mnt: Add tests for unprivileged remount cases that have found to be faulty

commit db181ce011e3c033328608299cd6fac06ea50130 upstream. Kenton Varda <kenton@sandstorm.io> discovered that by remounting a read-only bind mount read-only in a user namespace the MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user to the remount a read-only mount read-write. Upon review of the code in remount it was discovered that the code allowed nosuid, noexec, and nodev to be cleared. It was also discovered that the code was allowing the per mount atime flags to be changed. The first naive patch to fix these issues contained the flaw that using default atime settings when remounting a filesystem could be disallowed. To avoid this problems in the future add tests to ensure unprivileged remounts are succeeding and failing at the appropriate times. Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mnt: Add tests for unprivileged remount cases that have found to be faulty
commit db181ce011e3c033328608299cd6fac06ea50130 upstream. Kenton Varda <kenton@sandstorm.io> discovered that by remounting a read-only bind mount read-only in a user namespace the MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user to the remount a read-only mount read-write. Upon review of the code in remount it was discovered that the code allowed nosuid, noexec, and nodev to be cleared. It was also discovered that the code was allowing the per mount atime flags to be changed. The first naive patch to fix these issues contained the flaw that using default atime settings when remounting a filesystem could be disallowed. To avoid this problems in the future add tests to ensure unprivileged remounts are succeeding and failing at the appropriate times. Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric W. Biederman · Greg Kroah-Hartman
1 parent 74006d6e96
Showing 3 changed files with 260 additions and 0 deletions Side-by-side Diff
tools/testing/selftests/Makefile
tools/testing/selftests/mount/Makefile
tools/testing/selftests/mount/unprivileged-remount-test.c
@@ -4,6 +4,7 @@
 TARGETS += kcmp
 TARGETS += memory-hotplug
 TARGETS += mqueue
+TARGETS += mount
 TARGETS += net
 TARGETS += ptrace
 TARGETS += timers
+# Makefile for mount selftests.
+
+all: unprivileged-remount-test
+
+unprivileged-remount-test: unprivileged-remount-test.c
+	gcc -Wall -O2 unprivileged-remount-test.c -o unprivileged-remount-test
+
+# Allow specific tests to be selected.
+test_unprivileged_remount: unprivileged-remount-test
+	@if [ -f /proc/self/uid_map ] ; then ./unprivileged-remount-test ; fi
+
+run_tests: all test_unprivileged_remount
+
+clean:
+	rm -f unprivileged-remount-test
+
+.PHONY: all test_unprivileged_remount
+#define _GNU_SOURCE
+#include <sched.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <sys/wait.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <grp.h>
+#include <stdbool.h>
+#include <stdarg.h>
+
+#ifndef CLONE_NEWNS
+# define CLONE_NEWNS 0x00020000
+#endif
+#ifndef CLONE_NEWUTS
+# define CLONE_NEWUTS 0x04000000
+#endif
+#ifndef CLONE_NEWIPC
+# define CLONE_NEWIPC 0x08000000
+#endif
+#ifndef CLONE_NEWNET
+# define CLONE_NEWNET 0x40000000
+#endif
+#ifndef CLONE_NEWUSER
+# define CLONE_NEWUSER 0x10000000
+#endif
+#ifndef CLONE_NEWPID
+# define CLONE_NEWPID 0x20000000
+#endif
+
+#ifndef MS_RELATIME
+#define MS_RELATIME (1 << 21)
+#endif
+#ifndef MS_STRICTATIME
+#define MS_STRICTATIME (1 << 24)
+#endif
+
+static void die(char *fmt, ...)
+{
+	va_list ap;
+	va_start(ap, fmt);
+	vfprintf(stderr, fmt, ap);
+	va_end(ap);
+	exit(EXIT_FAILURE);
+}
+
+static void write_file(char *filename, char *fmt, ...)
+{
+	char buf[4096];
+	int fd;
+	ssize_t written;
+	int buf_len;
+	va_list ap;
+
+	va_start(ap, fmt);
+	buf_len = vsnprintf(buf, sizeof(buf), fmt, ap);
+	va_end(ap);
+	if (buf_len < 0) {
+		die("vsnprintf failed: %s\n",
+		    strerror(errno));
+	}
+	if (buf_len >= sizeof(buf)) {
+		die("vsnprintf output truncated\n");
+	}
+
+	fd = open(filename, O_WRONLY);
+	if (fd < 0) {
+		die("open of %s failed: %s\n",
+		    filename, strerror(errno));
+	}
+	written = write(fd, buf, buf_len);
+	if (written != buf_len) {
+		if (written >= 0) {
+			die("short write to %s\n", filename);
+		} else {
+			die("write to %s failed: %s\n",
+				filename, strerror(errno));
+		}
+	}
+	if (close(fd) != 0) {
+		die("close of %s failed: %s\n",
+			filename, strerror(errno));
+	}
+}
+
+static void create_and_enter_userns(void)
+{
+	uid_t uid;
+	gid_t gid;
+
+	uid = getuid();
+	gid = getgid();
+
+	if (unshare(CLONE_NEWUSER) !=0) {
+		die("unshare(CLONE_NEWUSER) failed: %s\n",
+			strerror(errno));
+	}
+
+	write_file("/proc/self/uid_map", "0 %d 1", uid);
+	write_file("/proc/self/gid_map", "0 %d 1", gid);
+
+	if (setgroups(0, NULL) != 0) {
+		die("setgroups failed: %s\n",
+			strerror(errno));
+	}
+	if (setgid(0) != 0) {
+		die ("setgid(0) failed %s\n",
+			strerror(errno));
+	}
+	if (setuid(0) != 0) {
+		die("setuid(0) failed %s\n",
+			strerror(errno));
+	}
+}
+
+static
+bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags)
+{
+	pid_t child;
+
+	child = fork();
+	if (child == -1) {
+		die("fork failed: %s\n",
+			strerror(errno));
+	}
+	if (child != 0) { /* parent */
+		pid_t pid;
+		int status;
+		pid = waitpid(child, &status, 0);
+		if (pid == -1) {
+			die("waitpid failed: %s\n",
+				strerror(errno));
+		}
+		if (pid != child) {
+			die("waited for %d got %d\n",
+				child, pid);
+		}
+		if (!WIFEXITED(status)) {
+			die("child did not terminate cleanly\n");
+		}
+		return WEXITSTATUS(status) == EXIT_SUCCESS ? true : false;
+	}
+
+	create_and_enter_userns();
+	if (unshare(CLONE_NEWNS) != 0) {
+		die("unshare(CLONE_NEWNS) failed: %s\n",
+			strerror(errno));
+	}
+
+	if (mount("testing", "/tmp", "ramfs", mount_flags, NULL) != 0) {
+		die("mount of /tmp failed: %s\n",
+			strerror(errno));
+	}
+
+	create_and_enter_userns();
+
+	if (unshare(CLONE_NEWNS) != 0) {
+		die("unshare(CLONE_NEWNS) failed: %s\n",
+			strerror(errno));
+	}
+
+	if (mount("/tmp", "/tmp", "none",
+		  MS_REMOUNT | MS_BIND | remount_flags, NULL) != 0) {
+		/* system("cat /proc/self/mounts"); */
+		die("remount of /tmp failed: %s\n",
+		    strerror(errno));
+	}
+
+	if (mount("/tmp", "/tmp", "none",
+		  MS_REMOUNT | MS_BIND | invalid_flags, NULL) == 0) {
+		/* system("cat /proc/self/mounts"); */
+		die("remount of /tmp with invalid flags "
+		    "succeeded unexpectedly\n");
+	}
+	exit(EXIT_SUCCESS);
+}
+
+static bool test_unpriv_remount_simple(int mount_flags)
+{
+	return test_unpriv_remount(mount_flags, mount_flags, 0);
+}
+
+static bool test_unpriv_remount_atime(int mount_flags, int invalid_flags)
+{
+	return test_unpriv_remount(mount_flags, mount_flags, invalid_flags);
+}
+
+int main(int argc, char **argv)
+{
+	if (!test_unpriv_remount_simple(MS_RDONLY|MS_NODEV)) {
+		die("MS_RDONLY malfunctions\n");
+	}
+	if (!test_unpriv_remount_simple(MS_NODEV)) {
+		die("MS_NODEV malfunctions\n");
+	}
+	if (!test_unpriv_remount_simple(MS_NOSUID|MS_NODEV)) {
+		die("MS_NOSUID malfunctions\n");
+	}
+	if (!test_unpriv_remount_simple(MS_NOEXEC|MS_NODEV)) {
+		die("MS_NOEXEC malfunctions\n");
+	}
+	if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODEV,
+				       MS_NOATIME|MS_NODEV))
+	{
+		die("MS_RELATIME malfunctions\n");
+	}
+	if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODEV,
+				       MS_NOATIME|MS_NODEV))
+	{
+		die("MS_STRICTATIME malfunctions\n");
+	}
+	if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODEV,
+				       MS_STRICTATIME|MS_NODEV))
+	{
+		die("MS_RELATIME malfunctions\n");
+	}
+	if (!test_unpriv_remount_atime(MS_RELATIME|MS_NODIRATIME|MS_NODEV,
+				       MS_NOATIME|MS_NODEV))
+	{
+		die("MS_RELATIME malfunctions\n");
+	}
+	if (!test_unpriv_remount_atime(MS_STRICTATIME|MS_NODIRATIME|MS_NODEV,
+				       MS_NOATIME|MS_NODEV))
+	{
+		die("MS_RELATIME malfunctions\n");
+	}
+	if (!test_unpriv_remount_atime(MS_NOATIME|MS_NODIRATIME|MS_NODEV,
+				       MS_STRICTATIME|MS_NODEV))
+	{
+		die("MS_RELATIME malfunctions\n");
+	}
+	if (!test_unpriv_remount(MS_STRICTATIME|MS_NODEV, MS_NODEV,
+				 MS_NOATIME|MS_NODEV))
+	{
+		die("Default atime malfunctions\n");
+	}
+	return EXIT_SUCCESS;
+}
...	...	@@ -4,6 +4,7 @@
4	4	TARGETS += kcmp
5	5	TARGETS += memory-hotplug
6	6	TARGETS += mqueue
	7	+TARGETS += mount
7	8	TARGETS += net
8	9	TARGETS += ptrace
9	10	TARGETS += timers
	1	+# Makefile for mount selftests.
	2	+
	3	+all: unprivileged-remount-test
	4	+
	5	+unprivileged-remount-test: unprivileged-remount-test.c
	6	+ gcc -Wall -O2 unprivileged-remount-test.c -o unprivileged-remount-test
	7	+
	8	+# Allow specific tests to be selected.
	9	+test_unprivileged_remount: unprivileged-remount-test
	10	+ @if [ -f /proc/self/uid_map ] ; then ./unprivileged-remount-test ; fi
	11	+
	12	+run_tests: all test_unprivileged_remount
	13	+
	14	+clean:
	15	+ rm -f unprivileged-remount-test
	16	+
	17	+.PHONY: all test_unprivileged_remount
	1	+#define _GNU_SOURCE
	2	+#include <sched.h>
	3	+#include <stdio.h>
	4	+#include <errno.h>
	5	+#include <string.h>
	6	+#include <sys/types.h>
	7	+#include <sys/mount.h>
	8	+#include <sys/wait.h>
	9	+#include <stdlib.h>
	10	+#include <unistd.h>
	11	+#include <fcntl.h>
	12	+#include <grp.h>
	13	+#include <stdbool.h>
	14	+#include <stdarg.h>
	15	+
	16	+#ifndef CLONE_NEWNS
	17	+# define CLONE_NEWNS 0x00020000
	18	+#endif
	19	+#ifndef CLONE_NEWUTS
	20	+# define CLONE_NEWUTS 0x04000000
	21	+#endif
	22	+#ifndef CLONE_NEWIPC
	23	+# define CLONE_NEWIPC 0x08000000
	24	+#endif
	25	+#ifndef CLONE_NEWNET
	26	+# define CLONE_NEWNET 0x40000000
	27	+#endif
	28	+#ifndef CLONE_NEWUSER
	29	+# define CLONE_NEWUSER 0x10000000
	30	+#endif
	31	+#ifndef CLONE_NEWPID
	32	+# define CLONE_NEWPID 0x20000000
	33	+#endif
	34	+
	35	+#ifndef MS_RELATIME
	36	+#define MS_RELATIME (1 << 21)
	37	+#endif
	38	+#ifndef MS_STRICTATIME
	39	+#define MS_STRICTATIME (1 << 24)
	40	+#endif
	41	+
	42	+static void die(char *fmt, ...)
	43	+{
	44	+ va_list ap;
	45	+ va_start(ap, fmt);
	46	+ vfprintf(stderr, fmt, ap);
	47	+ va_end(ap);
	48	+ exit(EXIT_FAILURE);
	49	+}
	50	+
	51	+static void write_file(char filename, char fmt, ...)
	52	+{
	53	+ char buf[4096];
	54	+ int fd;
	55	+ ssize_t written;
	56	+ int buf_len;
	57	+ va_list ap;
	58	+
	59	+ va_start(ap, fmt);
	60	+ buf_len = vsnprintf(buf, sizeof(buf), fmt, ap);
	61	+ va_end(ap);
	62	+ if (buf_len < 0) {
	63	+ die("vsnprintf failed: %s\n",
	64	+ strerror(errno));
	65	+ }
	66	+ if (buf_len >= sizeof(buf)) {
	67	+ die("vsnprintf output truncated\n");
	68	+ }
	69	+
	70	+ fd = open(filename, O_WRONLY);
	71	+ if (fd < 0) {
	72	+ die("open of %s failed: %s\n",
	73	+ filename, strerror(errno));
	74	+ }
	75	+ written = write(fd, buf, buf_len);
	76	+ if (written != buf_len) {
	77	+ if (written >= 0) {
	78	+ die("short write to %s\n", filename);
	79	+ } else {
	80	+ die("write to %s failed: %s\n",
	81	+ filename, strerror(errno));
	82	+ }
	83	+ }
	84	+ if (close(fd) != 0) {
	85	+ die("close of %s failed: %s\n",
	86	+ filename, strerror(errno));
	87	+ }
	88	+}
	89	+
	90	+static void create_and_enter_userns(void)
	91	+{
	92	+ uid_t uid;
	93	+ gid_t gid;
	94	+
	95	+ uid = getuid();
	96	+ gid = getgid();
	97	+
	98	+ if (unshare(CLONE_NEWUSER) !=0) {
	99	+ die("unshare(CLONE_NEWUSER) failed: %s\n",
	100	+ strerror(errno));
	101	+ }
	102	+
	103	+ write_file("/proc/self/uid_map", "0 %d 1", uid);
	104	+ write_file("/proc/self/gid_map", "0 %d 1", gid);
	105	+
	106	+ if (setgroups(0, NULL) != 0) {
	107	+ die("setgroups failed: %s\n",
	108	+ strerror(errno));
	109	+ }
	110	+ if (setgid(0) != 0) {
	111	+ die ("setgid(0) failed %s\n",
	112	+ strerror(errno));
	113	+ }
	114	+ if (setuid(0) != 0) {
	115	+ die("setuid(0) failed %s\n",
	116	+ strerror(errno));
	117	+ }
	118	+}
	119	+
	120	+static
	121	+bool test_unpriv_remount(int mount_flags, int remount_flags, int invalid_flags)
	122	+{
	123	+ pid_t child;
	124	+
	125	+ child = fork();
	126	+ if (child == -1) {
	127	+ die("fork failed: %s\n",
	128	+ strerror(errno));
	129	+ }
	130	+ if (child != 0) { /* parent */
	131	+ pid_t pid;
	132	+ int status;
	133	+ pid = waitpid(child, &status, 0);
	134	+ if (pid == -1) {
	135	+ die("waitpid failed: %s\n",
	136	+ strerror(errno));
	137	+ }
	138	+ if (pid != child) {
	139	+ die("waited for %d got %d\n",
	140	+ child, pid);
	141	+ }
	142	+ if (!WIFEXITED(status)) {
	143	+ die("child did not terminate cleanly\n");
	144	+ }
	145	+ return WEXITSTATUS(status) == EXIT_SUCCESS ? true : false;
	146	+ }
	147	+
	148	+ create_and_enter_userns();
	149	+ if (unshare(CLONE_NEWNS) != 0) {
	150	+ die("unshare(CLONE_NEWNS) failed: %s\n",
	151	+ strerror(errno));
	152	+ }
	153	+
	154	+ if (mount("testing", "/tmp", "ramfs", mount_flags, NULL) != 0) {
	155	+ die("mount of /tmp failed: %s\n",
	156	+ strerror(errno));
	157	+ }
	158	+
	159	+ create_and_enter_userns();
	160	+
	161	+ if (unshare(CLONE_NEWNS) != 0) {
	162	+ die("unshare(CLONE_NEWNS) failed: %s\n",
	163	+ strerror(errno));
	164	+ }
	165	+
	166	+ if (mount("/tmp", "/tmp", "none",
	167	+ MS_REMOUNT \| MS_BIND \| remount_flags, NULL) != 0) {
	168	+ /* system("cat /proc/self/mounts"); */
	169	+ die("remount of /tmp failed: %s\n",
	170	+ strerror(errno));
	171	+ }
	172	+
	173	+ if (mount("/tmp", "/tmp", "none",
	174	+ MS_REMOUNT \| MS_BIND \| invalid_flags, NULL) == 0) {
	175	+ /* system("cat /proc/self/mounts"); */
	176	+ die("remount of /tmp with invalid flags "
	177	+ "succeeded unexpectedly\n");
	178	+ }
	179	+ exit(EXIT_SUCCESS);
	180	+}
	181	+
	182	+static bool test_unpriv_remount_simple(int mount_flags)
	183	+{
	184	+ return test_unpriv_remount(mount_flags, mount_flags, 0);
	185	+}
	186	+
	187	+static bool test_unpriv_remount_atime(int mount_flags, int invalid_flags)
	188	+{
	189	+ return test_unpriv_remount(mount_flags, mount_flags, invalid_flags);
	190	+}
	191	+
	192	+int main(int argc, char **argv)
	193	+{
	194	+ if (!test_unpriv_remount_simple(MS_RDONLY\|MS_NODEV)) {
	195	+ die("MS_RDONLY malfunctions\n");
	196	+ }
	197	+ if (!test_unpriv_remount_simple(MS_NODEV)) {
	198	+ die("MS_NODEV malfunctions\n");
	199	+ }
	200	+ if (!test_unpriv_remount_simple(MS_NOSUID\|MS_NODEV)) {
	201	+ die("MS_NOSUID malfunctions\n");
	202	+ }
	203	+ if (!test_unpriv_remount_simple(MS_NOEXEC\|MS_NODEV)) {
	204	+ die("MS_NOEXEC malfunctions\n");
	205	+ }
	206	+ if (!test_unpriv_remount_atime(MS_RELATIME\|MS_NODEV,
	207	+ MS_NOATIME\|MS_NODEV))
	208	+ {
	209	+ die("MS_RELATIME malfunctions\n");
	210	+ }
	211	+ if (!test_unpriv_remount_atime(MS_STRICTATIME\|MS_NODEV,
	212	+ MS_NOATIME\|MS_NODEV))
	213	+ {
	214	+ die("MS_STRICTATIME malfunctions\n");
	215	+ }
	216	+ if (!test_unpriv_remount_atime(MS_NOATIME\|MS_NODEV,
	217	+ MS_STRICTATIME\|MS_NODEV))
	218	+ {
	219	+ die("MS_RELATIME malfunctions\n");
	220	+ }
	221	+ if (!test_unpriv_remount_atime(MS_RELATIME\|MS_NODIRATIME\|MS_NODEV,
	222	+ MS_NOATIME\|MS_NODEV))
	223	+ {
	224	+ die("MS_RELATIME malfunctions\n");
	225	+ }
	226	+ if (!test_unpriv_remount_atime(MS_STRICTATIME\|MS_NODIRATIME\|MS_NODEV,
	227	+ MS_NOATIME\|MS_NODEV))
	228	+ {
	229	+ die("MS_RELATIME malfunctions\n");
	230	+ }
	231	+ if (!test_unpriv_remount_atime(MS_NOATIME\|MS_NODIRATIME\|MS_NODEV,
	232	+ MS_STRICTATIME\|MS_NODEV))
	233	+ {
	234	+ die("MS_RELATIME malfunctions\n");
	235	+ }
	236	+ if (!test_unpriv_remount(MS_STRICTATIME\|MS_NODEV, MS_NODEV,
	237	+ MS_NOATIME\|MS_NODEV))
	238	+ {
	239	+ die("Default atime malfunctions\n");
	240	+ }
	241	+ return EXIT_SUCCESS;
	242	+}