[REVIEW][PATCH 3/5] mnt: Correct permission checks in do_remount
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Jul 31 23:06:49 UTC 2014
Quoting Eric W. Biederman (ebiederm at xmission.com):
>
> While invesgiating the issue where in "mount --bind -oremount,ro ..."
> would result in later "mount --bind -oremount,rw" succeeding even if
> the mount started off locked I realized that there are several
> additional mount flags that should be locked and are not.
>
> In particular MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime
> flags in addition to MNT_READONLY should all be locked. These
> flags are all per superblock, can all be changed with MS_BIND,
> and should not be changable if set by a more privileged user.
>
> The following additions to the current logic are added in this patch.
> - nosuid may not be clearable by a less privileged user.
> - nodev may not be clearable by a less privielged user.
> - noexec may not be clearable by a less privileged user.
> - atime flags may not be changeable by a less privileged user.
>
> The logic with atime is that always setting atime on access is a
> global policy and backup software and auditing software could break if
> atime bits are not updated (when they are configured to be updated),
> and serious performance degradation could result (DOS attack) if atime
> updates happen when they have been explicitly disabled. Therefore an
> unprivileged user should not be able to mess with the atime bits set
> by a more privileged user.
>
> The additional restrictions are implemented with the addition of
> MNT_LOCK_NOSUID, MNT_LOCK_NODEV, MNT_LOCK_NOEXEC, and MNT_LOCK_ATIME
> mnt flags.
>
> Taken together these changes and the fixes for MNT_LOCK_READONLY
> should make it safe for an unprivileged user to create a user
> namespace and to call "mount --bind -o remount,... ..." without
> the danger of mount flags being changed maliciously.
>
> Cc: stable at vger.kernel.org
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
> ---
> fs/namespace.c | 36 +++++++++++++++++++++++++++++++++---
> include/linux/mount.h | 5 +++++
> 2 files changed, 38 insertions(+), 3 deletions(-)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index 1105a577a14f..dd9c93b5a9d5 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -890,8 +890,21 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root,
>
> mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD|MNT_MARKED);
> /* Don't allow unprivileged users to change mount flags */
> - if ((flag & CL_UNPRIVILEGED) && (mnt->mnt.mnt_flags & MNT_READONLY))
> - mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
> + if (flag & CL_UNPRIVILEGED) {
> + mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
> +
> + if (mnt->mnt.mnt_flags & MNT_READONLY)
> + mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
> +
> + if (mnt->mnt.mnt_flags & MNT_NODEV)
> + mnt->mnt.mnt_flags |= MNT_LOCK_NODEV;
> +
> + if (mnt->mnt.mnt_flags & MNT_NOSUID)
> + mnt->mnt.mnt_flags |= MNT_LOCK_NOSUID;
> +
> + if (mnt->mnt.mnt_flags & MNT_NOEXEC)
> + mnt->mnt.mnt_flags |= MNT_LOCK_NOEXEC;
> + }
>
> /* Don't allow unprivileged users to reveal what is under a mount */
> if ((flag & CL_UNPRIVILEGED) && list_empty(&old->mnt_expire))
> @@ -1931,6 +1944,23 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
> !(mnt_flags & MNT_READONLY)) {
> return -EPERM;
> }
> + if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
> + !(mnt_flags & MNT_NODEV)) {
> + return -EPERM;
> + }
> + if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) &&
> + !(mnt_flags & MNT_NOSUID)) {
> + return -EPERM;
> + }
> + if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) &&
> + !(mnt_flags & MNT_NOEXEC)) {
> + return -EPERM;
> + }
> + if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) &&
> + ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (mnt_flags & MNT_ATIME_MASK))) {
> + return -EPERM;
> + }
> +
> err = security_sb_remount(sb, data);
> if (err)
> return err;
> @@ -2129,7 +2159,7 @@ static int do_new_mount(struct path *path, const char *fstype, int flags,
> */
> if (!(type->fs_flags & FS_USERNS_DEV_MOUNT)) {
> flags |= MS_NODEV;
> - mnt_flags |= MNT_NODEV;
> + mnt_flags |= MNT_NODEV | MNT_LOCK_NODEV;
> }
> }
>
> diff --git a/include/linux/mount.h b/include/linux/mount.h
> index b637a89e1fae..b0c1e6574e7f 100644
> --- a/include/linux/mount.h
> +++ b/include/linux/mount.h
> @@ -45,12 +45,17 @@ struct mnt_namespace;
> #define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
> | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
> | MNT_READONLY)
> +#define MNT_ATIME_MASK (MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME )
>
> #define MNT_INTERNAL_FLAGS (MNT_SHARED | MNT_WRITE_HOLD | MNT_INTERNAL | \
> MNT_DOOMED | MNT_SYNC_UMOUNT | MNT_MARKED)
>
> #define MNT_INTERNAL 0x4000
>
> +#define MNT_LOCK_ATIME 0x040000
> +#define MNT_LOCK_NOEXEC 0x080000
> +#define MNT_LOCK_NOSUID 0x100000
> +#define MNT_LOCK_NODEV 0x200000
> #define MNT_LOCK_READONLY 0x400000
> #define MNT_LOCKED 0x800000
> #define MNT_DOOMED 0x1000000
> --
> 1.9.1
>
More information about the Containers
mailing list