| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALCETrU62cq43hd7Wray0eZQfbQ9+hkuuo9AzCFgrL_2h_v7qw@mail.gmail.com>
Date: Mon, 16 Jan 2012 12:15:09 -0800
From: Andy Lutomirski <luto@...capital.net>
To: Al Viro <viro@...iv.linux.org.uk>
Cc: Casey Schaufler <casey@...aufler-ca.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Jamie Lokier <jamie@...reable.org>,
Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org,
keescook@...omium.org, john.johansen@...onical.com,
serge.hallyn@...onical.com, coreyb@...ux.vnet.ibm.com,
pmoore@...hat.com, eparis@...hat.com, djm@...drot.org,
segoon@...nwall.com, rostedt@...dmis.org, jmorris@...ei.org,
scarybeasts@...il.com, avi@...hat.com, penberg@...helsinki.fi,
mingo@...e.hu, akpm@...ux-foundation.org, khilman@...com,
borislav.petkov@....com, amwang@...hat.com, oleg@...hat.com,
ak@...ux.intel.com, eric.dumazet@...il.com, gregkh@...e.de,
dhowells@...hat.com, daniel.lezcano@...e.fr,
linux-fsdevel@...r.kernel.org,
linux-security-module@...r.kernel.org, olofj@...omium.org,
mhalcrow@...gle.com, dlaor@...hat.com, corbet@....net,
alan@...rguk.ukuu.org.uk
Subject: Re: [PATCH 4/4] Allow unprivileged chroot when safe
On Mon, Jan 16, 2012 at 12:06 PM, Al Viro <viro@...iv.linux.org.uk> wrote:
> On Sun, Jan 15, 2012 at 04:37:21PM -0800, Andy Lutomirski wrote:
>
>> + is_chrooted = (fs->root.mnt->mnt_mountpoint !=
>> + fs->root.mnt->mnt_parent->mnt_root ||
>> + fs->root.dentry != fs->root.mnt->mnt_root);
>
> Folks, is it _that_ hard to at least try to compile your patches? Hint:
> this one will *not*. That sad detail aside, this test would have been
> a pile of garbage even on the kernels that used to have mnt_mountpoint
> in struct vfsmount. What *are* you trying to test here? The last part
> at least does make some sense - it's "process root happens to be the
> root of some vfsmount". The first part, though, makes no sense whatsoever;
> it's "... and that vfsmount is mounted on top of root of some other
> vfsmount".
I compiled it, booted it, and tested it. I based it off an oldish
kernel, though, so I can rebase.
The first approach I tried was (from memory -- may not compile at all
on any version) fs->root.mnt != fs->root.mnt->mnt_parent. That didn't
work. The issue is that on dracut-based distros, AFAICT, the root (in
the sense of the root of the tree of struct vfsmounts) is rootfs. The
apparent root (the filesystem containing /, /usr, etc) is mounted on
top of (rootfs)/. Dracut then does something with the effect of
chroot("/"). So you end up with the vfsmount that contains "/" not
being the actual root vfsmount. But there's nothing hidden by the
chroot -- even if fs->root.mnt pointed at rootfs, "/" would still
follow the mountpoint into the actual filesystem.
An different approach would be to have fs_struct keep track of a hard
and a soft root. chroot would stay CAP_SYS_ADMIN only and change both
roots. A new unprivileged_chroot would change only the soft root.
follow_dotdot would check both, so unprivileged_chroot wouldn't be
useful for breaking chroot. The big downside would be an extra branch
on every follow_dotdot.
--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists