Re: [RFC] FUSE permission modell (Was: fuse review bits)

[Mike Waychison]

Eric Van Hensbergen wrote:
> Somewhat related question for Viro/the group:
> 
> Why is CLONE_NEWNS considered a priveledged operation?  Would placing
> limits on the number of private namespaces a user can own solve any
> resource concerns or is there something more nefarious I'm missing?
> -
> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Likely because its a chroot vulnerability.

It allows a process to obtain a reference to the root vfsmount that
doesn't have chroot checks performed on it.

Consider the following pseudo example:

main():
chdir("/");
fd = open(".", O_RDONLY);
clone(cloned_func, cloned_stack, CLONE_NEWNS, NULL);

cloned_func:
fchdir(fd);
chdir("..");

if main is run within a chroot where it's "/" is on the same vfsmount as
 it's "..", then the application can step out of the chroot using clone(2).

Note: using chdir in a vfsmount outside of your namespace works, however
you won't be able to walk off that vfsmount (to its parent or children).

Mike Waychison
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/