oss-sec mailing list archives
CVE request: Linux kernel silently ignores MS_RDONLY for bind mounts
From: Daniel Micay <danielmicay () gmail com>
Date: Thu, 26 Feb 2015 12:55:13 -0500
This has been an issue in the kernel for a long time (likely since bind mounts were introduced), and a patch does exist to fix it but it hasn't been applied. Here's the bug report: https://bugzilla.kernel.org/show_bug.cgi?id=24912 Here's the latest iteration of the patch: https://lkml.org/lkml/2014/11/5/911 This is not only something that software developers will expect to work, but AFAIK it has always been intended to work. I don't think there's any disagreement that this is a bug. Leaving the directory tree writable when it's supposed to be read-only without reporting an error is very problematic. The widely used workaround (among people who realize it doesn't work) is to remount the bind mount as read-only. That can open up a race and it also doesn't mix well with MS_REC. The remount call will only apply the read-only flag to the top-level mount despite MS_REC. In systemd, there are various features suffering from security flaws due to this kernel bug. The ReadOnlyDirectories for units only applies to the top-level mount and systemd-nspawn's --bind-ro switch doesn't make the submounts read-only. The flaws in systemd are documented so a CVE assignment for those issues wouldn't make sense. I think they'd be willing to fix these if the underlying kernel bug is dealt with.
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE request: Linux kernel silently ignores MS_RDONLY for bind mounts Daniel Micay (Feb 26)
- Re: CVE request: Linux kernel silently ignores MS_RDONLY for bind mounts Daniel Micay (Feb 26)
- Re: Re: CVE request: Linux kernel silently ignores MS_RDONLY for bind mounts Rich Felker (Feb 28)
- Re: Re: CVE request: Linux kernel silently ignores MS_RDONLY for bind mounts Daniel Micay (Feb 28)
- Re: CVE request: Linux kernel silently ignores MS_RDONLY for bind mounts Steven Stewart-Gallus (Mar 01)
- Re: Re: CVE request: Linux kernel silently ignores MS_RDONLY for bind mounts Rich Felker (Feb 28)
- Re: CVE request: Linux kernel silently ignores MS_RDONLY for bind mounts Daniel Micay (Feb 26)