From patchwork Sat Oct 21 13:43:03 2017
X-Patchwork-Submitter: Nicolas Belouin
X-Patchwork-Id: 10021423
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Delivered-To: mailing list kernel-hardening@lists.openwall.com
From: Nicolas Belouin To: David Howells , "Theodore Ts'o" , Andreas Dilger , Alexander Viro , Serge Hallyn , Paul Moore , Stephen Smalley , Eric Paris , James Morris , linux-cachefs@redhat.com, linux-kernel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-api@vger.kernel.org, kernel-hardening@lists.openwall.com Cc: Nicolas Belouin Date: Sat, 21 Oct 2017 15:43:03 +0200 Message-Id: <20171021134303.20685-2-nicolas@belouin.fr> X-Mailer: git-send-email 2.14.2 In-Reply-To: <20171021134303.20685-1-nicolas@belouin.fr> References: <20171021134303.20685-1-nicolas@belouin.fr> X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 Subject: [kernel-hardening] [RFC PATCH 2/2] fs: add the possibility to use CAP_SYS_MOUNT to (u)mount a fs X-Virus-Scanned: ClamAV using ClamSMTP Fulfill the purpose of CAP_SYS_MOUNT by adding it as a sufficient capability to mount and unmount filesystems. Signed-off-by: Nicolas Belouin --- fs/cachefiles/daemon.c | 2 +- fs/ext4/ioctl.c | 2 +- fs/namespace.c | 3 ++- fs/super.c | 14 +++++++++----- 4 files changed, 13 insertions(+), 8 deletions(-) diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c index 1ee54ffd3a24..fc53bdeacc8a 100644 --- a/fs/cachefiles/daemon.c +++ b/fs/cachefiles/daemon.c @@ -91,7 +91,7 @@ static int cachefiles_daemon_open(struct inode *inode, struct file *file) _enter(""); /* only the superuser may do this */ - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_MOUNT)) return -EPERM; /* the cachefiles device may only be open once at a time */ diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c index afb66d4ab5cf..19d838e558e2 100644 --- a/fs/ext4/ioctl.c +++ b/fs/ext4/ioctl.c 
@@ -458,7 +458,7 @@ static int ext4_shutdown(struct super_block *sb, unsigned long arg) struct ext4_sb_info *sbi = EXT4_SB(sb); __u32 flags; - if (!capable(CAP_SYS_ADMIN)) + if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_MOUNT)) return -EPERM; if (get_user(flags, (__u32 __user *)arg)) diff --git a/fs/namespace.c b/fs/namespace.c index 3b601f115b6c..1eaa6a9f1631 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1661,7 +1661,8 @@ void __detach_mounts(struct dentry *dentry) */ static inline bool may_mount(void) { - return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN); + return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN) || + ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_MOUNT); } static inline bool may_mandlock(void) diff --git a/fs/super.c b/fs/super.c index 166c4ee0d0ed..1d84d8b87216 100644 --- a/fs/super.c +++ b/fs/super.c @@ -474,7 +474,7 @@ struct super_block *sget_userns(struct file_system_type *type, if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) && !(type->fs_flags & FS_USERNS_MOUNT) && - !capable(CAP_SYS_ADMIN)) + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_MOUNT)) return ERR_PTR(-EPERM); retry: spin_lock(&sb_lock); @@ -551,7 +551,9 @@ struct super_block *sget(struct file_system_type *type, user_ns = &init_user_ns; /* Ensure the requestor has permissions over the target filesystem */ - if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) && !ns_capable(user_ns, CAP_SYS_ADMIN)) + if (!(flags & (SB_KERNMOUNT | SB_SUBMOUNT)) && + !ns_capable(user_ns, CAP_SYS_ADMIN) && + !ns_capable(user_ns, CAP_SYS_MOUNT)) return ERR_PTR(-EPERM); return sget_userns(type, test, set, flags, user_ns, data); 
@@ -1020,10 +1022,12 @@ struct dentry *mount_ns(struct file_system_type *fs_type, { struct super_block *sb; - /* Don't allow mounting unless the caller has CAP_SYS_ADMIN - * over the namespace. + /* Don't allow mounting unless the caller has CAP_SYS_ADMIN (deprecated) + * or CAP_SYS_MOUNT over the namespace. */ - if (!(flags & SB_KERNMOUNT) && !ns_capable(user_ns, CAP_SYS_ADMIN)) + if (!(flags & SB_KERNMOUNT) && + !ns_capable(user_ns, CAP_SYS_ADMIN) && + !ns_capable(user_ns, CAP_SYS_MOUNT)) return ERR_PTR(-EPERM); sb = sget_userns(fs_type, ns_test_super, ns_set_super, flags,
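Review bot: the cachefiles_daemon_open() hunk extends CAP_SYS_MOUNT to opening the cachefiles control device, which is neither a mount nor an unmount, so it goes beyond the "(u)mount a fs" scope stated in the subject and commit message. If a CAP_SYS_MOUNT daemon is meant to drive cachefiles, say so in the commit message; otherwise drop the hunk so the new capability stays narrow, which is the whole point of splitting CAP_SYS_ADMIN. The comment `/* only the superuser may do this */` just above the check is also stale now and should name both capabilities.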
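Review bot: the ext4_shutdown() hunk lets CAP_SYS_MOUNT force a filesystem shutdown through the ext4 ioctl handler, which is a destructive administrative action rather than a mount or unmount, so it widens the capability beyond what the commit message describes. Either drop this hunk or document in the commit message that CAP_SYS_MOUNT also covers filesystem shutdown, so reviewers and the capabilities(7) text can judge the new privilege boundary.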
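Review bot: in may_mount(), the `||` form evaluates `ns_capable(..., CAP_SYS_ADMIN)` first, and ns_capable() records an audit denial when it fails, so every mount or umount by a process holding only CAP_SYS_MOUNT now logs a spurious CAP_SYS_ADMIN denial (and the reverse ordering would log spurious CAP_SYS_MOUNT denials for ordinary root). Check one of the two with ns_capable_noaudit() so only the final failure is audited, and hoist `current->nsproxy->mnt_ns->user_ns` into a local instead of spelling it out twice.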
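Review bot: the sget_userns() hunk introduces the same two-capability test that sget() and mount_ns() grow below, so a single helper (for example a hypothetical `fs_may_mount(user_ns)`) would keep the three call sites consistent and give one place to fix the double-audit noise that a failing `capable(CAP_SYS_ADMIN)` followed by `capable(CAP_SYS_MOUNT)` produces.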
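Review bot: the sget() hunk mixes an unrelated whitespace change, `SB_KERNMOUNT|SB_SUBMOUNT` to `SB_KERNMOUNT | SB_SUBMOUNT`, into a functional change, while the sget_userns() hunk above leaves the same expression unspaced, so the patch ends up inconsistent with itself. Either drop the whitespace edit or move it to a separate cleanup patch.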
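Review bot: the mount_ns() comment now labels CAP_SYS_ADMIN "(deprecated)" while the code still accepts it and neither the other hunks nor the commit message mention deprecation. Retiring CAP_SYS_ADMIN for mounting is a user-visible policy decision that belongs in the commit message and capabilities(7); either state it there and apply it consistently across all the hunks, or drop the word from the comment.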