Bug 860218 - /dev/pts must use the 'newinstance' mount flag to avoid security problem with containers
Summary: /dev/pts must use the 'newinstance' mount flag to avoid security problem with...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: kernel
Version: 7.0
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Aristeu Rozanski
QA Contact: Red Hat Kernel QE team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-09-25 09:45 UTC by Daniel Berrangé
Modified: 2013-11-01 13:39 UTC (History)
CC List: 2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 527483
Environment:
Last Closed: 2013-11-01 13:39:44 UTC
Target Upstream Version:
Embargoed:



Description Daniel Berrangé 2012-09-25 09:45:40 UTC
+++ This bug was initially created as a clone of Bug #527483 +++

+++ This bug was initially created as a clone of Bug #501718 +++

Description of problem:
The Linux kernel now allows multiple instances of the 'devpts' filesystem to be mounted on a host, and the pty indexes of each instance are independent. This feature allows Linux containers to be given private 'devpts' instances, preventing them from accessing PTYs from the host OS.

This is only secure, however, if every single mount of 'devpts' uses the 'newinstance' flag, including that of the initial host OS.

If the host OS does not use the 'newinstance' mount option, then a container can still get access to the host's PTYs, which is clearly a security problem.

When using 'newinstance', the /dev/ptmx file must also be symlinked, or bind-mounted, to /dev/pts/ptmx.


There is more information about the required setup in the kernel tree documentation, 'filesystems/devpts.txt'. The key point is in the last paragraph:

[quote]
7. A mount of devpts without the 'newinstance' option results in binding to
   initial kernel mount.  This behavior while preserving legacy semantics,
   does not provide strict isolation in a container environment. i.e by
   mounting devpts without the 'newinstance' option, a container could
   get visibility into the 'host' or root container's devpts.
   
   To workaround this and have strict isolation, all mounts of devpts,
   including the mount in the root container, should use the newinstance
   option.
[/quote]


In Fedora 12, libvirt and the LXC toolchain will both be creating containers using 'newinstance' and want this to provide secure isolation of devpts. Thus we require that the host OS devpts is switched to use 'newinstance' and symlink of /dev/ptmx to /dev/pts/ptmx.

RPM claims the 'setup' RPM owns /etc/fstab, but that seems to be a ghost file, and AFAICT anaconda is responsible for initial creation. Thus I'm filing this bug against anaconda - feel free to reassign if this is the wrong place.

Version-Release number of selected component (if applicable):
   anaconda-11.5.0.54-1.fc11

How reproducible:
Always

Steps to Reproduce:
1. Install a new Fedora host
2. 'mount | grep devpts'
3. ls -l /dev/ptmx
  
Actual results:
# mount | grep devpts
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
# ls -l /dev/ptmx
crw-rw-rw-. 1 root tty 5, 2 2009-05-20 14:35 /dev/ptmx


Expected results:
# mount | grep devpts
devpts on /dev/pts type devpts (rw,gid=5,mode=620,newinstance)
# ls -l /dev/ptmx
lrwxrwxrwx. 1 root root 8 2009-05-20 14:36 ptmx -> pts/ptmx


Additional info:

--- Additional comment from berrange on 2009-05-20 09:47:59 EDT ---

Just to clarify, I do not want this for F11. It is too risky to make such a change for F11 at this stage.  Fedora 12 is my desired target for resolution.

--- Additional comment from katzj on 2009-05-20 11:34:24 EDT ---

If we want it mounted that way by default, then we should really change the defaults in the kernel.  Not require changes in anaconda, livecd-creator, appliance-creator, ...

--- Additional comment from berrange on 2012-09-25 10:44:12 BST ---

Latest proposal for upstream kernel is to kill off the 'newinstance' flag and make all /dev/pts instances private by default.

https://lkml.org/lkml/2012/9/22/142
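The "Steps to Reproduce" above amount to a two-part audit: is the devpts mount on /dev/pts a 'newinstance' mount, and does /dev/ptmx reach that private instance (symlink to pts/ptmx, or bind mount of /dev/pts/ptmx)? The script below is an added example written for this page, not code from the bug report or from Red Hat; it turns that audit into shell functions. Mount data is passed in as text in /proc/self/mounts format rather than read from `mount` output, so the functions can be run against a captured file from another host, and the ptmx path is a parameter so it can be pointed at a scratch directory. All function names and the sample mount lines are constructed for the example.

```shell
#!/bin/sh
# Added audit helper (not part of the bug report): does this host's devpts
# setup match the "Expected results" above?  Two checks:
#   1. the devpts mount on /dev/pts carries the 'newinstance' option
#   2. /dev/ptmx reaches the private instance, either as a symlink to
#      pts/ptmx or as a bind mount of /dev/pts/ptmx
# Mount data is given in /proc/self/mounts format, e.g.
#   devpts /dev/pts devpts rw,gid=5,mode=620,newinstance 0 0

# mount_opts MOUNTS_TEXT MOUNTPOINT
# Prints the option field of the devpts mount at MOUNTPOINT, or nothing.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp && $3 == "devpts" { print $4; exit }'
}

# devpts_newinstance MOUNTS_TEXT -> "ok" | "missing" | "none"
devpts_newinstance() {
    opts=$(mount_opts "$1" /dev/pts)
    if [ -z "$opts" ]; then
        echo none; return 1
    fi
    # Match the option as a whole word inside the comma-separated list.
    case ",$opts," in
        *,newinstance,*) echo ok; return 0 ;;
        *)               echo missing; return 1 ;;
    esac
}

# ptmx_private MOUNTS_TEXT PTMX_PATH -> "symlink" | "bindmount" | "legacy"
# PTMX_PATH is normally /dev/ptmx.
ptmx_private() {
    if [ -L "$2" ]; then
        case "$(readlink "$2")" in
            pts/ptmx|/dev/pts/ptmx) echo symlink; return 0 ;;
        esac
    fi
    # A bind mount of /dev/pts/ptmx shows up as a devpts mount whose
    # mountpoint is the ptmx node itself.
    if [ -n "$(mount_opts "$1" "$2")" ]; then
        echo bindmount; return 0
    fi
    # Plain character device 5,2: opens the initial (host) devpts instance.
    echo legacy; return 1
}

# audit_devpts MOUNTS_TEXT PTMX_PATH
# "isolated" when both checks pass; otherwise "shared (...)" with the reason,
# meaning a container mount of devpts without 'newinstance' would bind to the
# host instance.
audit_devpts() {
    m=$(devpts_newinstance "$1") || true
    p=$(ptmx_private "$1" "$2") || true
    if [ "$m" = ok ] && { [ "$p" = symlink ] || [ "$p" = bindmount ]; }; then
        echo isolated; return 0
    fi
    echo "shared (devpts newinstance: $m, ptmx: $p)"; return 1
}

# Check the live system when the script is run directly.
if [ -r /proc/self/mounts ]; then
    audit_devpts "$(cat /proc/self/mounts)" /dev/ptmx || true
fi
```

On a RHEL 7 era kernel the result is meaningful: "shared" is the state the bug describes, and "isolated" is the "Expected results" state. On kernels from 4.7 onward every devpts mount is already a private instance and 'newinstance' is accepted but ignored, so the first check reports "missing" there without any isolation problem.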

Comment 1 Daniel Berrangé 2013-11-01 08:54:18 UTC
FYI, while it might be nice to do this, I no longer consider this an important fix for containers. With sVirt SELinux rules, the user will be blocked from accessing the original devpts instance, and likewise user namespaces would also block it. So it is only a security risk if neither user namespaces nor selinux were used, and this scenario is insecure for many other reasons too. So feel free to WONTFIX this bug unless the quoted kernel change is in fact already upstream.

Comment 2 Aristeu Rozanski 2013-11-01 13:39:44 UTC
It seems upstream didn't reach an agreement on this, and I believe diverging from
upstream on this will cause problems. Closing with WONTFIX.
Thanks, Daniel

