Commit c4585861 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by Greg Kroah-Hartman
mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

commit df7342b2 upstream.

Jonathan Calmels from NVIDIA reported that he's able to bypass the
mount visibility security check in place in the Linux kernel by using
a combination of the unbindable property along with the private mount
propagation option to allow a unprivileged user to see a path which
was purposefully hidden by the root user.

  # Hide a path to all users using a tmpfs
  root@castiana:~# mount -t tmpfs tmpfs /sys/devices/

  # As an unprivileged user, unshare user namespace and mount namespace
  stgraber@castiana:~$ unshare -U -m -r

  # Confirm the path is still not accessible
  root@castiana:~# ls /sys/devices/

  # Make /sys recursively unbindable and private
  root@castiana:~# mount --make-runbindable /sys
  root@castiana:~# mount --make-private /sys

  # Recursively bind-mount the rest of /sys over to /mnnt
  root@castiana:~# mount --rbind /sys/ /mnt

  # Access our hidden /sys/device as an unprivileged user
  root@castiana:~# ls /mnt/devices/
  breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe
  LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system
  tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual

Solve this by teaching copy_tree to fail if a mount turns out to be
both unbindable and locked.

Fixes: 5ff9d8a6

 ("vfs: Lock in place mounts from more privileged users")
Reported-by: default avatarJonathan Calmels <>
Signed-off-by: default avatar"Eric W. Biederman" <>
Signed-off-by: default avatarGreg Kroah-Hartman <>
parent 5e64ee87
......@@ -1814,9 +1814,15 @@ struct mount *copy_tree(struct mount *mnt, struct dentry *dentry,
for (s = r; s; s = next_mnt(s, r)) {
if (!(flag & CL_COPY_UNBINDABLE) &&
if (s->mnt.mnt_flags & MNT_LOCKED) {
/* Both unbindable and locked. */
goto out;
} else {
s = skip_mnt_tree(s);
if (!(flag & CL_COPY_MNT_NS_FILE) &&
is_mnt_ns_file(s->mnt.mnt_root)) {
s = skip_mnt_tree(s);
