On Tue, Oct 7, 2014 at 3:42 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > Andy Lutomirski <luto@xxxxxxxxxxxxxx> writes: > >> On Tue, Oct 7, 2014 at 2:42 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: >>> >>> I am squinting and looking this way and that but while I can imagine >>> someone more clever than I can think up some unique property of rootfs >>> that makes it a little more exploitable than just mounting a ramfs, >>> but since you have to be root to exploit those properties I think the >>> game is pretty much lost. >> >> Yes. rootfs might not be empty, it might have totally insane >> permissions, and it's globally shared, which makes it into a wonderful >> channel to pass things around that shouldn't be passed around. > > But if only root with proc mounted can reach it... I don't know. It doesn't have to be global root. It could be userns root. > There might be a case for setting MNT_LOCKED when we overmount "/" > as root but I don't yet see it. > >> Can non-root do this? You'd need to be in a userns with a "/" that >> isn't MNT_LOCKED. Can this happen on any normal setup? >> >> FWIW, I think we should unconditionally MNT_LOCKED the root on userns >> unshare, even if it's the only mount. > > To the best of my knowledge MNT_LOCKED is set uncondintially on userns > unshare. Only if list_empty(&old->mnt_expire), whatever that means, I think. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html