* [RFC PATCH] mount: Add a flag to not follow symlink at the end of mount point
@ 2013-09-09 21:35 Vivek Goyal
0 siblings, 0 replies; only message in thread
From: Vivek Goyal @ 2013-09-09 21:35 UTC (permalink / raw)
To: linux-fsdevel, linux kernel mailing list, linux-security-module
Cc: Eric W. Biederman, viro, matthew.garrett
I have a requirement where I want to make sure that mount() fails if
mount point is a symlink. Hence introducing a new mount flag MS_NOSYMLINK.
Following is little more info on what I am trying to do. I am trying
to write patches for signed /sbin/kexec. That is /sbin/kexec binary will
be signed and in secureboot environment kernel will verify signature
of /sbin/kexec and upon successful verfication, /sbin/kexec will be
trusted and allowed to load new kernel.
/sbin/kexec gathers bunch of data from /sys and /proc. Given the fact that
only /sbin/kexec is trusted and not other root processes, one need to make
sure that a root process can not alter /sys or /proc to fool /sbin/kexec.
So requirement is that /sbin/kexec needs to make sure that it is
looking at /proc and /sys as exported by kernel (and not an artificial
view possibly created by a root process).
Eric Biederman suggested that use per process mount name space functionality.
/sbin/kexec runs as root. So create separate mount namespace. Make it
recursively private to disable any event propogation. Unmount existing
/proc and /sys and remount them.
Actual code of what I am trying to do in kexec-tools is posted here.
https://lists.fedoraproject.org/pipermail/kernel/2013-September/004463.html
Al Viro mentioned that one needs to make sure /proc and /sys are not symlinks.
Otherwise after remounting, root could remove symlinks and create /proc and
/sys with its own files.
And there comes the need to make sure mount point is not a symlink
and hence this patch.
I did basic testing by doing following and it seems to work.
syscall(__NR_mount, "none", <mount-point>, "proc", 1<<25,"");
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
fs/namespace.c | 6 +++++-
include/uapi/linux/fs.h | 1 +
2 files changed, 6 insertions(+), 1 deletion(-)
Index: linux-2.6/include/uapi/linux/fs.h
===================================================================
--- linux-2.6.orig/include/uapi/linux/fs.h 2013-05-03 22:05:19.000000000 -0400
+++ linux-2.6/include/uapi/linux/fs.h 2013-09-10 04:42:08.372708254 -0400
@@ -86,6 +86,7 @@ struct inodes_stat_t {
#define MS_KERNMOUNT (1<<22) /* this is a kern_mount call */
#define MS_I_VERSION (1<<23) /* Update inode I_version field */
#define MS_STRICTATIME (1<<24) /* Always perform atime updates */
+#define MS_NOSYMLINK (1<<25) /* Do not follow symlink at the end */
/* These sb flags are internal to the kernel */
#define MS_NOSEC (1<<28)
Index: linux-2.6/fs/namespace.c
===================================================================
--- linux-2.6.orig/fs/namespace.c 2013-09-09 21:50:45.000000000 -0400
+++ linux-2.6/fs/namespace.c 2013-09-10 04:40:26.477709733 -0400
@@ -2323,7 +2323,11 @@ long do_mount(const char *dev_name, cons
((char *)data_page)[PAGE_SIZE - 1] = 0;
/* ... and get the mountpoint */
- retval = kern_path(dir_name, LOOKUP_FOLLOW, &path);
+ if (flags & MS_NOSYMLINK)
+ retval = kern_path(dir_name, 0, &path);
+ else
+ retval = kern_path(dir_name, LOOKUP_FOLLOW, &path);
+
if (retval)
return retval;
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2013-09-09 21:35 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-09-09 21:35 [RFC PATCH] mount: Add a flag to not follow symlink at the end of mount point Vivek Goyal
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.