oss-sec mailing list archives
USERNS allows circumventing MNT_LOCKED
From: Eric Windisch <eric () windisch us>
Date: Fri, 17 Apr 2015 11:44:14 -0400
In October 2014, Andrey Vagin reported[1] to the Linux Containers list that it would be possible to use user namespaces to circumvent MNT_LOCKED and allow unprivileged users to access the directory structure underneath of mounts. A PoC was also produced and is public. Patches are now available and proposed to Linus[2].

This may not simply be information disclosure, but containerized environments may through chroot and mount namespaces mask directory structures as read-only or inaccessible via the use of bind-mounts. Such read-only masking may be circumvented by this vulnerability on systems where these directories are not otherwise protected by MAC (i.e. SELinux or AppArmor).

Regards,
Eric Windisch

[1] https://groups.google.com/forum/#!topic/linux.kernel/HnegnbXk0Vs
[2] http://www.spinics.net/lists/linux-containers/msg30786.html
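An added example, not part of the original post: one way to inventory the bind-mount and read-only masks a container relies on, by parsing text in /proc/<pid>/mountinfo format, so those paths can be checked for MAC coverage as well. The function names and the sample mount table are constructed for illustration.

```python
import re

# Constructed sample in /proc/<pid>/mountinfo format (not captured from a real host).
SAMPLE = """\
100 90 8:1 /var/lib/ctr/rootfs / rw,relatime - ext4 /dev/sda1 rw
101 100 0:40 / /proc rw,nosuid - proc proc rw
102 101 0:40 /sys /proc/sys ro,nosuid - proc proc rw
103 101 0:6 /null /proc/kcore rw,nosuid - devtmpfs devtmpfs rw
104 100 8:1 /etc/resolv.conf /etc/resolv.conf ro,relatime - ext4 /dev/sda1 rw
105 100 0:41 / /tmp/my\\040dir rw - tmpfs tmpfs rw
"""

def unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Return {mount_id: record} for every line of a mountinfo table."""
    mounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Fixed fields come first, then optional fields, then " - " and fs info.
        left, right = line.split(" - ", 1)
        f = left.split()
        mounts[int(f[0])] = {
            "parent": int(f[1]),
            "root": unescape(f[3]),    # path inside the source fs that is mounted
            "point": unescape(f[4]),   # where it appears in this namespace
            "opts": set(f[5].split(",")),
            "fstype": right.split()[0],
        }
    return mounts

def masking_mounts(mounts):
    """List mounts that hide or restrict what lies underneath them."""
    findings = []
    for m in mounts.values():
        parent = mounts.get(m["parent"])
        if parent is None:
            continue  # root mount of this namespace, parent is outside the table
        reasons = []
        if "ro" in m["opts"] and "rw" in parent["opts"]:
            reasons.append("read-only over writable parent")
        if m["root"] != "/":
            reasons.append("bind of " + m["root"])
        if reasons:
            findings.append((m["point"], reasons))
    return sorted(findings)

if __name__ == "__main__":
    for point, reasons in masking_mounts(parse_mountinfo(SAMPLE)):
        print(point, "->", "; ".join(reasons))
```

Each path it reports is protected only by the mount stacked on top of it, which is the case the message says needs SELinux or AppArmor coverage.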