From patchwork Sat May 9 20:54:13 2015
X-Patchwork-Submitter: "Eric W. Biederman"
X-Patchwork-Id: 6370301
From: ebiederm@xmission.com (Eric W. Biederman)
To: Linus Torvalds
Cc: security@kernel.org, Andy Lutomirski, Linux Containers, Eric Windisch
References: <87k2wi4urh.fsf@x220.int.ebiederm.org>
Date: Sat, 09 May 2015 15:54:13 -0500
In-Reply-To: (Eric Windisch's message of "Fri, 8 May 2015 18:44:05 -0400")
Message-ID: <877fshtqtm.fsf_-_@x220.int.ebiederm.org>
Subject: [GIT PULL] userns: proc and sysfs mount fix

Linus,

Please pull the for-linus branch from the git tree:

   git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-linus

   HEAD: 7e96c1b0e0f495c5a7450dc4aa7c9a24ba4305bd mnt: Fix fs_fully_visible to verify the root directory is visible

Eric Windisch recently reported a really bug that allows mounting fresh
copies of proc and sysfs when it really should not be allowed. The code
attempted to verify that proc and sysfs were fully visible but there is
a test missing to ensure that the root of the filesystem is visible.
Doh! The following patch fixes that.

This fixes a containment issue that the docker folks are seeing.

I see one or two more issues that I would like to correct in the check
for mounting proc and sysfs but those look like they have a non-trivial
chance of breaking working user space so they are going to need more
review and testing before I send them your way.

commit 7e96c1b0e0f495c5a7450dc4aa7c9a24ba4305bd
Author: Eric W. Biederman
Date:   Fri May 8 16:36:50 2015 -0500

    mnt: Fix fs_fully_visible to verify the root directory is visible

    This fixes a dumb bug in fs_fully_visible that allows proc or sys to be
    mounted if there is a bind mount of part of /proc/ or /sys/ visible.

    Cc: stable@vger.kernel.org
    Reported-by: Eric Windisch
    Signed-off-by: "Eric W. Biederman"
---
 fs/namespace.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/namespace.c b/fs/namespace.c index 1f4f9dac6e5a..1b9e11167bae 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -3179,6 +3179,12 @@ bool fs_fully_visible(struct file_system_type *type) if (mnt->mnt.mnt_sb->s_type != type) continue; + /* This mount is not fully visible if it's root directory + * is not the root directory of the filesystem. + */ + if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root) + continue; + /* This mount is not fully visible if there are any child mounts * that cover anything except for empty directories. */
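
Review bot: In the comment added above the new mnt_root test in fs_fully_visible(), "it's root directory" should read "its root directory". The test itself compares mnt->mnt.mnt_root against mnt->mnt.mnt_sb->s_root and skips the mount on a mismatch, and it sits before the existing child-mount check, so a mount whose root is only a subdirectory of the filesystem is dropped as a candidate before that check runs. The commit message describes the trigger only as "a bind mount of part of /proc/ or /sys/"; a sentence spelling out the mount layout from the report would make it easier to judge exposure when this is picked up for stable.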