Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.2
fuse
fusermount-whitelist-known-good-filesystems-for...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File fusermount-whitelist-known-good-filesystems-for-mountpoints.patch of Package fuse
From 795ad5d77434f3502e63a70c8a3fda94fa347e3d Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh@google.com> Date: Sat, 14 Jul 2018 13:37:41 +0200 Subject: [PATCH] fusermount: whitelist known-good filesystems for mountpoints Before: $ _FUSE_COMMFD=1 priv_strace -s8000 -e trace=mount util/fusermount3 /proc/self/fd mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "fd=3,rootmode=40000,user_id=379777,group_id=5001") = 0 sending file descriptor: Socket operation on non-socket +++ exited with 1 +++ After: $ _FUSE_COMMFD=1 priv_strace -s8000 -e trace=mount util/fusermount3 /proc/self/fd util/fusermount3: mounting over filesystem type 0x009fa0 is forbidden +++ exited with 1 +++ This patch could potentially have security impact on some systems that are configured with allow_other; see https://launchpad.net/bugs/1530566 for an example of how a similar issue in the ecryptfs mount helper was exploitable. However, the FUSE mount helper performs slightly different security checks, so that exact attack doesn't work with fusermount; I don't know of any specific attack you could perform using this, apart from faking the SELinux context of your process when someone's looking at a process listing. Potential targets for overwrite are (looking on a system with a 4.9 kernel): writable only for the current process: /proc/self/{fd,map_files} (Yes, "ls -l" claims that you don't have write access, but that's not true; "find -writable" will show you what access you really have.) writable also for other owned processes: /proc/$pid/{sched,autogroup,comm,mem,clear_refs,attr/*,oom_adj, oom_score_adj,loginuid,coredump_filter,uid_map,gid_map,projid_map, setgroups,timerslack_ns} diff --git a/util/fusermount.c b/util/fusermount.c index 2792407..c63c50e 100644 --- a/util/fusermount.c +++ b/util/fusermount.c @@ -30,6 +30,7 @@ #include <sys/utsname.h> #include <sched.h> #include <stdbool.h> +#include <sys/vfs.h> #define FUSE_COMMFD_ENV "_FUSE_COMMFD" @@ -915,6 +916,8 @@ static int check_perm(const char **mntp, struct stat *stbuf, int *mountpoint_fd) int res; const char *mnt = *mntp; const char *origmnt = mnt; + struct statfs fs_buf; + size_t i; res = lstat(mnt, stbuf); if (res == -1) { @@ -987,8 +990,53 @@ static int check_perm(const char **mntp, struct stat *stbuf, int *mountpoint_fd) return -1; } + /* Do not permit mounting over anything in procfs - it has a couple + * places to which we have "write access" without being supposed to be + * able to just put anything we want there. + * Luckily, without allow_other, we can't get other users to actually + * use any fake information we try to put there anyway. + * Use a whitelist to be safe. */ + if (statfs(*mntp, &fs_buf)) { + fprintf(stderr, "%s: failed to access mountpoint %s: %s\n", + progname, mnt, strerror(errno)); + return -1; + } - return 0; + /* Use the same list of permitted filesystems for the mount target as + * the ecryptfs mount helper + * (https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/view/head:/src/utils/mount.ecryptfs_private.c#L225). */ + typeof(fs_buf.f_type) f_type_whitelist[] = { + 0x61756673 /* AUFS_SUPER_MAGIC */, + 0x9123683E /* BTRFS_SUPER_MAGIC */, + 0x00C36400 /* CEPH_SUPER_MAGIC */, + 0xFF534D42 /* CIFS_MAGIC_NUMBER */, + 0x0000F15F /* ECRYPTFS_SUPER_MAGIC */, + 0x0000EF53 /* EXT[234]_SUPER_MAGIC */, + 0xF2F52010 /* F2FS_SUPER_MAGIC */, + 0x65735546 /* FUSE_SUPER_MAGIC */, + 0x01161970 /* GFS2_MAGIC */, + 0x3153464A /* JFS_SUPER_MAGIC */, + 0x000072B6 /* JFFS2_SUPER_MAGIC */, + 0x0000564C /* NCP_SUPER_MAGIC */, + 0x00006969 /* NFS_SUPER_MAGIC */, + 0x00003434 /* NILFS_SUPER_MAGIC */, + 0x5346544E /* NTFS_SB_MAGIC */, + 0x794C7630 /* OVERLAYFS_SUPER_MAGIC */, + 0x52654973 /* REISERFS_SUPER_MAGIC */, + 0x73717368 /* SQUASHFS_MAGIC */, + 0x01021994 /* TMPFS_MAGIC */, + 0x24051905 /* UBIFS_SUPER_MAGIC */, + 0x58465342 /* XFS_SB_MAGIC */, + 0x2FC12FC1 /* ZFS_SUPER_MAGIC */, + }; + for (i = 0; i < sizeof(f_type_whitelist)/sizeof(f_type_whitelist[0]); i++) { + if (f_type_whitelist[i] == fs_buf.f_type) + return 0; + } + + fprintf(stderr, "%s: mounting over filesystem type %#010lx is forbidden\n", + progname, (unsigned long)fs_buf.f_type); + return -1; } static int try_open(const char *dev, char **devp, int silent)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor