

Merge branch 'userns-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/luto/linux

Pull user-namespace fixes from Andy Lutomirski.

* 'userns-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/luto/linux:
userns: Changing any namespace id mappings should require privileges
userns: Check uid_map's opener's fsuid, not the current fsuid
userns: Don't let unprivileged users trick privileged users into setting the id_map

+13 -9
+13 -9
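--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -25,7 +25,8 @@
 
 static struct kmem_cache *user_ns_cachep __read_mostly;
 
-static bool new_idmap_permitted(struct user_namespace *ns, int cap_setid,
+static bool new_idmap_permitted(const struct file *file,
+				struct user_namespace *ns, int cap_setid,
 				struct uid_gid_map *map);
 
 static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
@@ -613,10 +612,10 @@
 	if (map->nr_extents != 0)
 		goto out;
 
-	/* Require the appropriate privilege CAP_SETUID or CAP_SETGID
-	 * over the user namespace in order to set the id mapping.
+	/*
+	 * Adjusting namespace settings requires capabilities on the target.
 	 */
-	if (cap_valid(cap_setid) && !ns_capable(ns, cap_setid))
+	if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
 		goto out;
 
 	/* Get a buffer */
@@ -701,7 +700,7 @@
 
 	ret = -EPERM;
 	/* Validate the user is allowed to use user id's mapped to. */
-	if (!new_idmap_permitted(ns, cap_setid, &new_map))
+	if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
 		goto out;
 
 	/* Map the lower ids from the parent user namespace to the
@@ -788,7 +787,8 @@
 			     &ns->projid_map, &ns->parent->projid_map);
 }
 
-static bool new_idmap_permitted(struct user_namespace *ns, int cap_setid,
+static bool new_idmap_permitted(const struct file *file,
+				struct user_namespace *ns, int cap_setid,
 				struct uid_gid_map *new_map)
 {
 	/* Allow mapping to your own filesystem ids */
@@ -797,12 +795,12 @@
 		u32 id = new_map->extent[0].lower_first;
 		if (cap_setid == CAP_SETUID) {
 			kuid_t uid = make_kuid(ns->parent, id);
-			if (uid_eq(uid, current_fsuid()))
+			if (uid_eq(uid, file->f_cred->fsuid))
 				return true;
 		}
 		else if (cap_setid == CAP_SETGID) {
 			kgid_t gid = make_kgid(ns->parent, id);
-			if (gid_eq(gid, current_fsgid()))
+			if (gid_eq(gid, file->f_cred->fsgid))
 				return true;
 		}
 	}
@@ -813,8 +811,10 @@
 
 	/* Allow the specified ids if we have the appropriate capability
 	 * (CAP_SETUID or CAP_SETGID) over the parent user namespace.
+	 * And the opener of the id file also had the approprpiate capability.
 	 */
-	if (ns_capable(ns->parent, cap_setid))
+	if (ns_capable(ns->parent, cap_setid) &&
+	    file_ns_capable(file, ns->parent, cap_setid))
 		return true;
 
 	return false;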
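Review bot: The new comment above the `file_ns_capable(file, ns, CAP_SYS_ADMIN)` check in the second hunk does not say whose credentials are being evaluated, which is the whole point of the change: the later hunks compare against `file->f_cred->fsuid`/`fsgid`, and the commit titles say the opener's credentials are what count, so a maintainer reading only this check could assume it is still `current` being tested. I would extend it to `/* Checked against the credentials of whoever opened the map file (file->f_cred), not current's, so a privileged writer cannot be tricked through an fd opened by a less privileged task. */`. The sixth hunk has the same gap in the opposite direction and also a typo; I would change its added line to ` * and the opener of the id file also had the appropriate capability (file->f_cred).` so both checks are documented the same way. Both `map_write` and `new_idmap_permitted` start or end outside the shown hunks, so the surrounding control flow is inferred from the visible lines only.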