On Tue, Oct 7, 2014 at 2:42 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > > I am squinting and looking this way and that but while I can imagine > someone more clever than I can think up some unique property of rootfs > that makes it a little more exploitable than just mounting a ramfs, > but since you have to be root to exploit those properties I think the > game is pretty much lost. Yes. rootfs might not be empty, it might have totally insane permissions, and it's globally shared, which makes it into a wonderful channel to pass things around that shouldn't be passed around. Can non-root do this? You'd need to be in a userns with a "/" that isn't MNT_LOCKED. Can this happen on any normal setup? FWIW, I think we should unconditionally MNT_LOCKED the root on userns unshare, even if it's the only mount. > >>> >> So it is only root (and not root in a container) who can get to the >>> >> exposed rootfs. >>> >> >>> >> I have a vague memory someone actually had a real use in miminal systems >>> >> for being able to get back to the rootfs and being able to use rootfs as >>> >> the rootfs. There was even a patch at that time that Andrew Morton was >>> >> carrying for a time to allow unmounting root and get at rootfs, and to >>> >> prevent the oops on rootfs unmount in some way. >>> >> >>> >> So not only do I not think it is a bug to get back too rootfs, I think >>> >> it is a feature that some people have expressed at least half-way sane >>> >> uses for. >>> > >>> > They can still do that if they want, using chroot :) >>> >>> It would take fchdir or fchroot and a directory file descriptor open on >>> rootfs. Frequently there is no appropriate directory file descriptor. >> >> ? you can always escape if you're simply chrooted. waterbuffalo :) > > filesystem type rootfs. > > Eric > > -- > To unsubscribe from this list: send the line "unsubscribe linux-api" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- Andy Lutomirski AMA Capital Management, LLC -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html