    mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts · c4585861
    Eric W. Biederman authored
    commit df7342b2 upstream.
    
    Jonathan Calmels from NVIDIA reported that he's able to bypass the
    mount visibility security check in place in the Linux kernel by using
    a combination of the unbindable property along with the private mount
    propagation option to allow an unprivileged user to see a path which
    was purposefully hidden by the root user.
    
    Reproducer:
      # Hide a path to all users using a tmpfs
      root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
      root@castiana:~#
    
      # As an unprivileged user, unshare user namespace and mount namespace
      stgraber@castiana:~$ unshare -U -m -r
    
      # Confirm the path is still not accessible
      root@castiana:~# ls /sys/devices/
    
      # Make /sys recursively unbindable and private
      root@castiana:~# mount --make-runbindable /sys
      root@castiana:~# mount --make-private /sys
    
      # Recursively bind-mount the rest of /sys over to /mnt
      root@castiana:~# mount --rbind /sys/ /mnt
    
      # Access our hidden /sys/devices as an unprivileged user
      root@castiana:~# ls /mnt/devices/
      breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe
      LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system
      tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual
    
    Solve this by teaching copy_tree to fail if a mount turns out to be
    both unbindable and locked.
    
    Cc: stable@vger.kernel.org
    Fixes: 5ff9d8a6 ("vfs: Lock in place mounts from more privileged users")
    Reported-by: Jonathan Calmels <jcalmels@nvidia.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
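The following is an added, stand-alone C model of the mount-tree copy that the commit message describes; it is not the kernel's code and not part of the commit page. `struct mount`, `copy_tree`, `make_runbindable` and `make_private` are reduced to the pieces the reproducer exercises (the flag names `MNT_UNBINDABLE` and `MNT_LOCKED` are the kernel's, their representation here is an assumption of the model). It shows why the reproducer needs the non-recursive `--make-private` step, how a bind copy that skips unbindable submounts drops the locked tmpfs that root placed over `/sys/devices`, and how the fix turns that case into `-EPERM`.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not the kernel's struct mount: only the fields the
 * reproducer in the commit message needs. Flag names follow the kernel. */
enum {
    MNT_UNBINDABLE = 1 << 0, /* propagation type "unbindable" */
    MNT_LOCKED     = 1 << 1, /* placed by a more privileged namespace; cannot be unmounted here */
};

#define MAX_CHILDREN 4

struct mount {
    const char *mountpoint;
    const char *fstype;
    unsigned flags;
    struct mount *children[MAX_CHILDREN];
    int nchildren;
};

static struct mount *new_mount(const char *mp, const char *fstype, unsigned flags)
{
    struct mount *m = calloc(1, sizeof *m);
    if (!m) abort();
    m->mountpoint = mp;
    m->fstype = fstype;
    m->flags = flags;
    return m;
}

static void free_tree(struct mount *m)
{
    if (!m) return;
    for (int i = 0; i < m->nchildren; i++)
        free_tree(m->children[i]);
    free(m);
}

/* "mount --make-runbindable": mark a mount and every submount unbindable. */
static void make_runbindable(struct mount *m)
{
    m->flags |= MNT_UNBINDABLE;
    for (int i = 0; i < m->nchildren; i++)
        make_runbindable(m->children[i]);
}

/* "mount --make-private" (non-recursive): propagation types are exclusive, so
 * the root loses its unbindable mark while the submounts keep theirs. */
static void make_private(struct mount *m)
{
    m->flags &= ~MNT_UNBINDABLE;
}

/* Modelled copy_tree for a bind mount: unbindable submounts are left out of
 * the copy. With fix_enabled, a submount that is both unbindable and locked
 * aborts the whole copy with -EPERM, which is the behaviour the commit adds. */
static int copy_tree(const struct mount *src, struct mount **out, int fix_enabled)
{
    struct mount *copy = new_mount(src->mountpoint, src->fstype, src->flags);
    for (int i = 0; i < src->nchildren; i++) {
        const struct mount *c = src->children[i];
        if (c->flags & MNT_UNBINDABLE) {
            if (fix_enabled && (c->flags & MNT_LOCKED)) {
                free_tree(copy);
                *out = NULL;
                return -EPERM;
            }
            continue; /* skipped: the copy carries no mount at this path */
        }
        struct mount *cc = NULL;
        int rc = copy_tree(c, &cc, fix_enabled);
        if (rc) { free_tree(copy); *out = NULL; return rc; }
        copy->children[copy->nchildren++] = cc;
    }
    *out = copy;
    return 0;
}

/* Is there still a mount covering 'path' anywhere in the tree? */
static int tree_covers(const struct mount *m, const char *path)
{
    if (strcmp(m->mountpoint, path) == 0) return 1;
    for (int i = 0; i < m->nchildren; i++)
        if (tree_covers(m->children[i], path)) return 1;
    return 0;
}

/* Replays the reproducer against the model. Returns 1 if the tmpfs root placed
 * over /sys/devices is missing from the bind copy (the hidden path is exposed),
 * 0 if it is still covered, -EINVAL if the source itself is unbindable, or
 * -EPERM if the copy is refused (fixed behaviour). */
static int rbind_exposes_hidden_path(int fix_enabled)
{
    /* Constructed scenario: root's tmpfs on /sys/devices is MNT_LOCKED inside
     * the unprivileged mount namespace created by "unshare -U -m -r". */
    struct mount *sys = new_mount("/sys", "sysfs", 0);
    sys->children[sys->nchildren++] = new_mount("/sys/devices", "tmpfs", MNT_LOCKED);

    make_runbindable(sys); /* mount --make-runbindable /sys */
    make_private(sys);     /* mount --make-private /sys */

    if (sys->flags & MNT_UNBINDABLE) { free_tree(sys); return -EINVAL; } /* bind of an unbindable source is refused */

    struct mount *copy = NULL;
    int rc = copy_tree(sys, &copy, fix_enabled); /* mount --rbind /sys/ /mnt */
    if (rc) { free_tree(sys); return rc; }

    int exposed = !tree_covers(copy, "/sys/devices");
    free_tree(copy);
    free_tree(sys);
    return exposed;
}
```

Running `rbind_exposes_hidden_path(0)` returns 1: the bind copy has no mount at `/sys/devices`, so the underlying sysfs directory that root covered becomes visible, which is exactly the listing at the end of the reproducer. With `fix_enabled` set the same call returns `-EPERM`, because the copy now refuses to silently drop a mount that the namespace is not allowed to unmount. For auditing, the relevant observable on a live system is a mount in `/proc/self/mountinfo` whose optional fields include `unbindable` and that was inherited from a parent namespace; a kernel with this fix will reject the recursive bind rather than produce a tree with that mount missing.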