From a56d261325c83da814e08b00c97cb64336a33f90 Mon Sep 17 00:00:00 2001
From: Alexey Gladkov
Date: Tue, 4 Apr 2023 11:56:04 +0200
Subject: Add sysctl to disable idmapped mounts

The commmit 9caccd41 ("fs: introduce MOUNT_ATTR_IDMAP") added idmapped mounts. During the merge, Eric W. Biederman raised concerns [1] about the security of the changes, but the discussion did not continue. Also idmapped mounts creates problems in other subsystems that are still not fixed. For example, security bugs may appear in already existing eBPF programs. Or wrong i_uid/i_gid will get into audit log.

The idmapped mounts is useful in a few usecases such as k8s and is unnecessary in other cases.

[1] https://lore.kernel.org/all/m18s7481xc.fsf@fess.ebiederm.org/

Signed-off-by: Alexey Gladkov
---
 fs/namespace.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/fs/namespace.c b/fs/namespace.c
index 92ec2a390844..06aa3bfa6ab6 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -36,6 +36,7 @@
 #include "internal.h"
 
 /* Maximum number of mounts in a mount namespace */
+static bool sysctl_idmapped_mount_enabled __read_mostly = false;
 static unsigned int sysctl_mount_max __read_mostly = 100000;
 
 static unsigned int m_hash_mask __read_mostly;
@@ -3856,6 +3857,9 @@ static int can_idmap_mount(const struct mount_kattr *kattr, struct mount *mnt)
 if (!kattr->mnt_userns)
 return 0;
 
+ if (!READ_ONCE(sysctl_idmapped_mount_enabled))
+ return -EINVAL;
+
 /*
 * Once a mount has been idmapped we don't allow it to change its
 * mapping. It makes things simpler and callers can just create
@@ -4541,6 +4545,13 @@ const struct proc_ns_operations mntns_operations = {
 
 #ifdef CONFIG_SYSCTL
 static struct ctl_table fs_namespace_sysctls[] = {
+ {
+ .procname = "enable-idmapped-mount",
+ .data = &sysctl_idmapped_mount_enabled,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dobool,
+ },
 {
 .procname = "mount-max",
 .data = &sysctl_mount_max,
-- 
2.33.7
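Review bot: `sysctl_idmapped_mount_enabled` is defined unconditionally, but its only writer is the `fs_namespace_sysctls` entry added in the third hunk, which lives under `#ifdef CONFIG_SYSCTL`, so a kernel built without CONFIG_SYSCTL ends up with idmapped mounts permanently disabled and no way to re-enable them. Either that is intended and belongs in the commit message, or the initializer should follow the option, e.g. `static bool sysctl_idmapped_mount_enabled __read_mostly = !IS_ENABLED(CONFIG_SYSCTL);`. The insertion point also separates `/* Maximum number of mounts in a mount namespace */` from `sysctl_mount_max`, the variable it describes; the new line should go after `sysctl_mount_max` with its own comment, such as `/* Whether MOUNT_ATTR_IDMAP may be applied; toggled via the enable-idmapped-mount sysctl next to mount-max */`. The knob is also undocumented in Documentation/admin-guide/sysctl/fs.rst, and because it defaults to off, systems that already rely on idmapped mounts will start failing after an upgrade, which that entry should spell out.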
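Review bot: The new check returns -EINVAL when the knob is off, which userspace cannot tell apart from a malformed mount_setattr request; an errno that names a policy refusal, `return -EPERM;` or `return -EOPNOTSUPP;`, would be more useful to callers and to anyone triaging failures from logs, though the choice is the maintainers' to make. As far as this hunk shows, the gate sits only on the path that attaches a new mapping, so clearing the sysctl later leaves mounts that were already idmapped in place; that deserves a one-line comment above the check, e.g. `/* Global policy knob: refuses new idmappings only, existing idmapped mounts are unaffected */`, and a sentence in the commit message. `can_idmap_mount` continues past the end of the hunk.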
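Review bot: `.maxlen = sizeof(int)` does not match the object `.data` points at: `sysctl_idmapped_mount_enabled` is declared `bool` in the first hunk and the handler is `proc_dobool`, so the entry should read `.maxlen = sizeof(bool),`. In recent kernels `proc_dobool` appears to reject a table whose maxlen is not `sizeof(bool)` with -EINVAL, in which case every read or write of this file would fail; even where it does not, a length larger than the underlying one-byte object is exactly the kind of inconsistency that later turns into an out-of-bounds write. The `fs_namespace_sysctls` array continues past the end of the hunk.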