Andy Lutomirski <luto@xxxxxxxxxxxxxx> writes: > On Tue, Oct 7, 2014 at 3:42 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: >> Andy Lutomirski <luto@xxxxxxxxxxxxxx> writes: >> >>> On Tue, Oct 7, 2014 at 2:42 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: >>>> >>>> I am squinting and looking this way and that but while I can imagine >>>> someone more clever than I can think up some unique property of rootfs >>>> that makes it a little more exploitable than just mounting a ramfs, >>>> but since you have to be root to exploit those properties I think the >>>> game is pretty much lost. >>> >>> Yes. rootfs might not be empty, it might have totally insane >>> permissions, and it's globally shared, which makes it into a wonderful >>> channel to pass things around that shouldn't be passed around. >> >> But if only root with proc mounted can reach it... I don't know. > > It doesn't have to be global root. It could be userns root. > >> There might be a case for setting MNT_LOCKED when we overmount "/" >> as root but I don't yet see it. >> >>> Can non-root do this? You'd need to be in a userns with a "/" that >>> isn't MNT_LOCKED. Can this happen on any normal setup? >>> >>> FWIW, I think we should unconditionally MNT_LOCKED the root on userns >>> unshare, even if it's the only mount. >> >> To the best of my knowledge MNT_LOCKED is set uncondintially on userns >> unshare. > > Only if list_empty(&old->mnt_expire), whatever that means, I think. An autofs or nfs automounted mount. Can those ever become root? Eric -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html