[PATCH review 4/4] vfs: Do not allow escaping from bind mounts.
Eric W. Biederman
ebiederm at xmission.com
Fri Apr 10 02:51:11 UTC 2015
Al Viro <viro at ZenIV.linux.org.uk> writes:
> On Wed, Apr 08, 2015 at 06:34:12PM -0500, Eric W. Biederman wrote:
>> + if (ancestor) {
>> + mark_violated_mounts(dentry, ancestor);
>> + mark_violated_mounts(target, ancestor);
>> + }
>
> Umm... Both sides the same way, regardless of whether it's exchange or
> move? Looks wrong...
I am pretty certain it can cause d_path to become an information leak
if we do not.
> Look:
>
> mkdir /tmp/a
> mkdir /tmp/b
> mkdir /tmp/c
> mkdir /tmp/b/c
> touch /tmp/a/x
> mount --bind /tmp/b /tmp/c
> mv /tmp/a/x /tmp/b/c/x
>
> should that make the vfsmount on /tmp/c violated? And if so, why?
If /tmp is a mount point and before the move there was a:
touch /tmp/b/c/x
And a process opened /tmp/c/c/x.
d_path on that file descriptor before __d_move would say:
/tmp/c/c/x
after the __d_move d_path would say:
/tmp/c/a/x
Which is bizareely weird in this example, and could potentially be
an expolitable information leak in the hands of someone who knew
what they were doing.
I am not clever enough to take that deleted directory and walk up the
tree, so the damage may be limited to seeing the true path on the
fileystem. But it just may be that I am dense today.
Furthermore all of the relevant changes to the dentry that happen
when exchange is true also happen when exchange is false, so I am very
reluctant to believe that the non-exchange case is not exploitable by a
sufficiently clever individual.
Eric
More information about the Containers
mailing list