| From aee1c13dd0f6c2fc56e0e492b349ee8ac655880f Mon Sep 17 00:00:00 2001 |
| From: "Eric W. Biederman" <ebiederm@xmission.com> |
| Date: Mon, 25 Mar 2013 19:57:10 -0700 |
| Subject: proc: Restrict mounting the proc filesystem |
| |
| From: "Eric W. Biederman" <ebiederm@xmission.com> |
| |
| commit aee1c13dd0f6c2fc56e0e492b349ee8ac655880f upstream. |
| |
| Don't allow mounting the proc filesystem unless the caller has |
| CAP_SYS_ADMIN rights over the pid namespace. The principle here is that if |
| you create or have capabilities over it, you can mount it; otherwise |
| you get to live with what other people have mounted. |
| |
| Andy pointed out that this is needed to prevent users in a user |
| namespace from remounting proc and specifying different hidepid and gid |
| options on already existing proc mounts. |
| |
| Reported-by: Andy Lutomirski <luto@amacapital.net> |
| Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/proc/root.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/fs/proc/root.c |
| +++ b/fs/proc/root.c |
| @@ -110,7 +110,8 @@ static struct dentry *proc_mount(struct |
| ns = task_active_pid_ns(current); |
| options = data; |
| |
| - if (!current_user_ns()->may_mount_proc) |
| + if (!current_user_ns()->may_mount_proc || |
| + !ns_capable(ns->user_ns, CAP_SYS_ADMIN)) |
| return ERR_PTR(-EPERM); |
| } |
| |
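Review bot: The added condition on L34–L35 checks CAP_SYS_ADMIN against `ns->user_ns` — the user namespace that owns the pid namespace fetched on L30 via `task_active_pid_ns(current)` — and not against `current_user_ns()`, which is the whole point of the fix (a caller who merely created a fresh user namespace, and so passes `may_mount_proc`, still cannot mount proc for a pid namespace it has no privilege over), yet nothing in the code records that distinction. A short comment above the `if` would keep a future cleanup from "simplifying" it back to the caller's own user namespace: `/* Mount options apply to every existing mount of this pid namespace's proc, so require CAP_SYS_ADMIN over the user_ns that owns the pid_ns, not just over the caller's user_ns. */`. The enclosing `proc_mount` starts before this hunk and continues after the closing brace on L37. Since the description's motivating case is changing hidepid/gid on already existing mounts, it is worth confirming that the remount path for proc (outside this hunk) is held to the same capability requirement; I cannot tell from these lines whether it is.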