SDB:FilesystemBlacklisting

Tested on openSUSE


File System Modules and System Security

Kernel modules for file system support are a potential security threat, because the kernel loads them on demand: when a mount is attempted for a file system type that no loaded module handles, the kernel requests the matching module automatically. An attacker can prepare e.g. a USB stick with a file system type whose driver has a known security flaw, containing a specially crafted file system image that triggers it. The system will detect the file system, auto-load the file system module, and try to mount the file system. The crafted image may trigger the flaw during the mount without any user interaction.

File System Blacklisting

In order to avoid the attack scenario described in the #Security section, SUSE and openSUSE distributions have developed a simple means to avoid the automatic loading of file system modules. It is implemented in the suse-module-tools package, and uses modprobe's module blacklisting mechanism: a blacklist entry stops modprobe from resolving the module through its aliases, which is the path the kernel's autoloading takes. Certain modules are blacklisted by default, and will therefore not be loaded automatically. This has the effect that the system won't be able to access media formatted with one of the blacklisted file systems by default.

Unblacklisting a File System Module

It is easy to override the file system module blacklisting. Simply load the module manually with the modprobe command. You will be prompted for the desired action:

# modprobe erofs
unblacklist: loading erofs file system module
unblacklist: Do you want to un-blacklist erofs permanently (<y>es/<n>o/n<e>ver)? n
unblacklist: not un-blacklisting erofs
  1. If you respond "n" to the prompt as in the example above, the module will be loaded, but the system configuration will not change; i.e. you will see this prompt again the next time you try to load the module.
  2. If you respond "y", the module will be loaded and unblacklisted. You will not be prompted in the future, and autoloading will be enabled for this module.
  3. If you respond "e", the module will be loaded, but autoloading will remain disabled. If you run the modprobe command in the future again, the prompt will not be displayed any more, the module will be loaded and autoloading will remain disabled.
  4. If you don't want to load the module, interrupt the process with Ctrl-c.

In cases 2 and 3, a file /etc/modprobe.d/60-blacklist_fs-${MODULE}.conf is created. It takes precedence over the file of the same name shipped in /lib/modprobe.d, so you can simply delete it to undo the change and return to the default (prompting) behaviour.

Unsupported File Systems Are Blacklisted

Whether or not a given file system poses a security threat as explained above is a very difficult question. SUSE chooses the cautious approach and blacklists all modules which are not officially supported.

"Supported" and "Unsupported" File Systems on openSUSE

SUSE Linux Enterprise distributions have a limited set of fully supported file systems for SUSE customers, which are listed in the SLE storage administration guide. This set includes btrfs, xfs, ext2/3/4, nfs, cifs, msdos, vfat, and iso9660. fuse (file systems in user space) is supported, too. The Linux kernel has support for many more file systems, which are not officially supported on SLE.

openSUSE Leap inherits the kernel from SLE. The main kernel package kernel-default only includes modules officially supported by SUSE kernel developers. There are two additional packages for Leap, kernel-default-extra and kernel-default-optional, which contain unsupported modules.

The kernel of openSUSE Tumbleweed is a recent upstream kernel with minimal modifications. "SUSE support" doesn't apply for it, as the kernel is supported by the upstream community. Nevertheless, for consistency, the same blacklisting rules are applied as for SLE and Leap. Consequently, users must apply the workaround in the #Unblacklisting section before being able to use any of the unsupported file systems.

List of unsupported file systems (December 2023)

adfs, affs, bfs, befs, cramfs, efs, erofs, exofs, f2fs, freevxfs, hfs, hfsplus, hpfs, jffs2, jfs, kafs, minix, nilfs2, ntfs, ntfs3, omfs, orangefs, pstore, qnx4, qnx6, romfs, sysv, ufs, zonefs (note that this list contains some legacy modules that aren't shipped in current kernels).

The current list is maintained in the suse-module-tools package. You can examine it with the command

ls /lib/modprobe.d/60-blacklist_fs-*.conf | sed -E 's/.*-([^-]*)\.conf/\1/'
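The following script is an added example, not code from this page or from the suse-module-tools package. It ties together the two mechanisms described above: the list of blacklisted modules derived from the 60-blacklist_fs-*.conf file names, and the per-module override files in /etc/modprobe.d created by answering "y" or "e" (see #Unblacklisting). It applies the modprobe.d(5) rule that a file in /etc/modprobe.d replaces a file with the same name in /lib/modprobe.d, then classifies each module as still autoloadable, blacklisted with the unblacklist prompt, or blacklisted without a prompt (loadable only by an explicit modprobe). The contents of the sample .conf files, including the helper path /usr/lib/module-init-tools/unblacklist, are constructed for illustration and may differ from what SUSE actually ships.

```shell
#!/bin/sh
# Added example; not code from this page or from suse-module-tools.
# Audits the effective modprobe.d state of file system modules.
# Assumption: the sample .conf contents in setup_sample_tree are constructed
# for illustration; real SUSE files may contain different lines.

# effective_conf NAME LIBDIR ETCDIR: print the file modprobe actually reads
# for config basename NAME (the /etc copy wins), or nothing if neither exists.
effective_conf() {
    if [ -f "$3/$1" ]; then
        printf '%s\n' "$3/$1"
    elif [ -f "$2/$1" ]; then
        printf '%s\n' "$2/$1"
    fi
}

# fs_blacklist_modules LIBDIR: module names derived from 60-blacklist_fs-*.conf,
# the same information as the ls|sed one-liner above.
fs_blacklist_modules() {
    for f in "$1"/60-blacklist_fs-*.conf; do
        [ -e "$f" ] || continue
        b=${f##*/}
        b=${b#60-blacklist_fs-}
        printf '%s\n' "${b%.conf}"
    done
}

# fs_module_state MOD LIBDIR ETCDIR prints one of:
#   autoload    - no "blacklist MOD" in effect: the kernel may autoload it
#   prompt      - blacklisted, "install" line calls the unblacklist helper
#   manual-only - blacklisted, no helper: only an explicit "modprobe MOD" loads it
fs_module_state() {
    conf=$(effective_conf "60-blacklist_fs-$1.conf" "$2" "$3")
    if [ -z "$conf" ]; then
        echo autoload
    elif ! grep -qE "^[[:space:]]*blacklist[[:space:]]+$1([[:space:]]|\$)" "$conf"; then
        echo autoload
    elif grep -qE "^[[:space:]]*install[[:space:]]+$1[[:space:]].*unblacklist" "$conf"; then
        echo prompt
    else
        echo manual-only
    fi
}

# setup_sample_tree DIR: constructed sample configuration (the helper path and
# the override file contents are assumptions made for this example).
setup_sample_tree() {
    mkdir -p "$1/lib" "$1/etc"
    for m in erofs jfs ntfs3; do
        printf 'blacklist %s\ninstall %s /usr/lib/module-init-tools/unblacklist %s\n' \
            "$m" "$m" "$m" > "$1/lib/60-blacklist_fs-$m.conf"
    done
    # answered "y": override file without a blacklist line -> autoload re-enabled
    printf '# un-blacklisted by the user\n' > "$1/etc/60-blacklist_fs-jfs.conf"
    # answered "e": still blacklisted, but the install line bypasses the prompt
    printf 'blacklist ntfs3\ninstall ntfs3 /sbin/modprobe --ignore-install ntfs3\n' \
        > "$1/etc/60-blacklist_fs-ntfs3.conf"
}

# Stand-alone run over the constructed tree; pass /lib/modprobe.d and
# /etc/modprobe.d instead of "$tmp/lib" and "$tmp/etc" to audit a real system.
tmp=$(mktemp -d)
setup_sample_tree "$tmp"
for m in $(fs_blacklist_modules "$tmp/lib") ext4; do
    printf '%-8s %s\n' "$m" "$(fs_module_state "$m" "$tmp/lib" "$tmp/etc")"
done
rm -rf "$tmp"
```

On a real system, `modprobe -c` (the --showconfig option) prints the merged configuration that modprobe will use, which is a convenient way to confirm that the state reported for a module matches what modprobe actually sees.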

FAQ

I want to use a blacklisted file system. Is it safe to load the module?
Most importantly, make sure the media you want to use comes from a trustworthy source (for example, you may have created it yourself). If in doubt, don't unblacklist the module (see #Unblacklisting), and just load it once for accessing the media you currently need to access. This way you avoid being exploited via the autoloading mechanism in the future.
Module XYZ is blacklisted. Does this mean the module is unmaintained or abandoned upstream, or has bad code quality?
No, definitely not. As explained in section #Supported File Systems, all file system modules that SUSE doesn't officially support are blacklisted by default. Many of these modules are maintained actively upstream.
I want to use a blacklisted file system. How do I know if it's susceptible to an exploit as described in #Security?
Assessing the exploitability of any given kernel module is very difficult even for security experts. You basically have to trust your own common-sense judgement. If you want to investigate, check if the file system is under active development in the upstream Linux kernel, and if it has an entry in the kernel's MAINTAINERS file.