debcrafters-packages team mailing list archive

[Bug 2114945] Re: block less common filesystems by default

 

The 70-insecure-fs.rules file was shipped in udisks2 (2.10.1-8), so
Oracular and later:

  * Do not automatically mount unmaintained file systems.
    Ship a udev rules files named 70-insecure-fs.rules which sets the udev
    property UDISKS_AUTO to 0 for file systems that are marked as "Orphan"
    or "Odd Fixes" in the kernel MAINTAINERS file. Those are more at risk of
    having security-sensitive defects which could be exploited by a crafted
    file system.
    The list includes the following file systems:
    affs, ecryptfs, efs, hfs, hfsplus, jffs2, jfs, qnx6, sysv.
    As we require ID_FS_TYPE to be set, use priority 70 so it is ordered
    after 60-persistent-storage.rules.
    Thanks to Marco d'Itri (Closes: #1041552)


Perhaps we should backport this change to previous releases as a security improvement.

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to kmod in Ubuntu.
https://bugs.launchpad.net/bugs/2114945

Title:
  block less common filesystems by default

Status in kmod package in Ubuntu:
  New

Bug description:
  The Linux kernel supports a lot of different filesystem types. This is
  cool, it's part of what makes Linux so flexible and helped bring Linux
  to the mainstream. However, quality of filesystem implementations
  varies wildly and the upstream kernel community doesn't consider flaws
  in filesystems to be security issues:
  https://lore.kernel.org/linux-fsdevel/20250407-biegung-furor-e7313ca9d712@brauner/

  Ubuntu has decided to make it easy for users to mount filesystems, for
  better or for worse.

  The filesystems that have had less dedicated bug hunting bring
  significant risk to Ubuntu users. We can make it harder to mount these
  filesystem types without affecting most Ubuntu users through some
  simple module blocklisting. System administrators can still enable
  these other filesystem types with relatively easy efforts and everyone
  else will have reduced risk of ring 0 privilege escalation issues.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kmod/+bug/2114945/+subscriptions
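
An added example, not part of the bug report or of the kmod or udisks2 packages: a shell audit that reports, for each file system in the changelog's list, whether a modprobe.d-style directory blocks its module with an `install` line, only with a `blacklist` line, or not at all. The function names and the sample config written by `make_sample` are constructed for this example; it assumes each module is named after its file system type.

```shell
#!/bin/sh
# Added example: audit modprobe.d-style directories for the file systems
# listed in the udisks2 changelog. Function names are this example's own.
FS_LIST="affs ecryptfs efs hfs hfsplus jffs2 jfs qnx6 sysv"

# block_state MODULE DIR... prints one of:
#   install    "install MODULE /bin/false" (or /bin/true): modprobe runs that
#              command instead of loading the module
#   blacklist  only the module's aliases are ignored (such as the fs-MODULE
#              alias requested on mount); "modprobe MODULE" still loads it
#   none       no matching line in any *.conf file
block_state() {
    mod=$1; shift
    state=none
    for dir in "$@"; do
        for conf in "$dir"/*.conf; do
            [ -f "$conf" ] || continue
            if grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(false|true)([[:space:]]|\$)" "$conf"; then
                echo install; return 0
            fi
            if grep -Eq "^[[:space:]]*blacklist[[:space:]]+$mod([[:space:]]|\$)" "$conf"; then
                state=blacklist
            fi
        done
    done
    echo "$state"
}

# audit_fs DIR... prints "<fs> <state>" per entry of FS_LIST and returns
# non-zero if any file system has no entry at all.
audit_fs() {
    rc=0
    for fs in $FS_LIST; do
        s=$(block_state "$fs" "$@")
        printf '%s %s\n' "$fs" "$s"
        if [ "$s" = none ]; then rc=1; fi
    done
    return "$rc"
}

# make_sample DIR writes a constructed config covering all three states.
make_sample() {
    printf 'install hfs /bin/false\ninstall hfsplus /bin/false\n' > "$1/fs-install.conf"
    printf '# comment\nblacklist jfs\n  blacklist qnx6\n' > "$1/fs-blacklist.conf"
}

if [ "$#" -gt 0 ]; then audit_fs "$@"; else
    tmp=$(mktemp -d); make_sample "$tmp"; audit_fs "$tmp" || true; rm -rf "$tmp"
fi
```

Run with no arguments it audits the constructed sample; pass real directories such as /etc/modprobe.d to audit a system.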
