decision? udisks will happily trigger a
> > module load for hfsplus if udev has identified it, and I don't think
> > there's a trivial mechanism for the kernel to disable that. I believe
> > the only way for the kernel to disable automounting would be to disable
> > the drivers entirely (which we don't want to do), so this probably needs
> > to be assigned elsewhere rather than being a linux bug.
> >
> > (Or, alternatively, we could move hfs(+) support to FUSE and provide
> > extremely tight seccomp policies around them, and then drop kernel
> > support, but even though this has been talked about a bunch I haven't
> > seen anyone try to implement it)
> I vaguely remember that someone implemented a fuse over uml (user space linux)
>
> I used it last time to read in user space some crappy filesystem
>
> If somebody has a better memory than me, it could be an idea
Found it! It was mountlo
>
> Bastien
>
> >
> >
>
>