From: Cyril Hrubis <chrubis@suse.cz>
To: Wei Gao <wegao@suse.com>
Cc: ltp@lists.linux.it
Subject: Re: [LTP] [PATCH v4] mount08.c: Restrict overmounting of ephemeral entities
Date: Fri, 11 Jul 2025 15:02:51 +0200 [thread overview]
Message-ID: <aHELexqAddKs0qU0@yuki.lan> (raw)
In-Reply-To: <20250321151143.11332-1-wegao@suse.com>
Hi!
> Signed-off-by: Wei Gao <wegao@suse.com>
> Reviewed-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> runtest/syscalls | 1 +
> testcases/kernel/syscalls/mount/.gitignore | 1 +
> testcases/kernel/syscalls/mount/mount08.c | 57 ++++++++++++++++++++++
> 3 files changed, 59 insertions(+)
> create mode 100644 testcases/kernel/syscalls/mount/mount08.c
>
> diff --git a/runtest/syscalls b/runtest/syscalls
> index ded035ee8..d3abc8b85 100644
> --- a/runtest/syscalls
> +++ b/runtest/syscalls
> @@ -852,6 +852,7 @@ mount04 mount04
> mount05 mount05
> mount06 mount06
> mount07 mount07
> +mount08 mount08
>
> mount_setattr01 mount_setattr01
>
> diff --git a/testcases/kernel/syscalls/mount/.gitignore b/testcases/kernel/syscalls/mount/.gitignore
> index 80885dbf0..3eee5863a 100644
> --- a/testcases/kernel/syscalls/mount/.gitignore
> +++ b/testcases/kernel/syscalls/mount/.gitignore
> @@ -6,3 +6,4 @@
> /mount05
> /mount06
> /mount07
> +/mount08
> diff --git a/testcases/kernel/syscalls/mount/mount08.c b/testcases/kernel/syscalls/mount/mount08.c
> new file mode 100644
> index 000000000..1938c5519
> --- /dev/null
> +++ b/testcases/kernel/syscalls/mount/mount08.c
> @@ -0,0 +1,57 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (C) 2024 Wei Gao <wegao@suse.com>
> + */
> +
> +/*\
> + * Verify that mount will raise ENOENT if we try to mount on magic links
> + * under /proc/<pid>/fd/<nr>.
> + */
> +
> +#include "tst_test.h"
> +#include <sys/mount.h>
> +#include "tst_safe_file_at.h"
> +
> +#define MNTPOINT "mntpoint"
> +#define FOO MNTPOINT "/foo"
> +#define BAR MNTPOINT "/bar"
> +
> +static void run(void)
> +{
> + char path[PATH_MAX];
> + int foo_fd, newfd, proc_fd;
> +
> + foo_fd = SAFE_OPEN(FOO, O_RDONLY | O_NONBLOCK, 0640);
> + newfd = SAFE_DUP(foo_fd);
> + SAFE_CLOSE(foo_fd);
AFAIK the dup() here is not needed, the original reproducer used the
dup() to create a file descriptor with exact number for the loop. In
this case we can just take the fd from SAFE_OPEN() and use it instead of
the newfd.
> + sprintf(path, "/proc/%d/fd/%d", getpid(), newfd);
> +
> + proc_fd = SAFE_OPENAT(AT_FDCWD, path, O_PATH | O_NOFOLLOW);
> +
> + sprintf(path, "/proc/%d/fd/%d", getpid(), proc_fd);
> +
> + TST_EXP_FAIL(
> + mount(BAR, path, "", MS_BIND, 0),
> + ENOENT,
> + "mount() on proc failed expectedly"
^
This message is used even if the call passed
unexpectedly, so it should describe what is being done
rather than the expected outcome, e.g.:
"mount(/proc/$PID/fd/$FD)"
> + );
You are not closing the file descriptors here, so the test fails with:
"-i 1000" command line params.
> +}
> +
> +static void setup(void)
> +{
> + SAFE_CREAT(FOO, 0777);
> + SAFE_CREAT(BAR, 0777);
This leaks two file descriptors too, but at least it's these are not
opened on each iteration.
If you just need to create a file do SAFE_TOUCH(FOO, 0777, NULL)
instead.
> +}
> +
> +static struct tst_test test = {
> + .setup = setup,
> + .test_all = run,
> + .needs_root = 1,
> + .mntpoint = MNTPOINT,
> + .min_kver = "6.12",
With this you are masking the problem on older kernels, please do not,
as the problem has possible security implications.
> + .tags = (const struct tst_tag[]) {
> + {"linux-git", "d80b065bb172"},
> + {}
> + }
> +};
> --
> 2.35.3
>
>
> --
> Mailing list info: https://lists.linux.it/listinfo/ltp
--
Cyril Hrubis
chrubis@suse.cz
--
Mailing list info: https://lists.linux.it/listinfo/ltp
next prev parent reply other threads:[~2025-07-11 13:02 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-25 11:42 [LTP] [PATCH v1] mount08.c: Restrict overmounting of ephemeral entities on /proc/<pid>/fd/<nr> Wei Gao via ltp
2025-02-19 13:27 ` Andrea Cervesato via ltp
2025-03-19 4:47 ` [LTP] [PATCH v2] " Wei Gao via ltp
2025-03-20 14:53 ` Andrea Cervesato via ltp
2025-03-21 3:42 ` [LTP] [PATCH v3] mount08.c: Restrict overmounting of ephemeral entities Wei Gao via ltp
2025-03-21 10:27 ` Ricardo B. Marli��re via ltp
2025-03-21 15:14 ` Wei Gao via ltp
2025-03-21 15:11 ` [LTP] [PATCH v4] " Wei Gao via ltp
2025-07-11 13:02 ` Cyril Hrubis [this message]
2025-07-21 20:04 ` [LTP] [PATCH v5] " Wei Gao via ltp
2025-07-22 6:40 ` Andrea Cervesato via ltp
2025-07-22 19:00 ` Wei Gao via ltp
2025-07-22 18:54 ` [LTP] [PATCH v6] " Wei Gao via ltp
2025-07-23 11:51 ` Andrea Cervesato via ltp
2025-07-23 12:42 ` Cyril Hrubis
2025-07-24 17:04 ` Petr Vorel
2025-07-24 17:10 ` Petr Vorel
2025-07-25 12:54 ` Wei Gao via ltp
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aHELexqAddKs0qU0@yuki.lan \
--to=chrubis@suse.cz \
--cc=ltp@lists.linux.it \
--cc=wegao@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox