proc: Restrict mounting the proc filesystem
authorEric W. Biederman <ebiederm@xmission.com>
Tue, 26 Mar 2013 02:57:10 +0000 (19:57 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Sep 2013 00:18:28 +0000 (17:18 -0700)
commit aee1c13dd0f6c2fc56e0e492b349ee8ac655880f upstream.

Don't allow mounting the proc filesystem unless the caller has
CAP_SYS_ADMIN rights over the pid namespace.  The principle here is if
you create or have capabilities over it you can mount it, otherwise
you get to live with what other people have mounted.

Andy pointed out that this is needed to prevent users in a user
namespace from remounting proc and specifying different hidepid and gid
options on already existing proc mounts.

Reported-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/proc/root.c

index 41a6ea93f486ff81b6b112821339a66f0b020324..04ec276c7bab9dfcfd65a4bc5e61bb15ac413a2f 100644 (file)
@@ -110,7 +110,8 @@ static struct dentry *proc_mount(struct file_system_type *fs_type,
                ns = task_active_pid_ns(current);
                options = data;
 
-               if (!current_user_ns()->may_mount_proc)
+               if (!current_user_ns()->may_mount_proc ||
+                   !ns_capable(ns->user_ns, CAP_SYS_ADMIN))
                        return ERR_PTR(-EPERM);
        }