From e2869e0a5aa58cfadc1b2b58d3c21ec7e8c19306 Mon Sep 17 00:00:00 2001
From: Andreas Hrubak
Date: Sat, 27 Jul 2024 18:47:06 +0200
Subject: [PATCH] utilize bindmount-v2 from linux-helpers collection to set AT_SYMLINK_NOFOLLOW flag which is critical to prevent interception of /bin/sh to leak to the peer mount-namespaces in cases when /bin/sh is a symlink outside of /bin

---
 root-tools/noshellinject | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/root-tools/noshellinject b/root-tools/noshellinject
index 9936562..3f44d74 100755
--- a/root-tools/noshellinject
+++ b/root-tools/noshellinject
@@ -32,6 +32,23 @@ propagtype()
 findmnt --noheadings --output PROPAGATION "$1"
 }
 
+bind_mount_symlink()
+{
+ local src=$1
+ local target=$2
+
+ if type bindmount-v2 >/dev/null 2>&1
+ then
+ bindmount-v2 "$src" "$target"
+ elif [ ! -L "$src" ]
+ then
+ mount --bind "$src" "$target"
+ else
+ echo "$0: $src is a symlink, which may unexpectedly leak out to the parent namespace if bind-mounted. stop." >&2
+ return 1
+ fi
+}
+
 if [ "$1" = --inner ]
 then
 mkdir -p "$real_shells_dir"
@@ -51,13 +68,13 @@ then
 nsenter -t $PPID -m umount -l "$real_shells_dir"
 
 # bind-mount this dir over itself to be able to make private mounts under it
- mount --bind /bin /bin
+ bind_mount_symlink /bin /bin
 mount --make-private /bin
 
 # over-mount shells to be able to intercept "sh -c commandLine" type calls
 for shell in "${shellnames[@]}"
 do
- mount --bind /usr/tool/notashell /bin/$shell
+ bind_mount_symlink /usr/tool/notashell /bin/$shell
 done
 
 # after sub-mounts are mounted, clean up the parent mount from the parent namespace
-- 
2.11.4.GIT
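Review bot: The fallback guard `elif [ ! -L "$src" ]` inspects the source path, but the symlink that lets the bind mount escape the private /bin subtree is the target: the second hunk calls `bind_mount_symlink /usr/tool/notashell /bin/$shell` with a regular file as src and /bin/sh — which the commit message itself says may be a symlink pointing outside /bin — as target, so when bindmount-v2 is not on PATH the plain `mount --bind` still follows the link and the mount lands at the resolved path in the shared namespace. Suggest `elif [ ! -L "$src" ] && [ ! -L "$target" ]` and widening the message to name both paths, e.g. `echo "$0: $src or $target is a symlink, which may unexpectedly leak out to the parent namespace if bind-mounted. stop." >&2`. Because which branch runs depends silently on whether bindmount-v2 is installed, a header comment above the function stating that only bindmount-v2 (per the commit message, via AT_SYMLINK_NOFOLLOW) mounts safely over a symlink and that the fallback deliberately refuses symlinks would save the next reader from assuming `mount --bind` is equivalent.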
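Review bot: The exit status of `bind_mount_symlink /bin /bin` is never checked, so when the function refuses (returns 1) the script still proceeds to `mount --make-private /bin` and to over-mounting the shells on a /bin that was not bind-mounted over itself, which is the exact state the new helper was meant to prevent; the same applies to the call inside the `for shell` loop, where one refused shell does not stop the remaining iterations. Unless the file enables `set -e` above this hunk (not visible here), append `|| exit 1` to the first call and `|| exit 1` to the call in the loop, or check every target with `-L` before performing any mount so the namespace is left untouched on refusal. The enclosing `if [ "$1" = --inner ]` block starts and ends outside this hunk.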