Re: [PATCH 3.8 08/13] mnt: Only change user settable mount flags in remount

Zefan Li <lizefan@xxxxxxxxxx> writes:

> On 2014/9/30 15:53, Francis Moreau wrote:
>> Hello Zefan Li,
>> 
>> I'm really not sure but this patch might be needed for 3.4 too.
>> 
>
> It looks to me this bug fix is for user namespace only and IIRC userns was
> introduced in 3.8, so I'm not going to apply it to 3.4.
>
> Same for the other patch.

I don't know about the other patch, and the security issue is with
respect to user namespaces and unprivileged mounts.  The bug where
remount can clear internal mount flags is present in 3.4.  remount has
been broken in this way for a long time.

I don't recall which mount flags you the incomplete MNT_PROPAGATION_MASK
but I seem to remember that if you were clever and stood on your head
and squinted there was at least one flag that could be cleared by
root by accident.

Eric

>> Thanks
>> 
>> On 09/03/2014 06:15 PM, Francis Moreau wrote:
>>> Hello,
>>>
>>> Is it also needed by 3.2.x and 3.4.x ?
>>>
>>> Thanks
>>>
>>> On 08/25/2014 06:54 PM, Kamal Mostafa wrote:
>>>> 3.8.13.28 -stable review patch.  If anyone has any objections, please let me know.
>>>>
>>>> ------------------
>>>>
>>>> From: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
>>>>
>>>> commit a6138db815df5ee542d848318e5dae681590fccd upstream.
>>>>
>>>> Kenton Varda <kenton@xxxxxxxxxxxx> discovered that by remounting a
>>>> read-only bind mount read-only in a user namespace the
>>>> MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
>>>> to remount a read-only mount read-write.
>>>>
>>>> Correct this by replacing the mask of mount flags to preserve
>>>> with a mask of mount flags that may be changed, and preserve
>>>> all others.   This ensures that any future bugs with this mask and
>>>> remount will fail in an easy to detect way where new mount flags
>>>> simply won't change.
>>>>
>>>> Acked-by: Serge E. Hallyn <serge.hallyn@xxxxxxxxxx>
>>>> Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
>>>> Signed-off-by: Kamal Mostafa <kamal@xxxxxxxxxxxxx>
>>>> ---
>>>>  fs/namespace.c        | 2 +-
>>>>  include/linux/mount.h | 4 +++-
>>>>  2 files changed, 4 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/fs/namespace.c b/fs/namespace.c
>>>> index 5dd7709..ddbd5bc 100644
>>>> --- a/fs/namespace.c
>>>> +++ b/fs/namespace.c
>>>> @@ -1782,7 +1782,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
>>>>  		err = do_remount_sb(sb, flags, data, 0);
>>>>  	if (!err) {
>>>>  		br_write_lock(&vfsmount_lock);
>>>> -		mnt_flags |= mnt->mnt.mnt_flags & MNT_PROPAGATION_MASK;
>>>> +		mnt_flags |= mnt->mnt.mnt_flags & ~MNT_USER_SETTABLE_MASK;
>>>>  		mnt->mnt.mnt_flags = mnt_flags;
>>>>  		br_write_unlock(&vfsmount_lock);
>>>>  	}
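
Review bot: the new assignment in do_remount() keeps every bit outside MNT_USER_SETTABLE_MASK, but the incoming mnt_flags is still ORed in unmasked, so a bit outside the mask that reaches this function in mnt_flags would be set on the mount. If the callers already guarantee that mnt_flags carries only settable bits, a short comment here saying so would help; otherwise consider `mnt_flags & MNT_USER_SETTABLE_MASK` on the requested side so the update is an allow-list in both directions.
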
>>>> diff --git a/include/linux/mount.h b/include/linux/mount.h
>>>> index 73005f9..16fc05d 100644
>>>> --- a/include/linux/mount.h
>>>> +++ b/include/linux/mount.h
>>>> @@ -42,7 +42,9 @@ struct mnt_namespace;
>>>>   * flag, consider how it interacts with shared mounts.
>>>>   */
>>>>  #define MNT_SHARED_MASK	(MNT_UNBINDABLE)
>>>> -#define MNT_PROPAGATION_MASK	(MNT_SHARED | MNT_UNBINDABLE)
>>>> +#define MNT_USER_SETTABLE_MASK  (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
>>>> +				 | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
>>>> +				 | MNT_READONLY)
>>>>  
>>>>  
>>>>  #define MNT_INTERNAL	0x4000
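
Review bot: MNT_USER_SETTABLE_MASK is defined without a comment of its own, and the comment just above it is about shared mounts, so nothing at the definition says that do_remount() treats this list as the only flags a remount may change. A sentence stating that, and that internal flags such as MNT_LOCK_READONLY must stay out of the mask, would keep a later addition to the list from reopening the bug described in the commit message.
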
>>>>
>>>
>> 
>> .
>> 
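
A userspace model of the two flag updates in the patch quoted above, added here as an illustration and not taken from the kernel or from anyone in this thread. The bit values and the helper names remount_old, remount_new and internal_bits_lost are assumptions made for the example; only the flag names and the two mask definitions come from the patch.

```c
#include <stdio.h>

/* Userspace model only. Bit values are assumptions for this example;
 * the flag names and the two mask definitions come from the patch. */
#define MNT_NOSUID        0x01u
#define MNT_NODEV         0x02u
#define MNT_NOEXEC        0x04u
#define MNT_NOATIME       0x08u
#define MNT_NODIRATIME    0x10u
#define MNT_RELATIME      0x20u
#define MNT_READONLY      0x40u
#define MNT_SHARED        0x1000u
#define MNT_UNBINDABLE    0x2000u
#define MNT_LOCK_READONLY 0x400000u

#define MNT_PROPAGATION_MASK   (MNT_SHARED | MNT_UNBINDABLE)
#define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
                                | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
                                | MNT_READONLY)

/* Pre-patch update: keep only the bits named in a preserve list. */
static unsigned remount_old(unsigned cur, unsigned requested)
{
	return requested | (cur & MNT_PROPAGATION_MASK);
}

/* Post-patch update: keep every bit that is not user settable. */
static unsigned remount_new(unsigned cur, unsigned requested)
{
	return requested | (cur & ~MNT_USER_SETTABLE_MASK);
}

/* Bits outside the settable mask that a remount dropped; 0 means the
 * invariant "remount never clears internal flags" held. */
static unsigned internal_bits_lost(unsigned before, unsigned after)
{
	return before & ~after & ~MNT_USER_SETTABLE_MASK;
}

int main(void)
{
	/* Constructed state: locked read-only bind mount, shared, nosuid. */
	unsigned cur = MNT_READONLY | MNT_LOCK_READONLY | MNT_SHARED | MNT_NOSUID;
	unsigned req = MNT_READONLY;	/* remount read-only again */

	printf("old update lost internal bits: %#x\n",
	       internal_bits_lost(cur, remount_old(cur, req)));
	printf("new update lost internal bits: %#x\n",
	       internal_bits_lost(cur, remount_new(cur, req)));
	return 0;
}
```

The internal_bits_lost() check is the invariant the commit message argues for: with the settable mask, a flag added later and left out of the list is preserved by default instead of being dropped.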