diff options
| author | Eric W. Biederman <ebiederm@xmission.com> | 2018-10-25 09:04:18 -0500 |
|---|---|---|
| committer | Eric W. Biederman <ebiederm@xmission.com> | 2018-11-08 00:30:30 -0600 |
| commit | df7342b240185d58d3d9665c0bbf0a0f5570ec29 (patch) | |
| tree | 2364c5f9c7f873d999f521c4a6227dfb19b786a6 /lib/Kconfig | |
| parent | 25d202ed820ee347edec0bf3bf553544556bf64b (diff) | |
| download | linux-df7342b240185d58d3d9665c0bbf0a0f5570ec29.tar.bz2 | |
mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts
Jonathan Calmels from NVIDIA reported that he's able to bypass the
mount visibility security check in place in the Linux kernel by using
a combination of the unbindable property along with the private mount
propagation option to allow a unprivileged user to see a path which
was purposefully hidden by the root user.
Reproducer:
# Hide a path to all users using a tmpfs
root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
root@castiana:~#
# As an unprivileged user, unshare user namespace and mount namespace
stgraber@castiana:~$ unshare -U -m -r
# Confirm the path is still not accessible
root@castiana:~# ls /sys/devices/
# Make /sys recursively unbindable and private
root@castiana:~# mount --make-runbindable /sys
root@castiana:~# mount --make-private /sys
# Recursively bind-mount the rest of /sys over to /mnnt
root@castiana:~# mount --rbind /sys/ /mnt
# Access our hidden /sys/device as an unprivileged user
root@castiana:~# ls /mnt/devices/
breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe
LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system
tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual
Solve this by teaching copy_tree to fail if a mount turns out to be
both unbindable and locked.
Cc: stable@vger.kernel.org
Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
Reported-by: Jonathan Calmels <jcalmels@nvidia.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'lib/Kconfig')
0 files changed, 0 insertions, 0 deletions