New issue
Advanced search Search tips

Issue 872055 link

Starred by 0 users
Status: Started
Owner:
vapier@chromium.org
Cc:
vapier@chromium.org
jorgelo@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug



Sign in to add a comment

security autotests: reject bind mounts of /run or /var

Project Member Reported by vapier@google.com, Aug 7 
we've been moving daemons to dropping access to the full mount namespace (which is great), but people have adapted by bind mounting all of /run or /var which strongly defeats the point.

we should update the autotest to reject these explicitly and link to docs explaining the right methods.

any other mounts we should blacklist?

Comment 1 by lhchavez@chromium.org, Aug 8 

+1!

Maybe /tmp? I kinda remember there was one daemon that was communicating through that.

Maybe also /dev, but that one is significantly more complicated.

Comment 2 by vapier@google.com, Aug 8 

/tmp is good to blacklist and require exceptions to be declared if not fixed

/dev is much harder because there are some nodes not in subdirs that can't be changed. but we can investigate at least.

Comment 3 by vapier@chromium.org, Aug 8 

i'm not sure if it's documented anywhere, but it looks like the dev_t for tmpfs mounts is a unique id.  which means it's a very easy way to see if any two tmpfs mounts are in reality the same mount.  i bring this up because it's info already available in the 'mountinfo' file.  inode # might also work, but that runs into the risk of collisions.

in the kernel:
mm/shmem.c:shmem_mount():
  mount_nodev is used to do the mount with a callback to shmem_fill_super
fs/super.c:mount_nodev():
  set_anon_super is used to initialize the superblock before calling the callback
fs/super.c:set_anon_super():
  simply a call to get_anon_bdev
fs/super.c:get_anon_bdev():
  dev_t is filled using the ida API (unique id numbers) from the unnamed_dev_ida set of ids
mm/shmem.c:shmem_fill_super():
  the s_dev field is left alone

a quick test shows this behavior too:
  # cd /tmp
  # mkdir x
  # mount -t tmpfs x x; stat -c %D x
  29
  # mount -t tmpfs x x; stat -c %D x
  3d
  # mount -t tmpfs x x; stat -c %D x
  58
  # mount -t tmpfs x x; stat -c %D x
  59
  # mount -t tmpfs x x; stat -c %D x
  5a
  # mount -t tmpfs x x; stat -c %D x
  5b
  # umount x
  # mount -t tmpfs x x; stat -c %D x
  5b
  # while umount x; do :; done
  # mount -t tmpfs x x; stat -c %D x
  29

so we should be able to easily determine whether /run and /tmp are pointing at the same tmpfs as the original mount namespace.

for /var, i think the test would simply be, if /var is mounted, and it isn't a tmpfs mount, then abort.  i can't think of any other valid setting for /var.

all of these checks would only be enforced when mntns is Yes ?

Comment 4 by vapier@chromium.org, Aug 9

Owner: vapier@chromium.org
Status: Started (was: Available)
i've got a poc locally i'm trying out

Comment 5 by vapier@chromium.org, Aug 10 

i've got this which covers tmpfs mounts, but doesn't handle /var which isn't tmpfs but ext4.  so i'll need to think a little bit more about how to reliably detect & reject.
  https://chromium-review.googlesource.com/1170247

Comment 6 by lhchavez@chromium.org, Jan 7

Cc: -lhchavez@chromium.org

Sign in to add a comment