authorEric W. Biederman <ebiederm@xmission.com>2013-03-15 04:45:51 -0400
committerEric W. Biederman <ebiederm@xmission.com>2013-03-27 10:49:29 -0400
commit3151527ee007b73a0ebd296010f1c0454a919c7d (patch)
tree33175354889523cd20586fb28456e566529c46d9 /fs/namespace.c
parenteddc0a3abff273842a94784d2d022bbc36dc9015 (diff)
userns: Don't allow creation if the user is chrooted
Guarantee that the policy of which files may be accessed that is established by setting the root directory will not be violated by user namespaces by verifying that the root directory points to the root of the mount namespace at the time of user namespace creation. Changing the root is a privileged operation, and as a matter of policy it serves to limit unprivileged processes to files below the current root directory. For reasons of simplicity and comprehensibility the privilege to change the root directory is gated solely on the CAP_SYS_CHROOT capability in the user namespace. Therefore when creating a user namespace we must ensure that the policy of which files may be accessed can not be violated by changing the root directory. Anyone who runs a process in a chroot and would like to use user namespaces can set up the same view of filesystems with a mount namespace instead. The result is that this is not a practical limitation for using user namespaces. Cc: stable@vger.kernel.org Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Reported-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'fs/namespace.c')
-rw-r--r--fs/namespace.c24
1 files changed, 24 insertions, 0 deletions
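--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2732,6 +2732,30 @@ bool our_mnt(struct vfsmount *mnt)
 	return check_mnt(real_mount(mnt));
 }
 
+bool current_chrooted(void)
+{
+	/* Does the current process have a non-standard root */
+	struct path ns_root;
+	struct path fs_root;
+	bool chrooted;
+
+	/* Find the namespace root */
+	ns_root.mnt = &current->nsproxy->mnt_ns->root->mnt;
+	ns_root.dentry = ns_root.mnt->mnt_root;
+	path_get(&ns_root);
+	while (d_mountpoint(ns_root.dentry) && follow_down_one(&ns_root))
+		;
+
+	get_fs_root(current->fs, &fs_root);
+
+	chrooted = !path_equal(&fs_root, &ns_root);
+
+	path_put(&fs_root);
+	path_put(&ns_root);
+
+	return chrooted;
+}
+
 static void *mntns_get(struct task_struct *task)
 {
 	struct mnt_namespace *ns = NULL;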
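Review bot: current_chrooted() is a new non-static predicate that gates a security policy, yet its only description is the comment on the first line of its body, and nothing tells a caller that the result is a point-in-time snapshot. I would replace that with a comment above the function, e.g. `/* Returns true if current's fs root differs from the topmost mount on its mount namespace root; valid only at the time of the call. */`. fs_root is sampled once by get_fs_root(), so if the fs_struct is shared with another task the root could presumably change after the check, and the caller (outside this diff) has to account for that. The empty-bodied `while (d_mountpoint(...) && follow_down_one(...))` loop also deserves a why-comment such as `/* walk down through anything mounted on top of the namespace root */`, because "Find the namespace root" does not explain why the first mount is not already the answer.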