oss-sec mailing list archives

CVE request: Linux kernel silently ignores MS_RDONLY for bind mounts


From: Daniel Micay <danielmicay () gmail com>
Date: Thu, 26 Feb 2015 12:55:13 -0500

This has been an issue in the kernel for a long time (likely since bind
mounts were introduced), and a patch does exist to fix it but it hasn't
been applied.

Here's the bug report:

https://bugzilla.kernel.org/show_bug.cgi?id=24912

Here's the latest iteration of the patch:

https://lkml.org/lkml/2014/11/5/911

This is not only something that software developers will expect to work,
but AFAIK it has always been intended to work. I don't think there's any
disagreement that this is a bug. Leaving the directory tree writable
when it's supposed to be read-only without reporting an error is very
problematic.

The widely used workaround (among people who realize it doesn't work) is
to remount the bind mount as read-only. That can open up a race and it
also doesn't mix well with MS_REC. The remount call will only apply the
read-only flag to the top-level mount despite MS_REC.

In systemd, there are various features suffering from security flaws due
to this kernel bug. The ReadOnlyDirectories for units only applies to
the top-level mount and systemd-nspawn's --bind-ro switch doesn't make
the submounts read-only. The flaws in systemd are documented so a CVE
assignment for those issues wouldn't make sense. I think they'd be
willing to fix these if the underlying kernel bug is dealt with.

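The following is an added example, not code from the message, the kernel patch or systemd. It shows the two-step workaround the message describes (bind, then remount read-only) in C against glibc's mount(2), and the check a practitioner wants afterwards: walk /proc/self/mountinfo and report every mount under the target that still lacks the per-mount "ro" option, which is exactly what the non-recursive remount leaves behind for submounts. The mountinfo sample embedded in the block is constructed for illustration; the real check runs over /proc/self/mountinfo and the mounts need root (CAP_SYS_ADMIN), so the parser is the part that can be exercised unprivileged.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Bind src onto dst, then make the bind read-only with a second call.
 * MS_RDONLY on the MS_BIND call itself is silently ignored (the bug the
 * message reports), so the MS_REMOUNT|MS_BIND pass is what sets the
 * per-mount read-only flag.  As the message notes, that pass only
 * affects dst itself even when MS_REC is given, so it is left off here:
 * submounts of a recursive bind stay writable and must be found and
 * remounted one by one.  Returns 0 on success, -errno on failure. */
static int bind_mount_ro(const char *src, const char *dst, int recursive)
{
    unsigned long bind = MS_BIND | (recursive ? MS_REC : 0);
    if (mount(src, dst, NULL, bind | MS_RDONLY, NULL) != 0)
        return -errno;
    if (mount(NULL, dst, NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, NULL) != 0)
        return -errno;
    return 0;
}

/* True if 'want' appears as a whole comma-separated token in 'opts'. */
static int has_opt(const char *opts, const char *want)
{
    size_t n = strlen(want);
    for (const char *s = opts; *s; ) {
        const char *e = strchr(s, ',');
        size_t len = e ? (size_t)(e - s) : strlen(s);
        if (len == n && strncmp(s, want, n) == 0)
            return 1;
        s = e ? e + 1 : s + len;
    }
    return 0;
}

/* True if mnt is target itself or lies below it (path-component aware,
 * so "/jail/apple" is not under "/jail/app"). */
static int under(const char *mnt, const char *target)
{
    size_t n = strlen(target);
    if (strcmp(target, "/") == 0)
        return 1;
    return strncmp(mnt, target, n) == 0 && (mnt[n] == '\0' || mnt[n] == '/');
}

/* Scan mountinfo text (the /proc/self/mountinfo format: fields 5 and 6
 * are mount point and per-mount options; spaces are escaped as \040, so
 * splitting on whitespace is safe).  Counts mounts at or below target
 * that lack the per-mount "ro" flag; the first offender is copied to
 * 'first' when it is non-NULL. */
static int count_writable_under(const char *mountinfo, const char *target,
                                char *first, size_t firstsz)
{
    int writable = 0;
    const char *p = mountinfo;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1024], mnt[256], opts[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (sscanf(line, "%*s %*s %*s %*s %255s %255s", mnt, opts) == 2
            && under(mnt, target) && !has_opt(opts, "ro")) {
            if (writable == 0 && first)
                snprintf(first, firstsz, "%s", mnt);
            writable++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return writable;
}

/* Convenience wrapper returning the first writable mount point under target
 * (empty string if none). */
static const char *first_writable_under(const char *mountinfo, const char *target)
{
    static char first[256];
    first[0] = '\0';
    count_writable_under(mountinfo, target, first, sizeof first);
    return first;
}

/* Run the check against the live mount table.  Returns the count of
 * writable mounts under target, or -errno if mountinfo cannot be read. */
static int check_tree_readonly(const char *target, char *first, size_t firstsz)
{
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f)
        return -errno;
    static char buf[1 << 16];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    return count_writable_under(buf, target, first, firstsz);
}

/* Constructed sample (not captured from a real system): /srv/app was
 * bound recursively onto /jail/app and then remounted read-only without
 * recursion, so the top-level bind carries "ro" but its submount
 * /jail/app/data is still "rw".  /jail/apple is a prefix-collision decoy. */
static const char SAMPLE_MOUNTINFO[] =
    "25 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "40 25 8:1 /srv/app /jail/app ro,relatime - ext4 /dev/sda1 rw\n"
    "41 40 8:2 / /jail/app/data rw,relatime - ext4 /dev/sdb1 rw\n"
    "42 25 0:5 / /jail/apple rw,nosuid - tmpfs tmpfs rw\n";

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s SRC DST   (run as root)\n", argv[0]);
        return 2;
    }
    int rc = bind_mount_ro(argv[1], argv[2], 1);
    if (rc < 0) {
        fprintf(stderr, "mount: %s\n", strerror(-rc));
        return 1;
    }
    char first[256] = "";
    int n = check_tree_readonly(argv[2], first, sizeof first);
    if (n < 0) {
        fprintf(stderr, "mountinfo: %s\n", strerror(-n));
        return 1;
    }
    if (n > 0)
        printf("%d writable mount(s) under %s, first: %s\n", n, argv[2], first);
    else
        printf("all mounts under %s are read-only\n", argv[2]);
    return n > 0;
}
```

On a live system, a non-zero count from check_tree_readonly after bind_mount_ro is the failure mode the message describes: each listed submount still needs its own MS_REMOUNT|MS_BIND|MS_RDONLY call, and a file created under the source between the bind and the remount is the race the message mentions.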

