Kees Cook b0cce01be5 fs: create and use seq_show_option for escaping ... commit a068acf2ee77693e0bf39d6e07139ba704f461c3 upstream. Many file systems that implement the show_options hook fail to correctly escape their output which could lead to unescaped characters (e.g. new lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files. This could lead to confusion, spoofed entries (resulting in things like systemd issuing false d-bus "mount" notifications), and who knows what else. This looks like it would only be the root user stepping on themselves, but it's possible weird things could happen in containers or in other situations with delegated mount privileges. Here's an example using overlay with setuid fusermount trusting the contents of /proc/mounts (via the /etc/mtab symlink). Imagine the use of "sudo" is something more sneaky: $ BASE="ovl" $ MNT="$BASE/mnt" $ LOW="$BASE/lower" $ UP="$BASE/upper" $ WORK="$BASE/work/ 0 0 none /proc fuse.pwn user_id=1000" $ mkdir -p "$LOW" "$UP" "$WORK" $ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none /mnt $ cat /proc/mounts none /root/ovl/mnt overlay rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0 none /proc fuse.pwn user_id=1000 0 0 $ fusermount -u /proc $ cat /proc/mounts cat: /proc/mounts: No such file or directory This fixes the problem by adding new seq_show_option and seq_show_option_n helpers, and updating the vulnerable show_option handlers to use them as needed. Some, like SELinux, need to be open coded due to unusual existing escape mechanisms. [akpm@linux-foundation.org: add lost chunk, per Kees] [keescook@chromium.org: seq_show_option should be using const parameters] Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Acked-by: Jan Kara <jack@suse.com> Acked-by: Paul Moore <paul@paul-moore.com> Cc: J. R. Okajima <hooanon05g@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> [lizf: Backported to 3.4: - adjust context - one more place in ceph needs to be changed - drop changes to overlayfs - drop showing vers in cifs] Signed-off-by: Zefan Li <lizefan@huawei.com>		2016-04-27 18:55:18 +08:00
..
include	SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()	2014-01-29 05:10:42 -08:00
ss	SELinux: bigendian problems with filename trans rules	2014-03-11 16:10:02 -07:00
.gitignore	SELinux: add .gitignore files for dynamic classes	2009-10-24 09:42:27 +08:00
avc.c	lsm_audit: don't specify the audit pre/post callbacks in 'struct common_audit_data'	2012-04-03 09:49:59 -07:00
exports.c	selinux: sparse fix: include selinux.h in exports.c	2011-09-09 16:56:32 -07:00
hooks.c	fs: create and use seq_show_option for escaping	2016-04-27 18:55:18 +08:00
Kconfig	selinux: Deprecate and schedule the removal of the the compat_net functionality	2008-12-31 12:54:11 -05:00
Makefile	selinux: change to new flag variable	2010-10-21 10:12:40 +11:00
netif.c	doc: Update the email address for Paul Moore in various source files	2011-08-01 17:58:33 -07:00
netlabel.c	selinux: correct locking in selinux_netlbl_socket_connect)	2013-12-04 10:50:32 -08:00
netlink.c	selinux: sparse fix: fix warnings in netlink code	2012-01-05 18:52:51 -05:00
netnode.c	selinux: fix sel_netnode_insert() suspicious rcu dereference	2012-11-26 11:38:02 -08:00
netport.c	SELinux: Fix RCU deref check warning in sel_netport_insert()	2011-12-21 11:28:56 +11:00
nlmsgtab.c	selinux/nlmsg: add XFRM_MSG_MAPPING	2015-09-18 09:20:29 +08:00
selinuxfs.c	selinux: fix sel_write_enforce broken return value	2015-06-19 11:40:29 +08:00
xfrm.c	selinux: look for IPsec labels on both inbound and outbound packets	2014-01-08 09:42:12 -08:00