• Eric W. Biederman's avatar
    mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts · df7342b2
    Eric W. Biederman authored
    Jonathan Calmels from NVIDIA reported that he's able to bypass the
    mount visibility security check in place in the Linux kernel by using
    a combination of the unbindable property along with the private mount
    propagation option to allow a unprivileged user to see a path which
    was purposefully hidden by the root user.
    
    Reproducer:
      # Hide a path to all users using a tmpfs
      root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
      root@castiana:~#
    
      # As an unprivileged user, unshare user namespace and mount namespace
      stgraber@castiana:~$ unshare -U -m -r
    
      # Confirm the path is still not accessible
      root@castiana:~# ls /sys/devices/
    
      # Make /sys recursively unbindable and private
      root@castiana:~# mount --make-runbindable /sys
      root@castiana:~# mount --make-private /sys
    
      # Recursively bind-mount the rest of /sys over to /mnnt
      root@castiana:~# mount --rbind /sys/ /mnt
    
      # Access our hidden /sys/device as an unprivileged user
      root@castiana:~# ls /mnt/devices/
      breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe
      LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system
      tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual
    
    Solve this by teaching copy_tree to fail if a mount turns out to be
    both unbindable and locked.
    
    Cc: stable@vger.kernel.org
    Fixes: 5ff9d8a6 ("vfs: Lock in place mounts from more privileged users")
    Reported-by: default avatarJonathan Calmels <jcalmels@nvidia.com>
    Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
    df7342b2
namespace.c 84.7 KB