userns: Don't allow creation if the user is chrooted

Guarantee that the policy of which files may be access that is established by setting the root directory will not be violated by user namespaces by verifying that the root directory points to the root of the mount namespace at the time of user namespace creation. Changing the root is a privileged operation, and as a matter of policy it serves to limit unprivileged processes to files below the current root directory. For reasons of simplicity and comprehensibility the privilege to change the root directory is gated solely on the CAP_SYS_CHROOT capability in the user namespace. Therefore when creating a user namespace we must ensure that the policy of which files may be access can not be violated by changing the root directory. Anyone who runs a processes in a chroot and would like to use user namespace can setup the same view of filesystems with a mount namespace instead. With this result that this is not a practical limitation for using user namespaces. Cc: stable@vger.kernel.org Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Reported-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

userns: Don't allow creation if the user is chrooted
Guarantee that the policy of which files may be access that is established by setting the root directory will not be violated by user namespaces by verifying that the root directory points to the root of the mount namespace at the time of user namespace creation. Changing the root is a privileged operation, and as a matter of policy it serves to limit unprivileged processes to files below the current root directory. For reasons of simplicity and comprehensibility the privilege to change the root directory is gated solely on the CAP_SYS_CHROOT capability in the user namespace. Therefore when creating a user namespace we must ensure that the policy of which files may be access can not be violated by changing the root directory. Anyone who runs a processes in a chroot and would like to use user namespace can setup the same view of filesystems with a mount namespace instead. With this result that this is not a practical limitation for using user namespaces. Cc: stable@vger.kernel.org Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Reported-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Eric W. Biederman
1 parent eddc0a3abf
Showing 3 changed files with 35 additions and 0 deletions Side-by-side Diff
fs/namespace.c
include/linux/fs_struct.h
kernel/user_namespace.c
@@ -2732,6 +2732,30 @@
 	return check_mnt(real_mount(mnt));
 }
  
+bool current_chrooted(void)
+{
+	/* Does the current process have a non-standard root */
+	struct path ns_root;
+	struct path fs_root;
+	bool chrooted;
+
+	/* Find the namespace root */
+	ns_root.mnt = &current->nsproxy->mnt_ns->root->mnt;
+	ns_root.dentry = ns_root.mnt->mnt_root;
+	path_get(&ns_root);
+	while (d_mountpoint(ns_root.dentry) && follow_down_one(&ns_root))
+		;
+
+	get_fs_root(current->fs, &fs_root);
+
+	chrooted = !path_equal(&fs_root, &ns_root);
+
+	path_put(&fs_root);
+	path_put(&ns_root);
+
+	return chrooted;
+}
+
 static void *mntns_get(struct task_struct *task)
 {
 	struct mnt_namespace *ns = NULL;
@@ -50,5 +50,7 @@
 	spin_unlock(&fs->lock);
 }
  
+extern bool current_chrooted(void);
+
 #endif /* _LINUX_FS_STRUCT_H */
@@ -61,6 +61,15 @@
 	kgid_t group = new->egid;
 	int ret;
  
+	/*
+	 * Verify that we can not violate the policy of which files
+	 * may be accessed that is specified by the root directory,
+	 * by verifing that the root directory is at the root of the
+	 * mount namespace which allows all files to be accessed.
+	 */
+	if (current_chrooted())
+		return -EPERM;
+
 	/* The creator needs a mapping in the parent user namespace
 	 * or else we won't be able to reasonably tell userspace who
 	 * created a user_namespace.
...	...	@@ -2732,6 +2732,30 @@
2732	2732	return check_mnt(real_mount(mnt));
2733	2733	}
2734	2734
	2735	+bool current_chrooted(void)
	2736	+{
	2737	+ /* Does the current process have a non-standard root */
	2738	+ struct path ns_root;
	2739	+ struct path fs_root;
	2740	+ bool chrooted;
	2741	+
	2742	+ /* Find the namespace root */
	2743	+ ns_root.mnt = &current->nsproxy->mnt_ns->root->mnt;
	2744	+ ns_root.dentry = ns_root.mnt->mnt_root;
	2745	+ path_get(&ns_root);
	2746	+ while (d_mountpoint(ns_root.dentry) && follow_down_one(&ns_root))
	2747	+ ;
	2748	+
	2749	+ get_fs_root(current->fs, &fs_root);
	2750	+
	2751	+ chrooted = !path_equal(&fs_root, &ns_root);
	2752	+
	2753	+ path_put(&fs_root);
	2754	+ path_put(&ns_root);
	2755	+
	2756	+ return chrooted;
	2757	+}
	2758	+
2735	2759	static void mntns_get(struct task_struct task)
2736	2760	{
2737	2761	struct mnt_namespace *ns = NULL;
...	...	@@ -50,5 +50,7 @@
50	50	spin_unlock(&fs->lock);
51	51	}
52	52
	53	+extern bool current_chrooted(void);
	54	+
53	55	#endif /* _LINUX_FS_STRUCT_H */
...	...	@@ -61,6 +61,15 @@
61	61	kgid_t group = new->egid;
62	62	int ret;
63	63
	64	+ /*
	65	+ * Verify that we can not violate the policy of which files
	66	+ * may be accessed that is specified by the root directory,
	67	+ * by verifing that the root directory is at the root of the
	68	+ * mount namespace which allows all files to be accessed.
	69	+ */
	70	+ if (current_chrooted())
	71	+ return -EPERM;
	72	+
64	73	/* The creator needs a mapping in the parent user namespace
65	74	* or else we won't be able to reasonably tell userspace who
66	75	* created a user_namespace.