Re: [CFT][PATCH 11/10] mnt: Avoid unnecessary regressions in
fs_fully_visible (take 2)
[Posted June 10, 2015 by jake]
| From: |
| Greg Kroah-Hartman <gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r-AT-public.gmane.org> |
| To: |
| "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w-AT-public.gmane.org> |
| Subject: |
| Re: [CFT][PATCH 11/10] mnt: Avoid unnecessary regressions in fs_fully_visible (take 2) |
| Date: |
| Thu, 4 Jun 2015 14:20:39 +0900 |
| Message-ID: |
| <20150604052039.GB21049@kroah.com> |
| Cc: |
| Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ-AT-public.gmane.org>, Kenton Varda <kenton-AuYgBwuPrUQTaNkGU808tA-AT-public.gmane.org>, Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA-AT-public.gmane.org>, Seth Forshee <seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw-AT-public.gmane.org>, Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA-AT-public.gmane.org>, Linux Containers <containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA-AT-public.gmane.org>, Michael Kerrisk-manpages <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w-AT-public.gmane.org>, Richard Weinberger <richard-/L3Ra7n9ekc-AT-public.gmane.org>, Linux FS Devel <linux-fsdevel-u79uwXL29TY76Z2rM5mHXA-AT-public.gmane.org>, Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A-AT-public.gmane.org> |
| Archive‑link: | |
Article |
On Wed, Jun 03, 2015 at 11:35:30PM -0500, Eric W. Biederman wrote:
>
> Not allowing programs to clear nosuid and noexec on new mounts of
> sysfs or proc will cause lxc and libvirt-lxc to fail to start (a
> regression). There are no executables files on sysfs or proc today
> which means clearing these flags is harmless today.
>
> Instead of failing the fresh mounts of sysfs and proc emit a warning
> when these flags are improprely cleared. We only reach this point
> because lxc and libvirt-lxc clear flags they mount flags had not
> intended to.
>
> In a couple of kernel releases when lxc and libvirt-lxc have been
> fixed we can start failing fresh mounts proc and sysfs that clear
> nosuid and noexec. Userspace clearly means to enforce those
> attributes and enforcing these attributes have historically avoided
> bugs in the setattr implementations of proc and sysfs.
>
> Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> Signed-off-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
> ---
>
> Now with warning on problematic remounts as well.
> nodev is also ignored because it is not currently problematic.
>
> fs/namespace.c | 33 +++++++++++++++++++++++++++++++++
> include/linux/mount.h | 5 +++++
> 2 files changed, 38 insertions(+)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index eccd925c6e82..3c3f8172c734 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -2162,6 +2162,18 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
> ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (mnt_flags & MNT_ATIME_MASK))) {
> return -EPERM;
> }
> + if ((mnt->mnt.mnt_flags & MNT_WARN_NOSUID) &&
> + !(mnt_flags & MNT_NOSUID) && printk_ratelimit()) {
> + printk(KERN_INFO
> + "warning: process `%s' clears nosuid in remount of %s\n",
> + current->comm, sb->s_type->name);
> + }
> + if ((mnt->mnt.mnt_flags & MNT_WARN_NOEXEC) &&
> + !(mnt_flags & MNT_NOEXEC) && printk_ratelimit()) {
> + printk(KERN_INFO
> + "warning: process `%s' clears noexec in remount of %s\n",
> + current->comm, sb->s_type->name);
> + }
>
> err = security_sb_remount(sb, data);
> if (err)
> @@ -3201,12 +3213,14 @@ static bool fs_fully_visible(struct file_system_type *type, int
*new_mnt_flags)
> if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
> !(new_flags & MNT_NODEV))
> continue;
> +#if 0 /* Avoid unnecessary regressions */
> if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) &&
> !(new_flags & MNT_NOSUID))
> continue;
> if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) &&
> !(new_flags & MNT_NOEXEC))
> continue;
> +#endif
> if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) &&
> ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (new_flags & MNT_ATIME_MASK)))
> continue;
> @@ -3227,9 +3241,28 @@ static bool fs_fully_visible(struct file_system_type *type, int
*new_mnt_flags)
> /* Preserve the locked attributes */
> *new_mnt_flags |= mnt->mnt.mnt_flags & (MNT_LOCK_READONLY | \
> MNT_LOCK_NODEV | \
> + /* Avoid unnecessary regressions \
> MNT_LOCK_NOSUID | \
> MNT_LOCK_NOEXEC | \
> + */ \
> MNT_LOCK_ATIME);
> + /* For now, warn about the "harmless" but invalid mnt flags */
> + if (mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) {
> + *new_mnt_flags |= MNT_WARN_NOSUID;
> + if (!(new_flags & MNT_NOSUID) && printk_ratelimit()) {
> + printk(KERN_INFO
> + "warning: process `%s' clears nosuid in mount of %s\n",
> + current->comm, type->name);
> + }
> + }
> + if (mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) {
> + *new_mnt_flags |= MNT_WARN_NOEXEC;
> + if (!(new_flags & MNT_NOEXEC) && printk_ratelimit()) {
> + printk(KERN_INFO
> + "warning: process `%s' clears noexec in mount of %s\n",
> + current->comm, type->name);
> + }
> + }
Adding this to a stable kernel is not going to be ok, sorry. We can't
start being noisy in system logs for things that were working just fine.
greg k-h
