Use safe_getenv() for LIBMOUNT_FORCE_MOUNT2 to ignore the variable
in SUID context, consistent with LIBMOUNT_FSTAB and other sensitive
environment variables.
Additionally, refuse multi-step mount(2) sequences (bind+remount and
propagation) for restricted (non-root) users in the legacy mount path.
The two-step approach has a window between syscalls where security
flags (nosuid, noexec, ...) are not yet applied. The new mount API
handles this atomically.
CVE-2026-53614
Reported-by: Xinyao Hu <ctf_0x01@foxmail.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
*/
#include "mountP.h"
+#include "env.h"
#include "fileutils.h" /* statx() fallback */
#include "strutils.h"
#include "mangle.h"
static int force_classic_mount(struct libmnt_context *cxt)
{
- const char *env = getenv("LIBMOUNT_FORCE_MOUNT2");
+ const char *env = safe_getenv("LIBMOUNT_FORCE_MOUNT2");
if (env) {
if (strcmp(env, "always") == 0)
/* add extra mount(2) calls for each propagation flag */
if (flags & MS_PROPAGATION) {
+ if (mnt_context_is_restricted(cxt))
+ goto eperm;
rc = prepare_propagation(cxt, hs);
if (rc)
return rc;
if ((flags & MS_BIND)
&& (flags & MNT_BIND_SETTABLE)
&& !(flags & MS_REMOUNT)) {
+ if (mnt_context_is_restricted(cxt))
+ goto eperm;
rc = prepare_bindremount(cxt, hs);
if (rc)
return rc;
}
return rc;
+eperm:
+ DBG_OBJ(HOOK, hs, ul_debug(
+ "multi-step mount(2) refused for non-root user"));
+ return -EPERM;
}
const struct libmnt_hookset hookset_mount_legacy =
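Review bot: The two `mnt_context_is_restricted(cxt)` guards and the `eperm:` label carry no comment, so the reason a restricted caller is refused lives only in the commit message, and a later refactor of this function could drop or reorder the checks without noticing. I would add above the first guard something like `/* restricted (non-root): the follow-up mount(2) applies nosuid/noexec/... only after the first call returns; refuse instead of exposing that window */`. The refusal is reported only through `DBG_OBJ`, so the caller sees a bare `-EPERM` with no hint that the legacy path is the cause. Presumably user-mountable entries that combine bind with extra flags now fail whenever the legacy path is taken, which is worth stating in the user-facing documentation. The enclosing function starts outside the visible lines.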