Issue 809624

Issue metadata

Status: Duplicate
Merged: issue 810235
Owner:
Closed: Feb 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security
Security: User+mount namespace allows creating a R+X mount as non-root

Project Member Reported by jorgelo@chromium.org, Feb 6 2018

Issue description

"The noexec bypass uses user mount namespaces with pid mapping to mount a tmpfs directory, which does not have the noexec flag applied, and this mount is then
accessed via the /proc/${PID}/cwd directory from outside the namespace, allowing a temporary executable mount. This mount also does not have the nosuid flag
applied, but it can only be read/written by the chronos user (or root), so this is not useful without another exploit (e.g. root command execution to drop a
setuid shell)"
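
Added example, not part of the original report or of Chromium OS code: a detection-side check for the condition described above, which parses `/proc/<pid>/mountinfo` text and flags writable mounts that lack `noexec` or `nosuid`. The sample lines are constructed and the function names are hypothetical.

```python
import glob
import re

# Constructed sample in /proc/<pid>/mountinfo format (not taken from the issue).
SAMPLE_MOUNTINFO = """\
22 1 8:3 / / ro,relatime shared:1 - ext2 /dev/root ro
30 22 0:25 / /tmp rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs rw
41 22 0:40 / /home/chronos/user/x rw,relatime - tmpfs tmpfs rw,uid=1000,gid=1000
45 22 0:41 / /run rw,nosuid,nodev,relatime shared:7 - tmpfs tmpfs rw,mode=755
"""

def unescape(field):
    """mountinfo writes space, tab, newline and backslash as \\ooo octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Yield (mount_point, fstype, options) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        try:
            sep = fields.index("-", 6)  # optional fields end at the "-" separator
            yield unescape(fields[4]), fields[sep + 1], set(fields[5].split(","))
        except (ValueError, IndexError):
            continue  # truncated or malformed line

def find_weak_mounts(text, required=("noexec", "nosuid")):
    """Return writable mounts that lack any of the required flags."""
    findings = []
    for mount_point, fstype, options in parse_mountinfo(text):
        missing = [flag for flag in required if flag not in options]
        if "rw" in options and missing:
            findings.append((mount_point, fstype, missing))
    return findings

def audit_all_processes():
    """Check every process's own mount table, since a mount made inside a
    private mount namespace does not appear in /proc/self/mountinfo."""
    results = {}
    for path in glob.glob("/proc/[0-9]*/mountinfo"):
        try:
            with open(path) as fh:
                weak = find_weak_mounts(fh.read())
        except OSError:
            continue  # process exited or access denied
        if weak:
            results[path.split("/")[2]] = weak
    return results

if __name__ == "__main__":
    for finding in find_weak_mounts(SAMPLE_MOUNTINFO):
        print(finding)
```

`audit_all_processes()` needs enough privilege to read other users' `/proc/<pid>/mountinfo`; run unprivileged, it only covers processes the caller can inspect.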
 
Summary: Security: User+mount namespace allows creating a R+X mount as non-root (was: Security: User+mount namespace allows creating a R+X mount as non-root)
Project Member

Comment 2 by sheriffbot@chromium.org, Feb 8 2018

Labels: -Pri-2 Pri-1
Project Member

Comment 3 by sheriffbot@chromium.org, Feb 8 2018

Status: Assigned (was: Unconfirmed)
Mergedinto: 810235
Status: Duplicate (was: Assigned)
All the work happened on 810235.
Project Member

Comment 5 by sheriffbot@chromium.org, Jun 2 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot