On Sun, 27 Aug 2023 02:34:04 +0200 Marco d'Itri <m...@linux.it> wrote:
Control: reassign -1 udisks2 Control: retitle -1 do not mount automatically unmaintained file systemsOn Jul 20, md wrote: > You are totally correct. > Kernel team, please blacklist HFS/HFS+ for automounting.As discussed on debian-devel@, this policy should not be handled by the kernel because modules autoloading of file systems drivers should not bedisabled. So I propose this content for a file like /usr/lib/udev/rules.d/75-insecure-fs.rules: # Do not automatically mount these file systems because their drivers are # marked as "orphan" or "odd fixes" in the kernel MAINTAINERS file and so # are more at risk of having security-sensitive defects which could be # exploited by a crafted file system. SUBSYSTEM!="block", GOTO="udisks_insecure_fs_end" ENV{ID_FS_TYPE}=="affs", ENV{UDISKS_AUTO}="0" ENV{ID_FS_TYPE}=="ecryptfs", ENV{UDISKS_AUTO}="0" ENV{ID_FS_TYPE}=="efs", ENV{UDISKS_AUTO}="0" ENV{ID_FS_TYPE}=="hfs", ENV{UDISKS_AUTO}="0" ENV{ID_FS_TYPE}=="hfsplus", ENV{UDISKS_AUTO}="0" ENV{ID_FS_TYPE}=="jffs2", ENV{UDISKS_AUTO}="0" ENV{ID_FS_TYPE}=="jfs", ENV{UDISKS_AUTO}="0" ENV{ID_FS_TYPE}=="qnx6", ENV{UDISKS_AUTO}="0" ENV{ID_FS_TYPE}=="sysv", ENV{UDISKS_AUTO}="0" LABEL="udisks_insecure_fs_end"
I asked udisks upstream for their input, see https://github.com/storaged-project/udisks/issues/1239
OpenPGP_signature.asc
Description: OpenPGP digital signature
