All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Jiri Slaby <jslaby@suse.cz>
Subject: [PATCH 3.12 065/104] mnt: Correct permission checks in do_remount
Date: Wed, 20 Aug 2014 13:43:28 +0200	[thread overview]
Message-ID: <ac9bfbc60931cae246eff6380449d6c2b0dced50.1408535000.git.jslaby@suse.cz> (raw)
In-Reply-To: <cbcbb4c4826ff594b091e143b0f049f13ab7a64e.1408535000.git.jslaby@suse.cz>
In-Reply-To: <cover.1408535000.git.jslaby@suse.cz>

From: "Eric W. Biederman" <ebiederm@xmission.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 9566d6742852c527bf5af38af5cbb878dad75705 upstream.

While invesgiating the issue where in "mount --bind -oremount,ro ..."
would result in later "mount --bind -oremount,rw" succeeding even if
the mount started off locked I realized that there are several
additional mount flags that should be locked and are not.

In particular MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime
flags in addition to MNT_READONLY should all be locked.  These
flags are all per superblock, can all be changed with MS_BIND,
and should not be changable if set by a more privileged user.

The following additions to the current logic are added in this patch.
- nosuid may not be clearable by a less privileged user.
- nodev  may not be clearable by a less privielged user.
- noexec may not be clearable by a less privileged user.
- atime flags may not be changeable by a less privileged user.

The logic with atime is that always setting atime on access is a
global policy and backup software and auditing software could break if
atime bits are not updated (when they are configured to be updated),
and serious performance degradation could result (DOS attack) if atime
updates happen when they have been explicitly disabled.  Therefore an
unprivileged user should not be able to mess with the atime bits set
by a more privileged user.

The additional restrictions are implemented with the addition of
MNT_LOCK_NOSUID, MNT_LOCK_NODEV, MNT_LOCK_NOEXEC, and MNT_LOCK_ATIME
mnt flags.

Taken together these changes and the fixes for MNT_LOCK_READONLY
should make it safe for an unprivileged user to create a user
namespace and to call "mount --bind -o remount,... ..." without
the danger of mount flags being changed maliciously.

Cc: stable@vger.kernel.org
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/namespace.c        | 36 +++++++++++++++++++++++++++++++++---
 include/linux/mount.h |  5 +++++
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index 8e90b037b706..7c67de88f3f1 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -827,8 +827,21 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root,
 
 	mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~MNT_WRITE_HOLD;
 	/* Don't allow unprivileged users to change mount flags */
-	if ((flag & CL_UNPRIVILEGED) && (mnt->mnt.mnt_flags & MNT_READONLY))
-		mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
+	if (flag & CL_UNPRIVILEGED) {
+		mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
+
+		if (mnt->mnt.mnt_flags & MNT_READONLY)
+			mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
+
+		if (mnt->mnt.mnt_flags & MNT_NODEV)
+			mnt->mnt.mnt_flags |= MNT_LOCK_NODEV;
+
+		if (mnt->mnt.mnt_flags & MNT_NOSUID)
+			mnt->mnt.mnt_flags |= MNT_LOCK_NOSUID;
+
+		if (mnt->mnt.mnt_flags & MNT_NOEXEC)
+			mnt->mnt.mnt_flags |= MNT_LOCK_NOEXEC;
+	}
 
 	/* Don't allow unprivileged users to reveal what is under a mount */
 	if ((flag & CL_UNPRIVILEGED) && list_empty(&old->mnt_expire))
@@ -1841,6 +1854,23 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
 	    !(mnt_flags & MNT_READONLY)) {
 		return -EPERM;
 	}
+	if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
+	    !(mnt_flags & MNT_NODEV)) {
+		return -EPERM;
+	}
+	if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) &&
+	    !(mnt_flags & MNT_NOSUID)) {
+		return -EPERM;
+	}
+	if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) &&
+	    !(mnt_flags & MNT_NOEXEC)) {
+		return -EPERM;
+	}
+	if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) &&
+	    ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (mnt_flags & MNT_ATIME_MASK))) {
+		return -EPERM;
+	}
+
 	err = security_sb_remount(sb, data);
 	if (err)
 		return err;
@@ -2043,7 +2073,7 @@ static int do_new_mount(struct path *path, const char *fstype, int flags,
 		 */
 		if (!(type->fs_flags & FS_USERNS_DEV_MOUNT)) {
 			flags |= MS_NODEV;
-			mnt_flags |= MNT_NODEV;
+			mnt_flags |= MNT_NODEV | MNT_LOCK_NODEV;
 		}
 	}
 
diff --git a/include/linux/mount.h b/include/linux/mount.h
index 8707c9e9dbb9..22e5b96059cf 100644
--- a/include/linux/mount.h
+++ b/include/linux/mount.h
@@ -45,10 +45,15 @@ struct mnt_namespace;
 #define MNT_USER_SETTABLE_MASK  (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
 				 | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
 				 | MNT_READONLY)
+#define MNT_ATIME_MASK (MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME )
 
 
 #define MNT_INTERNAL	0x4000
 
+#define MNT_LOCK_ATIME		0x040000
+#define MNT_LOCK_NOEXEC		0x080000
+#define MNT_LOCK_NOSUID		0x100000
+#define MNT_LOCK_NODEV		0x200000
 #define MNT_LOCK_READONLY	0x400000
 #define MNT_LOCKED		0x800000
 
-- 
2.0.4


  parent reply	other threads:[~2014-08-20 11:47 UTC|newest]

Thread overview: 119+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-08-20 11:43 [PATCH 3.12 000/104] 3.12.27-stable review Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 001/104] s390/ptrace: fix PSW mask check Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 002/104] crypto: af_alg - properly label AF_ALG socket Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 003/104] ARM: 8115/1: LPAE: reduce damage caused by idmap to virtual memory layout Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 004/104] ath9k: fix aggregation session lockup Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 005/104] cfg80211: fix mic_failure tracing Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 006/104] rapidio/tsi721_dma: fix failure to obtain transaction descriptor Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 007/104] scsi: handle flush errors properly Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 008/104] mm/page-writeback.c: fix divide by zero in bdi_dirty_limits() Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 009/104] mm, thp: do not allow thp faults to avoid cpuset restrictions Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 010/104] memcg: oom_notify use-after-free fix Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 011/104] staging: vt6655: Fix disassociated messages every 10 seconds Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 012/104] iio:bma180: Fix scale factors to report correct acceleration units Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 013/104] iio:bma180: Missing check for frequency fractional part Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 014/104] iio: buffer: Fix demux table creation Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 015/104] dm bufio: fully initialize shrinker Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 016/104] dm cache: fix race affecting dirty block count Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 017/104] printk: rename printk_sched to printk_deferred Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 018/104] timer: Fix lock inversion between hrtimer_bases.lock and scheduler locks Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 019/104] Revert "x86-64, modify_ldt: Make support for 16-bit segments a runtime option" Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 020/104] x86-64, espfix: Don't leak bits 31:16 of %esp returning to 16-bit stack Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 021/104] x86, espfix: Move espfix definitions into a separate header file Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 022/104] x86, espfix: Fix broken header guard Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 023/104] x86, espfix: Make espfix64 a Kconfig option, fix UML Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 024/104] x86, espfix: Make it possible to disable 16-bit support Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 025/104] x86_64/entry/xen: Do not invoke espfix64 on Xen Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 026/104] staging: vt6655: Fix Warning on boot handle_irq_event_percpu Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 027/104] Revert "mac80211: move "bufferable MMPDU" check to fix AP mode scan" Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 028/104] xtensa: add fixup for double exception raised in window overflow Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 029/104] net/l2tp: don't fall back on UDP [get|set]sockopt Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 030/104] lib/btree.c: fix leak of whole btree nodes Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 031/104] x86/espfix/xen: Fix allocation of pages for paravirt page tables Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 032/104] bnx2x: fix crash during TSO tunneling Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 033/104] inetpeer: get rid of ip_id_count Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 034/104] ip: make IP identifiers less predictable Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 035/104] net: sendmsg: fix NULL pointer dereference Jiri Slaby
2014-08-20 11:42 ` [PATCH 3.12 036/104] tcp: Fix integer-overflows in TCP veno Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 037/104] tcp: Fix integer-overflow in TCP vegas Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 038/104] net: sctp: inherit auth_capable on INIT collisions Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 039/104] macvlan: Initialize vlan_features to turn on offload support Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 040/104] net: Correctly set segment mac_len in skb_segment() Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 041/104] iovec: make sure the caller actually wants anything in memcpy_fromiovecend Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 042/104] sctp: fix possible seqlock seadlock in sctp_packet_transmit() Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 043/104] sparc64: Fix argument sign extension for compat_sys_futex() Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 044/104] sparc64: Make itc_sync_lock raw Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 045/104] sparc64: Fix executable bit testing in set_pmd_at() paths Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 046/104] sparc64: Handle 32-bit tasks properly in compute_effective_address() Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 047/104] sparc64: Fix top-level fault handling bugs Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 048/104] sparc64: Add basic validations to {pud,pmd}_bad() Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 049/104] sparc64: Give more detailed information in {pgd,pmd}_ERROR() and kill pte_ERROR() Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 050/104] sparc64: Don't bark so loudly about 32-bit tasks generating 64-bit fault addresses Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 051/104] sparc64: Fix huge TSB mapping on pre-UltraSPARC-III cpus Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 052/104] sparc64: Add membar to Niagara2 memcpy code Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 053/104] sparc64: Do not insert non-valid PTEs into the TSB hash table Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 054/104] sparc64: Guard against flushing openfirmware mappings Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 055/104] bbc-i2c: Fix BBC I2C envctrl on SunBlade 2000 Jiri Slaby
2014-08-20 11:43   ` Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 056/104] sunsab: Fix detection of BREAK on sunsab serial console Jiri Slaby
2014-08-20 11:43   ` Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 057/104] sparc64: ldc_connect() should not return EINVAL when handshake is in progress Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 058/104] arch/sparc/math-emu/math_32.c: drop stray break operator Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 059/104] iwlwifi: mvm: Add a missed beacons threshold Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 060/104] mac80211: reset probe_send_count also in HW_CONNECTION_MONITOR case Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 061/104] hugetlb: fix copy_hugetlb_page_range() to handle migration/hwpoisoned entry Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 062/104] mm: hugetlb: fix copy_hugetlb_page_range() Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 063/104] mnt: Only change user settable mount flags in remount Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 064/104] mnt: Move the test for MNT_LOCK_READONLY from change_mount_flags into do_remount Jiri Slaby
2014-08-20 11:43 ` Jiri Slaby [this message]
2014-08-20 11:43 ` [PATCH 3.12 066/104] ext4: Fix block zeroing when punching holes in indirect block files Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 067/104] offb: Little endian fixes Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 068/104] fbcon: Clean up fbcon data in fb_info on FB_EVENT_FB_UNBIND with 0 fbs Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 069/104] DMA-API: provide a helper to set both DMA and coherent DMA masks Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 070/104] DMA-API: net: intel/e1000e: fix 32-bit DMA mask handling Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 071/104] e1000e: Fix a compile flag mis-match for suspend/resume Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 072/104] e1000e: Fix compilation warning when !CONFIG_PM_SLEEP Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 073/104] e1000: fix wrong queue idx calculation Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 074/104] e1000: prevent oops when adapter is being closed and reset simultaneously Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 075/104] e1000: fix possible reset_task running after adapter down Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 076/104] DMA-API: net: intel/ixgbe: fix 32-bit DMA mask handling Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 077/104] ixgbe: fix rx-usecs range checks for BQL Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 078/104] ixgbe: fix qv_lock_napi call in ixgbe_napi_disable_all Jiri Slaby
2014-08-21 10:03   ` Eliezer Tamir
2014-08-21 14:55     ` Keller, Jacob E
2014-08-21 14:55       ` Keller, Jacob E
2014-08-20 11:43 ` [PATCH 3.12 079/104] ixgbe: fix inconsistent clearing of the multicast table Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 080/104] DMA-API: net: intel/ixgbevf: fix 32-bit DMA mask handling Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 081/104] ixgbevf: cleanup redundant mailbox read failure check Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 082/104] DMA-API: net: intel/igb: fix 32-bit DMA mask handling Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 083/104] igb: Add ethtool offline tests for i354 Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 084/104] igb: Fix master/slave mode for all m88 i354 PHY's Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 085/104] igb: fix driver reload with VF assigned to guest Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 086/104] igb: Don't let ethtool try to write to iNVM in i210/i211 Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 087/104] igb: Fixed Wake On LAN support Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 088/104] DMA-API: net: intel/igbvf: fix 32-bit DMA mask handling Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 089/104] igbvf: integer wrapping bug setting the mtu Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 090/104] igbvf: add missing iounmap() on error in igbvf_probe() Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 091/104] DMA-API: net: brocade/bna/bnad.c: fix 32-bit DMA mask handling Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 092/104] netxen: Correct off-by-one errors in bounds checks Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 093/104] RDMA/cxgb3: Fix information leak in send_abort() Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 094/104] bnx2x: Test nvram when interface is down Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 095/104] bnx2fc: fix memory leak in bnx2fc_allocate_hash_table() Jiri Slaby
2014-08-20 11:43 ` [PATCH 3.12 096/104] tg3: Add support for new 577xx device ids Jiri Slaby
2014-08-20 11:44 ` [PATCH 3.12 097/104] tipc: don't use memcpy to copy from user space Jiri Slaby
2014-08-20 11:44 ` [PATCH 3.12 098/104] PCI: rphahp: Fix endianess issues Jiri Slaby
2014-08-20 11:44 ` [PATCH 3.12 099/104] Input: i8042 - add Acer Aspire 5710 to nomux blacklist Jiri Slaby
2014-08-20 11:44 ` [PATCH 3.12 100/104] HID: logitech-dj: Fix USB 3.0 issue Jiri Slaby
2014-08-20 11:44 ` [PATCH 3.12 101/104] ALSA: hda - load EQ params into IDT codec on HP bNB13 systems Jiri Slaby
2014-08-20 11:44 ` [PATCH 3.12 102/104] drivers/rtc/rtc-efi.c: avoid subtracting day twice when computing year days Jiri Slaby
2014-08-20 11:44 ` [PATCH 3.12 103/104] drivers/rtc/rtc-efi.c: check for invalid data coming back from UEFI Jiri Slaby
2014-08-20 11:44 ` [PATCH 3.12 104/104] drivers/rtc/interface.c: fix infinite loop in initializing the alarm Jiri Slaby
2014-08-20 16:54 ` [PATCH 3.12 000/104] 3.12.27-stable review Guenter Roeck
2014-08-20 19:54   ` Guenter Roeck
2014-08-21  8:05     ` Jiri Slaby
2014-08-21 15:08       ` Guenter Roeck
2014-08-21 16:31       ` Guenter Roeck
2014-08-23 15:14       ` Guenter Roeck
2014-08-23 18:10         ` David Miller
2014-08-26 11:32           ` Jiri Slaby
2014-08-22 19:38 ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ac9bfbc60931cae246eff6380449d6c2b0dced50.1408535000.git.jslaby@suse.cz \
    --to=jslaby@suse.cz \
    --cc=ebiederm@xmission.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.