CVE-2025-68736
Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
24/12/2025
Last modified:
24/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

landlock: Fix handling of disconnected directories

Disconnected files or directories can appear when they are visible and
opened from a bind mount, but have been renamed or moved from the source
of the bind mount in a way that makes them inaccessible from the mount
point (i.e. out of scope).

Previously, access rights tied to files or directories opened through a
disconnected directory were collected by walking the related hierarchy
down to the root of the filesystem, without taking into account the
mount point because it couldn't be found. This could lead to
inconsistent access results, potential access right widening, and
hard-to-debug renames, especially since such paths cannot be printed.

For a sandboxed task to create a disconnected directory, it needs to
have write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) to
the underlying source of the bind mount, and read access to the related
mount point. Because a sandboxed task cannot acquire more access
rights than those defined by its Landlock domain, this could lead to
inconsistent access rights due to missing permissions that should be
inherited from the mount point hierarchy, while inheriting permissions
from the filesystem hierarchy hidden by this mount point instead.

Landlock now handles files and directories opened from disconnected
directories by taking into account the filesystem hierarchy when the
mount point is not found in the hierarchy walk, and also always taking
into account the mount point from which these disconnected directories
were opened. This ensures that a rename is not allowed if it would
widen access rights [1].

The rationale is that, even if disconnected hierarchies might not be
visible or accessible to a sandboxed task, relying on the collected
access rights from them improves the guarantee that access rights will
not be widened during a rename because of the access right comparison
between the source and the destination (see LANDLOCK_ACCESS_FS_REFER).
It may look like this would grant more access on disconnected files and
directories, but the security policies are always enforced for all the
evaluated hierarchies. This new behavior should be less surprising to
users and safer from an access control perspective.

Remove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() and
fix the related comment.

Because opened files have their access rights stored in the related file
security properties, there is no impact for disconnected or unlinked
files.