From: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: Andrew Lutomirski <andy-RHosVwM/Cj8@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
Willy Tarreau <w@1wt.eu>,
security-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
Subject: Re: [REVIEW][PATCH 3/5] mnt: Correct permission checks in do_remount
Date: Thu, 31 Jul 2014 23:06:49 +0000 [thread overview]
Message-ID: <20140731230649.GC7954@ubuntumail> (raw)
In-Reply-To: <877g2vjyd7.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
>
> While invesgiating the issue where in "mount --bind -oremount,ro ..."
> would result in later "mount --bind -oremount,rw" succeeding even if
> the mount started off locked I realized that there are several
> additional mount flags that should be locked and are not.
>
> In particular MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime
> flags in addition to MNT_READONLY should all be locked. These
> flags are all per superblock, can all be changed with MS_BIND,
> and should not be changable if set by a more privileged user.
>
> The following additions to the current logic are added in this patch.
> - nosuid may not be clearable by a less privileged user.
> - nodev may not be clearable by a less privielged user.
> - noexec may not be clearable by a less privileged user.
> - atime flags may not be changeable by a less privileged user.
>
> The logic with atime is that always setting atime on access is a
> global policy and backup software and auditing software could break if
> atime bits are not updated (when they are configured to be updated),
> and serious performance degradation could result (DOS attack) if atime
> updates happen when they have been explicitly disabled. Therefore an
> unprivileged user should not be able to mess with the atime bits set
> by a more privileged user.
>
> The additional restrictions are implemented with the addition of
> MNT_LOCK_NOSUID, MNT_LOCK_NODEV, MNT_LOCK_NOEXEC, and MNT_LOCK_ATIME
> mnt flags.
>
> Taken together these changes and the fixes for MNT_LOCK_READONLY
> should make it safe for an unprivileged user to create a user
> namespace and to call "mount --bind -o remount,... ..." without
> the danger of mount flags being changed maliciously.
>
> Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Acked-by: Serge E. Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
> Signed-off-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
> ---
> fs/namespace.c | 36 +++++++++++++++++++++++++++++++++---
> include/linux/mount.h | 5 +++++
> 2 files changed, 38 insertions(+), 3 deletions(-)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index 1105a577a14f..dd9c93b5a9d5 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -890,8 +890,21 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root,
>
> mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD|MNT_MARKED);
> /* Don't allow unprivileged users to change mount flags */
> - if ((flag & CL_UNPRIVILEGED) && (mnt->mnt.mnt_flags & MNT_READONLY))
> - mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
> + if (flag & CL_UNPRIVILEGED) {
> + mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
> +
> + if (mnt->mnt.mnt_flags & MNT_READONLY)
> + mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
> +
> + if (mnt->mnt.mnt_flags & MNT_NODEV)
> + mnt->mnt.mnt_flags |= MNT_LOCK_NODEV;
> +
> + if (mnt->mnt.mnt_flags & MNT_NOSUID)
> + mnt->mnt.mnt_flags |= MNT_LOCK_NOSUID;
> +
> + if (mnt->mnt.mnt_flags & MNT_NOEXEC)
> + mnt->mnt.mnt_flags |= MNT_LOCK_NOEXEC;
> + }
>
> /* Don't allow unprivileged users to reveal what is under a mount */
> if ((flag & CL_UNPRIVILEGED) && list_empty(&old->mnt_expire))
> @@ -1931,6 +1944,23 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
> !(mnt_flags & MNT_READONLY)) {
> return -EPERM;
> }
> + if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
> + !(mnt_flags & MNT_NODEV)) {
> + return -EPERM;
> + }
> + if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) &&
> + !(mnt_flags & MNT_NOSUID)) {
> + return -EPERM;
> + }
> + if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) &&
> + !(mnt_flags & MNT_NOEXEC)) {
> + return -EPERM;
> + }
> + if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) &&
> + ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (mnt_flags & MNT_ATIME_MASK))) {
> + return -EPERM;
> + }
> +
> err = security_sb_remount(sb, data);
> if (err)
> return err;
> @@ -2129,7 +2159,7 @@ static int do_new_mount(struct path *path, const char *fstype, int flags,
> */
> if (!(type->fs_flags & FS_USERNS_DEV_MOUNT)) {
> flags |= MS_NODEV;
> - mnt_flags |= MNT_NODEV;
> + mnt_flags |= MNT_NODEV | MNT_LOCK_NODEV;
> }
> }
>
> diff --git a/include/linux/mount.h b/include/linux/mount.h
> index b637a89e1fae..b0c1e6574e7f 100644
> --- a/include/linux/mount.h
> +++ b/include/linux/mount.h
> @@ -45,12 +45,17 @@ struct mnt_namespace;
> #define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
> | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
> | MNT_READONLY)
> +#define MNT_ATIME_MASK (MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME )
>
> #define MNT_INTERNAL_FLAGS (MNT_SHARED | MNT_WRITE_HOLD | MNT_INTERNAL | \
> MNT_DOOMED | MNT_SYNC_UMOUNT | MNT_MARKED)
>
> #define MNT_INTERNAL 0x4000
>
> +#define MNT_LOCK_ATIME 0x040000
> +#define MNT_LOCK_NOEXEC 0x080000
> +#define MNT_LOCK_NOSUID 0x100000
> +#define MNT_LOCK_NODEV 0x200000
> #define MNT_LOCK_READONLY 0x400000
> #define MNT_LOCKED 0x800000
> #define MNT_DOOMED 0x1000000
> --
> 1.9.1
>
next prev parent reply other threads:[~2014-07-31 23:06 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <87fvih4a99.fsf@x220.int.ebiederm.org>
[not found] ` <CAObL_7FfacSTdO=JEfYyqQrp8qOSob6qoWrGN=rSM5t9ckkTWg@mail.gmail.com>
[not found] ` <8761injfj9.fsf_-_@x220.int.ebiederm.org>
[not found] ` <CAObL_7GhpuO4m6HunKvNMSpiEYBuaJnvjfVDiyG88GZ8HOa-vg@mail.gmail.com>
[not found] ` <CAOP=4wgKGxJmLwSHYRKXCTva_Fyzn+D1vaWhtT-mo_t9Uu68zA@mail.gmail.com>
[not found] ` <87lhrihaan.fsf@x220.int.ebiederm.org>
[not found] ` <CAObL_7HSNkM=Kr9Jwc9JB7Zt7ZdR+skzmPrxYcFSkCutFDA5KA@mail.gmail.com>
[not found] ` <20140724194920.GU26600@ubuntumail>
[not found] ` <CAOP=4wh-AXf7qPy0rPaQ6RFbbJGRWKo0h1Rn=9vLUeJ6b6Q7YA@mail.gmail.com>
[not found] ` <8738dqh2j1.fsf@x220.int.ebiederm.org>
[not found] ` <20140725060810.GC31313@1wt.eu>
[not found] ` <877g2xou2u.fsf@x220.int.ebiederm.org>
[not found] ` <87r415nf3k.fsf_-_@x220.int.ebiederm.org>
[not found] ` <874my1neyr.fsf_-_@x220.int.ebiederm.org>
[not found] ` <CAOP=4wj7m+w4aDJCuQaf3r9aFraPN1SvPgFSz=_UNkyC8gEHyQ@mail.gmail.com>
[not found] ` <CAOP=4wj7m+w4aDJCuQaf3r9aFraPN1SvPgFSz=_UNkyC8gEHyQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-07-30 3:38 ` [REVIEW][0/5] Fixing unprivileged mount -o remount,ro Eric W. Biederman
2014-07-30 3:41 ` Eric W. Biederman
[not found] ` <87ppgnjyx4.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-30 3:52 ` [REVIEW][PATCH 1/5] mnt: Only change user settable mount flags in remount Eric W. Biederman
[not found] ` <87ha1zjyf0.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 23:13 ` Serge Hallyn
2014-08-01 0:10 ` Eric W. Biederman
2014-07-30 3:53 ` [REVIEW][PATCH 2/5] mnt: Move the test for MNT_LOCK_READONLY from change_mount_flags into do_remount Eric W. Biederman
[not found] ` <87bns7jye1.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 23:11 ` Serge Hallyn
2014-07-30 3:53 ` [REVIEW][PATCH 3/5] mnt: Correct permission checks in do_remount Eric W. Biederman
[not found] ` <877g2vjyd7.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 23:06 ` Serge Hallyn [this message]
2014-07-30 3:54 ` [REVIEW][PATCH 4/5] mnt: Change the default remount atime from relatime to the existing value Eric W. Biederman
[not found] ` <871tt3jycd.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 22:59 ` Serge Hallyn
2014-07-30 3:55 ` [REVIEW][PATCH 5/5] mnt: Add tests for unprivileged remount cases that have found to be faulty Eric W. Biederman
[not found] ` <87vbqfijq0.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 22:48 ` Serge Hallyn
2014-07-31 22:52 ` Eric W. Biederman
[not found] ` <87fvhhdtua.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 23:15 ` Serge Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140731230649.GC7954@ubuntumail \
--to=serge.hallyn-gewih/nmzzlqt0dzr+alfa@public.gmane.org \
--cc=andy-RHosVwM/Cj8@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=security-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.