Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.12.54 2014-08-26T12:12:05Z 2014-08-26T12:12:05Z Eric W. Biederman ebiederm@xmission.com 2014-07-29T00:26:07Z urn:sha1:8b18c0adbc5d0cb1530692e72bcfb88fd7bb77bb commit 9566d6742852c527bf5af38af5cbb878dad75705 upstream. While invesgiating the issue where in "mount --bind -oremount,ro ..." would result in later "mount --bind -oremount,rw" succeeding even if the mount started off locked I realized that there are several additional mount flags that should be locked and are not. In particular MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime flags in addition to MNT_READONLY should all be locked. These flags are all per superblock, can all be changed with MS_BIND, and should not be changable if set by a more privileged user. The following additions to the current logic are added in this patch. - nosuid may not be clearable by a less privileged user. - nodev may not be clearable by a less privielged user. - noexec may not be clearable by a less privileged user. - atime flags may not be changeable by a less privileged user. The logic with atime is that always setting atime on access is a global policy and backup software and auditing software could break if atime bits are not updated (when they are configured to be updated), and serious performance degradation could result (DOS attack) if atime updates happen when they have been explicitly disabled. Therefore an unprivileged user should not be able to mess with the atime bits set by a more privileged user. The additional restrictions are implemented with the addition of MNT_LOCK_NOSUID, MNT_LOCK_NODEV, MNT_LOCK_NOEXEC, and MNT_LOCK_ATIME mnt flags. Taken together these changes and the fixes for MNT_LOCK_READONLY should make it safe for an unprivileged user to create a user namespace and to call "mount --bind -o remount,... ..." without the danger of mount flags being changed maliciously. Cc: stable@vger.kernel.org Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 2014-08-26T12:12:04Z Eric W. Biederman ebiederm@xmission.com 2014-07-28T23:26:53Z urn:sha1:25c1def33a2f74079f3062b7afdf98fcf9f34e6d commit a6138db815df5ee542d848318e5dae681590fccd upstream. Kenton Varda <kenton@sandstorm.io> discovered that by remounting a read-only bind mount read-only in a user namespace the MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user to the remount a read-only mount read-write. Correct this by replacing the mask of mount flags to preserve with a mask of mount flags that may be changed, and preserve all others. This ensures that any future bugs with this mask and remount will fail in an easy to detect way where new mount flags simply won't change. Cc: stable@vger.kernel.org Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 2013-07-24T16:14:46Z Eric W. Biederman ebiederm@xmission.com 2013-03-30T04:04:39Z urn:sha1:5ff9d8a65ce80efb509ce4e8051394e9ed2cd942 When creating a less privileged mount namespace or propogating mounts from a more privileged to a less privileged mount namespace lock the submounts so they may not be unmounted individually in the child mount namespace revealing what is under them. This enforces the reasonable expectation that it is not possible to see under a mount point. Most of the time mounts are on empty directories and revealing that does not matter, however I have seen an occassionaly sloppy configuration where there were interesting things concealed under a mount point that probably should not be revealed. Expirable submounts are not locked because they will eventually unmount automatically so whatever is under them already needs to be safe for unprivileged users to access. From a practical standpoint these restrictions do not appear to be significant for unprivileged users of the mount namespace. Recursive bind mounts and pivot_root continues to work, and mounts that are created in a mount namespace may be unmounted there. All of which means that the common idiom of keeping a directory of interesting files and using pivot_root to throw everything else away continues to work just fine. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Acked-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> 2013-03-27T14:50:04Z Eric W. Biederman ebiederm@xmission.com 2013-03-22T10:10:15Z urn:sha1:90563b198e4c6674c63672fae1923da467215f45 When a read-only bind mount is copied from mount namespace in a higher privileged user namespace to a mount namespace in a lesser privileged user namespace, it should not be possible to remove the the read-only restriction. Add a MNT_LOCK_READONLY mount flag to indicate that a mount must remain read-only. CC: stable@vger.kernel.org Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> 2012-01-04T03:57:12Z Al Viro viro@zeniv.linux.org.uk 2011-11-25T07:35:16Z urn:sha1:c63181e6b6df89176b3984c6977bb5ec03d0df23 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-01-04T03:57:11Z Al Viro viro@zeniv.linux.org.uk 2011-11-25T07:25:17Z urn:sha1:52ba1621de1479ce7e52b6d167860462e483313c Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-01-04T03:57:11Z Al Viro viro@zeniv.linux.org.uk 2011-11-25T07:19:55Z urn:sha1:1a4eeaf2a8c07404e2d1c3ff99b393fd4c207170 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-01-04T03:57:10Z Al Viro viro@zeniv.linux.org.uk 2011-11-25T05:57:42Z urn:sha1:863d684f946eb240c7dd57d265d88315950ca5cc Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-01-04T03:57:10Z Al Viro viro@zeniv.linux.org.uk 2011-11-25T05:50:41Z urn:sha1:15169fe784a9846b24cdb0840329d41aebc23249 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-01-04T03:57:09Z Al Viro viro@zeniv.linux.org.uk 2011-11-25T05:46:35Z urn:sha1:143c8c91cee7efdd732ec5f61b3471fc46192f20 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>