From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
Cc: Andrew Lutomirski <andy-RHosVwM/Cj8@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
Willy Tarreau <w@1wt.eu>,
security-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
Subject: Re: [REVIEW][PATCH 1/5] mnt: Only change user settable mount flags in remount
Date: Thu, 31 Jul 2014 17:10:15 -0700 [thread overview]
Message-ID: <87vbqdcbo8.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <20140731231354.GE7954@ubuntumail> (Serge Hallyn's message of "Thu, 31 Jul 2014 23:13:54 +0000")
Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org> writes:
> Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
>>
>> Kenton Varda <kenton-AuYgBwuPrUQTaNkGU808tA@public.gmane.org> discovered that by remounting a
>> read-only bind mount read-only in a user namespace the
>> MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
>> to the remount a read-only mount read-write.
>>
>> Correct this by replacing the mask of mount flags to preserve
>> with a mask of mount flags that may be changed, and preserve
>> all others. This ensures that any future bugs with this mask and
>> remount will fail in an easy to detect way where new mount flags
>> simply won't change.
>>
>> Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
>> Signed-off-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
>
> Not exactly sure about the name. Actually seems like it should be
> caled MNT_USER_UNCLEARABLE_MASK or something, but
It is the set of mnt_flags that user space can cause to change.
So this patch inverts that mask and unconditionally preserves
everything else.
> Acked-by: Serge E. Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
>
>> ---
>> fs/namespace.c | 2 +-
>> include/linux/mount.h | 4 +++-
>> 2 files changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/namespace.c b/fs/namespace.c
>> index 7187d01329c3..cb40449ea0df 100644
>> --- a/fs/namespace.c
>> +++ b/fs/namespace.c
>> @@ -1937,7 +1937,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
>> err = do_remount_sb(sb, flags, data, 0);
>> if (!err) {
>> lock_mount_hash();
>> - mnt_flags |= mnt->mnt.mnt_flags & MNT_PROPAGATION_MASK;
>> + mnt_flags |= mnt->mnt.mnt_flags & ~MNT_USER_SETTABLE_MASK;
>> mnt->mnt.mnt_flags = mnt_flags;
>> touch_mnt_namespace(mnt->mnt_ns);
>> unlock_mount_hash();
>> diff --git a/include/linux/mount.h b/include/linux/mount.h
>> index 839bac270904..b637a89e1fae 100644
>> --- a/include/linux/mount.h
>> +++ b/include/linux/mount.h
>> @@ -42,7 +42,9 @@ struct mnt_namespace;
>> * flag, consider how it interacts with shared mounts.
>> */
>> #define MNT_SHARED_MASK (MNT_UNBINDABLE)
>> -#define MNT_PROPAGATION_MASK (MNT_SHARED | MNT_UNBINDABLE)
>> +#define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
>> + | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
>> + | MNT_READONLY)
>>
>> #define MNT_INTERNAL_FLAGS (MNT_SHARED | MNT_WRITE_HOLD | MNT_INTERNAL | \
>> MNT_DOOMED | MNT_SYNC_UMOUNT | MNT_MARKED)
>> --
>> 1.9.1
>>
next prev parent reply other threads:[~2014-08-01 0:10 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <87fvih4a99.fsf@x220.int.ebiederm.org>
[not found] ` <CAObL_7FfacSTdO=JEfYyqQrp8qOSob6qoWrGN=rSM5t9ckkTWg@mail.gmail.com>
[not found] ` <8761injfj9.fsf_-_@x220.int.ebiederm.org>
[not found] ` <CAObL_7GhpuO4m6HunKvNMSpiEYBuaJnvjfVDiyG88GZ8HOa-vg@mail.gmail.com>
[not found] ` <CAOP=4wgKGxJmLwSHYRKXCTva_Fyzn+D1vaWhtT-mo_t9Uu68zA@mail.gmail.com>
[not found] ` <87lhrihaan.fsf@x220.int.ebiederm.org>
[not found] ` <CAObL_7HSNkM=Kr9Jwc9JB7Zt7ZdR+skzmPrxYcFSkCutFDA5KA@mail.gmail.com>
[not found] ` <20140724194920.GU26600@ubuntumail>
[not found] ` <CAOP=4wh-AXf7qPy0rPaQ6RFbbJGRWKo0h1Rn=9vLUeJ6b6Q7YA@mail.gmail.com>
[not found] ` <8738dqh2j1.fsf@x220.int.ebiederm.org>
[not found] ` <20140725060810.GC31313@1wt.eu>
[not found] ` <877g2xou2u.fsf@x220.int.ebiederm.org>
[not found] ` <87r415nf3k.fsf_-_@x220.int.ebiederm.org>
[not found] ` <874my1neyr.fsf_-_@x220.int.ebiederm.org>
[not found] ` <CAOP=4wj7m+w4aDJCuQaf3r9aFraPN1SvPgFSz=_UNkyC8gEHyQ@mail.gmail.com>
[not found] ` <CAOP=4wj7m+w4aDJCuQaf3r9aFraPN1SvPgFSz=_UNkyC8gEHyQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-07-30 3:38 ` [REVIEW][0/5] Fixing unprivileged mount -o remount,ro Eric W. Biederman
2014-07-30 3:41 ` Eric W. Biederman
[not found] ` <87ppgnjyx4.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-30 3:52 ` [REVIEW][PATCH 1/5] mnt: Only change user settable mount flags in remount Eric W. Biederman
[not found] ` <87ha1zjyf0.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 23:13 ` Serge Hallyn
2014-08-01 0:10 ` Eric W. Biederman [this message]
2014-07-30 3:53 ` [REVIEW][PATCH 2/5] mnt: Move the test for MNT_LOCK_READONLY from change_mount_flags into do_remount Eric W. Biederman
[not found] ` <87bns7jye1.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 23:11 ` Serge Hallyn
2014-07-30 3:53 ` [REVIEW][PATCH 3/5] mnt: Correct permission checks in do_remount Eric W. Biederman
[not found] ` <877g2vjyd7.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 23:06 ` Serge Hallyn
2014-07-30 3:54 ` [REVIEW][PATCH 4/5] mnt: Change the default remount atime from relatime to the existing value Eric W. Biederman
[not found] ` <871tt3jycd.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 22:59 ` Serge Hallyn
2014-07-30 3:55 ` [REVIEW][PATCH 5/5] mnt: Add tests for unprivileged remount cases that have found to be faulty Eric W. Biederman
[not found] ` <87vbqfijq0.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 22:48 ` Serge Hallyn
2014-07-31 22:52 ` Eric W. Biederman
[not found] ` <87fvhhdtua.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 23:15 ` Serge Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87vbqdcbo8.fsf@x220.int.ebiederm.org \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=andy-RHosVwM/Cj8@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=security-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
--cc=viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox