Not allowing programs to clear nosuid, nodev, and noexec on new mounts
of sysfs or proc will cause lxc and libvirt-lxc to fail to start (a
regression). There are no device nodes or executables on sysfs or
proc today which means clearing these flags is harmless today.
Instead of failing the fresh mounts of sysfs and proc emit a warning
when these flags are improprely cleared. We only reach this point
because lxc and libvirt-lxc clear flags they mount flags had not
intended to.
In a couple of kernel releases when lxc and libvirt-lxc have been
fixed we can start failing fresh mounts proc and sysfs that clear
nosuid, nodev and noexec. Userspace clearly means to enforce those
attributes and historically they have avoided bugs.
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
---
fs/namespace.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/fs/namespace.c b/fs/namespace.c
index eccd925c6e82..eaa49b628d28 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -3198,6 +3198,7 @@ static bool fs_fully_visible(struct file_system_type *type, int *new_mnt_flags)
if ((mnt->mnt.mnt_flags & MNT_LOCK_READONLY) &&
!(new_flags & MNT_READONLY))
continue;
+#if 0 /* Avoid unnecessary regressions */
if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
!(new_flags & MNT_NODEV))
continue;
@@ -3207,6 +3208,7 @@ static bool fs_fully_visible(struct file_system_type *type, int *new_mnt_flags)
if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) &&
!(new_flags & MNT_NOEXEC))
continue;
+#endif
if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) &&
((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (new_flags & MNT_ATIME_MASK)))
continue;
@@ -3226,10 +3228,35 @@ static bool fs_fully_visible(struct file_system_type *type, int *new_mnt_flags)
}
/* Preserve the locked attributes */
*new_mnt_flags |= mnt->mnt.mnt_flags & (MNT_LOCK_READONLY | \
+ /* Avoid unnecessary regressions \
MNT_LOCK_NODEV | \
MNT_LOCK_NOSUID | \
MNT_LOCK_NOEXEC | \
+ */ \
MNT_LOCK_ATIME);
+ /* For now, warn about the "harmless" but invalid mnt flags */
+ {
+ bool nodev = false, nosuid = false, noexec = false;
+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
+ !(new_flags & MNT_NODEV))
+ nodev = true;
+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) &&
+ !(new_flags & MNT_NOSUID))
+ nosuid = true;
+ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) &&
+ !(new_flags & MNT_NOEXEC))
+ noexec = true;
+
+ if ((nodev || nosuid || noexec) && printk_ratelimit()) {
+ printk(KERN_INFO
+ "warning: process `%s' clears %s%s%sin mount of %s\n",
+ current->comm,
+ nodev ? "nodev ":"",
+ nosuid ? "nosuid ":"",
+ noexec ? "noexec ":"",
+ type->name);
+ }
+ }
visible = true;
goto found;
next: ;
--
2.2.1
--
To unsubscribe from this list: send the line "unsubscribe linux-api" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
