FUSE can make our fs namespacing service sandboxing fail

[sourcejedi]

systemd version the issue has been seen with
v238

Used distribution
Fedora Workstation 28.
Please note, I used setenforce 0. Otherwise the test unit failed with a SELinux denial.

Expected behaviour you didn't see
System service starts successfully, even if nested FUSE mounts died uncleanly.

Unexpected behaviour you saw
System service fails with "NAMESPACE" error, if nested FUSE mounts have died uncleanly.

Steps to reproduce the problem

1. bindfs /mnt /mnt
2. bindfs /mnt/mnt /mnt/mnt
3. killall -9 bindfs
4. systemctl start test.service

(To cleanup, run umount -l /mnt).

Test service is same as from #9844.

This reproducer is not quite so urgent as #9844. You need root to setup the mounts this way, unless you have user_allow_other in fuse.conf. But I think it is still undesirable.

Maybe there are other case(s), where unprivileged users are allowed to create nested FUSE mounts, in the main namespace, but I haven't found one yet.

# /etc/systemd/system/test.service
[Service]

DynamicUser=yes
User=test-service
StateDirectory=test-service

ProtectSystem=strict

Type=oneshot
ExecStart=/bin/touch /var/lib/test-service

[sourcejedi]

Hmm, I'm not sure, but can't the FUSE process return any error it likes?

http://man7.org/linux/man-pages/man4/fuse.4.html

https://www.scylladb.com/2016/02/16/fault-injection-filesystem-software-testing/

If so, I think unprivileged users can maliciously mount FUSE filesystems to trigger the same problem as in #9844, by having them return an error which is not EPERM or EACCESS or ENOENT.

[sourcejedi]

Sorry, the allow_other stuff means unprivileged users can not inject these errors to PID 1.

Even so, I don't think we want to break DynamicUser=1 services when a privileged user has mounted somewhere a filesystem that generates errors. That could be artificial errors, or that filesystem could really be failing.

[sourcejedi]

There is one issue which can be triggered by unprivileged users though. There's a race condition (Time Of Check / Time Of Use). The user can still trigger the DoS from #9844, if they can perform the bindfs ~/mnt ~/mnt after path_is_mount_point(), but before the mount() call. https://github.com/systemd/systemd/blob/52e4d62/src/basic/mount-util.c#L542

[poettering]

Well, FUSE is nasty. Not sure what we can do about this.

[poettering]

I figure we should tweak our namespacing code to simply unmount all FUSE stuff in any namespacing environments, i.e. explicitly make FUSE unsupported and remove it from view whenever namespacing is used. FUSE is kinda a crazy idea anyway, and I am not sure it's worth trying to support that...

[sourcejedi]

Then e.g. if you have PrivateDevices=yes you mysteriously couldn't serve files from an ntfs-3g filesystem, or whatever else urgh. I think you only want to unmount FUSE where it would be touched by ReadOnlyPaths=, ReadOnlyBindPaths=, and possibly BindPaths=. I think that would cause fewer mysteries for people to troubleshoot.

Either way, your suggestion would solve the problem case where a privileged user has some horrible nested hierarchy of fault-injecting FUSE mounts.

On this issue I can agree, to not worry that race conditions would still allow a DoS. Partly since normal mitigations apply -

1. Admins need to be a bit careful about multi-user systems.
2. People should be suspicious about fusermount being installed as rwsr-xr-x, for use in exploit chains. Ho hum. (I think it's a more general concern for security. DAC can help, and I think systemd's own services effectively benefit from NoNewPrivileges=yes. Debian's defaults feel a bit questionable here :-(. ).

I think the race here will not normally be triggered e.g. by use of Gnome GUI. You generally don't want to make "hidden mounts" like this. So I don't claim this will happen very often, unless you have malicious users.

[DemiMarie]

@poettering what about automatically unmounting any FUSE filesystem that does not have allow_other=1? Any FUSE filesystem that an unprivileged user can mount will have allow_other=0.

[DemiMarie]

Does fusermount needs to be suid-root for this to be exploitable?

If so, the solution is trivial: have fusermount synchronize against systemd.