Re: selftests/capabilities: test FAIL on linux mainline and linux-next and PASS on linux-4.4.70+

From: Eric W. Biederman
Date: Thu Jun 29 2017 - 10:10:23 EST


Andy Lutomirski <luto@xxxxxxxxxx> writes:

> On Tue, Jun 27, 2017 at 9:35 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>> On Tue, Jun 27, 2017 at 4:16 PM, Shuah Khan <shuahkh@xxxxxxxxxxxxxxx> wrote:
>>> On 06/27/2017 09:16 AM, Greg KH wrote:
>>>> On Tue, Jun 27, 2017 at 05:13:59PM +0200, Greg KH wrote:
>>>>> On Tue, Jun 27, 2017 at 02:10:32PM +0530, Naresh Kamboju wrote:
>>>>>> selftest capabilities test failed on linux mainline and linux-next and
>>>>>> PASS on linux-4.4.70+
>>>>>
>>>>> Odd. Any chance you can use 'git bisect' to track down the offending
>>>>> commit?
>>>>>
>>>>> Does this also fail on x86 or any other platform you have available?
>>>>> Let me go try this on my laptop...
>>>>
>>>> Ok, Linus's current tree (4.12.0-rc7+) also fails on this. I'm guessing
>>>> it's failing, it's hard to understand the output. If only we had TAP
>>>> output for this test :)
>>>
>>> As far as the output, it isn't bad. Not TAP13 will help make it better.
>>> The problem seems to with the individual messages error/info. messages
>>> themselves. This test has the quality of a developer unit test and the
>>> messages could be improved for non-developer use.
>>>
>>> I ran the test on 4.11.8-rc1+ and 4.9.35-rc1 see the same failure.
>>> It would be difficult to bisect this since it spans multiple releases.
>>> I am hoping Andy can give us some insight.
>>
>> I bisected this to:
>>
>> commit 380cf5ba6b0a0b307f4afb62b186ca801defb203
>> Author: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
>> Date: Thu Jun 23 16:41:05 2016 -0500
>>
>> fs: Treat foreign mounts as nosuid
>>
>> I assume the test needs updating, but I bet Andy knows for sure. I can
>> look into this more closely in the morning.
>
> Hi Eric-
>
> This is rather odd. The selftest
> (tools/testing/selftests/capabilities/test_execve), run as root, fails
> on current kernels. The failure is worked around by this:
>
> diff --git a/tools/testing/selftests/capabilities/test_execve.c
> b/tools/testing/selftests/capabilities/test_execve.c
> index 10a21a958aaf..6db60889b211 100644
> --- a/tools/testing/selftests/capabilities/test_execve.c
> +++ b/tools/testing/selftests/capabilities/test_execve.c
> @@ -139,8 +139,8 @@ static void chdir_to_tmpfs(void)
> if (chdir(cwd) != 0)
> err(1, "chdir to private tmpfs");
>
> - if (umount2(".", MNT_DETACH) != 0)
> - err(1, "detach private tmpfs");
> +// if (umount2(".", MNT_DETACH) != 0)
> +// err(1, "detach private tmpfs");
> }
>
> static void copy_fromat_to(int fromfd, const char *fromname, const
> char *toname)
>
> I think this is due to the line:
>
> p->mnt_ns = NULL;
>
> in umount_tree(). The test is putting us into a situation in which
> our cwd has ->mnt_ns = NULL, which is making it act as if it's nosuid.
> I can imagine this breaking some weird user code (like my test!). Is
> it a real problem, though?

That umount2(".", MNT_DETACH) creates a poor mans mount namespace in a
mount namespace.

I don't see why you would ever want to do that deliberately we have
mount namespaces.

Beyond that that is a very weird half cleaned up state. We very
deliberately limit what you can do in that state. It exists until all
of the references to the mounts are cleaned up.

I think it is very reasonable that we don't allow exec'ing a new
executable on an unmounted filesystem. That could lead to all kinds of
non-sense. I am not clever enough but I can imagine there might be an
attack on a suid executable in there somewhere. Certainly we are
violating ordinary expectations of the starting condition of an
executable. (AKA not living anywhere reachable with a path).

So even if this breaks userspace we have legitimate security reasons for
doing so in this case.

Eric