user controllable usermodehelper in br_stp_if.c

From: Richard Weinberger
Date: Sun Nov 29 2015 - 17:44:02 EST

Next message: Peter Crosthwaite: "Re: Adding VIRTIO to the multi_v7_defconfig"
Previous message: Arnd Bergmann: "Re: Adding VIRTIO to the multi_v7_defconfig"
Next in thread: Kees Cook: "Re: user controllable usermodehelper in br_stp_if.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!

By spawning new network and user namesapces an unprivileged user
is able to execute /sbin/bridge-stp within the initial mount namespace
with global root rights.
While this cannot directly be used to break out of a container or gain
global root rights it could be used by exploit writers as valuable building block.

e.g.
$ unshare -U -r -n /bin/sh
$ brctl addbr br0
$ brctl stp br0 on # this will execute /sbin/bridge-stp

As this mechanism clearly cannot work with containers and seems to be legacy code
I suggest not calling call_usermodehelper() at all if we're not in the initial user namespace.
What do you think?

Thanks,
//richard
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Peter Crosthwaite: "Re: Adding VIRTIO to the multi_v7_defconfig"
Previous message: Arnd Bergmann: "Re: Adding VIRTIO to the multi_v7_defconfig"
Next in thread: Kees Cook: "Re: user controllable usermodehelper in br_stp_if.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]