Re: CLONE_NEWUSER|CLONE_FS root exploit

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Andy Lutomirski <luto@amacapital.net>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Kees Cook <keescook@chromium.org>,
	containers@lists.linux-foundation.org,
	Sebastian Krahmer <krahmer@suse.de>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Oleg Nesterov <oleg@redhat.com>
Subject: Re: CLONE_NEWUSER|CLONE_FS root exploit
Date: Wed, 13 Mar 2013 18:48:23 -0700	[thread overview]
Message-ID: <51412C67.30908@mit.edu> (raw)
In-Reply-To: <87r4jjkv18.fsf@xmission.com>

On 03/13/2013 11:35 AM, Eric W. Biederman wrote:
> Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> writes:
> 
>> Hi,
>>
>> It seem like we should block (at least) this combination. On 3.9, this
>> exploit works once uidmapping is added.
>>
>> http://www.openwall.com/lists/oss-security/2013/03/13/10
> 
> Yes.  That is a bad combination.  It let's chroot confuse privileged
> processes.
> 
> Now to figure out if this is easier to squash by adding a user_namespace
> to fs_struct or by just forbidding this combination.

It's worth making sure that setns(2) doesn't have similar issues.

Looking through other shared-but-not-a-namespace things, there are:

fs_struct: Buggy as noted.

files_struct: Probably harmless -- SCM_RIGHTS can emulate it

signal_struct: This interacts with the tty code.  Is it okay?

sighand_struct: Looks safe.  Famous last words.

FWIW, I've been alarmed in the past that struct path (e.g. the root
directory) implies an mnt_namespace (hidden in struct mount), and it's
entirely possible for the root directory's mnt_namespace not to match
nsproxy->mnt_namespace.  I'm not sure what the implications are, but
this doesn't seem healthy.

--Andy

next prev parent reply	other threads:[~2013-03-14  1:48 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-03-13 17:57 CLONE_NEWUSER|CLONE_FS root exploit Kees Cook
2013-03-13 18:35 ` Eric W. Biederman
2013-03-14  1:48   ` Andy Lutomirski [this message]
2013-03-14 20:29     ` Eric W. Biederman
2013-03-14 21:32       ` Andy Lutomirski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=51412C67.30908@mit.edu \
    --to=luto@amacapital.net \
    --cc=containers@lists.linux-foundation.org \
    --cc=ebiederm@xmission.com \
    --cc=keescook@chromium.org \
    --cc=krahmer@suse.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=oleg@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox