All we need for mount is the process with UID=0 (and usual fandango on the
core, indeed). In theory, chroot jails should be unbreakable even if the
process inside got root. Notice that we didn't assume any devices
available inside the jail. BTW, there's nothing special about procfs - any
will go.
Origin: fs/namei.c::reserved_lookup

static struct dentry * reserved_lookup(struct dentry * parent,
                                       struct qstr * name)
{
        struct dentry *result = NULL;

        if (name->name[0] == '.') {
                switch (name->len) {
                default:
                        break;
                case 2:
                        if (name->name[1] != '.')
                                break;
                        if (parent != current->fs->root)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                parent = parent->d_covers->d_parent;
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                        /* fallthrough */
                case 1:
                        result = parent;
                }
        }
        return dget(result);
}
The problem being: check for crossing the current->fs->root doesn't
cover the following situation:
current->fs->root == parent->d_covers != parent
It is possible if something was mounted over the root of chroot jail.
Notice that root of chroot jail may be _not_ a root of filesystem, so
normal checks in sys_mount can't prevent that situation.
Proposed fix:
- if (parent != current->fs->root)
+ if (parent->d_covers != current->fs->root->d_covers)
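Review bot: the new condition carries none of the reasoning from this mail into fs/namei.c; add a comment above the `if` saying that current->fs->root may itself be a mount point (something mounted over the root of a chroot jail), so a caller can reach this line with parent being the mounted root while parent->d_covers == current->fs->root, and that ->d_covers is idempotent, which is why taking it on both sides of the comparison is safe. As written the change does handle that case: the unchanged line `parent = parent->d_covers->d_parent;` is now skipped when both sides resolve to the same covered dentry, so the `..` lookup stays at the jail root instead of climbing into the parent filesystem, whereas the old direct comparison against current->fs->root only held when the jail root was not covered by a mount.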
(->d_covers is idempotent, so this will cover all cases).
Al
--
"You're one of those condescending Unix computer users!"
"Here's a nickel, kid. Get yourself a better computer" - Dilbert.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
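The following is an added example, not part of the mail above and not kernel code: a small user-space model of the `..` step in reserved_lookup(), using a toy struct dentry that carries only the two pointers the check reads, d_parent and d_covers. It builds the situation the mail describes (a process whose fs->root is the jail directory, after a filesystem has been mounted over that directory) and compares the original test against the proposed one. The dentry names and the tree are constructed here; the model assumes that d_covers points to the dentry itself except for the root of a mounted filesystem, where it points to the covered mount point, which is what makes it idempotent.

```c
#include <stdio.h>
#include <string.h>

/* Only the fields the ".." step touches; the real struct dentry has many more. */
struct dentry {
    const char *d_name;
    struct dentry *d_parent;   /* parent within the same filesystem */
    struct dentry *d_covers;   /* mount point this dentry covers, else itself */
};

/* Constructed tree: "/" contains "jail"; a second filesystem is mounted on /jail,
 * so its root dentry mnt_root covers jail_dir; "sub" lives inside that filesystem. */
static struct dentry root_dir, jail_dir, mnt_root, sub_dir;

static void build_tree(void)
{
    root_dir = (struct dentry){ "/",        &root_dir, &root_dir };
    jail_dir = (struct dentry){ "jail",     &root_dir, &jail_dir };
    mnt_root = (struct dentry){ "mnt_root", &mnt_root, &jail_dir }; /* root of the mounted fs */
    sub_dir  = (struct dentry){ "sub",      &mnt_root, &sub_dir  };
}

/* The check as it stands in reserved_lookup(): compare parent to fs->root directly. */
static struct dentry *dotdot_original(struct dentry *parent, struct dentry *fs_root)
{
    if (parent != fs_root)
        parent = parent->d_covers->d_parent;
    return parent;
}

/* The proposed fix: compare through ->d_covers on both sides. */
static struct dentry *dotdot_fixed(struct dentry *parent, struct dentry *fs_root)
{
    if (parent->d_covers != fs_root->d_covers)
        parent = parent->d_covers->d_parent;
    return parent;
}

/* Resolve ".." from `from` for a process chrooted to /jail (fs->root == jail_dir),
 * with either check, and return the name of the dentry it lands on. */
const char *lookup_dotdot(int use_fix, struct dentry *from)
{
    build_tree();   /* the statics keep their addresses, so `from` stays valid */
    struct dentry *r = use_fix ? dotdot_fixed(from, &jail_dir)
                               : dotdot_original(from, &jail_dir);
    return r->d_name;
}

/* The mail's parenthetical claim: ->d_covers is idempotent.
 * Returns 1 if d->d_covers->d_covers == d->d_covers holds for every dentry. */
int d_covers_idempotent(void)
{
    build_tree();
    struct dentry *all[] = { &root_dir, &jail_dir, &mnt_root, &sub_dir };
    for (int i = 0; i < 4; i++)
        if (all[i]->d_covers->d_covers != all[i]->d_covers)
            return 0;
    return 1;
}

int main(void)
{
    struct dentry *starts[] = { &jail_dir, &mnt_root, &sub_dir };
    build_tree();
    for (int i = 0; i < 3; i++)
        printf("'..' from %-8s  original check -> %-8s  fixed check -> %s\n",
               starts[i]->d_name,
               lookup_dotdot(0, starts[i]),
               lookup_dotdot(1, starts[i]));
    printf("d_covers idempotent: %s\n", d_covers_idempotent() ? "yes" : "no");
    return 0;
}
```

The row for mnt_root is the one the mail is about: with the original check, `..` from the root of the filesystem mounted over /jail climbs to "/" because mnt_root is not equal to fs->root even though it covers it; with the fix both sides resolve to jail_dir and the lookup stays put. The other rows show that the two checks agree whenever the jail root is not covered.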