From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Timothy Baldwin, "Eric W. Biederman"
Subject: [PATCH 4.19 149/205] mount: Prevent MNT_DETACH from disconnecting locked mounts
Date: Mon, 19 Nov 2018 17:27:36 +0100
Message-Id: <20181119162638.527699019@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181119162616.586062722@linuxfoundation.org>
References: <20181119162616.586062722@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Eric W. Biederman

commit 9c8e0a1b683525464a2abe9fb4b54404a50ed2b4 upstream.

Timothy Baldwin wrote:
> As per mount_namespaces(7) unprivileged users should not be able to look under mount points:
>
>   Mounts that come as a single unit from more privileged mount are locked
>   together and may not be separated in a less privileged mount namespace.
>
> However they can:
>
> 1. Create a mount namespace.
> 2. In the mount namespace open a file descriptor to the parent of a mount point.
> 3. Destroy the mount namespace.
> 4. Use the file descriptor to look under the mount point.
>
> I have reproduced this with Linux 4.16.18 and Linux 4.18-rc8.
>
> The setup:
>
> $ sudo sysctl kernel.unprivileged_userns_clone=1
> kernel.unprivileged_userns_clone = 1
> $ mkdir -p A/B/Secret
> $ sudo mount -t tmpfs hide A/B
>
>
> "Secret" is indeed hidden as expected:
>
> $ ls -lR A
> A:
> total 0
> drwxrwxrwt 2 root root 40 Feb 12 21:08 B
>
> A/B:
> total 0
>
>
> The attack revealing "Secret":
>
> $ unshare -Umr sh -c "exec unshare -m ls -lR /proc/self/fd/4/ 4<A"
> /proc/self/fd/4/:
> total 0
> drwxr-xr-x 3 root root 60 Feb 12 21:08 B
>
> /proc/self/fd/4/B:
> total 0
> drwxr-xr-x 2 root root 40 Feb 12 21:08 Secret
>
> /proc/self/fd/4/B/Secret:
> total 0

I tracked this down to put_mnt_ns running passing UMOUNT_SYNC and
disconnecting all of the mounts in a mount namespace.

Fix this by factoring drop_mounts out of drop_collected_mounts and
passing 0 instead of UMOUNT_SYNC.

There are two possible behavior differences that result from this.
- No longer setting UMOUNT_SYNC will no longer set MNT_SYNC_UMOUNT on
  the vfsmounts being unmounted.  This affects the lazy rcu walk by
  kicking the walk out of rcu mode and forcing it to be a non-lazy walk.
- No longer disconnecting locked mounts will keep some mounts around
  longer as they stay because they are locked to other mounts.

There are only two users of drop_collected_mounts: audit_tree.c and
put_mnt_ns.
In audit_tree.c the mounts are private and there are no rcu lazy walks,
only calls to iterate_mounts.  So the changes should have no effect
except for a small timing effect as the connected mounts are disconnected.

In put_mnt_ns there may be references from processes outside the mount
namespace to the mounts.  So the mounts remaining connected will be
the bug fix that is needed.  That rcu walks are allowed to continue
appears not to be a problem, especially as the rcu walk change was about
an implementation detail, not about semantics.

Cc: stable@vger.kernel.org
Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
Reported-by: Timothy Baldwin
Tested-by: Timothy Baldwin
Signed-off-by: "Eric W. Biederman"
Signed-off-by: Greg Kroah-Hartman
---
 fs/namespace.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1794,7 +1794,7 @@ void drop_collected_mounts(struct vfsmou { namespace_lock(); lock_mount_hash(); - umount_tree(real_mount(mnt), UMOUNT_SYNC); + umount_tree(real_mount(mnt), 0); unlock_mount_hash(); namespace_unlock(); }
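Review bot: the hunk changes the umount_tree() flag inside drop_collected_mounts() itself, while the changelog says the fix factors drop_mounts out of drop_collected_mounts and passes 0 there; as applied, the flag change reaches both callers the changelog names (audit_tree.c and put_mnt_ns), so the "factoring drop_mounts out" sentence no longer matches the diff and should be reworded to describe what the hunk actually does. A one-line comment above `umount_tree(real_mount(mnt), 0);` stating that UMOUNT_SYNC is deliberately not passed so that locked mounts stay connected to their parents (the MNT_DETACH disconnection this patch prevents) would also keep the reasoning next to the bare `0`, where a later reader will otherwise have to dig it out of git history.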