[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2019-07-24 Thread Brad Figg
** Tags added: cscc

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1789161

Title:
  Bypass of mount visibility through userns + mount propagation

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released
Status in linux source package in Disco:
  Fix Released

Bug description:
  [Impact]

  Jonathan Calmels from NVIDIA reported that he's able to bypass the
  mount visibility security check in place in the Linux kernel by using
  a combination of the unbindable property along with the private mount
  propagation option to allow an unprivileged user to see a path which
  was purposefully hidden by the root user.

  [Test Case]

  Reproducer:
  # Hide a path to all users using a tmpfs
  root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
  root@castiana:~#

  # As an unprivileged user, unshare user namespace and mount namespace
  stgraber@castiana:~$ unshare -U -m -r

  # Confirm the path is still not accessible
  root@castiana:~# ls /sys/devices/

  # Make /sys recursively unbindable and private
  root@castiana:~# mount --make-runbindable /sys
  root@castiana:~# mount --make-private /sys

  # Recursively bind-mount the rest of /sys over to /mnt
  root@castiana:~# mount --rbind /sys/ /mnt

  # Access our hidden /sys/devices as an unprivileged user
  root@castiana:~# ls /mnt/devices/
  breakpoint  cpu  cstate_core  cstate_pkg  i915  intel_pt  isa  kprobe
  LNXSYSTM:00  msr  pci:00  platform  pnp0  power  software  system
  tracepoint  uncore_arb  uncore_cbox_0  uncore_cbox_1  uprobe  virtual

  [Regression Potential]

  Low. The fixes are relatively simple. Regressions would most likely be
  specific to software utilizing user namespaces + mount propagation
  which is a small (but often important) portion of the Ubuntu archive.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1789161/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
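
A defender-side check for the state the reproducer above leaves behind, as an added example that is not part of the bug report or of the kernel fix: it parses a mountinfo table (the format of /proc/<pid>/mountinfo) and reports every path that is covered by an over-mount in one place yet reachable, uncovered, through another mount of the same filesystem. The sample tables, mount IDs and device numbers are constructed, and all function names are this example's own.

```python
import re
from collections import namedtuple

Mount = namedtuple("Mount", "mount_id parent_id dev root mount_point optional fstype")
Finding = namedtuple("Finding", "masked_path reachable_as mask_unbindable")

# Constructed sample: mount table of the unshared namespace after the last
# reproducer step on an affected kernel (IDs and device numbers are invented).
AFFECTED_SAMPLE = """\
28 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw
22 28 0:21 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
95 22 0:48 / /sys/devices rw,relatime unbindable - tmpfs tmpfs rw
96 28 0:21 / /mnt rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
"""

# Constructed sample: same table, but the recursive bind carried the tmpfs along,
# so the masked directory stays covered under /mnt as well.
COVERED_SAMPLE = AFFECTED_SAMPLE + "97 96 0:48 / /mnt/devices rw,relatime - tmpfs tmpfs rw\n"


def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse mountinfo lines into Mount tuples."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        sep = fields.index("-", 6)  # optional fields end at the lone "-"
        mounts.append(Mount(int(fields[0]), int(fields[1]), fields[2],
                            _unescape(fields[3]), _unescape(fields[4]),
                            tuple(fields[6:sep]), fields[sep + 1]))
    return mounts


def _is_under(path, base):
    """True if path equals base or lies below it."""
    return path == base or path.startswith(base.rstrip("/") + "/")


def _rebase(path, old_base, new_base):
    """Re-express a path that lies under old_base as a path under new_base."""
    rel = "" if path == old_base else path[len(old_base.rstrip("/")):]
    return (new_base.rstrip("/") + rel) or "/"


def find_exposed_masks(mounts):
    """Report over-mounted paths that another mount of the same filesystem shows.

    Only the given table is examined; mounts in other namespaces are not seen,
    and the exposing mount is assumed to be reachable itself.
    """
    by_id = {m.mount_id: m for m in mounts}
    findings = []
    for mask in mounts:
        parent = by_id.get(mask.parent_id)
        if parent is None or not _is_under(mask.mount_point, parent.mount_point):
            continue
        # Path inside the parent's filesystem that this over-mount covers.
        hidden = _rebase(mask.mount_point, parent.mount_point, parent.root)
        for other in mounts:
            if other is parent or other is mask or other.dev != parent.dev:
                continue
            if not _is_under(hidden, other.root):
                continue  # this mount shows a different subtree of the filesystem
            alias = _rebase(hidden, other.root, other.mount_point)
            covered = any(c.parent_id == other.mount_id
                          and _is_under(alias, c.mount_point) for c in mounts)
            if not covered:
                findings.append(Finding(mask.mount_point, alias,
                                        "unbindable" in mask.optional))
    return findings


if __name__ == "__main__":
    for name, sample in (("affected", AFFECTED_SAMPLE), ("covered", COVERED_SAMPLE)):
        print(name, find_exposed_masks(parse_mountinfo(sample)))
```

To audit a live process, pass the contents of its /proc/<pid>/mountinfo to parse_mountinfo() instead of the constructed samples.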


[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2019-02-04 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.19.0-12.13

---
linux (4.19.0-12.13) disco; urgency=medium

  * linux: 4.19.0-12.13 -proposed tracker (LP: #1813664)

  * kernel oops in bcache module (LP: #1793901)
- SAUCE: bcache: never writeback a discard operation

  * Disco update: 4.19.18 upstream stable release (LP: #1813611)
- ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address
- mlxsw: spectrum: Disable lag port TX before removing it
- mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
- net: dsa: mv88x6xxx: mv88e6390 errata
- net, skbuff: do not prefer skb allocation fails early
- qmi_wwan: add MTU default to qmap network interface
- ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
- net: clear skb->tstamp in bridge forwarding path
- netfilter: ipset: Allow matching on destination MAC address for mac and
  ipmac sets
- gpio: pl061: Move irq_chip definition inside struct pl061
- drm/amd/display: Guard against null stream_state in set_crc_source
- drm/amdkfd: fix interrupt spin lock
- ixgbe: allow IPsec Tx offload in VEPA mode
- platform/x86: asus-wmi: Tell the EC the OS will handle the display off
  hotkey
- e1000e: allow non-monotonic SYSTIM readings
- usb: typec: tcpm: Do not disconnect link for self powered devices
- selftests/bpf: enable (uncomment) all tests in test_libbpf.sh
- of: overlay: add missing of_node_put() after add new node to changeset
- writeback: don't decrement wb->refcnt if !wb->bdi
- serial: set suppress_bind_attrs flag only if builtin
- bpf: Allow narrow loads with offset > 0
- ALSA: oxfw: add support for APOGEE duet FireWire
- x86/mce: Fix -Wmissing-prototypes warnings
- MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
- crypto: ecc - regularize scalar for scalar multiplication
- arm64: perf: set suppress_bind_attrs flag to true
- drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
- clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
- samples: bpf: fix: error handling regarding kprobe_events
- usb: gadget: udc: renesas_usb3: add a safety connection way for
  forced_b_device
- fpga: altera-cvp: fix probing for multiple FPGAs on the bus
- selinux: always allow mounting submounts
- ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
- scsi: qedi: Check for session online before getting iSCSI TLV data.
- drm/amdgpu: Reorder uvd ring init before uvd resume
- rxe: IB_WR_REG_MR does not capture MR's iova field
- efi/libstub: Disable some warnings for x86{,_64}
- jffs2: Fix use of uninitialized delayed_work, lockdep breakage
- clk: imx: make mux parent strings const
- pstore/ram: Do not treat empty buffers as valid
- media: uvcvideo: Refactor teardown of uvc on USB disconnect
- powerpc/xmon: Fix invocation inside lock region
- powerpc/pseries/cpuidle: Fix preempt warning
- media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
- ASoC: use dma_ops of parent device for acp_audio_dma
- media: venus: core: Set dma maximum segment size
- staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io'
- net: call sk_dst_reset when set SO_DONTROUTE
- scsi: target: use consistent left-aligned ASCII INQUIRY data
- scsi: target/core: Make sure that target_wait_for_sess_cmds() waits long
  enough
- selftests: do not macro-expand failed assertion expressions
- arm64: kasan: Increase stack size for KASAN_EXTRA
- clk: imx6q: reset exclusive gates on init
- arm64: Fix minor issues with the dcache_by_line_op macro
- bpf: relax verifier restriction on BPF_MOV | BPF_ALU
- kconfig: fix file name and line number of warn_ignored_character()
- kconfig: fix memory leak when EOF is encountered in quotation
- mmc: atmel-mci: do not assume idle after atmci_request_end
- btrfs: volumes: Make sure there is no overlap of dev extents at mount time
- btrfs: alloc_chunk: fix more DUP stripe size handling
- btrfs: fix use-after-free due to race between replace start and cancel
- btrfs: improve error handling of btrfs_add_link
- tty/serial: do not free trasnmit buffer page under port lock
- perf intel-pt: Fix error with config term "pt=0"
- perf tests ARM: Disable breakpoint tests 32-bit
- perf svghelper: Fix unchecked usage of strncpy()
- perf parse-events: Fix unchecked usage of strncpy()
- perf vendor events intel: Fix Load_Miss_Real_Latency on SKL/SKX
- netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
- netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine
- netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
- x86/topology: Use total_cpus for max logical packages calculation
- dm crypt: use u64 instead of sector_t 

[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2018-12-03 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-140.166

---
linux (4.4.0-140.166) xenial; urgency=medium

  * linux: 4.4.0-140.166 -proposed tracker (LP: #1802776)

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
- mount: Retest MNT_LOCKED in do_umount
- mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  * kdump fail due to an IRQ storm (LP: #1797990)
- SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
- SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
- SAUCE: x86/quirks: Scan all busses for early PCI quirks

  * crash in ENA driver on removing an interface (LP: #1802341)
- SAUCE: net: ena: fix crash during ena_remove()

  * xenial guest on arm64 drops to busybox under openstack bionic-rocky
(LP: #1797092)
- [Config] CONFIG_PCI_ECAM=y
- PCI: Provide common functions for ECAM mapping
- PCI: generic, thunder: Use generic ECAM API
- PCI, of: Move PCI I/O space management to PCI core code
- PCI: Move ecam.h to linux/include/pci-ecam.h
- PCI: Add parent device field to ECAM struct pci_config_window
- PCI: Add pci_unmap_iospace() to unmap I/O resources
- PCI/ACPI: Support I/O resources when parsing host bridge resources
- [Config] CONFIG_ACPI_MCFG=y
- PCI/ACPI: Add generic MCFG table handling
- PCI: Refactor pci_bus_assign_domain_nr() for CONFIG_PCI_DOMAINS_GENERIC
- PCI: Factor DT-specific pci_bus_find_domain_nr() code out
- ARM64: PCI: Add acpi_pci_bus_find_domain_nr()
- ARM64: PCI: ACPI support for legacy IRQs parsing and consolidation with DT
  code
- ARM64: PCI: Support ACPI-based PCI host controller

  * [GLK/CLX] Enhanced IBRS (LP: #1786139)
- x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation
- x86/speculation: Support Enhanced IBRS on future CPUs

  * Update ENA driver to version 2.0.1K (LP: #1798182)
- net: ena: remove ndo_poll_controller
- net: ena: fix warning in rmmod caused by double iounmap
- net: ena: fix rare bug when failed restart/resume is followed by driver
  removal
- net: ena: fix NULL dereference due to untimely napi initialization
- net: ena: fix auto casting to boolean
- net: ena: minor performance improvement
- net: ena: complete host info to match latest ENA spec
- net: ena: introduce Low Latency Queues data structures according to ENA spec
- net: ena: add functions for handling Low Latency Queues in ena_com
- net: ena: add functions for handling Low Latency Queues in ena_netdev
- net: ena: use CSUM_CHECKED device indication to report skb's checksum status
- net: ena: explicit casting and initialization, and clearer error handling
- net: ena: limit refill Rx threshold to 256 to avoid latency issues
- net: ena: change rx copybreak default to reduce kernel memory pressure
- net: ena: remove redundant parameter in ena_com_admin_init()
- net: ena: update driver version to 2.0.1
- net: ena: fix indentations in ena_defs for better readability
- net: ena: Fix Kconfig dependency on X86
- net: ena: enable Low Latency Queues
- net: ena: fix compilation error in xtensa architecture

  * Xenial update: 4.4.162 upstream stable release (LP: #1801900)
- ASoC: wm8804: Add ACPI support
- ASoC: sigmadsp: safeload should not have lower byte limit
- selftests/efivarfs: add required kernel configs
- mfd: omap-usb-host: Fix dts probe of children
- sound: enable interrupt after dma buffer initialization
- stmmac: fix valid numbers of unicast filter entries
- net: macb: disable scatter-gather for macb on sama5d3
- ARM: dts: at91: add new compatibility string for macb on sama5d3
- drm/amdgpu: Fix SDMA HQD destroy error on gfx_v7
- ext4: add corruption check in ext4_xattr_set_entry()
- mm/vmstat.c: fix outdated vmstat_text
- mach64: detect the dot clock divider correctly on sparc
- perf script python: Fix export-to-postgresql.py occasional failure
- i2c: i2c-scmi: fix for i2c_smbus_write_block_data
- xhci: Don't print a warning when setting link state for disabled ports
- jffs2: return -ERANGE when xattr buffer is too small
- bnxt_en: Fix TX timeout during netpoll.
- bonding: avoid possible dead-lock
- ip6_tunnel: be careful when accessing the inner header
- ip_tunnel: be careful when accessing the inner header
- ipv4: fix use-after-free in ip_cmsg_recv_dstaddr()
- net: ipv4: update fnhe_pmtu when first hop's MTU changes
- net/ipv6: Display all addresses in output of /proc/net/if_inet6
- netlabel: check for IPV4MASK in addrinfo_get
- net/usb: cancel pending work when unbinding smsc75xx
- qlcnic: fix Tx descriptor corruption on 82xx devices
- team: Forbid enslaving team device to itself
- net: mvpp2: Extract the correct ethtype from the skb for tx csum offload
- net: systemport: Fix wake-up interrupt race during 

[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2018-12-03 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.15.0-42.45

---
linux (4.15.0-42.45) bionic; urgency=medium

  * linux: 4.15.0-42.45 -proposed tracker (LP: #1803592)

  * [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
- KVM: s390: reset crypto attributes for all vcpus
- KVM: s390: vsie: simulate VCPU SIE entry/exit
- KVM: s390: introduce and use KVM_REQ_VSIE_RESTART
- KVM: s390: refactor crypto initialization
- s390: vfio-ap: base implementation of VFIO AP device driver
- s390: vfio-ap: register matrix device with VFIO mdev framework
- s390: vfio-ap: sysfs interfaces to configure adapters
- s390: vfio-ap: sysfs interfaces to configure domains
- s390: vfio-ap: sysfs interfaces to configure control domains
- s390: vfio-ap: sysfs interface to view matrix mdev matrix
- KVM: s390: interface to clear CRYCB masks
- s390: vfio-ap: implement mediated device open callback
- s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl
- s390: vfio-ap: zeroize the AP queues
- s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
- KVM: s390: Clear Crypto Control Block when using vSIE
- KVM: s390: vsie: Do the CRYCB validation first
- KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
- KVM: s390: vsie: Allow CRYCB FORMAT-2
- KVM: s390: vsie: allow CRYCB FORMAT-1
- KVM: s390: vsie: allow CRYCB FORMAT-0
- KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
- KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
- KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
- KVM: s390: device attrs to enable/disable AP interpretation
- KVM: s390: CPU model support for AP virtualization
- s390: doc: detailed specifications for AP virtualization
- KVM: s390: fix locking for crypto setting error path
- KVM: s390: Tracing APCB changes
- s390: vfio-ap: setup APCB mask using KVM dedicated function
- s390/zcrypt: Add ZAPQ inline function.
- s390/zcrypt: Review inline assembler constraints.
- s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
- s390/zcrypt: fix ap_instructions_available() returncodes
- s390/zcrypt: remove VLA usage from the AP bus
- s390/zcrypt: Remove deprecated ioctls.
- s390/zcrypt: Remove deprecated zcrypt proc interface.
- s390/zcrypt: Support up to 256 crypto adapters.
- [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module.

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
- mount: Retest MNT_LOCKED in do_umount
- mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  *  CVE-2018-18955: nested user namespaces with more than five extents
incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
- userns: also map extents in the reverse map to kernel IDs

  * kdump fail due to an IRQ storm (LP: #1797990)
- SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
- SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
- SAUCE: x86/quirks: Scan all busses for early PCI quirks

 -- Thadeu Lima de Souza Cascardo  Thu, 15 Nov 2018 17:01:46 -0200

** Changed in: linux (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released
Status in linux source package in Disco:
  Fix Committed


[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2018-12-03 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.18.0-12.13

---
linux (4.18.0-12.13) cosmic; urgency=medium

  * linux: 4.18.0-12.13 -proposed tracker (LP: #1802743)

  * [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
- s390/zcrypt: Add ZAPQ inline function.
- s390/zcrypt: Review inline assembler constraints.
- s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
- s390/zcrypt: fix ap_instructions_available() returncodes
- KVM: s390: vsie: simulate VCPU SIE entry/exit
- KVM: s390: introduce and use KVM_REQ_VSIE_RESTART
- KVM: s390: refactor crypto initialization
- s390: vfio-ap: base implementation of VFIO AP device driver
- s390: vfio-ap: register matrix device with VFIO mdev framework
- s390: vfio-ap: sysfs interfaces to configure adapters
- s390: vfio-ap: sysfs interfaces to configure domains
- s390: vfio-ap: sysfs interfaces to configure control domains
- s390: vfio-ap: sysfs interface to view matrix mdev matrix
- KVM: s390: interface to clear CRYCB masks
- s390: vfio-ap: implement mediated device open callback
- s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl
- s390: vfio-ap: zeroize the AP queues
- s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
- KVM: s390: Clear Crypto Control Block when using vSIE
- KVM: s390: vsie: Do the CRYCB validation first
- KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
- KVM: s390: vsie: Allow CRYCB FORMAT-2
- KVM: s390: vsie: allow CRYCB FORMAT-1
- KVM: s390: vsie: allow CRYCB FORMAT-0
- KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
- KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
- KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
- KVM: s390: device attrs to enable/disable AP interpretation
- KVM: s390: CPU model support for AP virtualization
- s390: doc: detailed specifications for AP virtualization
- KVM: s390: fix locking for crypto setting error path
- KVM: s390: Tracing APCB changes
- s390: vfio-ap: setup APCB mask using KVM dedicated function
- [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module.

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
- mount: Retest MNT_LOCKED in do_umount
- mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  *  CVE-2018-18955: nested user namespaces with more than five extents
incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
- userns: also map extents in the reverse map to kernel IDs

  * kdump fail due to an IRQ storm (LP: #1797990)
- SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
- SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
- SAUCE: x86/quirks: Scan all busses for early PCI quirks

  * crash in ENA driver on removing an interface (LP: #1802341)
- SAUCE: net: ena: fix crash during ena_remove()

  * Ubuntu 18.04.1 - [s390x] Kernel panic while stressing network bonding
(LP: #1797367)
- s390/qeth: reduce hard-coded access to ccw channels
- s390/qeth: sanitize strings in debug messages

  * Add checksum offload and TSO support for HiNIC adapters (LP: #1800664)
- net-next/hinic: add checksum offload and TSO support

  * smartpqi updates for ubuntu 18.04.2 (LP: #1798208)
- scsi: smartpqi: improve handling for sync requests
- scsi: smartpqi: improve error checking for sync requests
- scsi: smartpqi: add inspur advantech ids
- scsi: smartpqi: fix critical ARM issue reading PQI index registers
- scsi: smartpqi: bump driver version to 1.1.4-130

  * [GLK/CLX] Enhanced IBRS (LP: #1786139)
- x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation
- x86/speculation: Support Enhanced IBRS on future CPUs

  * Enable keyboard wakeup for S2Idle laptops (LP: #1798552)
- Input: i8042 - enable keyboard wakeups by default when s2idle is used

  * Overlayfs in user namespace leaks directory content of inaccessible
directories (LP: #1793458) // CVE-2018-6559
- SAUCE: overlayfs: ensure mounter privileges when reading directories

  * Update ENA driver to version 2.0.1K (LP: #1798182)
- net: ena: remove ndo_poll_controller
- net: ena: fix auto casting to boolean
- net: ena: minor performance improvement
- net: ena: complete host info to match latest ENA spec
- net: ena: introduce Low Latency Queues data structures according to ENA spec
- net: ena: add functions for handling Low Latency Queues in ena_com
- net: ena: add functions for handling Low Latency Queues in ena_netdev
- net: ena: use CSUM_CHECKED device indication to report skb's checksum status
- net: ena: explicit casting and initialization, and clearer error handling
- net: ena: limit refill Rx threshold to 256 to avoid latency issues
- net: ena: change rx copybreak default to reduce kernel memory pressure
- net: ena: remove redundant 

[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2018-12-03 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.13.0-163.213

---
linux (3.13.0-163.213) trusty; urgency=medium

  * linux: 3.13.0-163.213 -proposed tracker (LP: #1802769)

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
- mount: Retest MNT_LOCKED in do_umount
- mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  * dev test in ubuntu_stress_smoke_test cause kernel oops on T-3.13
(LP: #1797546)
- drm: fix NULL pointer access by wrong ioctl

  * Packaging resync (LP: #1786013)
- [Package] add support for specifying the primary makefile

 -- Thadeu Lima de Souza Cascardo  Tue, 13 Nov 2018 13:30:30 -0200

** Changed in: linux (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu Cosmic)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18653

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18955

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-6559

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Released
Status in linux source package in Disco:
  Fix Committed



[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2018-11-20 Thread Christian Brauner
** Tags removed: verification-needed-bionic verification-needed-cosmic 
verification-needed-trusty verification-needed-xenial
** Tags added: verification-done-bionic verification-done-cosmic 
verification-done-trusty verification-done-xenial

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed



[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2018-11-16 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-bionic' to 'verification-done-bionic'. If the
problem still exists, change the tag 'verification-needed-bionic' to
'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-bionic

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed



[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2018-11-16 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-trusty' to 'verification-done-trusty'. If the
problem still exists, change the tag 'verification-needed-trusty' to
'verification-failed-trusty'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed



[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2018-11-16 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-xenial' to 'verification-done-xenial'. If the
problem still exists, change the tag 'verification-needed-xenial' to
'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-xenial

** Tags added: verification-needed-trusty

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed



[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2018-11-15 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-cosmic' to 'verification-done-cosmic'. If the
problem still exists, change the tag 'verification-needed-cosmic' to
'verification-failed-cosmic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-cosmic

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed



[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2018-11-14 Thread Thadeu Lima de Souza Cascardo
** Changed in: linux (Ubuntu Cosmic)
   Status: New => Fix Committed

** Changed in: linux (Ubuntu Disco)
   Status: Triaged => Fix Committed

** Changed in: linux (Ubuntu Bionic)
   Status: New => Fix Committed

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed



[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2018-11-13 Thread Khaled El Mously
** Changed in: linux (Ubuntu Xenial)
   Status: New => Fix Committed

Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  New
Status in linux source package in Cosmic:
  New
Status in linux source package in Disco:
  Triaged



[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2018-11-13 Thread Thadeu Lima de Souza Cascardo
** Also affects: linux (Ubuntu Disco)
   Importance: High
   Status: Triaged

** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Cosmic)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Trusty)
   Status: New => Fix Committed

Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  New
Status in linux source package in Bionic:
  New
Status in linux source package in Cosmic:
  New
Status in linux source package in Disco:
  Triaged



[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2018-11-13 Thread Ubuntu Foundations Team Bug Bot
** Tags added: patch

Status in linux package in Ubuntu:
  Triaged



[Kernel-packages] [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

2018-11-12 Thread Tyler Hicks
** Information type changed from Private Security to Public Security

Status in linux package in Ubuntu:
  Triaged
