On 1/30/19 11:41 AM, Martin Wilck wrote:
SUSE will blacklist a number of legacy and/or less frequently used file systems by default on SLES for security reasons.
The proposed list can be seen here:
The question is now whether we should do the same for openSUSE. I figure that while the above list is probably not controversial for enterprise customers, openSUSE users may have objections to some items on the list. Please speak up if you do.
In any case, note that even if we do this, you can re-enable the filesystems you need by simply commenting out lines in the blacklist file.
As the author of this commit, I wanted to chime in.
This list is the list of file systems which will not be subject to module autoloading. In an effort to be user friendly, the kernel will respond to mount requests of a specified type by requesting to load the module to service it. This is generally ok, but there are a number of file systems that are uncommon, poorly maintained, and contain security issues that aren't worth investing the time in fixing. We can reduce the attack surface for most users by declining to load the modules for those file systems automatically.
This list is intended to be sufficient for the vast majority of users. I expect that there are users of file systems on this list but, IMO, there needs to be a pretty big impact on the community as a whole for us to remove one of these from the list.
That list is: blacklist adfs blacklist affs blacklist bfs blacklist befs blacklist cramfs blacklist efs blacklist erofs blacklist exofs blacklist freevxfs blacklist f2fs blacklist hfs blacklist hpfs blacklist jffs2 blacklist jfs blacklist minix blacklist nilfs2 blacklist qnx4 blacklist qnx6 blacklist sysv blacklist ubifs blacklist ufs
You'll find Apple's HFS in the list above. This is for the *old* HFS that hasn't been used by Apple since the 90s. HFS+ is serviced by the hfsplus module which is still available to autoload.
Once f2fs is blacklisted, we can re-enable it in our builds. f2fs doesn't have a mechanism to determine the "version" of a file system which can make backporting security fixes without breaking users a challenge.