[lxc-devel] [PATCH 1/1] pivot_root: switch to a new mechanism (v2)

Andy Lutomirski luto at amacapital.net
Mon Sep 29 22:50:23 UTC 2014


On Mon, Sep 29, 2014 at 3:46 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Andy Lutomirski (luto at amacapital.net):
>> On Mon, Sep 29, 2014 at 2:46 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>> I'm not sure that "/" is well-defined.  You have oldroot mounted on
>
> Whoa.  Seems you're right.  I would have expected it to mean precisely
> the dentry+vfsmount which I pivot-rooted to.  Which have been overmounted,
> so umount(/) would umount what's been mounted over them.
>
>> top of newroot, and "/" refers to one of them (presumably oldroot on
>> newer kernels, and maybe newroot on older kernels).
>
> So it seems.
>
>> I think that you
>> want to unmount oldroot, leaving only newroot mounted.  When you call
>> umount2, "." reliably refers to oldroot.
>
> Right
>
>> /me wonders whether there's a vulnerability here on new kernels if the
>> test were adjusted a bit.  mnt_ns oughtn't to be NULL, right?
>
> Wouldn't it be in the older kernels though?  That's where mnt_ns ends
> up being null.  So from 3.8..3.11 an unpriv user (through CLONE_NEWUSER)
> can do a pivot_root causing null MNT_NS, and presumably find an interesting
> way to dereference it.

Eric?

I wonder what happens if you unmount new_root on new kernels...

>
>> >> I'm currently having trouble finding an old enough box.  Can you try
>> >> the attached fancier test and see what it prints?
>> >
>> > Exact same as mine:
>> >
>> > ubuntu at kvm-p3:~$ sudo ./x
>> > pivoted
>> > in new root
>> > I am 1441
>> > root at kvm-p3:/# mount --bind /mnt /mnt
>>
>> Ah, OK, I completely misunderstood your original email.
>>
>> If I change umount2 to umount "." instead of "/" in my code, the
>> subsequent mount --bind works for me on 3.2.
>
> Same here, so I can push a fix for lxc - thanks!
>
>> FWIW, your test does awful, awful things if I don't do the MS_PRIVATE
>> thing on top.
>
> D'oh.  Sorry about that.

The real problem is that recursively binding / anywhere and then
unmounting it breaks everything.  Wtf?!?  Time to reboot :)

>
> -serge



-- 
Andy Lutomirski
AMA Capital Management, LLC
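The pivot sequence the thread converges on (make / rprivate first, bind the new root onto itself, pivot_root(".", "."), then unmount the old root via "." rather than the ambiguous "/"), written out as an added C example; this is not LXC's code and not the test program attached in the thread. The step enum, the old-root fd kept across the pivot and the use of MNT_DETACH are my own choices, and the program must run as root (it calls unshare(CLONE_NEWNS)) with a /bin/sh inside the target directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Which step of the pivot sequence failed (PIVOT_OK = everything succeeded). */
enum pivot_step { PIVOT_OK = 0, PIVOT_OPEN_OLD, PIVOT_OPEN_NEW, PIVOT_PRIVATE,
                  PIVOT_BIND, PIVOT_CHDIR_NEW, PIVOT_SYSCALL, PIVOT_CHDIR_OLD,
                  PIVOT_UMOUNT_OLD, PIVOT_CHDIR_ROOT };

/* Make new_root the root of the current mount namespace and detach the old root.
 * Returns the step that failed; errno is left as that step set it. */
enum pivot_step pivot_into_dir(const char *new_root)
{
    enum pivot_step step = PIVOT_OK;
    int oldroot = open("/", O_DIRECTORY | O_RDONLY | O_CLOEXEC);  /* fd to old root, survives the pivot */
    if (oldroot < 0)
        return PIVOT_OPEN_OLD;
    int newroot = open(new_root, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
    if (newroot < 0) { step = PIVOT_OPEN_NEW; goto out; }
    /* "The MS_PRIVATE thing": stop mount events propagating back to the host, otherwise
     * unmounting a recursive bind of / tears down the host's own mounts. */
    if (mount("", "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) { step = PIVOT_PRIVATE; goto out; }
    /* pivot_root(2) requires new_root to be a mount point, so bind it onto itself. */
    if (mount(new_root, new_root, NULL, MS_BIND | MS_REC, NULL) < 0) { step = PIVOT_BIND; goto out; }
    if (fchdir(newroot) < 0) { step = PIVOT_CHDIR_NEW; goto out; }
    /* pivot_root(".", "."): the old root ends up stacked on top of the new root. */
    if (syscall(SYS_pivot_root, ".", ".") < 0) { step = PIVOT_SYSCALL; goto out; }
    /* "/" now names one of two mounts sharing that path, so never umount("/").
     * Step explicitly onto the old root through the saved fd and unmount ".",
     * which then unambiguously names the old root. */
    if (fchdir(oldroot) < 0) { step = PIVOT_CHDIR_OLD; goto out; }
    if (umount2(".", MNT_DETACH) < 0) { step = PIVOT_UMOUNT_OLD; goto out; }
    if (chdir("/") < 0) step = PIVOT_CHDIR_ROOT;   /* "/" is unambiguous again: only new root remains */
out:
    { int saved = errno; if (newroot >= 0) close(newroot); close(oldroot); errno = saved; }
    return step;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <new-root-dir>\n", argv[0]); return 2; }
    if (unshare(CLONE_NEWNS) < 0) { perror("unshare"); return 1; }  /* private mount namespace */
    enum pivot_step s = pivot_into_dir(argv[1]);
    if (s != PIVOT_OK) { fprintf(stderr, "pivot failed at step %d: %s\n", s, strerror(errno)); return 1; }
    execl("/bin/sh", "sh", (char *)NULL);   /* shell inside the new root; /bin/sh must exist there */
    perror("execl");
    return 1;
}
```

After the pivot, `mount --bind /mnt /mnt` inside the shell should succeed, which is the check the thread used to tell the "." and "/" variants apart.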
