proc: Restrict mounting the proc filesystem
author: Eric W. Biederman <ebiederm@xmission.com>
Tue, 26 Mar 2013 02:57:10 +0000 (19:57 -0700)
committer: Eric W. Biederman <ebiederm@xmission.com>
Mon, 26 Aug 2013 18:36:58 +0000 (11:36 -0700)
Don't allow mounting the proc filesystem unless the caller has
CAP_SYS_ADMIN rights over the pid namespace.  The principle here is if
you create or have capabilities over it you can mount it, otherwise
you get to live with what other people have mounted.

Andy pointed out that this is needed to prevent users in a user
namespace from remounting proc and specifying different hidepid and gid
options on already existing proc mounts.

Cc: stable@vger.kernel.org
Reported-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
fs/proc/root.c

index 229e366598daecd4e905e8f51f13efaf0a44e773..38bd5d423fcd2d1cbc022baa8a9a242a133e8852 100644 (file)
@@ -110,7 +110,8 @@ static struct dentry *proc_mount(struct file_system_type *fs_type,
                ns = task_active_pid_ns(current);
                options = data;
 
-               if (!current_user_ns()->may_mount_proc)
+               if (!current_user_ns()->may_mount_proc ||
+                   !ns_capable(ns->user_ns, CAP_SYS_ADMIN))
                        return ERR_PTR(-EPERM);
        }
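Review bot: the new ns_capable(ns->user_ns, CAP_SYS_ADMIN) check is only visible in the branch where `ns = task_active_pid_ns(current)` and `options = data`, the block closed by the `}` at the end of this hunk; since the commit message motivates the change by remounts of an already existing proc with different hidepid and gid options, please confirm that the other branch of proc_mount (outside this hunk) and the MS_REMOUNT path either reach this same check or are guarded elsewhere, otherwise the remount case the message describes may still be reachable. Minor: collapsing both conditions into one -EPERM is fine, but a short comment above the `if` stating that the caller must hold CAP_SYS_ADMIN over the pid namespace's owning user namespace (ns->user_ns, not merely current_user_ns()) would stop the next reader from assuming the two checks are equivalent.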