Linux-Fsdevel Archive on lore.kernel.org
* [PATCH v2 0/2] proc: Relax check of mount visibility
@ 2020-08-19 19:14 Alexey Gladkov
  2020-08-19 19:14 ` [PATCH v2 1/2] " Alexey Gladkov
  2020-08-19 19:14 ` [PATCH v2 2/2] Show /proc/self/net only for CAP_NET_ADMIN Alexey Gladkov
  0 siblings, 2 replies; 7+ messages in thread
From: Alexey Gladkov @ 2020-08-19 19:14 UTC (permalink / raw)
  To: LKML, Linux FS Devel, Eric W . Biederman
  Cc: Alexey Gladkov, Alexander Viro, Kees Cook

If only the dynamic part of procfs is mounted (subset=pid), then there is no
need to check if procfs is fully visible to the user in the new user namespace.

Alexey Gladkov (2):
  proc: Relax check of mount visibility
  Show /proc/self/net only for CAP_NET_ADMIN

 fs/namespace.c          | 27 ++++++++++++++++-----------
 fs/proc/proc_net.c      |  8 ++++++++
 fs/proc/root.c          | 21 +++++++++++++++------
 include/linux/fs.h      |  1 +
 include/linux/proc_fs.h |  1 +
 5 files changed, 41 insertions(+), 17 deletions(-)

-- 
2.25.4


* Re: [PATCH v1 2/2] Show /proc/self/net only for CAP_NET_ADMIN
@ 2020-07-27 16:29 Eric W. Biederman
  2020-07-31 16:10 ` [PATCH v2 " Alexey Gladkov
  0 siblings, 1 reply; 7+ messages in thread
From: Eric W. Biederman @ 2020-07-27 16:29 UTC (permalink / raw)
  To: Alexey Gladkov
  Cc: LKML, Linux FS Devel, Alexander Viro, Alexey Gladkov, Kees Cook

Alexey Gladkov <gladkov.alexey@gmail.com> writes:

> Show /proc/self/net only for CAP_NET_ADMIN if procfs is mounted with
> subset=pid option in user namespace. This is done to avoid possible
> information leakage.
>
> Signed-off-by: Alexey Gladkov <gladkov.alexey@gmail.com>
> ---
>  fs/proc/proc_net.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
> index dba63b2429f0..11fa2c4b3529 100644
> --- a/fs/proc/proc_net.c
> +++ b/fs/proc/proc_net.c
> @@ -275,6 +275,12 @@ static struct net *get_proc_task_net(struct inode *dir)
>  	struct task_struct *task;
>  	struct nsproxy *ns;
>  	struct net *net = NULL;
> +	struct proc_fs_info *fs_info = proc_sb_info(dir->i_sb);
> +
> +	if ((fs_info->pidonly == PROC_PIDONLY_ON) &&
> +	    (current_user_ns() != &init_user_ns) &&
> +	    !capable(CAP_NET_ADMIN))
> +		return net;
>
>  	rcu_read_lock();
>  	task = pid_task(proc_pid(dir), PIDTYPE_PID);
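
Review bot: the gate added at the top of get_proc_task_net() uses capable(CAP_NET_ADMIN), which tests the capability against the initial user namespace, so combined with the current_user_ns() != &init_user_ns condition it denies every task that holds CAP_NET_ADMIN only in its own user namespace, including the user who mounted proc with subset=pid there. If the intent is to admit the owner of the task's network namespace, the check has to be made against that namespace's owner, e.g. ns_capable(net->user_ns, CAP_NET_ADMIN), which means it cannot sit before the pid_task()/nsproxy lookup that produces net. A second concern is that this function runs during inode lookup against the caller's credentials, and the dentry that results is cached, so a later caller with different credentials inherits the first caller's answer; either the per-caller check belongs in the open/readdir path or the decision must be based on something stable such as the mounter's credentials. Minor: `return net;` on the early exit is always NULL and would read more clearly as `return NULL;`.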

Hmm.

I see 3 options going forward.

1) We just make PROC_PIDONLY_ON mean the net directory does not exist.
   No permission checks just always fail.

2) Move the permission checks into opendir/readdir and whichever
   is the appropriate method there and always allow the dentries
   to be cached.

3) Simply cache the mounters credentials and make access to the
   net directories contingent on the permissions of the mounter of
   proc.  Something like the code below.

static struct net *get_proc_task_net(struct inode *dir)
{
	struct proc_fs_info *fs_info = proc_sb_info(dir->i_sb);
	struct task_struct *task;
	struct nsproxy *ns;
	struct net *net = NULL;

	rcu_read_lock();
	task = pid_task(proc_pid(dir), PIDTYPE_PID);
	if (task != NULL) {
		task_lock(task);
		ns = task->nsproxy;
		if (ns != NULL)
			net = get_net(ns->net_ns);
		task_unlock(task);
	}
	rcu_read_unlock();
	/*
	 * Decide on the credentials cached at mount time (mounter_cred is
	 * the proposed new field of proc_fs_info), not on the caller's.
	 * security_capable() returns 0 when the cred holds the capability
	 * in net->user_ns, so a non-zero result means "not permitted".
	 */
	if (net && (fs_info->pidonly == PROC_PIDONLY_ON) &&
	    security_capable(fs_info->mounter_cred,
			     net->user_ns, CAP_SYS_ADMIN,
			     CAP_OPT_NONE) != 0) {
		put_net(net);
		net = NULL;
	}
	return net;
}

Eric
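
The thread is about whether a proc mount created with subset=pid should expose the per-task net directory. As an added, userspace-side check that is not part of the patch or of Eric's sketch, the script below audits a mountinfo listing for proc mounts carrying subset=pid and reports, for each, whether <mountpoint>/self/net is reachable by the calling task. It assumes the /proc/self/mountinfo field layout documented in proc(5) (optional fields precede a lone "-" separator, followed by fstype, source and superblock options); the sample listing embedded in it is constructed, so it runs offline, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a mountinfo listing for
# procfs mounts that use subset=pid and report whether <mountpoint>/self/net
# is reachable under each one. The sample below is constructed; pass
# /proc/self/mountinfo (or a saved copy) to audit a real system.

# Constructed sample in /proc/self/mountinfo format (see proc(5)):
# id parent major:minor root mountpoint mount-opts [optional...] - fstype source super-opts
SAMPLE_MOUNTINFO='36 25 0:34 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw
90 36 0:35 / /mnt/pidproc rw,nosuid,nodev,noexec,relatime - proc proc rw,subset=pid
91 25 0:36 / /tmp rw,relatime shared:20 - tmpfs tmpfs rw'

# proc_subset_pid_mounts FILE: print the mountpoint of every proc mount whose
# superblock options contain subset=pid. FILE may be "-" for stdin.
proc_subset_pid_mounts() {
	awk '
	{
		# Optional fields precede the "-" separator, so locate it per line.
		sep = 0
		for (i = 1; i <= NF; i++) if ($i == "-") { sep = i; break }
		if (sep == 0) next
		fstype = $(sep + 1); superopts = $(sep + 3)
		if (fstype == "proc" && superopts ~ /(^|,)subset=pid(,|$)/)
			print $5
	}' "$1"
}

# net_visible MOUNTPOINT: succeed when MOUNTPOINT/self/net exists as a
# directory, i.e. the network sub-tree is exposed to the calling task.
net_visible() {
	[ -d "$1/self/net" ]
}

# audit FILE: one line per subset=pid proc mount with its self/net visibility.
audit() {
	proc_subset_pid_mounts "$1" | while IFS= read -r mp; do
		if net_visible "$mp"; then
			printf '%s: subset=pid, self/net VISIBLE\n' "$mp"
		else
			printf '%s: subset=pid, self/net hidden or mount absent\n' "$mp"
		fi
	done
}

# Run against the constructed sample (reports the /mnt/pidproc mount only):
printf '%s\n' "$SAMPLE_MOUNTINFO" | audit -
```

On a live system, run `audit /proc/self/mountinfo` from inside the user namespace that performed the subset=pid mount; whether the net directory shows up there is exactly the behaviour the three options in the reply decide differently, so the same script gives a quick before/after check of a kernel carrying the patch.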


Thread overview: 7+ messages
2020-08-19 19:14 [PATCH v2 0/2] proc: Relax check of mount visibility Alexey Gladkov
2020-08-19 19:14 ` [PATCH v2 1/2] " Alexey Gladkov
2020-08-19 19:14 ` [PATCH v2 2/2] Show /proc/self/net only for CAP_NET_ADMIN Alexey Gladkov
2020-08-19 21:27   ` kernel test robot
2020-08-19 21:59   ` kernel test robot
2020-08-19 23:27   ` kernel test robot
2020-07-27 16:29 [PATCH v1 " Eric W. Biederman
2020-07-31 16:10 ` [PATCH v2 " Alexey Gladkov
