MountRule fstype misconfiguration

[spoock1024]

I found that the fstype of some mount rules is set to none. For example:

// bind, rbind, remount, move, umount
mountContent, err = newBpfMountRule("/proc**", "none", unix.MS_BIND|unix.MS_REC|unix.MS_REMOUNT|unix.MS_MOVE|AaMayUmount, 0)

referer: https://github.com/bytedance/vArmor/blob/main/internal/profile/bpf/bpf.go#L347

I analyzed the code in eBPF and found that there is only matching for *, but no matching for none.

static __noinline bool mount_fstype_check(unsigned char *rule_fstype, unsigned char *fstype) {
  DEBUG_PRINT("mount_fstype_check()");
  if (rule_fstype[0] == '*') {
    return true;
  }

  for (int i = 0; i < FILE_SYSTEM_TYPE_MAX; i++) {
    if (rule_fstype[i] == 0 && fstype[i] == 0)
      return true;

    if (rule_fstype[i] != fstype[i])
      break;
  }

  return false;
}

referer: https://github.com/bytedance/vArmor-ebpf/blob/main/pkg/bpfenforcer/bpf/mount.h#L48

I understand that when fstype is set to none, it means to ignore fstype. So according to the code, should it be set to * instead?

[Danny-Wei]

Thanks for raising the issue.

We set the fstype of these built-in rules to none to make them more precise and avoid unexpected behavior. Unfortunately, this results in the possibility of bypassing them. Attackers may call unix.Mount("/proc", "/tmp/proc", "dddd", unix.MS_BIND, "") with any fstype to bypass the check.

I believe the root cause of this issue lies in the mount access control primitives. Therefore, I plan to address it in vArmor-ebpf.