From: Seth Forshee
To: "Eric W. Biederman", Miklos Szeredi
Cc: Serge Hallyn, Seth Forshee, dm-devel@redhat.com, linux-security-module@vger.kernel.org, Richard Weinberger, linux-bcache@vger.kernel.org, linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org, fuse-devel@lists.sourceforge.net, Austin S Hemmelgarn, linux-mtd@lists.infradead.org, Alexander Viro, selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org
Subject: [PATCH 18/19] fuse: Restrict allow_other to the superblock's namespace or a descendant
Date: Wed, 2 Dec 2015 09:40:18 -0600
Message-Id: <1449070821-73820-19-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1449070821-73820-1-git-send-email-seth.forshee@canonical.com>

Unprivileged users are normally restricted from mounting with the allow_other option by system policy, but this
could be bypassed for a mount done with user namespace root permissions. In such cases allow_other should not allow users outside the userns to access the mount as doing so would give the unprivileged user the ability to manipulate processes it would otherwise be unable to manipulate. Restrict allow_other to apply to users in the same userns used at mount or a descendant of that namespace. Signed-off-by: Seth Forshee Acked-by: Serge Hallyn --- fs/fuse/dir.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c index f67f4dd86b36..5b8edb1203b8 100644 --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c @@ -1018,8 +1018,14 @@ int fuse_allow_current_process(struct fuse_conn *fc) { const struct cred *cred; - if (fc->flags & FUSE_ALLOW_OTHER) - return 1; + if (fc->flags & FUSE_ALLOW_OTHER) { + struct user_namespace *ns; + for (ns = current_user_ns(); ns; ns = ns->parent) { + if (ns == fc->user_ns) + return 1; + } + return 0; + } cred = current_cred(); if (uid_eq(cred->euid, fc->user_id) &&
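
Review bot: In the FUSE_ALLOW_OTHER branch of fuse_allow_current_process(), the walk from current_user_ns() up through ns->parent is open-coded and carries no comment, so a reader has to infer that the new return 0 denies every caller whose namespace is neither fc->user_ns nor a descendant of it. A short comment above the loop stating that rule, or moving the walk into a small helper that takes the target namespace, would make the intent clear and reusable. The loop also relies on fc->user_ns being set and kept alive for the lifetime of the connection, which this hunk does not show, so it is worth confirming where that reference is taken. The diffstat touches only fs/fuse/dir.c, so the user-visible change in allow_other semantics is not documented in this patch.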