118 строки
4.3 KiB
Diff
118 строки
4.3 KiB
Diff
|
From d4865c4cdd0bb67587ef339af817902db9cbfcd0 Mon Sep 17 00:00:00 2001
|
||
|
From: Jann Horn <jannh@google.com>
|
||
|
Date: Sat, 14 Jul 2018 13:37:41 +0200
|
||
|
Subject: [PATCH] fusermount: whitelist known-good filesystems for mountpoints
|
||
|
|
||
|
Before:
|
||
|
|
||
|
$ _FUSE_COMMFD=1 priv_strace -s8000 -e trace=mount util/fusermount3 /proc/self/fd
|
||
|
mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "fd=3,rootmode=40000,user_id=379777,group_id=5001") = 0
|
||
|
sending file descriptor: Socket operation on non-socket
|
||
|
+++ exited with 1 +++
|
||
|
|
||
|
After:
|
||
|
|
||
|
$ _FUSE_COMMFD=1 priv_strace -s8000 -e trace=mount util/fusermount3 /proc/self/fd
|
||
|
util/fusermount3: mounting over filesystem type 0x009fa0 is forbidden
|
||
|
+++ exited with 1 +++
|
||
|
|
||
|
This patch could potentially have security
|
||
|
impact on some systems that are configured with allow_other;
|
||
|
see https://launchpad.net/bugs/1530566 for an example of how a similar
|
||
|
issue in the ecryptfs mount helper was exploitable. However, the FUSE
|
||
|
mount helper performs slightly different security checks, so that exact
|
||
|
attack doesn't work with fusermount; I don't know of any specific attack
|
||
|
you could perform using this, apart from faking the SELinux context of your
|
||
|
process when someone's looking at a process listing. Potential targets for
|
||
|
overwrite are (looking on a system with a 4.9 kernel):
|
||
|
|
||
|
writable only for the current process:
|
||
|
/proc/self/{fd,map_files}
|
||
|
(Yes, "ls -l" claims that you don't have write access, but that's not true;
|
||
|
"find -writable" will show you what access you really have.)
|
||
|
|
||
|
writable also for other owned processes:
|
||
|
/proc/$pid/{sched,autogroup,comm,mem,clear_refs,attr/*,oom_adj,
|
||
|
oom_score_adj,loginuid,coredump_filter,uid_map,gid_map,projid_map,
|
||
|
setgroups,timerslack_ns}
|
||
|
---
|
||
|
util/fusermount.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++-
|
||
|
1 file changed, 49 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/util/fusermount.c b/util/fusermount.c
|
||
|
index 27924073..c63c50ef 100644
|
||
|
--- a/util/fusermount.c
|
||
|
+++ b/util/fusermount.c
|
||
|
@@ -30,6 +30,7 @@
|
||
|
#include <sys/utsname.h>
|
||
|
#include <sched.h>
|
||
|
#include <stdbool.h>
|
||
|
+#include <sys/vfs.h>
|
||
|
|
||
|
#define FUSE_COMMFD_ENV "_FUSE_COMMFD"
|
||
|
|
||
|
@@ -915,6 +916,8 @@ static int check_perm(const char **mntp, struct stat *stbuf, int *mountpoint_fd)
|
||
|
int res;
|
||
|
const char *mnt = *mntp;
|
||
|
const char *origmnt = mnt;
|
||
|
+ struct statfs fs_buf;
|
||
|
+ size_t i;
|
||
|
|
||
|
res = lstat(mnt, stbuf);
|
||
|
if (res == -1) {
|
||
|
@@ -987,8 +990,53 @@ static int check_perm(const char **mntp, struct stat *stbuf, int *mountpoint_fd)
|
||
|
return -1;
|
||
|
}
|
||
|
|
||
|
+ /* Do not permit mounting over anything in procfs - it has a couple
|
||
|
+ * places to which we have "write access" without being supposed to be
|
||
|
+ * able to just put anything we want there.
|
||
|
+ * Luckily, without allow_other, we can't get other users to actually
|
||
|
+ * use any fake information we try to put there anyway.
|
||
|
+ * Use a whitelist to be safe. */
|
||
|
+ if (statfs(*mntp, &fs_buf)) {
|
||
|
+ fprintf(stderr, "%s: failed to access mountpoint %s: %s\n",
|
||
|
+ progname, mnt, strerror(errno));
|
||
|
+ return -1;
|
||
|
+ }
|
||
|
|
||
|
- return 0;
|
||
|
+ /* Use the same list of permitted filesystems for the mount target as
|
||
|
+ * the ecryptfs mount helper
|
||
|
+ * (https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/view/head:/src/utils/mount.ecryptfs_private.c#L225). */
|
||
|
+ typeof(fs_buf.f_type) f_type_whitelist[] = {
|
||
|
+ 0x61756673 /* AUFS_SUPER_MAGIC */,
|
||
|
+ 0x9123683E /* BTRFS_SUPER_MAGIC */,
|
||
|
+ 0x00C36400 /* CEPH_SUPER_MAGIC */,
|
||
|
+ 0xFF534D42 /* CIFS_MAGIC_NUMBER */,
|
||
|
+ 0x0000F15F /* ECRYPTFS_SUPER_MAGIC */,
|
||
|
+ 0x0000EF53 /* EXT[234]_SUPER_MAGIC */,
|
||
|
+ 0xF2F52010 /* F2FS_SUPER_MAGIC */,
|
||
|
+ 0x65735546 /* FUSE_SUPER_MAGIC */,
|
||
|
+ 0x01161970 /* GFS2_MAGIC */,
|
||
|
+ 0x3153464A /* JFS_SUPER_MAGIC */,
|
||
|
+ 0x000072B6 /* JFFS2_SUPER_MAGIC */,
|
||
|
+ 0x0000564C /* NCP_SUPER_MAGIC */,
|
||
|
+ 0x00006969 /* NFS_SUPER_MAGIC */,
|
||
|
+ 0x00003434 /* NILFS_SUPER_MAGIC */,
|
||
|
+ 0x5346544E /* NTFS_SB_MAGIC */,
|
||
|
+ 0x794C7630 /* OVERLAYFS_SUPER_MAGIC */,
|
||
|
+ 0x52654973 /* REISERFS_SUPER_MAGIC */,
|
||
|
+ 0x73717368 /* SQUASHFS_MAGIC */,
|
||
|
+ 0x01021994 /* TMPFS_MAGIC */,
|
||
|
+ 0x24051905 /* UBIFS_SUPER_MAGIC */,
|
||
|
+ 0x58465342 /* XFS_SB_MAGIC */,
|
||
|
+ 0x2FC12FC1 /* ZFS_SUPER_MAGIC */,
|
||
|
+ };
|
||
|
+ for (i = 0; i < sizeof(f_type_whitelist)/sizeof(f_type_whitelist[0]); i++) {
|
||
|
+ if (f_type_whitelist[i] == fs_buf.f_type)
|
||
|
+ return 0;
|
||
|
+ }
|
||
|
+
|
||
|
+ fprintf(stderr, "%s: mounting over filesystem type %#010lx is forbidden\n",
|
||
|
+ progname, (unsigned long)fs_buf.f_type);
|
||
|
+ return -1;
|
||
|
}
|
||
|
|
||
|
static int try_open(const char *dev, char **devp, int silent)
|