oss-sec mailing list archives

USERNS allows circumventing MNT_LOCKED


From: Eric Windisch <eric () windisch us>
Date: Fri, 17 Apr 2015 11:44:14 -0400

In October 2014, Andrey Vagin reported[1] to the Linux Containers list that
it would be possible to use user namespaces to circumvent MNT_LOCKED and
allow unprivileged users to access the directory structure underneath
mounts. A PoC was also produced and is public.

Patches are now available and proposed to Linus[2].

This may not simply be information disclosure, but containerized
environments may, through chroot and mount namespaces, mask directory
structures as read-only or inaccessible via the use of bind-mounts. Such
read-only masking may be circumvented by this vulnerability on systems
where these directories are not otherwise protected by MAC (i.e. SELinux or
AppArmor).

Regards,
Eric Windisch

[1] https://groups.google.com/forum/#!topic/linux.kernel/HnegnbXk0Vs
[2] http://www.spinics.net/lists/linux-containers/msg30786.html
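
The bind-mount and read-only masking described in the message above can be inventoried from /proc/<pid>/mountinfo. The following Python sketch is an added example, not part of the original post: it runs over a constructed sample and lists mounts that cover part of another mount read-only or as a bind, which are the paths whose protection depends on the mount staying in place unless MAC also covers them. The function names are hypothetical.

```python
import re

# Constructed sample in /proc/<pid>/mountinfo format (not taken from the post).
SAMPLE = """\
100 50 0:40 / / rw,relatime - overlay overlay rw
101 100 0:41 / /proc rw,nosuid,nodev,noexec - proc proc rw
102 101 0:41 /sys /proc/sys ro,nosuid,nodev,noexec - proc proc rw
103 101 0:6 /null /proc/kcore rw,nosuid - devtmpfs devtmpfs rw
104 100 0:42 / /etc/secret\\040dir ro,relatime - tmpfs tmpfs rw
105 100 8:1 / /data rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

def unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields (e.g. shared:1) end at the lone "-" separator.
        left, _, right = line.partition(" - ")
        f = left.split()
        mounts.append({
            "id": int(f[0]), "parent": int(f[1]),
            "root": unescape(f[3]), "mountpoint": unescape(f[4]),
            "options": set(f[5].split(",")), "fstype": right.split()[0],
        })
    return mounts

def masking_mounts(mounts):
    """Return (mountpoint, parent mountpoint, reasons) for mounts acting as masks."""
    by_id = {m["id"]: m for m in mounts}
    found = []
    for m in mounts:
        if m["parent"] not in by_id:  # namespace root: nothing visible beneath it
            continue
        reasons = []
        if "ro" in m["options"]:
            reasons.append("read-only")
        if m["root"] != "/":          # bind of a file or subtree, not a whole fs
            reasons.append("bind of " + m["root"])
        if reasons:
            found.append((m["mountpoint"], by_id[m["parent"]]["mountpoint"], reasons))
    return found

if __name__ == "__main__":
    for mountpoint, parent, reasons in masking_mounts(parse_mountinfo(SAMPLE)):
        print(f"{mountpoint!r} covers part of {parent!r}: {', '.join(reasons)}")
```

Each path it reports is a candidate for an additional SELinux or AppArmor rule, since the message notes that masking alone is circumvented where MAC does not protect the directory.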
