[PATCH review 4/4] vfs: Do not allow escaping from bind mounts.

Al Viro viro at ZenIV.linux.org.uk
Fri Apr 10 03:14:57 UTC 2015


On Thu, Apr 09, 2015 at 09:51:11PM -0500, Eric W. Biederman wrote:
> And a process opened /tmp/c/c/x.
> d_path on that file descriptor before __d_move would say:
> 
> /tmp/c/c/x
> 
> after the __d_move d_path would say:
> 
> /tmp/c/a/x

So what?

> Which is bizarrely weird in this example, and could potentially be
> an exploitable information leak in the hands of someone who knew
> what they were doing.
> 
> I am not clever enough to take that deleted directory and walk up the
> tree, so the damage may be limited to seeing the true path on the
> filesystem.  But it just may be that I am dense today.
> 
> Furthermore all of the relevant changes to the dentry that happen
> when exchange is true also happen when exchange is false, so I am very
> reluctant to believe that the non-exchange case is not exploitable by a
> sufficiently clever individual.

	Exploited how?  The same assistant might very well have done
echo "/tmp/c/a/x or whatever else I might want to pass to you" >/tmp/c/c/x
and pass whatever information they wanted _that_ way.

	As it is, you've created one hell of a DoS - *anyone* can poison
any vfsmount covering a subtree if they have access to a containing subtree
somewhere and write permissions on a directory inside and directory outside
of the victim one.