Date: Thu, 5 May 2016 23:40:31 +0100
From: Djalal Harouni
To: Seth Forshee
Cc: Serge Hallyn, Alexander Viro, Chris Mason, tytso@mit.edu, Josh Triplett, "Eric W. Biederman", Andy Lutomirski, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Dongsu Park, David Herrmann, Miklos Szeredi, Alban Crequy, Djalal Harouni
Subject: Re: [RFC v2 PATCH 3/8] fs: Treat foreign mounts as nosuid
Message-ID: <20160505224031.GD3071@dztty>
References: <1462372014-3786-1-git-send-email-tixxdz@gmail.com> <1462372014-3786-4-git-send-email-tixxdz@gmail.com> <20160504231904.GA17801@ubuntumail> <20160505130508.GA63464@ubuntu-hedt>
In-Reply-To: <20160505130508.GA63464@ubuntu-hedt>

Hi,

On Thu, May 05, 2016 at 08:05:08AM -0500, Seth Forshee wrote:
> On Wed, May 04, 2016 at 11:19:04PM +0000, Serge Hallyn wrote:
> > Quoting Djalal Harouni (tixxdz@gmail.com):
> > > If a process gets access to a mount from a different user
> > > namespace, that process should not be able to take advantage of
> > > setuid files or selinux entrypoints from that filesystem. Prevent
> > > this by treating mounts from other mount namespaces and those not
> > > owned by current_user_ns() or an ancestor as nosuid.
> > >
> > > This patch was just adapted from the original one that was written
> > > by Andy Lutomirski
> > > https://www.redhat.com/archives/dm-devel/2016-April/msg00374.html
> >
> > I'm not sure that this makes sense given what you're doing. In the
> > case of Seth's set, a filesystem is mounted specifically (and privately)
> > in a user namespace. We don't want for instance the initial user ns
> > to find a link to a setuid-root exploit left in the container-mounted
> > filesystem.
> >
> > But you are having a parent user namespace mount the fs so that its
> > children can all access the fs, uid-shifted for convenience. Not
> > allowing the child namespaces to make use of setuid-root does not
> > seem applicable here.
>
> Right, the problem addressed by this patch probably isn't relevant to
> this sort of uid shifting.

I'll have another deep look into it. Yes, the aim when I ported this was
that I was not sure about setns(), or whether you can get a handle to a
mount namespace through /proc or anything else... and then call into it
from an external user namespace.

> But I think there's another problem that needs to be addressed.
> bprm_fill_uid() still gets the ids for sxid files unshifted from the
> inode. We already protect against sxid to any user not in
> bprm->cred->user_ns, so it will just ignore the sxid instead of e.g.
> suid as global root from the id shifted mount, which is good. What would
> be wanted though is to use the shifted ids so that something like
> suid-root ping in the container rootfs would work.
>
> Seth

Ok thank you Seth! I'll note it and try to fix it.

-- 
Djalal Harouni
http://opendz.org
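The rule the patch description states (a mount is treated as nosuid unless it belongs to the caller's mount namespace and its owning user namespace is current_user_ns() or an ancestor) and the two cases the thread argues about can be checked against a small model. What follows is an added user-space illustration written for this page, not kernel code from the patch or from Linux: the struct names and the mnt_may_suid() helper mirror the concepts only, and the namespace tree (init_user_ns with one child container_user_ns, two mount namespaces, a "shifted" mount created by the parent but living in the container's mount namespace, and a host task that has done setns() into the container's mount namespace) is constructed sample data.

```c
/* Added user-space model of the "foreign mounts are nosuid" rule discussed
 * above. It is NOT the kernel implementation; struct layouts, names and the
 * sample namespace tree are illustrative assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MNT_NOSUID 0x01

struct user_ns { const char *name; struct user_ns *parent; };
struct mnt_ns  { const char *name; };
struct super_block { struct user_ns *s_user_ns; };   /* owner of the filesystem */
struct vfsmount { int mnt_flags; struct mnt_ns *mnt_ns; struct super_block *mnt_sb; };
struct task { struct user_ns *user_ns; struct mnt_ns *mnt_ns; };

/* Is `target` the current user namespace or one of its ancestors?
 * Walk parent pointers from the task's namespace up to the root. */
bool in_userns(const struct user_ns *target, const struct user_ns *cur)
{
    for (; cur; cur = cur->parent)
        if (cur == target)
            return true;
    return false;
}

/* The rule from the patch description: honour setuid only if the mount is
 * not explicitly nosuid, belongs to the caller's mount namespace, and its
 * owning user namespace is the caller's or an ancestor of it. */
bool mnt_may_suid(const struct task *t, const struct vfsmount *mnt)
{
    if (mnt->mnt_flags & MNT_NOSUID)
        return false;
    if (mnt->mnt_ns != t->mnt_ns)          /* mount from a foreign mount namespace */
        return false;
    return in_userns(mnt->mnt_sb->s_user_ns, t->user_ns);
}

/* Constructed sample world (assumption, for illustration only). */
static struct user_ns init_user_ns      = { "init_user_ns", NULL };
static struct user_ns container_user_ns = { "container_user_ns", &init_user_ns };
static struct mnt_ns  init_mnt_ns       = { "init_mnt_ns" };
static struct mnt_ns  container_mnt_ns  = { "container_mnt_ns" };

static struct super_block host_sb      = { &init_user_ns };       /* mounted by the host */
static struct super_block container_sb = { &container_user_ns };  /* mounted privately by the container */

static struct vfsmount host_root         = { 0, &init_mnt_ns,      &host_sb };
static struct vfsmount container_private = { 0, &container_mnt_ns, &container_sb };
/* Parent user ns mounted it, uid-shifted, and placed it in the child's mount ns. */
static struct vfsmount shifted_mount     = { 0, &container_mnt_ns, &host_sb };

static struct task host_task        = { &init_user_ns,      &init_mnt_ns };
static struct task container_task   = { &container_user_ns, &container_mnt_ns };
/* Host-privileged task that called setns() into the container's mount ns. */
static struct task host_after_setns = { &init_user_ns,      &container_mnt_ns };

/* The host's own rootfs: setuid works as usual. */
bool host_root_suid(void)            { return mnt_may_suid(&host_task, &host_root); }
/* The container using a filesystem it mounted itself. */
bool container_own_fs_suid(void)     { return mnt_may_suid(&container_task, &container_private); }
/* Serge's worry: the initial user ns reaching a container-mounted fs.
 * Rejected because the mount lives in another mount namespace. */
bool host_foreign_mntns_suid(void)   { return mnt_may_suid(&host_task, &container_private); }
/* Djalal's setns() case: same mount ns now, but the owner (the container's
 * user ns) is not an ancestor of init_user_ns, so still nosuid. */
bool host_setns_suid(void)           { return mnt_may_suid(&host_after_setns, &container_private); }
/* Serge's objection does not bite: a child may use setuid on a mount whose
 * owner is its parent, because the parent is an ancestor. */
bool child_on_parent_mount_suid(void){ return mnt_may_suid(&container_task, &shifted_mount); }

int main(void)
{
    printf("host on own rootfs:            %d\n", host_root_suid());
    printf("container on its own fs:       %d\n", container_own_fs_suid());
    printf("host on container mount:       %d\n", host_foreign_mntns_suid());
    printf("host after setns():            %d\n", host_setns_suid());
    printf("child on parent-owned mount:   %d\n", child_on_parent_mount_suid());
    return 0;
}
```

The model makes the thread's two positions concrete: the ancestor walk is what lets a uid-shifted mount created by the parent keep setuid semantics for its children, while both the mount-namespace check and the ownership check stop a more privileged namespace from honouring setuid bits on a filesystem a less privileged one controls. The separate bprm_fill_uid() issue Seth raises (which ids the setuid file is interpreted with once setuid is honoured) is outside what this model covers.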