summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHelmut Grohne <helmut@subdivi.de>2024-04-04 10:57:47 +0200
committerHelmut Grohne <helmut@subdivi.de>2024-04-04 10:57:47 +0200
commit4b6414079b074ec2a914f2e6a0fdb47916453f78 (patch)
tree41cb3097771aabb574ebe2f7e6abcdac452c86fd
parent185e8e3745d6e484b0b319f79dac5caf57a6a673 (diff)
downloadpython-linuxnamespaces-4b6414079b074ec2a914f2e6a0fdb47916453f78.tar.gz
document security implications of populate_* functions
-rw-r--r--linuxnamespaces/__init__.py7
1 files changed, 7 insertions, 0 deletions
diff --git a/linuxnamespaces/__init__.py b/linuxnamespaces/__init__.py
index c12a13c..2b92462 100644
--- a/linuxnamespaces/__init__.py
+++ b/linuxnamespaces/__init__.py
@@ -359,6 +359,10 @@ def populate_dev(
"""Mount a tmpfs to the dev directory beneath newroot and populate it with
basic devices by bind mounting them from the dev directory beneath
origroot. Also mount a new pts instance.
+
+ Even though a CAP_SYS_ADMIN-enabled process can umount components of the
+ /dev hierarchy, they they cannot gain privileges in doing so as no
+ hierarchies are restricted via tmpfs mounts or read-only bind mounts.
"""
origdev = AtLocation(origroot) / "dev"
newdev = AtLocation(newroot) / "dev"
@@ -430,6 +434,9 @@ def populate_sys(
) -> None:
"""Create a /sys hierarchy below newroot. Bind the cgroup hierarchy. The
cgroup hierarchy will be mounted read-only if mounting the root group.
+
+ A process with CAP_SYS_ADMIN can remount the created bind mounts read-write
+ or umount hiding mounts and thus elevate their privileges.
"""
newsys = AtLocation(newroot) / "sys"
mflags = MountFlags.NOSUID | MountFlags.NOEXEC | MountFlags.NODEV