diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-10-14 08:35:01 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-10-14 08:35:01 +0200 |
commit | 0ef3a56b1c466629cd0bf482b09c7b0e5a085bb5 (patch) | |
tree | 268d48a67ffeab5f11ceb604f6a7c5205f6a47e4 | |
parent | dfe2c6dcc8ca2cdc662d7c0473e9811b72ef3370 (diff) | |
parent | a1480dcc3c706e309a88884723446f2e84fedd5b (diff) |
Merge branch 'CVE-2014-7975' of git://git.kernel.org/pub/scm/linux/kernel/git/luto/linux
Pull do_umount fix from Andy Lutomirski:
"This fix really ought to be safe. Inside a mountns owned by a
non-root user namespace, the namespace root almost always has
MNT_LOCKED set (if it doesn't, then there's a bug, because rootfs
could be exposed). In that case, calling umount on "/" will return
-EINVAL with or without this patch.
Outside a userns, this patch will have no effect. may_mount, required
by umount, already checks
ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN)
so an additional capable(CAP_SYS_ADMIN) check will have no effect.
That leaves anything that calls umount on "/" in a non-root userns
while chrooted. This is the case that is currently broken (it
remounts ro, which shouldn't be allowed) and that my patch changes to
-EPERM. If anything relies on *that*, I'd be surprised"
* 'CVE-2014-7975' of git://git.kernel.org/pub/scm/linux/kernel/git/luto/linux:
fs: Add a missing permission check to do_umount
-rw-r--r-- | fs/namespace.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/namespace.c b/fs/namespace.c index 348562f14e93..2651328d1790 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1439,6 +1439,8 @@ static int do_umount(struct mount *mnt, int flags) * Special case for "unmounting" root ... * we just try to remount it readonly. */ + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; down_write(&sb->s_umount); if (!(sb->s_flags & MS_RDONLY)) retval = do_remount_sb(sb, MS_RDONLY, NULL, 0); |