From patchwork Sat Jan 2 07:52:13 2016
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 7940501
From: Jann Horn
To: Alexander Viro, linux-fsdevel@vger.kernel.org
Subject: [PATCH] fs: allow unprivileged chroot()
Date: Sat, 2 Jan 2016 08:52:13 +0100
Message-Id: <1451721133-11722-1-git-send-email-jann@thejh.net>
X-Mailer: git-send-email 2.1.4

Allow unprivileged processes to chroot() themselves, under the following
conditions:

- The caller must have set NO_NEW_PRIVS to prevent him from invoking
  setuid/setgid/setcap executables in the chroot that could be tricked into
  opening files from the chroot.
- The fs_struct must not be shared to prevent the caller from chrooting
  another process that does not have NO_NEW_PRIVS active.
- chroot() is sometimes (mis-)used for sandboxing purposes. To prevent a
  simple chroot breakout using e.g. the double-chroot trick (chdir("/"),
  chroot("/foo"), chroot("../../../../../../../../")), require the process
  to be un-chrooted before performing chroot().

Signed-off-by: Jann Horn
---
 fs/open.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/open.c b/fs/open.c
index b6f1e96..a07026b 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -481,7 +481,9 @@ retry:
 		goto dput_and_out;
 
 	error = -EPERM;
-	if (!ns_capable(current_user_ns(), CAP_SYS_CHROOT))
+	if ((current->fs->users != 1 || !task_no_new_privs(current)
+	     || current_chrooted())
+	    && !ns_capable(current_user_ns(), CAP_SYS_CHROOT))
 		goto dput_and_out;
 	error = security_path_chroot(&path);
 	if (error)
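Review bot: the new condition reads current->fs->users without taking current->fs->lock and folds three separate policy conditions into one expression with no comment explaining them. The unlocked read is only safe because a task can join an existing fs_struct solely by being cloned with CLONE_FS from a task that already shares it, so when current observes users == 1 nobody else can raise the count while current sits in the syscall; put that reasoning in a comment above the if, along with the three conditions it encodes (NO_NEW_PRIVS set, fs_struct unshared, not already chrooted). Because of the short-circuit &&, ns_capable() is now consulted only after the unprivileged conditions have failed, which the commit message should state explicitly, and the new EPERM cases for callers without CAP_SYS_CHROOT belong in the chroot(2) documentation.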
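The userspace side of the policy proposed above, as an added example that is not part of Jann Horn's patch or the kernel tree. chroot_policy() is a plain C model of the patched condition in sys_chroot() (its four parameters stand in for current->fs->users, task_no_new_privs(current), current_chrooted() and ns_capable(..., CAP_SYS_CHROOT)), so the decision table can be checked offline; enter_chroot() is the runtime sequence a self-sandboxing process would follow (set NO_NEW_PRIVS, then chroot into a directory and reset the working directory so no handle outside the new root survives). Both function names are assumptions for this example. enter_chroot() only succeeds on a kernel carrying this patch or when the caller holds CAP_SYS_CHROOT; on a mainline kernel an unprivileged caller gets -EPERM.

```c
/* Added example: userspace mirror of the proposed unprivileged chroot() policy
 * and the corresponding self-sandboxing sequence. Not kernel code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>

#ifdef __linux__
#include <sys/prctl.h>
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38   /* value from include/uapi/linux/prctl.h */
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Model of the patched check: the caller may chroot() when it holds
 * CAP_SYS_CHROOT, or when all three unprivileged conditions hold:
 * its fs_struct is unshared (fs_users == 1), NO_NEW_PRIVS is set, and it is
 * not already chrooted. Returns true when chroot() would proceed. */
bool chroot_policy(int fs_users, bool nnp, bool chrooted, bool has_cap)
{
    bool unpriv_ok = (fs_users == 1) && nnp && !chrooted;
    return unpriv_ok || has_cap;
}

/* Set NO_NEW_PRIVS for the calling task. Returns 0 or -errno
 * (-ENOSYS where prctl() is unavailable). */
int set_no_new_privs(void)
{
#ifdef __linux__
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    return 0;
#else
    return -ENOSYS;
#endif
}

/* Self-sandboxing sequence (hypothetical helper): NO_NEW_PRIVS first so the
 * kernel's first condition is met before chroot() is attempted, then chdir()
 * into the new root, chroot(".") and chdir("/") so the cwd is inside the new
 * root. Returns 0 on success or -errno on the first failing step. */
int enter_chroot(const char *dir)
{
    int rc = set_no_new_privs();
    if (rc != 0)
        return rc;
    if (chdir(dir) != 0)
        return -errno;
    if (chroot(".") != 0)
        return -errno;   /* -EPERM without the patch and without CAP_SYS_CHROOT */
    if (chdir("/") != 0)
        return -errno;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <new-root-dir>\n", argv[0]);
        return 2;
    }
    int rc = enter_chroot(argv[1]);
    if (rc != 0) {
        fprintf(stderr, "enter_chroot(%s) failed: %d\n", argv[1], rc);
        return 1;
    }
    printf("now running with root %s\n", argv[1]);
    return 0;
}
```

The order inside enter_chroot() matters for the policy in the patch: NO_NEW_PRIVS must already be set when chroot() runs, and the final chdir("/") is what closes the well-known hole of keeping a working directory outside the new root.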