From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Cc: Richard Weinberger <richard-/L3Ra7n9ekc@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
stable <stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux FS Devel
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH review 03/18] umount: Disallow unprivileged mount force
Date: Fri, 12 Dec 2014 17:25:53 -0600
Message-ID: <87vblgxxfi.fsf@x220.int.ebiederm.org>
In-Reply-To: <CALCETrV2kBfzypMbYKgxJ4BqB6yBG6Xvo=sZy3tvTng5ZRvAKQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> (Andy Lutomirski's message of "Fri, 12 Dec 2014 15:07:28 -0800")

Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> writes:
> On Fri, Dec 12, 2014 at 2:48 PM, Eric W. Biederman
> <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> wrote:
>> Forced unmount affects not just the mount namespace but the underlying
>> superblock as well. Restrict forced unmount to the global root user
>> for now. Otherwise it becomes possible for a user in a less privileged
>> mount namespace to force the shutdown of a superblock of a filesystem
>> in a more privileged mount namespace, allowing a DOS attack on root.
>>
>
> I thought I already fixed this. Did I miss part of it?

My tree is based at 3.18-rc6 and as of there I don't see another
fix.

You fixed the remount_sb case in umount; I don't think you fixed forced
unmounts themselves.

If you did fix this and can point me at it I will be happy to drop this
patch.

Eric

>> Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
>> Signed-off-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
>> ---
>> fs/namespace.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/fs/namespace.c b/fs/namespace.c
>> index 3a1a87dc33df..43b16af8af30 100644
>> --- a/fs/namespace.c
>> +++ b/fs/namespace.c
>> @@ -1544,6 +1544,9 @@ SYSCALL_DEFINE2(umount, char __user *, name, int, flags)
>> goto dput_and_out;
>> if (mnt->mnt.mnt_flags & MNT_LOCKED)
>> goto dput_and_out;
>> + retval = -EPERM;
>> + if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
>> + goto dput_and_out;
>>
>> retval = do_umount(mnt, flags);
>> dput_and_out:
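
Review bot: The added condition "flags & MNT_FORCE && !capable(CAP_SYS_ADMIN)" is correct only because & binds tighter than && in C; writing it as "(flags & MNT_FORCE) && !capable(CAP_SYS_ADMIN)" would make the intent explicit to readers. The check also carries no comment: a one-line note above it saying that a forced unmount acts on the underlying superblock, which is why the test is the global capable() rather than one scoped to the mount namespace, would keep the commit message's reasoning next to the code.
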
>> --
>> 1.9.1
>>