Chroot can easily be used to subvert setuid programs. If no_new_privs, then setuid programs don't gain any privilege, so allow chroot. Because chroot is an easy way to break out of chroot jail, CAP_SYS_ADMIN is still required if the caller is already chrooted. Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx> --- fs/open.c | 16 ++++++++++++++-- 1 files changed, 14 insertions(+), 2 deletions(-) diff --git a/fs/open.c b/fs/open.c index f711921..80ca7e2 100644 --- a/fs/open.c +++ b/fs/open.c @@ -422,6 +422,8 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename) { struct path path; int error; + struct fs_struct *fs = current->fs; + bool is_chrooted; error = user_path_dir(filename, &path); if (error) @@ -432,13 +434,23 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename) goto dput_and_out; error = -EPERM; - if (!capable(CAP_SYS_CHROOT)) + /* + * Chroot is dangerous unless no_new_privs is set. But we also + * don't want to allow unprivileged users to break out of chroot + * jail with another chroot call, so we require either CAP_SYS_CHROOT + * unless we're not chrooted already and we have no_new_privs. + */ + is_chrooted = (fs->root.mnt->mnt_mountpoint != + fs->root.mnt->mnt_parent->mnt_root || + fs->root.dentry != fs->root.mnt->mnt_root); + if (!(current->no_new_privs && !is_chrooted) && + !capable(CAP_SYS_CHROOT)) goto dput_and_out; error = security_path_chroot(&path); if (error) goto dput_and_out; - set_fs_root(current->fs, &path); + set_fs_root(fs, &path); error = 0; dput_and_out: path_put(&path); -- 1.7.7.5 -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html