It's possible to bypass the Chromium LSM's restriction of mounting filesystems with suid,exec,dev in an unprivileged namespace
Issue description

It is possible to bypass the mechanisms put in place to prevent https://bugs.chromium.org/p/chromium/issues/detail?id=810235 by mounting the original filesystem with the correct flags and then remounting it:

chronos@localhost ~ $ /sbin/minijail0 -i -I -U -m'0 1000 1' -- /bin/bash -c 'mount -t tmpfs -o nosuid,nodev,noexec tmpfs /var/empty; mount -o bind,remount,exec /var/empty; sleep 999999' &
Jul 13
status update: The Android PFQ has rolled all branches. I'll land the kernel changes tomorrow.
Jul 13
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/0dd3baab51715bcf887dc078af2b9c7030d4117e

commit 0dd3baab51715bcf887dc078af2b9c7030d4117e
Author: Luis Hector Chavez <lhchavez@google.com>
Date: Fri Jul 13 18:50:51 2018

CHROMIUM: LSM: Deny removing flags while bind-remounting filesystems

This change tightens the restrictions when calling mount(2) with MS_BIND|MS_REMOUNT. This now requires that the provided flags are a superset of the mount flags MS_NOEXEC|MS_NOSUID|MS_NODEV.

BUG=chromium:862610
TEST=Android can still boot

Signed-off-by: Luis Héctor Chávez <lhchavez@chromium.org>
Change-Id: I5ae45374136fa7ae515a6987dc362cd87bff1ca7
Reviewed-on: https://chromium-review.googlesource.com/1135473
Commit-Ready: Luis Hector Chavez <lhchavez@chromium.org>
Tested-by: Luis Hector Chavez <lhchavez@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/0dd3baab51715bcf887dc078af2b9c7030d4117e/security/chromiumos/lsm.c
Jul 13
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cab6512aeaf718879c4016f73a500919599ba12a

commit cab6512aeaf718879c4016f73a500919599ba12a
Author: Luis Hector Chavez <lhchavez@google.com>
Date: Fri Jul 13 18:50:42 2018

CHROMIUM: LSM: Deny removing flags while bind-remounting filesystems

This change tightens the restrictions when calling mount(2) with MS_BIND|MS_REMOUNT. This now requires that the provided flags are a superset of the mount flags MS_NOEXEC|MS_NOSUID|MS_NODEV.

BUG=chromium:862610
TEST=Android can still boot

Signed-off-by: Luis Héctor Chávez <lhchavez@chromium.org>
Change-Id: I5ae45374136fa7ae515a6987dc362cd87bff1ca7
Reviewed-on: https://chromium-review.googlesource.com/1132688
Commit-Ready: Luis Hector Chavez <lhchavez@chromium.org>
Tested-by: Luis Hector Chavez <lhchavez@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/cab6512aeaf718879c4016f73a500919599ba12a/security/chromiumos/lsm.c
Jul 13
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2534e2ac765eebbb5ea46c2590d3c4ad6dc825d3

commit 2534e2ac765eebbb5ea46c2590d3c4ad6dc825d3
Author: Luis Hector Chavez <lhchavez@google.com>
Date: Fri Jul 13 18:50:38 2018

CHROMIUM: LSM: Deny removing flags while bind-remounting filesystems

This change tightens the restrictions when calling mount(2) with MS_BIND|MS_REMOUNT. This now requires that the provided flags are a superset of the mount flags MS_NOEXEC|MS_NOSUID|MS_NODEV.

BUG=chromium:862610
TEST=Android can still boot

Signed-off-by: Luis Héctor Chávez <lhchavez@chromium.org>
Change-Id: I5ae45374136fa7ae515a6987dc362cd87bff1ca7
Reviewed-on: https://chromium-review.googlesource.com/1136213
Commit-Ready: Luis Hector Chavez <lhchavez@chromium.org>
Tested-by: Luis Hector Chavez <lhchavez@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/2534e2ac765eebbb5ea46c2590d3c4ad6dc825d3/security/chromiumos/lsm.c
Jul 13
Only the 3.14 change is missing, but it's on the CQ.
Jul 14
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/2fada19786cf3599a628277eb00c2fa0563ae040

commit 2fada19786cf3599a628277eb00c2fa0563ae040
Author: Luis Hector Chavez <lhchavez@google.com>
Date: Sat Jul 14 00:29:14 2018

CHROMIUM: LSM: Deny removing flags while bind-remounting filesystems

This change tightens the restrictions when calling mount(2) with MS_BIND|MS_REMOUNT. This now requires that the provided flags are a superset of the mount flags MS_NOEXEC|MS_NOSUID|MS_NODEV.

BUG=chromium:862610
TEST=Android can still boot

Signed-off-by: Luis Héctor Chávez <lhchavez@chromium.org>
Change-Id: I5ae45374136fa7ae515a6987dc362cd87bff1ca7
Reviewed-on: https://chromium-review.googlesource.com/1135474
Commit-Ready: Luis Hector Chavez <lhchavez@chromium.org>
Tested-by: Luis Hector Chavez <lhchavez@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/2fada19786cf3599a628277eb00c2fa0563ae040/security/chromiumos/lsm.c
Oct 20
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by lhchavez@chromium.org, Jul 11