From mboxrd@z Thu Jan 1 00:00:00 1970
From: ebiederm@xmission.com (Eric W. Biederman)
Subject: Re: [PATCH review 4/4] vfs: Do not allow escaping from bind mounts.
Date: Thu, 09 Apr 2015 21:51:11 -0500
Message-ID: <874moo1ysg.fsf@x220.int.ebiederm.org>
References: <871tncuaf6.fsf@x220.int.ebiederm.org>
 <87mw5xq7lt.fsf@x220.int.ebiederm.org>
 <87a8yqou41.fsf_-_@x220.int.ebiederm.org>
 <874moq9oyb.fsf_-_@x220.int.ebiederm.org>
 <87iod68aa3.fsf_-_@x220.int.ebiederm.org>
 <20150409232212.GX889@ZenIV.linux.org.uk>
Mime-Version: 1.0
Content-Type: text/plain
Cc: Linux Containers, linux-fsdevel@vger.kernel.org, Andy Lutomirski, "Serge E. Hallyn", Richard Weinberger, Andrey Vagin, Jann Horn, Willy Tarreau, Omar Sandoval
To: Al Viro
In-Reply-To: <20150409232212.GX889@ZenIV.linux.org.uk> (Al Viro's message of "Fri, 10 Apr 2015 00:22:13 +0100")
Sender: linux-fsdevel-owner@vger.kernel.org

Al Viro writes:

> On Wed, Apr 08, 2015 at 06:34:12PM -0500, Eric W. Biederman wrote:
>> + if (ancestor) {
>> + mark_violated_mounts(dentry, ancestor);
>> + mark_violated_mounts(target, ancestor);
>> + }
>
> Umm... Both sides the same way, regardless of whether it's exchange or
> move? Looks wrong...

I am pretty certain it can cause d_path to become an information leak
if we do not.

> Look:
>
> mkdir /tmp/a
> mkdir /tmp/b
> mkdir /tmp/c
> mkdir /tmp/b/c
> touch /tmp/a/x
> mount --bind /tmp/b /tmp/c
> mv /tmp/a/x /tmp/b/c/x
>
> should that make the vfsmount on /tmp/c violated? And if so, why?

If /tmp is a mount point and before the move there was a:

touch /tmp/b/c/x

And a process opened /tmp/c/c/x.

d_path on that file descriptor before __d_move would say:
/tmp/c/c/x

after the __d_move d_path would say:
/tmp/c/a/x

Which is bizarrely weird in this example, and could potentially be an
exploitable information leak in the hands of someone who knew what they
were doing.

I am not clever enough to take that deleted directory and walk up the
tree, so the damage may be limited to seeing the true path on the
filesystem. But it just may be that I am dense today.

Furthermore all of the relevant changes to the dentry that happen when
exchange is true also happen when exchange is false, so I am very
reluctant to believe that the non-exchange case is not exploitable by a
sufficiently clever individual.

Eric
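Review bot: The quoted hunk calls mark_violated_mounts() on both dentry and target under a single `if (ancestor)` with nothing at the call site distinguishing an exchange from a plain move, which is exactly what the reviewer stumbled over; the reasoning that justifies marking the target side too (an open descriptor's d_path would otherwise report the path the dentry was moved under) lives only in this reply. Suggest a short comment above `mark_violated_mounts(target, ancestor);` stating that the target is marked even for the non-exchange case because the same dentry changes happen either way, so the next reader does not have to dig the argument out of the list archive.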