diff mbox series

[1/6] tools/pygrub: Set mount propagation to private recursively

Message ID 20231106150508.22665-2-alejandro.vallejo@cloud.com (mailing list archive)
State New, archived
Headers show
Series Pygrub security enhancements and bugfixes | expand

Commit Message

Alejandro Vallejo Nov. 6, 2023, 3:05 p.m. UTC
This is important in order for every mount done inside a mount namespace to
go away after the namespace itself goes away. The comment referring to
unreliability in Linux 4.19 was just wrong.

This patch sets the story straight and makes the depriv pygrub a bit more
confined should a layer of the onion be vulnerable.

Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
---
 tools/pygrub/src/pygrub | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

Comments

Andrew Cooper Nov. 22, 2023, 7:46 p.m. UTC | #1
On 06/11/2023 3:05 pm, Alejandro Vallejo wrote:
> This is important in order for every mount done inside a mount namespace to
> go away after the namespace itself goes away. The comment referring to
> unreliability in Linux 4.19 was just wrong.
>
> This patch sets the story straight and makes the depriv pygrub a bit more
> confined should a layer of the onion be vulnerable.
>
> Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>

Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
Andrew Cooper Nov. 22, 2023, 7:48 p.m. UTC | #2
On 22/11/2023 7:46 pm, Andrew Cooper wrote:
> On 06/11/2023 3:05 pm, Alejandro Vallejo wrote:
>> This is important in order for every mount done inside a mount namespace to
>> go away after the namespace itself goes away. The comment referring to
>> unreliability in Linux 4.19 was just wrong.
>>
>> This patch sets the story straight and makes the depriv pygrub a bit more
>> confined should a layer of the onion be vulnerable.
>>
>> Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>

Sorry, wants

Fixes: e0342ae5556f ("tools/pygrub: Deprivilege pygrub")

too.  Will fix on commit.

~Andrew
Alejandro Vallejo Nov. 23, 2023, 4:49 p.m. UTC | #3
On 22/11/2023 19:48, Andrew Cooper wrote:
> On 22/11/2023 7:46 pm, Andrew Cooper wrote:
>> On 06/11/2023 3:05 pm, Alejandro Vallejo wrote:
>>> This is important in order for every mount done inside a mount namespace to
>>> go away after the namespace itself goes away. The comment referring to
>>> unreliability in Linux 4.19 was just wrong.
>>>
>>> This patch sets the story straight and makes the depriv pygrub a bit more
>>> confined should a layer of the onion be vulnerable.
>>>
>>> Signed-off-by: Alejandro Vallejo <alejandro.vallejo@cloud.com>
>> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
> 
> Sorry, wants
> 
> Fixes: e0342ae5556f ("tools/pygrub: Deprivilege pygrub")
> 
> too.  Will fix on commit.
> 
> ~Andrew

Sounds good.

Cheers,
Alejandro
diff mbox series

Patch

diff --git a/tools/pygrub/src/pygrub b/tools/pygrub/src/pygrub
index 541e562327..08540ad288 100755
--- a/tools/pygrub/src/pygrub
+++ b/tools/pygrub/src/pygrub
@@ -55,6 +55,12 @@  def unshare(flags):
     if unshare(flags) < 0:
         raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()))
 
+    # It's very typical for systemd to mount / with MS_SHARED. That means
+    # any events in the new namespace get propagated back to the parent.
+    #
+    # Undo it so that every mount done in the NS stay confined within it.
+    subprocess.check_output(["mount", "--make-rprivate", "/"])
+
 def bind_mount(src, dst, options):
     open(dst, "a").close() # touch
 
@@ -113,11 +119,9 @@  def depriv(output_directory, output, device, uid, path_kernel, path_ramdisk):
             if rc != 0 or os.path.getsize(path) == 0:
                 os.unlink(path)
 
-        # Normally, unshare(CLONE_NEWNS) will ensure this is not required.
-        # However, this syscall doesn't exist in *BSD systems and doesn't
-        # auto-unmount everything on older Linux kernels (At least as of
-        # Linux 4.19, but it seems fixed in 5.15). Either way,
-        # recursively unmount everything if needed. Quietly.
+        # Unshare(CLONE_NEWNS) ensures this is not required, but that's not
+        # present on *BSD, so recursively unmount everything if needed.
+        # Quietly.
         with open('/dev/null', 'w') as devnull:
             subprocess.call(["umount", "-f", chroot + device_path],
                             stdout=devnull, stderr=devnull)