[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <lsq.1549201508.37120095@decadent.org.uk>
Date: Sun, 03 Feb 2019 14:45:08 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC: akpm@...ux-foundation.org, Denis Kirjanov <kda@...ux-powerpc.org>,
"Jonathan Calmels" <jcalmels@...dia.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: [PATCH 3.16 160/305] mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED
mounts
3.16.63-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@...ssion.com>
commit df7342b240185d58d3d9665c0bbf0a0f5570ec29 upstream.
Jonathan Calmels from NVIDIA reported that he's able to bypass the
mount visibility security check in place in the Linux kernel by using
a combination of the unbindable property along with the private mount
propagation option to allow a unprivileged user to see a path which
was purposefully hidden by the root user.
Reproducer:
# Hide a path to all users using a tmpfs
root@...tiana:~# mount -t tmpfs tmpfs /sys/devices/
root@...tiana:~#
# As an unprivileged user, unshare user namespace and mount namespace
stgraber@...tiana:~$ unshare -U -m -r
# Confirm the path is still not accessible
root@...tiana:~# ls /sys/devices/
# Make /sys recursively unbindable and private
root@...tiana:~# mount --make-runbindable /sys
root@...tiana:~# mount --make-private /sys
# Recursively bind-mount the rest of /sys over to /mnnt
root@...tiana:~# mount --rbind /sys/ /mnt
# Access our hidden /sys/device as an unprivileged user
root@...tiana:~# ls /mnt/devices/
breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe
LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system
tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual
Solve this by teaching copy_tree to fail if a mount turns out to be
both unbindable and locked.
Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
Reported-by: Jonathan Calmels <jcalmels@...dia.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
fs/namespace.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1574,8 +1574,14 @@ struct mount *copy_tree(struct mount *mn
struct mount *t = NULL;
if (!(flag & CL_COPY_UNBINDABLE) &&
IS_MNT_UNBINDABLE(s)) {
- s = skip_mnt_tree(s);
- continue;
+ if (s->mnt.mnt_flags & MNT_LOCKED) {
+ /* Both unbindable and locked. */
+ q = ERR_PTR(-EPERM);
+ goto out;
+ } else {
+ s = skip_mnt_tree(s);
+ continue;
+ }
}
if (!(flag & CL_COPY_MNT_NS_FILE) &&
is_mnt_ns_file(s->mnt.mnt_root)) {
Powered by blists - more mailing lists