diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-12-17 15:31:40 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-12-17 15:31:40 -0500 |
| commit | 87c31b39abcb6fb6bd7d111200c9627a594bf6a9 (patch) | |
| tree | ab2e5331fea9b823cb92719d0954a9141451c931 /tools | |
| parent | f045bbb9fa1bf6f507ad4de12d4e3471d8f672f1 (diff) | |
| parent | db86da7cb76f797a1a8b445166a15cb922c6ff85 (diff) | |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull user namespace related fixes from Eric Biederman:
"As these are bug fixes almost all of thes changes are marked for
backporting to stable.
The first change (implicitly adding MNT_NODEV on remount) addresses a
regression that was created when security issues with unprivileged
remount were closed. I go on to update the remount test to make it
easy to detect if this issue reoccurs.
Then there are a handful of mount and umount related fixes.
Then half of the changes deal with the a recently discovered design
bug in the permission checks of gid_map. Unix since the beginning has
allowed setting group permissions on files to less than the user and
other permissions (aka ---rwx---rwx). As the unix permission checks
stop as soon as a group matches, and setgroups allows setting groups
that can not later be dropped, results in a situtation where it is
possible to legitimately use a group to assign fewer privileges to a
process. Which means dropping a group can increase a processes
privileges.
The fix I have adopted is that gid_map is now no longer writable
without privilege unless the new file /proc/self/setgroups has been
set to permanently disable setgroups.
The bulk of user namespace using applications even the applications
using applications using user namespaces without privilege remain
unaffected by this change. Unfortunately this ix breaks a couple user
space applications, that were relying on the problematic behavior (one
of which was tools/selftests/mount/unprivileged-remount-test.c).
To hopefully prevent needing a regression fix on top of my security
fix I rounded folks who work with the container implementations mostly
like to be affected and encouraged them to test the changes.
> So far nothing broke on my libvirt-lxc test bed. :-)
> Tested with openSUSE 13.2 and libvirt 1.2.9.
> Tested-by: Richard Weinberger <richard@nod.at>
> Tested on Fedora20 with libvirt 1.2.11, works fine.
> Tested-by: Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
> Ok, thanks - yes, unprivileged lxc is working fine with your kernels.
> Just to be sure I was testing the right thing I also tested using
> my unprivileged nsexec testcases, and they failed on setgroup/setgid
> as now expected, and succeeded there without your patches.
> Tested-by: Serge Hallyn <serge.hallyn@ubuntu.com>
> I tested this with Sandstorm. It breaks as is and it works if I add
> the setgroups thing.
> Tested-by: Andy Lutomirski <luto@amacapital.net> # breaks things as designed :("
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
userns: Unbreak the unprivileged remount tests
userns; Correct the comment in map_write
userns: Allow setting gid_maps without privilege when setgroups is disabled
userns: Add a knob to disable setgroups on a per user namespace basis
userns: Rename id_map_mutex to userns_state_mutex
userns: Only allow the creator of the userns unprivileged mappings
userns: Check euid no fsuid when establishing an unprivileged uid mapping
userns: Don't allow unprivileged creation of gid mappings
userns: Don't allow setgroups until a gid mapping has been setablished
userns: Document what the invariant required for safe unprivileged mappings.
groups: Consolidate the setgroups permission checks
mnt: Clear mnt_expire during pivot_root
mnt: Carefully set CL_UNPRIVILEGED in clone_mnt
mnt: Move the clear of MNT_LOCKED from copy_tree to it's callers.
umount: Do not allow unmounting rootfs.
umount: Disallow unprivileged mount force
mnt: Update unprivileged remount test
mnt: Implicitly add MNT_NODEV on remount when it was implicitly added by mount
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/testing/selftests/mount/unprivileged-remount-test.c | 204 |
1 files changed, 166 insertions, 38 deletions
diff --git a/tools/testing/selftests/mount/unprivileged-remount-test.c b/tools/testing/selftests/mount/unprivileged-remount-test.c index 1b3ff2fda4d0..517785052f1c 100644 --- a/tools/testing/selftests/mount/unprivileged-remount-test.c +++ b/tools/testing/selftests/mount/unprivileged-remount-test.c | |||
| @@ -6,6 +6,8 @@ | |||
| 6 | #include <sys/types.h> | 6 | #include <sys/types.h> |
| 7 | #include <sys/mount.h> | 7 | #include <sys/mount.h> |
| 8 | #include <sys/wait.h> | 8 | #include <sys/wait.h> |
| 9 | #include <sys/vfs.h> | ||
| 10 | #include <sys/statvfs.h> | ||
| 9 | #include <stdlib.h> | 11 | #include <stdlib.h> |
| 10 | #include <unistd.h> | 12 | #include <unistd.h> |
| 11 | #include <fcntl.h> | 13 | #include <fcntl.h> |
| @@ -32,11 +34,14 @@ | |||
| 32 | # define CLONE_NEWPID 0x20000000 | 34 | # define CLONE_NEWPID 0x20000000 |
| 33 | #endif | 35 | #endif |
| 34 | 36 | ||
| 37 | #ifndef MS_REC | ||
| 38 | # define MS_REC 16384 | ||
| 39 | #endif | ||
| 35 | #ifndef MS_RELATIME | 40 | #ifndef MS_RELATIME |
| 36 | #define MS_RELATIME (1 << 21) | 41 | # define MS_RELATIME (1 << 21) |
| 37 | #endif | 42 | #endif |
| 38 | #ifndef MS_STRICTATIME | 43 | #ifndef MS_STRICTATIME |
| 39 | #define MS_STRICTATIME (1 << 24) | 44 | # define MS_STRICTATIME (1 << 24) |
| 40 | #endif | 45 | #endif |
| 41 | 46 | ||
| 42 | static void die(char *fmt, ...) | 47 | static void die(char *fmt, ...) |
| @@ -48,17 +53,14 @@ static void die(char *fmt, ...) | |||
| 48 | exit(EXIT_FAILURE); | 53 | exit(EXIT_FAILURE); |
| 49 | } | 54 | } |
| 50 | 55 | ||
| 51 | static void write_file(char *filename, char *fmt, ...) | 56 | static void vmaybe_write_file(bool enoent_ok, char *filename, char *fmt, va_list ap) |
| 52 | { | 57 | { |
| 53 | char buf[4096]; | 58 | char buf[4096]; |
| 54 | int fd; | 59 | int fd; |
| 55 | ssize_t written; | 60 | ssize_t written; |
| 56 | int buf_len; | 61 | int buf_len; |
| 57 | va_list ap; | ||
| 58 | 62 | ||
| 59 | va_start(ap, fmt); | ||
| 60 | buf_len = vsnprintf(buf, sizeof(buf), fmt, ap); | 63 | buf_len = vsnprintf(buf, sizeof(buf), fmt, ap); |
| 61 | va_end(ap); | ||
| 62 | if (buf_len < 0) { | 64 | if (buf_len < 0) { |
| 63 | die("vsnprintf failed: %s\n", | 65 | die("vsnprintf failed: %s\n", |
| 64 | strerror(errno)); | 66 | strerror(errno)); |
| @@ -69,6 +71,8 @@ static void write_file(char *filename, char *fmt, ...) | |||
| 69 | 71 | ||
| 70 | fd = open(filename, O_WRONLY); | 72 | fd = open(filename, O_WRONLY); |
| 71 | if (fd < 0) { | 73 | if (fd < 0) { |
| 74 | if ((errno == ENOENT) && enoent_ok) | ||
| 75 | return; | ||
| 72 | die("open of %s failed: %s\n", | 76 | die("open of %s failed: %s\n", |
| 73 | filename, strerror(errno)); | 77 | filename, strerror(errno)); |
| 74 | } | 78 | } |
| @@ -87,6 +91,65 @@ static void write_file(char *filename, char *fmt, ...) | |||
| 87 | } | 91 | } |
| 88 | } | 92 | } |
| 89 | 93 | ||
| 94 | static void maybe_write_file(char *filename, char *fmt, ...) | ||
| 95 | { | ||
| 96 | va_list ap; | ||
| 97 | |||
| 98 | va_start(ap, fmt); | ||
| 99 | vmaybe_write_file(true, filename, fmt, ap); | ||
| 100 | va_end(ap); | ||
| 101 | |||
| 102 | } | ||
| 103 | |||
| 104 | static void write_file(char *filename, char *fmt, ...) | ||
| 105 | { | ||
| 106 | va_list ap; | ||
| 107 | |||
| 108 | va_start(ap, fmt); | ||
| 109 | vmaybe_write_file(false, filename, fmt, ap); | ||
| 110 | va_end(ap); | ||
| 111 | |||
| 112 | } | ||
| 113 | |||
| 114 | static int read_mnt_flags(const char *path) | ||
| 115 | { | ||
| 116 | int ret; | ||
| 117 | struct statvfs stat; | ||
| 118 | int mnt_flags; | ||
| 119 | |||
| 120 | ret = statvfs(path, &stat); | ||
| 121 | if (ret != 0) { | ||
| 122 | die("statvfs of %s failed: %s\n", | ||
| 123 | path, strerror(errno)); | ||
| 124 | } | ||
| 125 | if (stat.f_flag & ~(ST_RDONLY | ST_NOSUID | ST_NODEV | \ | ||
| 126 | ST_NOEXEC | ST_NOATIME | ST_NODIRATIME | ST_RELATIME | \ | ||
| 127 | ST_SYNCHRONOUS | ST_MANDLOCK)) { | ||
| 128 | die("Unrecognized mount flags\n"); | ||
| 129 | } | ||
| 130 | mnt_flags = 0; | ||
| 131 | if (stat.f_flag & ST_RDONLY) | ||
| 132 | mnt_flags |= MS_RDONLY; | ||
| 133 | if (stat.f_flag & ST_NOSUID) | ||
| 134 | mnt_flags |= MS_NOSUID; | ||
| 135 | if (stat.f_flag & ST_NODEV) | ||
| 136 | mnt_flags |= MS_NODEV; | ||
| 137 | if (stat.f_flag & ST_NOEXEC) | ||
| 138 | mnt_flags |= MS_NOEXEC; | ||
| 139 | if (stat.f_flag & ST_NOATIME) | ||
| 140 | mnt_flags |= MS_NOATIME; | ||
| 141 | if (stat.f_flag & ST_NODIRATIME) | ||
| 142 | mnt_flags |= MS_NODIRATIME; | ||
| 143 | if (stat.f_flag & ST_RELATIME) | ||
| 144 | mnt_flags |= MS_RELATIME; | ||
| 145 | if (stat.f_flag & ST_SYNCHRONOUS) | ||
| 146 | mnt_flags |= MS_SYNCHRONOUS; | ||
| 147 | if (stat.f_flag & ST_MANDLOCK) | ||
| 148 | mnt_flags |= ST_MANDLOCK; | ||
| 149 | |||
| 150 | return mnt_flags; | ||
| 151 | } | ||
| 152 | |||
| 90 | static void create_and_enter_userns(void) | 153 | static void create_and_enter_userns(void) |
| 91 | { | 154 | { |
| 92 | uid_t uid; | 155 | uid_t uid; |
| @@ -100,13 +163,10 @@ static void create_and_enter_userns(void) | |||
| 100 | strerror(errno)); | 163 | strerror(errno)); |
| 101 | } | 164 | } |
| 102 | 165 | ||
| 166 | maybe_write_file("/proc/self/setgroups", "deny"); | ||
| 103 | write_file("/proc/self/uid_map", "0 %d 1", uid); | 167 | write_file("/proc/self/uid_map", "0 %d 1", uid); |
| 104 | write_file("/proc/self/gid_map", "0 %d 1", gid); | 168 | write_file("/proc/self/gid_map", "0 %d 1", gid); |
| 105 | 169 | ||
| 106 | if (setgroups(0, NULL) != 0) { | ||
| 107 | die("setgroups failed: %s\n", | ||
| 108 | strerror(errno)); | ||
| 109 | } | ||
| 110 | if (setgid(0) != 0) { | 170 | if (setgid(0) != 0) { |
| 111 | die ("setgid(0) failed %s\n", | 171 | die ("setgid(0) failed %s\n", |
| 112 | strerror(errno)); | 172 | strerror(errno)); |
| @@ -118,7 +178,8 @@ static void create_and_enter_userns(void) | |||
| 118 | } | 178 | } |
| 119 | 179 | ||
| 120 | static | 180 | static |
| 121 | bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags) | 181 | bool test_unpriv_remount(const char *fstype, const char *mount_options, |
| 182 | int mount_flags, int remount_flags, int invalid_flags) | ||
| 122 | { | 183 | { |
| 123 | pid_t child; | 184 | pid_t child; |
| 124 | 185 | ||
| @@ -151,9 +212,11 @@ bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags) | |||
| 151 | strerror(errno)); | 212 | strerror(errno)); |
| 152 | } | 213 | } |
| 153 | 214 | ||
| 154 | if (mount("testing", "/tmp", "ramfs", mount_flags, NULL) != 0) { | 215 | if (mount("testing", "/tmp", fstype, mount_flags, mount_options) != 0) { |
| 155 | die("mount of /tmp failed: %s\n", | 216 | die("mount of %s with options '%s' on /tmp failed: %s\n", |
| 156 | strerror(errno)); | 217 | fstype, |
| 218 | mount_options? mount_options : "", | ||
| 219 | strerror(errno)); | ||
| 157 | } | 220 | } |
| 158 | 221 | ||
| 159 | create_and_enter_userns(); | 222 | create_and_enter_userns(); |
| @@ -181,62 +244,127 @@ bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags) | |||
| 181 | 244 | ||
| 182 | static bool test_unpriv_remount_simple(int mount_flags) | 245 | static bool test_unpriv_remount_simple(int mount_flags) |
| 183 | { | 246 | { |
| 184 | return test_unpriv_remount(mount_flags, mount_flags, 0); | 247 | return test_unpriv_remount("ramfs", NULL, mount_flags, mount_flags, 0); |
| 185 | } | 248 | } |
| 186 | 249 | ||
| 187 | static bool test_unpriv_remount_atime(int mount_flags, int invalid_flags) | 250 | static bool test_unpriv_remount_atime(int mount_flags, int invalid_flags) |
| 188 | { | 251 | { |
| 189 | return test_unpriv_remount(mount_flags, mount_flags, invalid_flags); | 252 | return test_unpriv_remount("ramfs", NULL, mount_flags, mount_flags, |
| 253 | invalid_flags); | ||
| 254 | } | ||
| 255 | |||
| 256 | static bool test_priv_mount_unpriv_remount(void) | ||
| 257 | { | ||
| 258 | pid_t child; | ||
| 259 | int ret; | ||
| 260 | const char *orig_path = "/dev"; | ||
| 261 | const char *dest_path = "/tmp"; | ||
| 262 | int orig_mnt_flags, remount_mnt_flags; | ||
| 263 | |||
| 264 | child = fork(); | ||
| 265 | if (child == -1) { | ||
| 266 | die("fork failed: %s\n", | ||
| 267 | strerror(errno)); | ||
| 268 | } | ||
| 269 | if (child != 0) { /* parent */ | ||
| 270 | pid_t pid; | ||
| 271 | int status; | ||
| 272 | pid = waitpid(child, &status, 0); | ||
| 273 | if (pid == -1) { | ||
| 274 | die("waitpid failed: %s\n", | ||
| 275 | strerror(errno)); | ||
| 276 | } | ||
| 277 | if (pid != child) { | ||
| 278 | die("waited for %d got %d\n", | ||
| 279 | child, pid); | ||
| 280 | } | ||
| 281 | if (!WIFEXITED(status)) { | ||
| 282 | die("child did not terminate cleanly\n"); | ||
| 283 | } | ||
| 284 | return WEXITSTATUS(status) == EXIT_SUCCESS ? true : false; | ||
| 285 | } | ||
| 286 | |||
| 287 | orig_mnt_flags = read_mnt_flags(orig_path); | ||
| 288 | |||
| 289 | create_and_enter_userns(); | ||
| 290 | ret = unshare(CLONE_NEWNS); | ||
| 291 | if (ret != 0) { | ||
| 292 | die("unshare(CLONE_NEWNS) failed: %s\n", | ||
| 293 | strerror(errno)); | ||
| 294 | } | ||
| 295 | |||
| 296 | ret = mount(orig_path, dest_path, "bind", MS_BIND | MS_REC, NULL); | ||
| 297 | if (ret != 0) { | ||
| 298 | die("recursive bind mount of %s onto %s failed: %s\n", | ||
| 299 | orig_path, dest_path, strerror(errno)); | ||
| 300 | } | ||
| 301 | |||
| 302 | ret = mount(dest_path, dest_path, "none", | ||
| 303 | MS_REMOUNT | MS_BIND | orig_mnt_flags , NULL); | ||
| 304 | if (ret != 0) { | ||
| 305 | /* system("cat /proc/self/mounts"); */ | ||
| 306 | die("remount of /tmp failed: %s\n", | ||
| 307 | strerror(errno)); | ||
| 308 | } | ||
| 309 | |||
| 310 | remount_mnt_flags = read_mnt_flags(dest_path); | ||
| 311 | if (orig_mnt_flags != remount_mnt_flags) { | ||
| 312 | die("Mount flags unexpectedly changed during remount of %s originally mounted on %s\n", | ||
| 313 | dest_path, orig_path); | ||
| 314 | } | ||
| 315 | exit(EXIT_SUCCESS); | ||
| 190 | } | 316 | } |
| 191 | 317 | ||
| 192 | int main(int argc, char **argv) | 318 | int main(int argc, char **argv) |
| 193 | { | 319 | { |
| 194 | if (!test_unpriv_remount_simple(MS_RDONLY|MS_NODEV)) { | 320 | if (!test_unpriv_remount_simple(MS_RDONLY)) { |
| 195 | die("MS_RDONLY malfunctions\n"); | 321 | die("MS_RDONLY malfunctions\n"); |
| 196 | } | 322 | } |
| 197 | if (!test_unpriv_remount_simple(MS_NODEV)) { | 323 | if (!test_unpriv_remount("devpts", "newinstance", MS_NODEV, MS_NODEV, 0)) { |
| 198 | die("MS_NODEV malfunctions\n"); | 324 | die("MS_NODEV malfunctions\n"); |
| 199 | } | 325 | } |
| 200 | if (!test_unpriv_remount_simple(MS_NOSUID|MS_NODEV)) { | 326 | if (!test_unpriv_remount_simple(MS_NOSUID)) { |
| 201 | die("MS_NOSUID malfunctions\n"); | 327 | die("MS_NOSUID malfunctions\n"); |
| 202 | } | 328 | } |
| 203 | if (!test_unpriv_remount_simple(MS_NOEXEC|MS_NODEV)) { | 329 | if (!test_unpriv_remount_simple(MS_NOEXEC)) { |
| 204 | die("MS_NOEXEC malfunctions\n"); | 330 | die("MS_NOEXEC malfunctions\n"); |
| 205 | } | 331 | } |
| 206 | if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODEV, | 332 | if (!test_unpriv_remount_atime(MS_RELATIME, |
| 207 | MS_NOATIME|MS_NODEV)) | 333 | MS_NOATIME)) |
| 208 | { | 334 | { |
| 209 | die("MS_RELATIME malfunctions\n"); | 335 | die("MS_RELATIME malfunctions\n"); |
| 210 | } | 336 | } |
| 211 | if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODEV, | 337 | if (!test_unpriv_remount_atime(MS_STRICTATIME, |
| 212 | MS_NOATIME|MS_NODEV)) | 338 | MS_NOATIME)) |
| 213 | { | 339 | { |
| 214 | die("MS_STRICTATIME malfunctions\n"); | 340 | die("MS_STRICTATIME malfunctions\n"); |
| 215 | } | 341 | } |
| 216 | if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODEV, | 342 | if (!test_unpriv_remount_atime(MS_NOATIME, |
| 217 | MS_STRICTATIME|MS_NODEV)) | 343 | MS_STRICTATIME)) |
| 218 | { | 344 | { |
| 219 | die("MS_RELATIME malfunctions\n"); | 345 | die("MS_NOATIME malfunctions\n"); |
| 220 | } | 346 | } |
| 221 | if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODIRATIME|MS_NODEV, | 347 | if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODIRATIME, |
| 222 | MS_NOATIME|MS_NODEV)) | 348 | MS_NOATIME)) |
| 223 | { | 349 | { |
| 224 | die("MS_RELATIME malfunctions\n"); | 350 | die("MS_RELATIME|MS_NODIRATIME malfunctions\n"); |
| 225 | } | 351 | } |
| 226 | if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODIRATIME|MS_NODEV, | 352 | if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODIRATIME, |
| 227 | MS_NOATIME|MS_NODEV)) | 353 | MS_NOATIME)) |
| 228 | { | 354 | { |
| 229 | die("MS_RELATIME malfunctions\n"); | 355 | die("MS_STRICTATIME|MS_NODIRATIME malfunctions\n"); |
| 230 | } | 356 | } |
| 231 | if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODIRATIME|MS_NODEV, | 357 | if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODIRATIME, |
| 232 | MS_STRICTATIME|MS_NODEV)) | 358 | MS_STRICTATIME)) |
| 233 | { | 359 | { |
| 234 | die("MS_RELATIME malfunctions\n"); | 360 | die("MS_NOATIME|MS_DIRATIME malfunctions\n"); |
| 235 | } | 361 | } |
| 236 | if (!test_unpriv_remount(MS_STRICTATIME|MS_NODEV, MS_NODEV, | 362 | if (!test_unpriv_remount("ramfs", NULL, MS_STRICTATIME, 0, MS_NOATIME)) |
| 237 | MS_NOATIME|MS_NODEV)) | ||
| 238 | { | 363 | { |
| 239 | die("Default atime malfunctions\n"); | 364 | die("Default atime malfunctions\n"); |
| 240 | } | 365 | } |
| 366 | if (!test_priv_mount_unpriv_remount()) { | ||
| 367 | die("Mount flags unexpectedly changed after remount\n"); | ||
| 368 | } | ||
| 241 | return EXIT_SUCCESS; | 369 | return EXIT_SUCCESS; |
| 242 | } | 370 | } |