Re: [PATCH] ksys_mount: check for permissions before resource allocation

From: Ilya Matveychikov
Date: Wed Jun 06 2018 - 05:32:22 EST

> On Jun 5, 2018, at 11:56 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
> Ilya Matveychikov <matvejchikov@xxxxxxxxx> writes:
>> Just CCâed to some of maintainers.
>> $ perl scripts/ fs/0001-ksys_mount-check-for-permissions-before-resource-all.patch
>> Alexander Viro <viro@xxxxxxxxxxxxxxxxxx> (maintainer:FILESYSTEMS (VFS and infrastructure))
>> linux-fsdevel@xxxxxxxxxxxxxxx (open list:FILESYSTEMS (VFS and infrastructure))
>> linux-kernel@xxxxxxxxxxxxxxx (open list)
>>> On Jun 5, 2018, at 6:00 AM, Ilya Matveychikov <matvejchikov@xxxxxxxxx> wrote:
>>> Early check for mount permissions prevents possible allocation of 3
>>> pages from kmalloc() pool by unpriveledged user which can be used for
>>> spraying the kernel heap.
> *Snort*
> You clearly have not read may_mount. Your modified code still
> let's unprivileged users in. So even if all of Al's good objections
> were not applicable this change would still be buggy and wrong.
> Nacked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>

Donât get me wrong but may_mount() is:

static inline bool may_mount(void)
return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN);

What do you mean by "You clearly have not read may_mountâ? The only thing that
can affect may_mount result (as mentioned earlier) is that taskâs NS capability
might be changed by security_sb_mount() hook.

So, do you think that isâs possible to NOT have CAP_SYS_ADMIN while entering to
ksys_mount() but getting it with the security_sb_mount() hook?

This is the only case I see that using may_mount() before security_sb_mount()
is wrong. This was the point?