oss-sec mailing list archives
Re: CVE request: Linux kernel silently ignores MS_RDONLY for bind mounts
From: Steven Stewart-Gallus <sstewartgallus00 () mylangara bc ca>
Date: Mon, 02 Mar 2015 05:02:56 +0000 (GMT)
Hello,

I suppose it's time I gave my opinion on this matter. Personally, I am ambivalent about whether this really deserves a CVE (or if the CVE should be with the Linux kernel or with the applications that misuse this API), as I feel it is the responsibility of API users like LXC and systemd to make sure that they aren't misusing these interfaces, but I would still like this feature to be implemented and I will explain why.

For my own needs (with my own project at https://gitorious.org/linted/linted) I sandbox processes without raising privileges by means such as setuid applications and so can only map uids and gids to the current user. However, I still need to prevent certain processes from writing to the user's home directory and as such need to mount the /home hierarchy read only and recursively. Mostly though this is not a big problem for me because I only need to mount the user's home directory when developing (because I need to run binaries that are built inside the user's home directory).

Also, there is the possibility of bind mounting special hierarchies such as /dev, /proc and /sys read only (these are not just one filesystem but need to be bound recursively), but I don't consider this a strong use case.

Thank you,
Steven Stewart-Gallus
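The read-only bind mount this message asks for, written out as an added example that is not part of the thread and not code from the linted project: it enters an unprivileged user and mount namespace (the "without raising privileges" approach described above) and then does the bind mount in the two steps the kernel actually requires, verifying the result with statvfs. It assumes Linux with unprivileged user namespaces enabled; the function names enter_unpriv_ns, is_readonly and bind_ro are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/statvfs.h>
#include <unistd.h>
/* Write one line to a /proc/self/uid_map style file; returns 0 or -errno. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY), err = 0;
    if (fd < 0) return -errno;
    if (write(fd, text, strlen(text)) != (ssize_t)strlen(text)) err = -errno;
    close(fd);
    return err;
}
/* Fresh user+mount namespace, caller mapped to uid 0 inside; 0 or -errno (-EPERM if disabled). */
int enter_unpriv_ns(void)
{
    char map[64]; int rc;
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) return -errno;
    snprintf(map, sizeof map, "0 %u 1", (unsigned)getuid());
    if ((rc = write_file("/proc/self/uid_map", map)) < 0) return rc;
    /* Private propagation: our bind mount must not leak into the parent namespace. */
    return mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0 ? -errno : 0;
}
/* 1 if the mount at path is read-only, 0 if writable, -errno on error. */
int is_readonly(const char *path)
{
    struct statvfs st;
    if (statvfs(path, &st) < 0) return -errno;
    return (st.f_flag & ST_RDONLY) ? 1 : 0;
}
/* MS_RDONLY on a plain MS_BIND is silently dropped, so the second MS_REMOUNT|MS_BIND call
 * is what really makes dst read-only. nosuid/nodev/noexec/noatime are carried over because
 * a user namespace may not clear locked flags (EPERM). Top-level mount only: every submount
 * under a MS_REC bind needs this same remount. */
int bind_ro(const char *src, const char *dst)
{
    struct statvfs st;
    unsigned long f = MS_BIND | MS_REMOUNT | MS_RDONLY;
    if (mount(src, dst, NULL, MS_BIND, NULL) < 0) return -errno;
    if (statvfs(dst, &st) < 0) return -errno;
    if (st.f_flag & ST_NOSUID) f |= MS_NOSUID;
    if (st.f_flag & ST_NODEV) f |= MS_NODEV;
    if (st.f_flag & ST_NOEXEC) f |= MS_NOEXEC;
    if (st.f_flag & ST_NOATIME) f |= MS_NOATIME;
    return mount(NULL, dst, NULL, f, NULL) < 0 ? -errno : 0;
}
```

Calling bind_ro("/tmp", "/tmp") after enter_unpriv_ns() makes /tmp read-only for this process only; is_readonly("/tmp") then reports 1.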