From: Andy Lutomirski <luto@amacapital.net> To: Will Drewry <wad@chromium.org>, linux-kernel@vger.kernel.org Cc: Casey Schaufler <casey@schaufler-ca.com>, Linus Torvalds <torvalds@linux-foundation.org>, Jamie Lokier <jamie@shareable.org>, keescook@chromium.org, john.johansen@canonical.com, serge.hallyn@canonical.com, coreyb@linux.vnet.ibm.com, pmoore@redhat.com, eparis@redhat.com, djm@mindrot.org, segoon@openwall.com, rostedt@goodmis.org, jmorris@namei.org, scarybeasts@gmail.com, avi@redhat.com, penberg@cs.helsinki.fi, viro@zeniv.linux.org.uk, mingo@elte.hu, akpm@linux-foundation.org, khilman@ti.com, borislav.petkov@amd.com, amwang@redhat.com, oleg@redhat.com, ak@linux.intel.com, eric.dumazet@gmail.com, gregkh@suse.de, dhowells@redhat.com, daniel.lezcano@free.fr, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, olofj@chromium.org, mhalcrow@google.com, dlaor@redhat.com, corbet@lwn.net, alan@lxorguk.ukuu.org.uk, Al Viro <viro@zeniv.linux.org.uk>, Andy Lutomirski <luto@amacapital.net> Subject: [PATCH v3 4/4] Allow unprivileged chroot when safe Date: Mon, 30 Jan 2012 08:17:29 -0800 [thread overview] Message-ID: <0e2f0f54e19bff53a3739ecfddb4ffa9a6dbde4d.1327858005.git.luto@amacapital.net> (raw) In-Reply-To: <cover.1327858005.git.luto@amacapital.net> In-Reply-To: <cover.1327858005.git.luto@amacapital.net> Chroot can easily be used to subvert setuid programs. If no_new_privs, then setuid programs don't gain any privilege, so allow chroot. Because chroot is an easy way to break out of chroot jail, CAP_SYS_ADMIN is still required if the caller is already chrooted. Signed-off-by: Andy Lutomirski <luto@amacapital.net> --- fs/open.c | 46 ++++++++++++++++++++++++++++++++++++++++++++-- 1 files changed, 44 insertions(+), 2 deletions(-) diff --git a/fs/open.c b/fs/open.c index 77becc0..2e2887a 100644 --- a/fs/open.c +++ b/fs/open.c @@ -418,10 +418,39 @@ out: return error; } +static bool is_chrooted(struct fs_struct *fs) +{ + bool ret; + + /* + * This is equivalent to checking whether "/.." is the same + * directory as "/", where the ".." part ignores the current + * root. This logic is the same as follow_dotdot except that we + * ignore fs->root and we don't need to follow the final + * mountpoint we end up on. + */ + struct path path = fs->root; + path_get(&path); + while (true) { + if (path.dentry != path.mnt->mnt_root) { + ret = true; /* .. moves up within a vfsmount. */ + break; + } + + if (!follow_up(&path)) { + ret = false; /* We've hit the real root. */ + break; + } + } + path_put(&path); + return ret; +} + SYSCALL_DEFINE1(chroot, const char __user *, filename) { struct path path; int error; + struct fs_struct *fs = current->fs; error = user_path_dir(filename, &path); if (error) @@ -432,13 +461,26 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename) goto dput_and_out; error = -EPERM; - if (!capable(CAP_SYS_CHROOT)) + /* + * Chroot is dangerous unless no_new_privs is set, and we also + * don't want to allow unprivileged users to break out of chroot + * jail with another chroot call. + * + * We therefore allow chroot under one of two circumstances: + * a) no_new_privs (so setuid and similar programs can't be + * exploited), fs not shared (to avoid bypassing no_new_privs), + * and not already chrooted (so there's no chroot jail to break + * out of) + * b) CAP_SYS_CHROOT + */ + if (!(current->no_new_privs && fs->users == 1 && !is_chrooted(fs)) && + !capable(CAP_SYS_CHROOT)) goto dput_and_out; error = security_path_chroot(&path); if (error) goto dput_and_out; - set_fs_root(current->fs, &path); + set_fs_root(fs, &path); error = 0; dput_and_out: path_put(&path); -- 1.7.7.6
next prev parent reply other threads:[~2012-01-30 16:18 UTC|newest] Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top 2012-01-30 16:17 [PATCH v3 0/4] PR_SET_NO_NEW_PRIVS, unshare, and chroot Andy Lutomirski 2012-01-30 16:17 ` [PATCH v3 1/4] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs Andy Lutomirski 2012-02-01 18:14 ` Kees Cook 2012-01-30 16:17 ` [PATCH v3 2/4] Fix apparmor for PR_{GET,SET}_NO_NEW_PRIVS Andy Lutomirski 2012-01-30 16:17 ` [PATCH v3 3/4] Allow unprivileged CLONE_NEWUTS and CLONE_NEWIPC with no_new_privs Andy Lutomirski 2012-02-01 19:02 ` Kees Cook 2012-02-01 20:35 ` Andy Lutomirski 2012-01-30 16:17 ` Andy Lutomirski [this message] 2012-01-30 21:58 ` [PATCH v3 4/4] Allow unprivileged chroot when safe Colin Walters 2012-01-30 22:10 ` Andy Lutomirski 2012-01-30 22:41 ` Colin Walters 2012-01-30 22:43 ` Andy Lutomirski 2012-01-30 23:10 ` Colin Walters 2012-01-30 23:15 ` Andy Lutomirski 2012-01-30 23:55 ` Colin Walters 2012-01-31 0:13 ` Andy Lutomirski 2012-01-30 22:18 ` Steven Rostedt 2012-01-30 22:28 ` Andy Lutomirski 2012-01-30 22:38 ` Will Drewry 2012-01-30 22:48 ` Colin Walters 2012-01-30 22:51 ` Andy Lutomirski 2012-02-09 9:35 ` Vasiliy Kulikov
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=0e2f0f54e19bff53a3739ecfddb4ffa9a6dbde4d.1327858005.git.luto@amacapital.net \ --to=luto@amacapital.net \ --cc=ak@linux.intel.com \ --cc=akpm@linux-foundation.org \ --cc=alan@lxorguk.ukuu.org.uk \ --cc=amwang@redhat.com \ --cc=avi@redhat.com \ --cc=borislav.petkov@amd.com \ --cc=casey@schaufler-ca.com \ --cc=corbet@lwn.net \ --cc=coreyb@linux.vnet.ibm.com \ --cc=daniel.lezcano@free.fr \ --cc=dhowells@redhat.com \ --cc=djm@mindrot.org \ --cc=dlaor@redhat.com \ --cc=eparis@redhat.com \ --cc=eric.dumazet@gmail.com \ --cc=gregkh@suse.de \ --cc=jamie@shareable.org \ --cc=jmorris@namei.org \ --cc=john.johansen@canonical.com \ --cc=keescook@chromium.org \ --cc=khilman@ti.com \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=mhalcrow@google.com \ --cc=mingo@elte.hu \ --cc=oleg@redhat.com \ --cc=olofj@chromium.org \ --cc=penberg@cs.helsinki.fi \ --cc=pmoore@redhat.com \ --cc=rostedt@goodmis.org \ --cc=scarybeasts@gmail.com \ --cc=segoon@openwall.com \ --cc=serge.hallyn@canonical.com \ --cc=torvalds@linux-foundation.org \ --cc=viro@zeniv.linux.org.uk \ --cc=wad@chromium.org \ --subject='Re: [PATCH v3 4/4] Allow unprivileged chroot when safe' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).