Bug 527483

Summary: /dev/pts must use the 'newinstance' mount flag to avoid security problem with containers
Product: Red Hat Enterprise Linux 6 Reporter: Daniel Berrangé <berrange>
Component: kernelAssignee: Aristeu Rozanski <arozansk>
Status: CLOSED WONTFIX QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: low    
Version: 6.0CC: giuseppe.ragusa, hpa, kernel-maint
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 501718
: 860218 (view as bug list) Environment:
Last Closed: 2013-11-06 14:38:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 846704    

Description Daniel Berrangé 2009-10-06 15:20:36 UTC 
+++ This bug was initially created as a clone of Bug #501718 +++

Description of problem:
The Linux kernel now allows multiple instances of 'devpts' filesystem to be mounted on a host, and the pty indexes of each instance are independant. This feature allows Linux containers to be given private 'devpts' instances, preventing them from accessing PTYs from the host OS.

This is only secure, however, if every single mount of 'devpts' uses the 'newinstance' flag, including that of the initial host OS.

If the host OS does not use 'newinstance' mount option, then a container can still get access to the host's PTYs, which is clearly a security problem

When using 'newinstance', the /dev/ptmx  file must also be symlinked, or bind-mounted to /dev/pts/ptmx


There is more information about the required setup in the kernel tree documentation, 'filesystems/devpts.txt'. The key point is in the last paragraph

[quote]
7. A mount of devpts without the 'newinstance' option results in binding to
   initial kernel mount.  This behavior while preserving legacy semantics,
   does not provide strict isolation in a container environment. i.e by
   mounting devpts without the 'newinstance' option, a container could
   get visibility into the 'host' or root container's devpts.
   
   To workaround this and have strict isolation, all mounts of devpts,
   including the mount in the root container, should use the newinstance
   option.
[/quote]


In Fedora 12, libvirt and the LXC toolchain will both be creating containers using 'newinstance' and want this to provide secure isolation of devpts. Thus we require that the host OS devpts is switched to use 'newinstance' and symlink of /dev/ptmx to /dev/pts/ptmx.

RPM claims the 'setup' RPM owns /etc/fstab, but that seems to be a ghost file, and AFAICT anaconda is responsible for initial creation. Thus I'm filing this bug against anaconda - feel free to reassign if this is the wrong place.

Version-Release number of selected component (if applicable):
   anaconda-11.5.0.54-1.fc11

How reproducible:
Always

Steps to Reproduce:
1. Install a new Fedora host
2. 'mount | grep devpts'
3. ls -l /dev/ptmx
  
Actual results:
# mount | grep devpts
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
# ls -l /dev/ptmx
crw-rw-rw-. 1 root tty 5, 2 2009-05-20 14:35 /dev/ptmx


Expected results:
# mount | grep devpts
devpts on /dev/pts type devpts (rw,gid=5,mode=620,newinstance)
# ls -l /dev/ptmx
lrwxrwxrwx. 1 root root 8 2009-05-20 14:36 ptmx -> pts/ptmx


Additional info:

--- Additional comment from berrange on 2009-05-20 09:47:59 EDT ---

Just to clarify, I do not want this for F11. It is too risky to make such a change for F11 at this stage.  Fedora 12 is my desired target for resolution.

--- Additional comment from katzj on 2009-05-20 11:34:24 EDT ---

If we want it mounted that way by default, then we should really change the defaults in the kernel.  Not require changes in anaconda, livecd-creator, appliance-creator, ...
Comment 2 RHEL Program Management 2009-10-06 17:11:31 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 3 RHEL Program Management 2010-07-15 14:44:24 UTC 
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release. It has
been denied for the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **
Comment 4 RHEL Program Management 2011-10-07 14:54:57 UTC 
Since RHEL 6.2 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 5 Daniel Berrangé 2012-09-25 09:44:12 UTC 
Latest proposal for upstream kernel is to kill off the 'newinstance' flag and make all /dev/pts instances private by default.

https://lkml.org/lkml/2012/9/22/142
Comment 6 Daniel Berrangé 2012-09-26 10:36:30 UTC 
*** Bug 844421 has been marked as a duplicate of this bug. ***
Comment 7 Aristeu Rozanski 2013-01-21 19:23:29 UTC 
FWIW: ebiederman's tree:
4b2e6c9c30349d5691ee6c2aa3002a8c178b2d22

also, this might break third party scripts; people remounting devpts in
different directories (think chroot setups) but still wanting to be the same
instance.
Comment 8 Daniel Berrangé 2013-01-28 10:21:21 UTC 
FYI this change

  https://lkml.org/lkml/2013/1/25/787

would potentially offer a different solution. It would allow us to continue issuing a normal devpts in the host. If we want a secure container, then we'd enable user namespaces, which prevent the container accessing the host's devpts since it lacks the newinstance flag.
Comment 9 H. Peter Anvin 2013-02-12 05:42:14 UTC 
It isn't really a different solution.  It is just enforcing the new setup in a restricted context.  The change described here is necessary anyway.