misc: don't allow udisks to automount bcachefs filesystems with no prompt

The unending stream of syzbot bug reports and overwrought filing of CVEs
for corner case handling (i.e. things that distract from actual user
complaints) in XFS has generated all sorts of overheated rhetoric
about how every bug is a Serious Security Issue(tm) because anyone can
craft a malicious filesystem on a USB stick, insert the stick into a
victim machine, and mount will trigger a bug in the kernel driver that
leads to some compromise or DoS or something.

I thought that nobody would be foolish enough to automount an XFS
filesystem.  What a fool I was!  It turns out that udisks can be told
that it's okay to automount things, and then GNOME will do exactly that.
Including mounting mangled XFS filesystems!  Same with bcachefs!

<delete angry rant about poor decisionmaking and armchair fs developers
blasting us on X while not actually doing any of the work>

Turn off /this/ idiocy by adding a udev rule to tell udisks not to
automount bcachefs filesystems.

This will not stop a logged in user from unwittingly inserting a
malicious storage device and pressing [mount] and getting breached.
This is not a substitute for a thorough audit.  This is not a substitute
for lklfuse.  This does not solve the general problem of in-kernel fs
drivers being a huge attack surface.  I just want to give Kent a break
from some of the oceans of bu******.

Signed-off-by: Darrick J. Wong <[email protected]>
Signed-off-by: Kent Overstreet <[email protected]>
Darrick J. Wong authored and Kent Overstreet committed Dec 5, 2023
1 parent f27b135 commit f407121
Showing 2 changed files with 19 additions and 1 deletion.
7 changes: 6 additions & 1 deletion Makefile
@@ -59,7 +59,7 @@ CFLAGS+=$(call cc-disable-warning, zero-length-array)
CFLAGS+=$(call cc-disable-warning, shift-overflow)
CFLAGS+=$(call cc-disable-warning, enum-conversion)

PKGCONFIG_LIBS="blkid uuid liburcu libsodium zlib liblz4 libzstd libudev libkeyutils"
PKGCONFIG_LIBS="blkid uuid liburcu libsodium zlib liblz4 libzstd libudev libkeyutils udev"
ifdef BCACHEFS_FUSE
PKGCONFIG_LIBS+="fuse3 >= 3.7"
CFLAGS+=-DBCACHEFS_FUSE
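Review bot: adding udev to PKGCONFIG_LIBS makes udev.pc a hard requirement of the shared --cflags/--libs query for the whole build, although the only thing the patch takes from that module is its udev_dir variable, which is queried separately with --variable below. udev.pc as shipped by systemd provides only variables, so nothing is gained on the link line, while a host that has libudev but no udev.pc (non-systemd udev implementations, minimal cross-build sysroots) now fails at the generic pkg-config --libs step instead of reaching the more specific check. Suggest leaving PKGCONFIG_LIBS as it was and relying solely on the dedicated `$(PKG_CONFIG) --variable=udev_dir udev` query.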
@@ -73,6 +73,10 @@ PKGCONFIG_LDLIBS:=$(shell $(PKG_CONFIG) --libs $(PKGCONFIG_LIBS))
ifeq (,$(PKGCONFIG_LDLIBS))
$(error pkg-config error, command: $(PKG_CONFIG) --libs $(PKGCONFIG_LIBS))
endif
PKGCONFIG_UDEVRULESDIR:=$(shell $(PKG_CONFIG) --variable=udev_dir udev)
ifeq (,$(PKGCONFIG_UDEVRULESDIR))
$(error pkg-config error, command: $(PKG_CONFIG) --variable=udev_dir udev)
endif

CFLAGS+=$(PKGCONFIG_CFLAGS)
LDLIBS+=$(PKGCONFIG_LDLIBS)
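Review bot: the $(error ...) guarding PKGCONFIG_UDEVRULESDIR turns a missing udev.pc, or one without a udev_dir variable, into a hard build failure even for users who build without udisks and will never load the rule. Consider making the path overridable with a default, along the lines of `UDEVRULESDIR ?= $(shell $(PKG_CONFIG) --variable=udev_dir udev)` (hypothetical variable name), so packagers and cross-builders can set it explicitly, and keep the error only when no path results from either source.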
@@ -157,6 +161,7 @@ install: bcachefs
$(INSTALL) -m0644 -D bcachefs.8 -t $(DESTDIR)$(PREFIX)/share/man/man8/
$(INSTALL) -m0755 -D initramfs/script $(DESTDIR)$(INITRAMFS_SCRIPT)
$(INSTALL) -m0755 -D initramfs/hook $(DESTDIR)$(INITRAMFS_HOOK)
$(INSTALL) -m0644 -D udev/bcachefs.rules -t $(DESTDIR)$(PKGCONFIG_UDEVRULESDIR)/
$(LN) -sfr $(DESTDIR)$(ROOT_SBINDIR)/bcachefs $(DESTDIR)$(ROOT_SBINDIR)/mkfs.bcachefs
$(LN) -sfr $(DESTDIR)$(ROOT_SBINDIR)/bcachefs $(DESTDIR)$(ROOT_SBINDIR)/fsck.bcachefs
$(LN) -sfr $(DESTDIR)$(ROOT_SBINDIR)/bcachefs $(DESTDIR)$(ROOT_SBINDIR)/mount.bcachefs
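Review bot: the rule is installed directly into $(PKGCONFIG_UDEVRULESDIR), but that variable is populated from udev's udev_dir, and in systemd's udev.pc udev_dir points at the udev directory itself (e.g. /usr/lib/udev), not at its rules.d/ subdirectory from which udev actually reads *.rules files. Check with `pkg-config --variable=udev_dir udev`; if the result does not end in rules.d, change the destination to `$(DESTDIR)$(PKGCONFIG_UDEVRULESDIR)/rules.d/` (or derive the variable from udevdir plus /rules.d in the Makefile), otherwise bcachefs.rules lands where udev never loads it and the automount protection silently does nothing.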
13 changes: 13 additions & 0 deletions udev/bcachefs.rules
@@ -0,0 +1,13 @@
# SPDX-License-Identifier: GPL-2.0-or-later
#
# Copyright (C) 2024 Oracle. All rights reserved.
# Author: Darrick J. Wong <[email protected]>
#
# Don't let udisks automount bcachefs filesystems without even asking a user.
# This doesn't eliminate filesystems as an attack surface; it only prevents
# evil maid attacks when all sessions are locked.
#
# According to http://storaged.org/doc/udisks2-api/latest/udisks.8.html,
# supplying UDISKS_AUTO=0 here changes the HintAuto property of the block
# device abstraction to mean "do not automatically start" (e.g. mount).
SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="bcachefs", ENV{UDISKS_AUTO}="0"
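Review bot: the file name bcachefs.rules carries no numeric prefix, so its position in udev's lexical rule ordering is unspecified relative to the numbered rules shipped by other packages, and any rule later in that order that assigns ENV{UDISKS_AUTO} overrides this one; a prefix that sorts after the udisks rules (e.g. 80- or later) pins the order. Two documentation points: the copyright line says 2024 while the commit is dated Dec 5, 2023 on this page, so the year should be checked; and the comment's claim that the rule "only prevents evil maid attacks when all sessions are locked" undersells what is visible in the match: the rule applies to every block device with ID_FS_TYPE=bcachefs regardless of session state, and what it stops is udisks-initiated automounting only, with user-clicked mounts and direct mount(8) calls unaffected, as the commit message already states.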

0 comments on commit f407121