Linux Kernel CAP_SYS_ADMIN User Namespace Vulnerability in clone_private_mnt() Function

Vulnerability

A vulnerability in the Linux kernel's handling of user namespace administrative rights has been addressed. The issue arose in the clone_private_mnt() function, which failed to verify that the caller had the CAP_SYS_ADMIN capability in the appropriate user namespace. This oversight could allow a mount operation to expose something hidden by a mount that the caller would not be able to undo. The function checked for locked mounts that could not be undone, but it did not check that the caller had administrative rights in the relevant user namespace. This gap in verification could lead to unintended consequences when managing namespace mounts, particularly with the introduction of a new mount API that complicates CAP_SYS_ADMIN checks across different user namespaces.
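
The difference between the two checks described above can be seen in a small user-space model. This is an added example, not kernel code or the actual patch; the struct layouts, function names and sample namespaces are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model; all names are hypothetical, not kernel code. */
struct user_ns { const struct user_ns *parent; unsigned owner_uid; };
struct cred    { const struct user_ns *ns; unsigned euid; bool cap_sys_admin; };
struct mount   { const struct user_ns *owner_ns; bool has_locked_children; };

/* CAP_SYS_ADMIN relative to `target`: walk from target toward the root.
 * A capability held in the caller's own namespace covers it and its
 * descendants; a namespace's creator is privileged over it from the parent. */
static bool model_ns_capable(const struct cred *c, const struct user_ns *target)
{
    for (const struct user_ns *ns = target; ns; ns = ns->parent) {
        if (ns == c->ns)
            return c->cap_sys_admin;
        if (ns->parent == c->ns && ns->owner_uid == c->euid)
            return true;
    }
    return false;   /* caller's namespace is not an ancestor of target */
}

/* Check as described for the affected code: locked children only. */
static bool may_clone_before(const struct mount *m) { return !m->has_locked_children; }

/* With the missing check added: admin rights in the mount's userns too. */
static bool may_clone_after(const struct cred *c, const struct mount *m)
{
    return model_ns_capable(c, m->owner_ns) && !m->has_locked_children;
}

/* Constructed sample objects (uids are kernel-global ids). */
static const struct user_ns init_ns  = { NULL, 0 };
static const struct user_ns child_ns = { &init_ns, 1000 };
static const struct cred  host_root   = { &init_ns, 0, true };
static const struct cred  userns_root = { &child_ns, 1000, true };
static const struct mount host_mnt    = { &init_ns, false };
static const struct mount child_mnt   = { &child_ns, false };

int main(void)
{
    printf("userns_root on host_mnt:  before=%d after=%d\n",
           may_clone_before(&host_mnt), may_clone_after(&userns_root, &host_mnt));
    printf("userns_root on child_mnt: after=%d\n",
           may_clone_after(&userns_root, &child_mnt));
    printf("host_root on child_mnt:   after=%d\n",
           may_clone_after(&host_root, &child_mnt));
    return 0;
}
```

In the model, a caller that is root only inside the child user namespace passes the locked-children check on a mount owned by the initial namespace, and is refused once the capability check is made against the mount's owning user namespace.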

Impact

The vulnerability could allow unauthorized users to manipulate mounts in a way that disrupts system operations or compromises security, by exploiting the lack of proper administrative checks in user namespaces.

Reproduction

The vulnerability can be reproduced by calling the clone_private_mnt() function without the CAP_SYS_ADMIN capability in the user namespace of the mount being manipulated. This can be done by creating a user namespace that lacks the necessary administrative rights and then performing a mount operation that is intercepted by the clone_private_mnt() function. The missing checks can lead to exposure of mounts that should be restricted, allowing for unauthorized manipulation or access.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched kernel can be found on the official Linux kernel website.

Added: Aug 11, 2025, 4:19 PM
Updated: Aug 11, 2025, 6:42 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 3.8
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.