| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <fa2e0a93243c197ae8ba8b9b61f8be04320b11a1.1768295900.git.legion@kernel.org>
Date: Tue, 13 Jan 2026 10:20:36 +0100
From: Alexey Gladkov <legion@...nel.org>
To: Christian Brauner <brauner@...nel.org>,
Dan Klishch <danilklishch@...il.com>
Cc: Al Viro <viro@...iv.linux.org.uk>,
"Eric W . Biederman" <ebiederm@...ssion.com>,
Kees Cook <keescook@...omium.org>,
containers@...ts.linux-foundation.org,
linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH v7 4/5] proc: Relax check of mount visibility
When /proc is mounted with the subset=pid option, all system files from
the root of the file system are not accessible in userspace. Only
dynamic information about processes is available, which cannot be
hidden with overmount.
For this reason, checking for full visibility is not relevant if
mounting is performed with the subset=pid option.
Signed-off-by: Alexey Gladkov <legion@...nel.org>
---
fs/namespace.c | 29 ++++++++++++++++-------------
fs/proc/root.c | 16 ++++++++++------
include/linux/fs/super_types.h | 2 ++
3 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index c58674a20cad..7daa86315c05 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -6116,7 +6116,8 @@ static bool mnt_already_visible(struct mnt_namespace *ns,
/* This mount is not fully visible if it's root directory
* is not the root directory of the filesystem.
*/
- if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root)
+ if (!(sb->s_iflags & SB_I_USERNS_ALLOW_REVEALING) &&
+ mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root)
continue;
/* A local view of the mount flags */
@@ -6136,18 +6137,20 @@ static bool mnt_already_visible(struct mnt_namespace *ns,
((mnt_flags & MNT_ATIME_MASK) != (new_flags & MNT_ATIME_MASK)))
continue;
- /* This mount is not fully visible if there are any
- * locked child mounts that cover anything except for
- * empty directories.
- */
- list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
- struct inode *inode = child->mnt_mountpoint->d_inode;
- /* Only worry about locked mounts */
- if (!(child->mnt.mnt_flags & MNT_LOCKED))
- continue;
- /* Is the directory permanently empty? */
- if (!is_empty_dir_inode(inode))
- goto next;
+ if (!(sb->s_iflags & SB_I_USERNS_ALLOW_REVEALING)) {
+ /* This mount is not fully visible if there are any
+ * locked child mounts that cover anything except for
+ * empty directories.
+ */
+ list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
+ struct inode *inode = child->mnt_mountpoint->d_inode;
+ /* Only worry about locked mounts */
+ if (!IS_MNT_LOCKED(child))
+ continue;
+ /* Is the directory permanently empty? */
+ if (!is_empty_dir_inode(inode))
+ goto next;
+ }
}
/* Preserve the locked attributes */
*new_mnt_flags |= mnt_flags & (MNT_LOCK_READONLY | \
diff --git a/fs/proc/root.c b/fs/proc/root.c
index b9f33b67cdd6..354dc13417e3 100644
--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -223,18 +223,21 @@ static int proc_parse_param(struct fs_context *fc, struct fs_parameter *param)
return 0;
}
-static int proc_apply_options(struct proc_fs_info *fs_info,
+static int proc_apply_options(struct super_block *s,
struct fs_context *fc,
struct user_namespace *user_ns)
{
struct proc_fs_context *ctx = fc->fs_private;
+ struct proc_fs_info *fs_info = proc_sb_info(s);
if (ctx->mask & (1 << Opt_gid))
fs_info->pid_gid = make_kgid(user_ns, ctx->gid);
if (ctx->mask & (1 << Opt_hidepid))
fs_info->hide_pid = ctx->hidepid;
if (ctx->mask & (1 << Opt_subset)) {
- if (ctx->pidonly != PROC_PIDONLY_ON && fs_info->pidonly == PROC_PIDONLY_ON)
+ if (ctx->pidonly == PROC_PIDONLY_ON)
+ s->s_iflags |= SB_I_USERNS_ALLOW_REVEALING;
+ else if (fs_info->pidonly == PROC_PIDONLY_ON)
return invalf(fc, "proc: subset=pid cannot be unset\n");
fs_info->pidonly = ctx->pidonly;
}
@@ -259,9 +262,6 @@ static int proc_fill_super(struct super_block *s, struct fs_context *fc)
fs_info->pid_ns = get_pid_ns(ctx->pid_ns);
fs_info->mounter_cred = get_cred(fc->cred);
- ret = proc_apply_options(fs_info, fc, current_user_ns());
- if (ret)
- return ret;
/* User space would break if executables or devices appear on proc */
s->s_iflags |= SB_I_USERNS_VISIBLE | SB_I_NOEXEC | SB_I_NODEV;
@@ -273,6 +273,10 @@ static int proc_fill_super(struct super_block *s, struct fs_context *fc)
s->s_time_gran = 1;
s->s_fs_info = fs_info;
+ ret = proc_apply_options(s, fc, current_user_ns());
+ if (ret)
+ return ret;
+
/*
* procfs isn't actually a stacking filesystem; however, there is
* too much magic going on inside it to permit stacking things on
@@ -313,7 +317,7 @@ static int proc_reconfigure(struct fs_context *fc)
put_cred(fs_info->mounter_cred);
fs_info->mounter_cred = get_cred(fc->cred);
- return proc_apply_options(fs_info, fc, current_user_ns());
+ return proc_apply_options(sb, fc, current_user_ns());
}
static int proc_get_tree(struct fs_context *fc)
diff --git a/include/linux/fs/super_types.h b/include/linux/fs/super_types.h
index 6bd3009e09b3..5e640b9140df 100644
--- a/include/linux/fs/super_types.h
+++ b/include/linux/fs/super_types.h
@@ -333,4 +333,6 @@ struct super_block {
#define SB_I_NOIDMAP 0x00002000 /* No idmapped mounts on this superblock */
#define SB_I_ALLOW_HSM 0x00004000 /* Allow HSM events on this superblock */
+#define SB_I_USERNS_ALLOW_REVEALING 0x00008000 /* Skip full visibility check */
+
#endif /* _LINUX_FS_SUPER_TYPES_H */
--
2.52.0
Powered by blists - more mailing lists