[RESEND,v4,0/3] proc: Relax check of mount visibility

Message ID	cover.1613550081.git.gladkov.alexey@gmail.com (mailing list archive)
Headers	show Return-Path: <linux-fsdevel-owner@kernel.org> From: Alexey Gladkov <gladkov.alexey@gmail.com> To: LKML <linux-kernel@vger.kernel.org>, "Eric W . Biederman" <ebiederm@xmission.com>, Linux FS Devel <linux-fsdevel@vger.kernel.org> Cc: Alexey Gladkov <legion@kernel.org>, Alexander Viro <viro@zeniv.linux.org.uk>, Kees Cook <keescook@chromium.org> Subject: [RESEND PATCH v4 0/3] proc: Relax check of mount visibility Date: Wed, 17 Feb 2021 09:21:40 +0100 Message-Id: <cover.1613550081.git.gladkov.alexey@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	proc: Relax check of mount visibility \| expand [RESEND,v4,0/3] proc: Relax check of mount visibility [RESEND,v4,1/3] proc: Relax check of mount visibility [RESEND,v4,2/3] proc: Show /proc/self/net only for CAP_NET_ADMIN [RESEND,v4,3/3] proc: Disable cancellation of subset=pid option

Message ID

cover.1613550081.git.gladkov.alexey@gmail.com (mailing list archive)

Headers

From: Alexey Gladkov <gladkov.alexey@gmail.com>
To: LKML <linux-kernel@vger.kernel.org>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        Linux FS Devel <linux-fsdevel@vger.kernel.org>
Cc: Alexey Gladkov <legion@kernel.org>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Kees Cook <keescook@chromium.org>
Subject: [RESEND PATCH v4 0/3] proc: Relax check of mount visibility
Date: Wed, 17 Feb 2021 09:21:40 +0100
Message-Id: <cover.1613550081.git.gladkov.alexey@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

proc: Relax check of mount visibility | expand

Message

Alexey Gladkov Feb. 17, 2021, 8:21 a.m. UTC

If only the dynamic part of procfs is mounted (subset=pid), then there is no
need to check if procfs is fully visible to the user in the new user namespace.

Changelog
---------
v4:
* Set SB_I_DYNAMIC only if pidonly is set.
* Add an error message if subset=pid is canceled during remount.

v3:
* Add 'const' to struct cred *mounter_cred (fix kernel test robot warning).

v2:
* cache the mounters credentials and make access to the net directories
  contingent of the permissions of the mounter of procfs.

--

Alexey Gladkov (3):
  proc: Relax check of mount visibility
  proc: Show /proc/self/net only for CAP_NET_ADMIN
  proc: Disable cancellation of subset=pid option

 fs/namespace.c          | 27 ++++++++++++++++-----------
 fs/proc/proc_net.c      |  8 ++++++++
 fs/proc/root.c          | 29 ++++++++++++++++++++++-------
 include/linux/fs.h      |  1 +
 include/linux/proc_fs.h |  1 +
 5 files changed, 48 insertions(+), 18 deletions(-)

Comments

Eric W. Biederman Feb. 22, 2021, 3:44 p.m. UTC | #1

Alexey Gladkov <gladkov.alexey@gmail.com> writes:

> If only the dynamic part of procfs is mounted (subset=pid), then there is no
> need to check if procfs is fully visible to the user in the new user
> namespace.

A couple of things.

1) Allowing the mount should come in the last patch.  So we don't have a
bisect hazard.

2) We should document that we still require a mount of proc to match on
atime and readonly mount attributes.

3) If we can find a way to safely not require a previous mount of proc
this will be much more valuable.

Eric

Alexey Gladkov March 10, 2021, 6:22 p.m. UTC | #2

On Mon, Feb 22, 2021 at 09:44:40AM -0600, Eric W. Biederman wrote:
> Alexey Gladkov <gladkov.alexey@gmail.com> writes:
> 
> > If only the dynamic part of procfs is mounted (subset=pid), then there is no
> > need to check if procfs is fully visible to the user in the new user
> > namespace.
> 
> 
> A couple of things.
> 
> 1) Allowing the mount should come in the last patch.  So we don't have a
> bisect hazard.
> 
> 2) We should document that we still require a mount of proc to match on
> atime and readonly mount attributes.

Ok. I will try to do it in v5.

> 3) If we can find a way to safely not require a previous mount of proc
> this will be much more valuable.

True, but for now I have no idea how to do it. I would prefer to move in
small steps.