forked from Minki/linux
90f8572b0f
Today proc and sysfs do not contain any executable files. Several applications today mount proc or sysfs without noexec and nosuid and then depend on there being no exectuables files on proc or sysfs. Having any executable files show on proc or sysfs would cause a user space visible regression, and most likely security problems. Therefore commit to never allowing executables on proc and sysfs by adding a new flag to mark them as filesystems without executables and enforce that flag. Test the flag where MNT_NOEXEC is tested today, so that the only user visible effect will be that exectuables will be treated as if the execute bit is cleared. The filesystems proc and sysfs do not currently incoporate any executable files so this does not result in any user visible effects. This makes it unnecessary to vet changes to proc and sysfs tightly for adding exectuable files or changes to chattr that would modify existing files, as no matter what the individual file say they will not be treated as exectuable files by the vfs. Not having to vet changes to closely is important as without this we are only one proc_create call (or another goof up in the implementation of notify_change) from having problematic executables on proc. Those mistakes are all too easy to make and would create a situation where there are security issues or the assumptions of some program having to be broken (and cause userspace regressions). Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
84 lines
1.8 KiB
C
84 lines
1.8 KiB
C
/*
|
|
* fs/sysfs/symlink.c - operations for initializing and mounting sysfs
|
|
*
|
|
* Copyright (c) 2001-3 Patrick Mochel
|
|
* Copyright (c) 2007 SUSE Linux Products GmbH
|
|
* Copyright (c) 2007 Tejun Heo <teheo@suse.de>
|
|
*
|
|
* This file is released under the GPLv2.
|
|
*
|
|
* Please see Documentation/filesystems/sysfs.txt for more information.
|
|
*/
|
|
|
|
#define DEBUG
|
|
|
|
#include <linux/fs.h>
|
|
#include <linux/magic.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/init.h>
|
|
#include <linux/user_namespace.h>
|
|
|
|
#include "sysfs.h"
|
|
|
|
static struct kernfs_root *sysfs_root;
|
|
struct kernfs_node *sysfs_root_kn;
|
|
|
|
static struct dentry *sysfs_mount(struct file_system_type *fs_type,
|
|
int flags, const char *dev_name, void *data)
|
|
{
|
|
struct dentry *root;
|
|
void *ns;
|
|
bool new_sb;
|
|
|
|
if (!(flags & MS_KERNMOUNT)) {
|
|
if (!kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET))
|
|
return ERR_PTR(-EPERM);
|
|
}
|
|
|
|
ns = kobj_ns_grab_current(KOBJ_NS_TYPE_NET);
|
|
root = kernfs_mount_ns(fs_type, flags, sysfs_root,
|
|
SYSFS_MAGIC, &new_sb, ns);
|
|
if (IS_ERR(root) || !new_sb)
|
|
kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
|
|
else if (new_sb)
|
|
/* Userspace would break if executables appear on sysfs */
|
|
root->d_sb->s_iflags |= SB_I_NOEXEC;
|
|
|
|
return root;
|
|
}
|
|
|
|
static void sysfs_kill_sb(struct super_block *sb)
|
|
{
|
|
void *ns = (void *)kernfs_super_ns(sb);
|
|
|
|
kernfs_kill_sb(sb);
|
|
kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
|
|
}
|
|
|
|
static struct file_system_type sysfs_fs_type = {
|
|
.name = "sysfs",
|
|
.mount = sysfs_mount,
|
|
.kill_sb = sysfs_kill_sb,
|
|
.fs_flags = FS_USERNS_VISIBLE | FS_USERNS_MOUNT,
|
|
};
|
|
|
|
int __init sysfs_init(void)
|
|
{
|
|
int err;
|
|
|
|
sysfs_root = kernfs_create_root(NULL, KERNFS_ROOT_EXTRA_OPEN_PERM_CHECK,
|
|
NULL);
|
|
if (IS_ERR(sysfs_root))
|
|
return PTR_ERR(sysfs_root);
|
|
|
|
sysfs_root_kn = sysfs_root->kn;
|
|
|
|
err = register_filesystem(&sysfs_fs_type);
|
|
if (err) {
|
|
kernfs_destroy_root(sysfs_root);
|
|
return err;
|
|
}
|
|
|
|
return 0;
|
|
}
|