Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2996071imu;
        Mon, 19 Nov 2018 09:08:05 -0800 (PST)
X-Google-Smtp-Source: AJdET5flsdNRL2FY4O3LRh6JptVmThnZFbvzTkm1JuSzbGdJsodsEYk2cECipBj+7AEUXOZnp1s5
X-Received: by 2002:a62:19d5:: with SMTP id 204mr1773401pfz.33.1542647285598;
        Mon, 19 Nov 2018 09:08:05 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1542647285; cv=none;
        d=google.com; s=arc-20160816;
        b=QdeV+xW7uTACanvqbszHTx54av7J3xeRsBB+qcKDePIdFQV3LFPhHVExkOF279+YPp
         DXzgLwh5rAr3jqad0q3XXGdVitNO4TzwZZoFhTYP3NR8MpUwzElr2YVxQw0EGQEd+n5v
         LWJSk4KaAuPPRbgapm9rmP67vpZ2UvEpGgejwRnFAqTHtc2lSOvr0PGo5CaBAAZhU7Sz
         1CAK6kbjtrByK149k2SsM1ta7MHh9EQFsSvn6Cnlcnyp9hzLW8/k2ICtMfKjOg82dJ1F
         B6u/H0GxtZtt/1qNIX2Nt/OESTI+EYKVsauxM6wQ5eUHTjWsGvayHuRmx5MKTHituKSi
         5ZJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=oFWO3tJ8GCuOs+xZleImJJw+FTN3JvPUX/4tend9td4=;
        b=eHaEyq8ZpOxCBorBbWxW+Tl+nqX6WiqDt1ppy1YCK5PYKI91MDe+DCz5SR+cqRIqrp
         WLZmk+GrW1oLUzvxV6100PLpOxpoU5WqGjULKf01zcF5NKGM8fH+QsZ/TX04REOklq3i
         jDzRZ+Q3GWgaGFwuaa94GfxuaxfdlsjaMPvVII0qDE8Idit3hsQMYK2BhiDniwuxN5xl
         92P9RmTmysRw0Pww/GiIKf//l9km1NjZknlXCqhgNWmeXBYJ5iBsp/WFxELj79CPMSgN
         e4MtmPNtaN7z9CDJxMafNH7UoPu7fQEbOxQXerbZ9uhq44H78xv+eCtgdMeAeqQzQuvx
         cZPg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=iNS0odfJ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h4-v6si3424068plt.315.2018.11.19.09.07.49;
        Mon, 19 Nov 2018 09:08:05 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=iNS0odfJ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2407181AbeKTDax (ORCPT <rfc822;kkoh.linux@gmail.com>
        + 99 others); Mon, 19 Nov 2018 22:30:53 -0500
Received: from mail.kernel.org ([198.145.29.99]:46052 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2405988AbeKTDav (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 19 Nov 2018 22:30:51 -0500
Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 4084F2148E;
        Mon, 19 Nov 2018 17:06:33 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1542647193;
        bh=dHOiFI6cfM9pZN/j8cPp1eUElRhV12LNPjdgkkqYJ9o=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=iNS0odfJf4NSUeD50B3j9htApZnwVfccdgcuDFYFxDyZ3Bhpoa9fy8hRIZcq6OAbo
         qgjuOxFyCA1CXIxCv/SWwFbbKVBnpevYoxXVkYTmsyNQnYlrMpTAK7tPcriJWGTuV1
         S+t1N7/muftCCda1H9XYg9qj8JcRNPq14530JDRc=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Timothy Baldwin <timbaldwin@fastmail.co.uk>,
        "Eric W. Biederman" <ebiederm@xmission.com>
Subject: [PATCH 3.18 86/90] mount: Prevent MNT_DETACH from disconnecting locked mounts
Date:   Mon, 19 Nov 2018 17:30:08 +0100
Message-Id: <20181119162633.599031421@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181119162620.585061184@linuxfoundation.org>
References: <20181119162620.585061184@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman <ebiederm@xmission.com>

commit 9c8e0a1b683525464a2abe9fb4b54404a50ed2b4 upstream.

Timothy Baldwin <timbaldwin@fastmail.co.uk> wrote:
> As per mount_namespaces(7) unprivileged users should not be able to look under mount points:
>
>   Mounts that come as a single unit from more privileged mount are locked
>   together and may not be separated in a less privileged mount namespace.
>
> However they can:
>
> 1. Create a mount namespace.
> 2. In the mount namespace open a file descriptor to the parent of a mount point.
> 3. Destroy the mount namespace.
> 4. Use the file descriptor to look under the mount point.
>
> I have reproduced this with Linux 4.16.18 and Linux 4.18-rc8.
>
> The setup:
>
> $ sudo sysctl kernel.unprivileged_userns_clone=1
> kernel.unprivileged_userns_clone = 1
> $ mkdir -p A/B/Secret
> $ sudo mount -t tmpfs hide A/B
>
>
> "Secret" is indeed hidden as expected:
>
> $ ls -lR A
> A:
> total 0
> drwxrwxrwt 2 root root 40 Feb 12 21:08 B
>
> A/B:
> total 0
>
>
> The attack revealing "Secret":
>
> $ unshare -Umr sh -c "exec unshare -m ls -lR /proc/self/fd/4/ 4<A"
> /proc/self/fd/4/:
> total 0
> drwxr-xr-x 3 root root 60 Feb 12 21:08 B
>
> /proc/self/fd/4/B:
> total 0
> drwxr-xr-x 2 root root 40 Feb 12 21:08 Secret
>
> /proc/self/fd/4/B/Secret:
> total 0

I tracked this down to put_mnt_ns running passing UMOUNT_SYNC and
disconnecting all of the mounts in a mount namespace.  Fix this by
factoring drop_mounts out of drop_collected_mounts and passing
0 instead of UMOUNT_SYNC.

There are two possible behavior differences that result from this.
- No longer setting UMOUNT_SYNC will no longer set MNT_SYNC_UMOUNT on
  the vfsmounts being unmounted.  This effects the lazy rcu walk by
  kicking the walk out of rcu mode and forcing it to be a non-lazy
  walk.
- No longer disconnecting locked mounts will keep some mounts around
  longer as they stay because the are locked to other mounts.

There are only two users of drop_collected mounts: audit_tree.c and
put_mnt_ns.

In audit_tree.c the mounts are private and there are no rcu lazy walks
only calls to iterate_mounts. So the changes should have no effect
except for a small timing effect as the connected mounts are disconnected.

In put_mnt_ns there may be references from process outside the mount
namespace to the mounts.  So the mounts remaining connected will
be the bug fix that is needed.  That rcu walks are allowed to continue
appears not to be a problem especially as the rcu walk change was about
an implementation detail not about semantics.

Cc: stable@vger.kernel.org
Fixes: 5ff9d8a65ce8 ("vfs: Lock in place mounts from more privileged users")
Reported-by: Timothy Baldwin <timbaldwin@fastmail.co.uk>
Tested-by: Timothy Baldwin <timbaldwin@fastmail.co.uk>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/namespace.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1728,7 +1728,7 @@ void drop_collected_mounts(struct vfsmou
 {
 	namespace_lock();
 	lock_mount_hash();
-	umount_tree(real_mount(mnt), UMOUNT_SYNC);
+	umount_tree(real_mount(mnt), 0);
 	unlock_mount_hash();
 	namespace_unlock();
 }