Commit 73f03c2b authored Dec 22, 2017 by Seth Forshee Committed by Miklos Szeredi Mar 20, 2018

fuse: Restrict allow_other to the superblock's namespace or a descendant

Unprivileged users are normally restricted from mounting with the
allow_other option by system policy, but this could be bypassed for a mount
done with user namespace root permissions. In such cases allow_other should
not allow users outside the userns to access the mount as doing so would
give the unprivileged user the ability to manipulate processes it would
otherwise be unable to manipulate. Restrict allow_other to apply to users
in the same userns used at mount or a descendant of that namespace. Also
export current_in_userns() for use by fuse when built as a module.

Reviewed-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Dongsu Park <dongsu@kinvolk.io>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

parent 8cb08329

fs/fuse/dir.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1030,7 +1030,7 @@ int fuse_allow_current_process(struct fuse_conn *fc)
		const struct cred *cred;

		if (fc->allow_other)
		return 1;
		return current_in_userns(fc->user_ns);

		cred = current_cred();
		if (uid_eq(cred->euid, fc->user_id) &&

kernel/user_namespace.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -1235,6 +1235,7 @@ bool current_in_userns(const struct user_namespace *target_ns)
		{
		return in_userns(target_ns, current_user_ns());
		}
		EXPORT_SYMBOL(current_in_userns);

		static inline struct user_namespace to_user_ns(struct ns_common ns)
		{

Admin message