Not allowing programs to clear nosuid, nodev, and noexec on new mounts of sysfs or proc will cause lxc and libvirt-lxc to fail to start (a regression). There are no device nodes or executables on sysfs or proc today which means clearing these flags is harmless today.
Instead of failing the fresh mounts of sysfs and proc emit a warning when these flags are improprely cleared. We only reach this point because lxc and libvirt-lxc clear flags they mount flags had not intended to. In a couple of kernel releases when lxc and libvirt-lxc have been fixed we can start failing fresh mounts proc and sysfs that clear nosuid, nodev and noexec. Userspace clearly means to enforce those attributes and historically they have avoided bugs. Cc: [email protected] Signed-off-by: "Eric W. Biederman" <[email protected]> --- fs/namespace.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/fs/namespace.c b/fs/namespace.c index eccd925c6e82..eaa49b628d28 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -3198,6 +3198,7 @@ static bool fs_fully_visible(struct file_system_type *type, int *new_mnt_flags) if ((mnt->mnt.mnt_flags & MNT_LOCK_READONLY) && !(new_flags & MNT_READONLY)) continue; +#if 0 /* Avoid unnecessary regressions */ if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) && !(new_flags & MNT_NODEV)) continue; @@ -3207,6 +3208,7 @@ static bool fs_fully_visible(struct file_system_type *type, int *new_mnt_flags) if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) && !(new_flags & MNT_NOEXEC)) continue; +#endif if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) && ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (new_flags & MNT_ATIME_MASK))) continue; @@ -3226,10 +3228,35 @@ static bool fs_fully_visible(struct file_system_type *type, int *new_mnt_flags) } /* Preserve the locked attributes */ *new_mnt_flags |= mnt->mnt.mnt_flags & (MNT_LOCK_READONLY | \ + /* Avoid unnecessary regressions \ MNT_LOCK_NODEV | \ MNT_LOCK_NOSUID | \ MNT_LOCK_NOEXEC | \ + */ \ MNT_LOCK_ATIME); + /* For now, warn about the "harmless" but invalid mnt flags */ + { + bool nodev = false, nosuid = false, noexec = false; + if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) && + !(new_flags & MNT_NODEV)) + nodev = true; + if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) && + !(new_flags & MNT_NOSUID)) + nosuid = true; + if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) && + !(new_flags & MNT_NOEXEC)) + noexec = true; + + if ((nodev || nosuid || noexec) && printk_ratelimit()) { + printk(KERN_INFO + "warning: process `%s' clears %s%s%sin mount of %s\n", + current->comm, + nodev ? "nodev ":"", + nosuid ? "nosuid ":"", + noexec ? "noexec ":"", + type->name); + } + } visible = true; goto found; next: ; -- 2.2.1 -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
