do not automatically mount unmaintained file systems #1239

Open
mbiebl opened this issue Jan 10, 2024 · 3 comments

Comments

@mbiebl
Contributor

mbiebl commented Jan 10, 2024

Hi,

there is this downstream discussion which you might be interested in and for which I'd appreciate your feedback as upstream.
In that issue, it is requested that udisks (downstream) ships this udev rule /usr/lib/udev/rules.d/75-insecure-fs.rules:

```
# Do not automatically mount these file systems because their drivers are
# marked as "orphan" or "odd fixes" in the kernel MAINTAINERS file and so
# are more at risk of having security-sensitive defects which could be
# exploited by a crafted file system.
SUBSYSTEM!="block", GOTO="udisks_insecure_fs_end"

ENV{ID_FS_TYPE}=="affs", ENV{UDISKS_AUTO}="0"
ENV{ID_FS_TYPE}=="ecryptfs", ENV{UDISKS_AUTO}="0"
ENV{ID_FS_TYPE}=="efs", ENV{UDISKS_AUTO}="0"
ENV{ID_FS_TYPE}=="hfs", ENV{UDISKS_AUTO}="0"
ENV{ID_FS_TYPE}=="hfsplus", ENV{UDISKS_AUTO}="0"
ENV{ID_FS_TYPE}=="jffs2", ENV{UDISKS_AUTO}="0"
ENV{ID_FS_TYPE}=="jfs", ENV{UDISKS_AUTO}="0"
ENV{ID_FS_TYPE}=="qnx6", ENV{UDISKS_AUTO}="0"
ENV{ID_FS_TYPE}=="sysv", ENV{UDISKS_AUTO}="0"

LABEL="udisks_insecure_fs_end"
```

@tbzatek
Member

tbzatek commented Jan 10, 2024

I think it's mostly similar to #1094, just an inverted logic.

@mbiebl
Contributor Author

mbiebl commented Mar 11, 2024

Do you have any concerns/objections if I (for now) ship this udev rule in the Debian/Ubuntu package?
I'll certainly keep an eye on #1094

@tbzatek
Member

tbzatek commented Mar 13, 2024

> Do you have any concerns/objections if I (for now) ship this udev rule in the Debian/Ubuntu package? I'll certainly keep an eye on #1094

Well, it's still a valid and supported use case, just on a larger scale.

The only potential effect on upstream I can think of might be to remember there's something custom in place when dealing with bugreports, though we typically ask for udevadm info that would quickly reveal an extra udev rule in place. Sometimes it's not obvious where the problem is and we'd like to minimize the time spent on bugreport investigation as developers' time on this project is currently very limited.
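
The thread notes that `udevadm info` output reveals whether an extra rule is in place. The following is an added example, not part of the issue, udisks or the Debian package: it extracts the file system types a rules file suppresses and classifies a device from its udev properties. The function names, status strings and sample data are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit helper, not code from udisks or the Debian package.

# Print (space-separated) the ID_FS_TYPE values for which a rules file sets
# UDISKS_AUTO="0". Reads rules text on stdin, in the format quoted above.
blocked_fs_types() {
    sed -n 's/^ENV{ID_FS_TYPE}=="\([^"]*\)",[[:space:]]*ENV{UDISKS_AUTO}="0"[[:space:]]*$/\1/p' |
        tr '\n' ' '
}

# Classify one device from KEY=VALUE properties on stdin, as printed by
#   udevadm info --query=property --name=DEVICE
# $1 = space-separated list from blocked_fs_types.
# Prints: ok-suppressed | MISSING-RULE | not-listed  (hypothetical labels)
check_device() {
    blocked=$1
    fstype=
    auto=
    while IFS='=' read -r key value; do
        case $key in
            ID_FS_TYPE)  fstype=$value ;;
            UDISKS_AUTO) auto=$value ;;
        esac
    done
    [ -n "$fstype" ] || { echo "not-listed"; return 0; }
    case " $blocked " in
        *" $fstype "*)
            # Listed type: automount must be switched off by the rule.
            if [ "$auto" = "0" ]; then echo "ok-suppressed"; else echo "MISSING-RULE"; fi ;;
        *)  echo "not-listed" ;;
    esac
}

# Constructed sample: a shortened copy of the rule file from the issue.
sample_rules() {
cat <<'EOF'
SUBSYSTEM!="block", GOTO="udisks_insecure_fs_end"
ENV{ID_FS_TYPE}=="hfs", ENV{UDISKS_AUTO}="0"
ENV{ID_FS_TYPE}=="jfs", ENV{UDISKS_AUTO}="0"
LABEL="udisks_insecure_fs_end"
EOF
}

# Constructed property dumps standing in for real udevadm output.
blocked=$(sample_rules | blocked_fs_types)
printf 'ID_FS_TYPE=hfs\nUDISKS_AUTO=0\n' | check_device "$blocked"
printf 'ID_FS_TYPE=jfs\nID_FS_USAGE=filesystem\n' | check_device "$blocked"
printf 'ID_FS_TYPE=ext4\n' | check_device "$blocked"
```

On a real system, feed `blocked_fs_types` the installed rules file and pipe the `udevadm info --query=property` output for each block device into `check_device`; a `MISSING-RULE` result means a listed file system type is present but automount was not suppressed.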
