On 1/30/19 11:41 AM, Martin Wilck wrote:
> SUSE will blacklist a number of legacy and/or less frequently used file systems by default on SLES for security reasons.
> The proposed list can be seen here:
> https://github.com/openSUSE/suse-module-tools/pull/5/commits/8cb42fb6658f210...
> The question is now whether we should do the same for openSUSE. I figure that while the above list is probably not controversial for enterprise customers, openSUSE users may have objections to some items on the list. Please speak up if you do.
> In any case, note that even if we do this, you can re-enable the filesystems you need by simply commenting out lines in the blacklist file.

As the author of this commit, I wanted to chime in.

This list is the list of file systems which will not be subject to module autoloading. In an effort to be user friendly, the kernel will respond to mount requests of a specified type by requesting to load the module to service it. This is generally ok, but there are a number of file systems that are uncommon, poorly maintained, and contain security issues that aren't worth investing the time in fixing. We can reduce the attack surface for most users by declining to load the modules for those file systems automatically.

This list is intended to be sufficient for the vast majority of users. I expect that there are users of file systems on this list but, IMO, there needs to be a pretty big impact on the community as a whole for us to remove one of these from the list. That list is:

blacklist adfs
blacklist affs
blacklist bfs
blacklist befs
blacklist cramfs
blacklist efs
blacklist erofs
blacklist exofs
blacklist freevxfs
blacklist f2fs
blacklist hfs
blacklist hpfs
blacklist jffs2
blacklist jfs
blacklist minix
blacklist nilfs2
blacklist qnx4
blacklist qnx6
blacklist sysv
blacklist ubifs
blacklist ufs

You'll find Apple's HFS in the list above. This is for the *old* HFS that hasn't been used by Apple since the 90s. HFS+ is serviced by the hfsplus module which is still available to autoload.

Once f2fs is blacklisted, we can re-enable it in our builds. f2fs doesn't have a mechanism to determine the "version" of a file system which can make backporting security fixes without breaking users a challenge.

-Jeff

--
Jeff Mahoney
SUSE Labs
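
Added example, not part of the original thread or of suse-module-tools: a small audit that reads text in modprobe.d `blacklist` syntax and reports which file systems from the list above have no active blacklist line, for instance because someone commented the line out to re-enable them. The function names and the sample configuration are constructed for illustration; the module names are the ones in the message.

```python
# Added example: audit modprobe.d text against the file system list above.
import re

# Module names taken from the list in the message above.
PROPOSED = (
    "adfs affs bfs befs cramfs efs erofs exofs freevxfs f2fs hfs hpfs "
    "jffs2 jfs minix nilfs2 qnx4 qnx6 sysv ubifs ufs"
).split()


def parse_blacklist(conf_text):
    """Return the set of module names that have an active 'blacklist' line."""
    # modprobe.d joins a line ending in a backslash with the next line.
    joined = re.sub(r"\\\n", " ", conf_text)
    active = set()
    for line in joined.splitlines():
        fields = line.split()
        # Blank lines and lines starting with '#' are ignored by modprobe.
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "blacklist" and len(fields) >= 2:
            # modprobe treats '-' and '_' in module names as equivalent.
            active.add(fields[1].replace("-", "_"))
    return active


def still_autoloadable(conf_text, wanted=PROPOSED):
    """Modules from 'wanted' that have no active blacklist line."""
    active = parse_blacklist(conf_text)
    return [m for m in wanted if m.replace("-", "_") not in active]


# Constructed sample: f2fs and jfs re-enabled by commenting their lines out.
SAMPLE = "\n".join(
    ("# blacklist " if m in ("f2fs", "jfs") else "blacklist ") + m
    for m in PROPOSED
) + "\n#blacklist hfsplus\n"

if __name__ == "__main__":
    print("not blacklisted:", still_autoloadable(SAMPLE))
```
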