From patchwork Thu Jun 4 04:35:30 2015
X-Patchwork-Submitter: "Eric W. Biederman"
X-Patchwork-Id: 6543891
From: ebiederm@xmission.com (Eric W. Biederman)
To: Andy Lutomirski
Cc: Kenton Varda, Serge Hallyn, Seth Forshee, Linux API, Linux Containers, Greg Kroah-Hartman, Michael Kerrisk-manpages, Richard Weinberger, Linux FS Devel, Tejun Heo
References: <87pp63jcca.fsf@x220.int.ebiederm.org> <87siaxuvik.fsf@x220.int.ebiederm.org> <87wq004im1.fsf@x220.int.ebiederm.org> <20150528140839.GD28842@ubuntumail> <87lhg8pwvz.fsf@x220.int.ebiederm.org> <87fv6gikfn.fsf@x220.int.ebiederm.org> <87fv6g80g7.fsf@x220.int.ebiederm.org> <87k2vkebri.fsf@x220.int.ebiederm.org> <87eglseboh.fsf_-_@x220.int.ebiederm.org>
Date: Wed, 03 Jun 2015 23:35:30 -0500
In-Reply-To: <87eglseboh.fsf_-_@x220.int.ebiederm.org> (Eric W. Biederman's message of "Wed, 03 Jun 2015 16:15:10 -0500")
Message-ID: <874mmodral.fsf_-_@x220.int.ebiederm.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
Subject: [CFT][PATCH 11/10] mnt: Avoid unnecessary regressions in fs_fully_visible (take 2)
Sender: linux-fsdevel-owner@vger.kernel.org
X-Mailing-List: linux-fsdevel@vger.kernel.org

Not allowing programs to clear nosuid and noexec on new mounts of sysfs or proc will cause lxc and libvirt-lxc to fail to start (a regression). There are no executable files on sysfs or proc today, which means clearing these flags is harmless today.

Instead of failing the fresh mounts of sysfs and proc, emit a warning when these flags are improperly cleared. We only reach this point because lxc and libvirt-lxc clear mount flags they had not intended to.

In a couple of kernel releases, when lxc and libvirt-lxc have been fixed, we can start failing fresh mounts of proc and sysfs that clear nosuid and noexec. Userspace clearly means to enforce those attributes, and enforcing these attributes has historically avoided bugs in the setattr implementations of proc and sysfs.

Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman"
---
Now with warning on problematic remounts as well. nodev is also ignored because it is not currently problematic.

 fs/namespace.c        | 33 +++++++++++++++++++++++++++++++++
 include/linux/mount.h |  5 +++++
 2 files changed, 38 insertions(+)

diff --git a/fs/namespace.c b/fs/namespace.c
index eccd925c6e82..3c3f8172c734 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2162,6 +2162,18 @@ static int do_remount(struct path *path, int flags, int mnt_flags, ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (mnt_flags & MNT_ATIME_MASK))) { return -EPERM; } + if ((mnt->mnt.mnt_flags & MNT_WARN_NOSUID) && + !(mnt_flags & MNT_NOSUID) && printk_ratelimit()) { + printk(KERN_INFO + "warning: process `%s' clears nosuid in remount of %s\n", + current->comm, sb->s_type->name); + } + if ((mnt->mnt.mnt_flags & MNT_WARN_NOEXEC) && + !(mnt_flags & MNT_NOEXEC) && printk_ratelimit()) { + printk(KERN_INFO + "warning: process `%s' clears noexec in remount of %s\n", + current->comm, sb->s_type->name); + } err = security_sb_remount(sb, data); if (err) @@ -3201,12 +3213,14 @@ static bool fs_fully_visible(struct file_system_type *type, int *new_mnt_flags) if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) && !(new_flags & MNT_NODEV)) continue; +#if 0 /* Avoid unnecessary regressions */ if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) && !(new_flags & MNT_NOSUID)) continue; if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) && !(new_flags & MNT_NOEXEC)) continue; +#endif if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) && ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (new_flags & MNT_ATIME_MASK))) continue; 
@@ -3227,9 +3241,28 @@ static bool fs_fully_visible(struct file_system_type *type, int *new_mnt_flags) /* Preserve the locked attributes */ *new_mnt_flags |= mnt->mnt.mnt_flags & (MNT_LOCK_READONLY | \ MNT_LOCK_NODEV | \ + /* Avoid unnecessary regressions \ MNT_LOCK_NOSUID | \ MNT_LOCK_NOEXEC | \ + */ \ MNT_LOCK_ATIME); + /* For now, warn about the "harmless" but invalid mnt flags */ + if (mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) { + *new_mnt_flags |= MNT_WARN_NOSUID; + if (!(new_flags & MNT_NOSUID) && printk_ratelimit()) { + printk(KERN_INFO + "warning: process `%s' clears nosuid in mount of %s\n", + current->comm, type->name); + } + } + if (mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) { + *new_mnt_flags |= MNT_WARN_NOEXEC; + if (!(new_flags & MNT_NOEXEC) && printk_ratelimit()) { + printk(KERN_INFO + "warning: process `%s' clears noexec in mount of %s\n", + current->comm, type->name); + } + } visible = true; goto found; next: ; diff --git a/include/linux/mount.h b/include/linux/mount.h index f822c3c11377..a9ac188413fd 100644 --- a/include/linux/mount.h +++ b/include/linux/mount.h @@ -52,6 +52,11 @@ struct mnt_namespace; #define MNT_INTERNAL 0x4000 +/* These warning options should be removed in a few kernel releases + * once userspace has been fixed. + */ +#define MNT_WARN_NOSUID 0x010000 +#define MNT_WARN_NOEXEC 0x020000 #define MNT_LOCK_ATIME 0x040000 #define MNT_LOCK_NOEXEC 0x080000 #define MNT_LOCK_NOSUID 0x100000
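Review bot: in the do_remount hunk (@@ -2162), printk_ratelimit() is the single global rate limiter shared by every caller in the kernel, so an unrelated burst of messages can suppress exactly the warning that is meant to name the misbehaving program; printk_ratelimited()/pr_info_ratelimited() gives each of the two new call sites its own budget. Logging a pid next to current->comm would also let an operator find the process while it is still running, since `%s' alone is ambiguous when several lxc-start instances exist. The check itself depends on MNT_WARN_NOSUID/MNT_WARN_NOEXEC surviving the remount; the assignment to mnt->mnt.mnt_flags later in do_remount is not in this hunk, so please confirm it preserves those bits, otherwise only the first remount ever warns.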
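Review bot: in the first fs_fully_visible hunk (@@ -3201), the `#if 0 /* Avoid unnecessary regressions */` block disables the two checks without saying why or for how long; the "couple of kernel releases" plan lives only in the changelog and in the mount.h comment, so repeat it here where the next reader will look. It would also help to state the consequence plainly in the changelog: once these lines are out, a fresh proc or sysfs mount that drops nosuid or noexec passes the visibility check even though the existing mount had those flags locked, and the new printk is the only trace that this happened.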
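Review bot: in the second fs_fully_visible hunk (@@ -3227), the lines `+ /* Avoid unnecessary regressions \` ... `+ */ \` bury MNT_LOCK_NOSUID and MNT_LOCK_NOEXEC inside a block comment that still carries backslash continuations; the backslashes are unnecessary in a plain C expression (they only matter in a macro) and a comment that contains two live-looking flag names is easy to misread. Remove the two flag lines outright and explain in the "Preserve the locked attributes" comment why those two are deliberately not propagated. The two warning blocks also duplicate the do_remount ones almost verbatim (only "mount" vs "remount" and type->name vs sb->s_type->name differ); a small helper taking the operation string and fs name would keep all four messages identical when the wording changes, and a one-line comment that MNT_WARN_* is set even when the caller kept the flag (so a later remount that drops it is caught) would make the intent obvious.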
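Review bot: in the include/linux/mount.h hunk (@@ -52), MNT_WARN_NOSUID 0x010000 and MNT_WARN_NOEXEC 0x020000 are placed in the gap between MNT_INTERNAL (0x4000) and MNT_LOCK_ATIME (0x040000); the hunk does not show the surrounding definitions, so please confirm nothing else claims those two values and that, being internal flags, they are excluded from whatever userspace may set through remount or read back. The comment block should also use the kernel's multi-line style with `/*` on a line of its own, and since it promises removal "in a few kernel releases", naming the userspace fix it is waiting for would make that promise actionable.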
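For the transition period the patch describes, an administrator has two observable signals: the mount table itself (proc or sysfs mounts that ended up without nosuid/noexec) and the new kernel warnings. The following audit script is an added example, not part of this patch or of the kernel tree; the mountinfo and kernel-log samples are constructed for the example, and the warning pattern is taken from the format strings the patch adds ("warning: process `%s' clears nosuid in mount of %s" and the noexec/remount variants).

```python
"""Audit helper for proc/sysfs mounts that lost nosuid/noexec.

Two offline checks against constructed sample data:
  1. parse /proc/self/mountinfo-style records and flag proc and sysfs mounts
     missing nosuid or noexec;
  2. parse kernel log lines for the "clears nosuid/noexec in mount/remount of"
     warnings added by the patch and count them per (process, fstype).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: two host mounts with the flags, two container-side
# mounts that dropped them, and an unrelated tmpfs that must not be reported.
SAMPLE_MOUNTINFO = """\
36 35 0:3 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
37 35 0:19 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw
80 70 0:3 / /var/lib/lxc/c1/rootfs/proc rw,relatime - proc proc rw
81 70 0:19 / /var/lib/lxc/c1/rootfs/sys rw,nosuid,nodev,relatime - sysfs sysfs rw
90 35 0:25 / /run rw,nosuid,nodev,noexec,relatime shared:7 - tmpfs tmpfs rw,mode=755
"""

# Constructed kernel log sample; the message text mirrors the patch's printk
# format strings. The last line is noise that must be ignored.
SAMPLE_DMESG = """\
[   12.345678] warning: process `lxc-start' clears nosuid in mount of proc
[   12.345701] warning: process `lxc-start' clears noexec in mount of proc
[   40.000123] warning: process `mount' clears nosuid in remount of sysfs
[   41.000000] EXT4-fs (sda1): mounted filesystem with ordered data mode
"""

REQUIRED_FLAGS = ("nosuid", "noexec")
WATCHED_FSTYPES = ("proc", "sysfs")

# Backtick-then-apostrophe quoting is exactly what the kernel format uses.
WARN_RE = re.compile(
    r"warning: process `(?P<comm>[^']*)' clears (?P<flag>nosuid|noexec) "
    r"in (?P<op>mount|remount) of (?P<fstype>\S+)"
)


def parse_mountinfo_line(line: str) -> Dict[str, object]:
    """Split one mountinfo record into named fields.

    Layout: id parent maj:min root mountpoint options [optional...] - fstype source sbopts
    The optional fields are terminated by a lone '-', so split on that token
    instead of assuming a fixed column count.
    """
    fields = line.split()
    sep = fields.index("-")
    return {
        "mount_id": int(fields[0]),
        "parent_id": int(fields[1]),
        "mount_point": fields[4],
        "mount_options": set(fields[5].split(",")),
        "fstype": fields[sep + 1],
        "source": fields[sep + 2],
    }


def audit_mountinfo(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (mount_point, fstype, missing_flags) for every proc/sysfs mount
    that lacks at least one of the required flags."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_mountinfo_line(line)
        if rec["fstype"] not in WATCHED_FSTYPES:
            continue
        missing = [f for f in REQUIRED_FLAGS if f not in rec["mount_options"]]
        if missing:
            findings.append((rec["mount_point"], rec["fstype"], missing))
    return findings


def parse_flag_warnings(text: str) -> List[Dict[str, str]]:
    """Extract comm/flag/op/fstype from each matching kernel log line."""
    return [m.groupdict() for m in map(WARN_RE.search, text.splitlines()) if m]


def summarize_offenders(hits: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count warnings per (process name, fstype) so the responsible program
    stands out even when the log is rate limited."""
    counts: Dict[Tuple[str, str], int] = {}
    for h in hits:
        key = (h["comm"], h["fstype"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for mp, fstype, missing in audit_mountinfo(SAMPLE_MOUNTINFO):
        print(f"{fstype} at {mp} is missing {','.join(missing)}")
    offenders = summarize_offenders(parse_flag_warnings(SAMPLE_DMESG))
    for (comm, fstype), n in sorted(offenders.items()):
        print(f"{comm} cleared locked flags on {fstype} {n} time(s)")
```

On a real host, feed `audit_mountinfo` the contents of /proc/self/mountinfo (or a container's /proc/<pid>/mountinfo) and `parse_flag_warnings` the output of dmesg; a non-empty result from either is the cue to fix the container runtime before the kernel starts rejecting such mounts again, as the changelog says it will.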