Date: Thu, 21 Mar 2019 11:59:22 -0400
From: Shawn Webb
To: Alan Somers
Cc: FreeBSD CURRENT, freebsd-fs
Subject: Re: HEAD'S UP: fusefs sysctls going away

On Thu, Mar 21, 2019 at 09:55:15AM -0600, Alan Somers wrote:
> On Thu, Mar 21, 2019 at 9:49 AM Shawn Webb wrote:
> >
> > Hey Alan,
> >
> > Thank you very much for your work in maintaining fusefs. I only use
> > fusefs in very limited circumstances, so take what I'm about to say
> > with a grain of salt.
> >
> > On Thu, Mar 21, 2019 at 09:43:07AM -0600, Alan Somers wrote:
> > > fusefs has several sysctl knobs that seem to be workarounds for bugs
> > > in particular fuse daemons. However, there is no indication as to
> > > which those daemons are, neither in the code nor in SVN. All of the
> > > workarounds are at least 6.5 years old, so the original bugs may have
> > > been fixed already. Since the original bugs aren't documented, I
> > > consider these workarounds to be unmaintainable, and I'm planning to
> > > delete them unless anybody objects. Please pipe up if you still use
> > > them!
> > >
> > > vfs.fusefs.mmap_enable: If non-zero, and data_cache_mode is also
> > > non-zero, enable mmap(2) of FUSE files
> >
> > I'm curious about the security impacts of removing the toggle to disable
> > mmap support for fusefs. Is there a per-fusefs replacement for
> > mmap_enable? From a security perspective, it would be nice to keep the
> > ability to disable mapping of files mounted on a fusefs.
>
> As a matter of fact, there are three other ways to disable mmap:
> 1) Set vfs.fusefs.data_cache_mode=0. This completely disables caching
> file data, which precludes mmap.
> 2) Use the undocumented -o no_datacache mount option, which does the
> same thing on a per-mount basis.
> 3) Use the undocumented -o no_mmap mount option, which disables mmap
> on a per-mount basis.

Awesome! I wasn't aware of these. Thanks!

>
> Are you aware of any general security problems with using mmap?
> Anything that would apply to fusefs but not other filesystems?

Primarily because I trust the filesystems natively implemented in my
OS more than I trust some (potentially random) fusefs module. For
example, if I'm in a shared hosting environment, implemented with
jails, and I let the customer mount a fusefs module in the jail (which
is now possible, if I remember right), then I must trust that the
module's mmap integration is properly implemented. I'm not sure I
personally am okay with that level of trust.

However, the point is moot now that you documented the three ways to
disable mmap (two of which work on a per-mount basis).

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
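
A way to confirm that one of the three settings listed in the thread actually blocks mmap(2) on a given mount, as an added example that is not part of the original message or of the FreeBSD source. The function name `probe_mmap` is hypothetical, and the thread does not say which errno a `no_mmap` mount returns, so the program only reports whatever the kernel gives back.

```c
/* Added example: probe whether a file on a mount can be mmap(2)ed. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Returns 1 if a read-only shared mapping succeeded, 0 if the kernel
 * refused the mapping (errno stored in *err), and -1 if the file could
 * not be probed at all (missing, unreadable, or empty; errno in *err).
 */
int probe_mmap(const char *path, int *err)
{
    struct stat st;
    int fd = open(path, O_RDONLY);

    *err = 0;
    if (fd < 0) { *err = errno; return -1; }
    if (fstat(fd, &st) != 0) { *err = errno; close(fd); return -1; }
    /* A zero-length mapping fails everywhere, so it proves nothing. */
    if (st.st_size == 0) { *err = EINVAL; close(fd); return -1; }

    void *p = mmap(NULL, 1, PROT_READ, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) { *err = errno; close(fd); return 0; }
    munmap(p, 1);
    close(fd);
    return 1;
}

int main(int argc, char **argv)
{
    int err, r;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <file-on-fusefs-mount>\n", argv[0]);
        return 2;
    }
    r = probe_mmap(argv[1], &err);
    if (r == 1)
        printf("%s: mmap allowed\n", argv[1]);
    else if (r == 0)
        printf("%s: mmap refused (%s)\n", argv[1], strerror(err));
    else
        printf("%s: cannot probe (%s)\n", argv[1], strerror(err));
    return r == 0 ? 0 : 1; /* exit 0 only when the mapping was refused */
}
```

Run it against a non-empty file on the fusefs mount; an exit status of 0 means the mapping was refused.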