Re: [PATCH] ksys_mount: check for permissions before resource allocation

[Ilya Matveychikov]

> On Jun 5, 2018, at 11:56 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> 
> Ilya Matveychikov <matvejchikov@xxxxxxxxx> writes:
> 
>> Just CCâed to some of maintainers.
>> 
>> $ perl scripts/get_maintainer.pl fs/0001-ksys_mount-check-for-permissions-before-resource-all.patch
>> Alexander Viro <viro@xxxxxxxxxxxxxxxxxx> (maintainer:FILESYSTEMS (VFS and infrastructure))
>> linux-fsdevel@xxxxxxxxxxxxxxx (open list:FILESYSTEMS (VFS and infrastructure))
>> linux-kernel@xxxxxxxxxxxxxxx (open list)
>> 
>>> On Jun 5, 2018, at 6:00 AM, Ilya Matveychikov <matvejchikov@xxxxxxxxx> wrote:
>>> 
>>> Early check for mount permissions prevents possible allocation of 3
>>> pages from kmalloc() pool by unpriveledged user which can be used for
>>> spraying the kernel heap.
> 
> *Snort*
> 
> You clearly have not read may_mount.  Your modified code still
> let's unprivileged users in.  So even if all of Al's good objections
> were not applicable this change would still be buggy and wrong.
> 
> Nacked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>


Donât get me wrong but may_mount() is:

static inline bool may_mount(void)
{
        return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN);
}

What do you mean by "You clearly have not read may_mountâ? The only thing that
can affect may_mount result (as mentioned earlier) is that taskâs NS capability
might be changed by security_sb_mount() hook.

So, do you think that isâs possible to NOT have CAP_SYS_ADMIN while entering to
ksys_mount() but getting it with the security_sb_mount() hook?

This is the only case I see that using may_mount() before security_sb_mount()
is wrong. This was the point?