Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
nstree: tighten permission checks for listing

Even privileged services should not necessarily be able to see other
privileged services' namespaces so they can't leak information to each
other. Use may_see_all_namespaces() helper that centralizes this policy
until the nstree adapts.

Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-3-d2c2853313bd@kernel.org
Fixes: 76b6f5dfb3fd ("nstree: add listns()")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@kernel.org # v6.19+
Signed-off-by: Christian Brauner <brauner@kernel.org>

+4 -25
kernel/nstree.c
··· 515 515 static inline bool __must_check may_list_ns(const struct klistns *kls, 516 516 struct ns_common *ns) 517 517 { 518 - if (kls->user_ns) { 519 - if (kls->userns_capable) 520 - return true; 521 - } else { 522 - struct ns_common *owner; 523 - struct user_namespace *user_ns; 524 - 525 - owner = ns_owner(ns); 526 - if (owner) 527 - user_ns = to_user_ns(owner); 528 - else 529 - user_ns = &init_user_ns; 530 - if (ns_capable_noaudit(user_ns, CAP_SYS_ADMIN)) 531 - return true; 532 - } 533 - 518 + if (kls->user_ns && kls->userns_capable) 519 + return true; 534 520 if (is_current_namespace(ns)) 535 521 return true; 536 - 537 - if (ns->ns_type != CLONE_NEWUSER) 538 - return false; 539 - 540 - if (ns_capable_noaudit(to_user_ns(ns), CAP_SYS_ADMIN)) 541 - return true; 542 - 543 - return false; 522 + return may_see_all_namespaces(); 544 523 } 545 524 546 525 static inline void ns_put(struct ns_common *ns) ··· 579 600 580 601 ret = 0; 581 602 head = &to_ns_common(kls->user_ns)->ns_owner_root.ns_list_head; 582 - kls->userns_capable = ns_capable_noaudit(kls->user_ns, CAP_SYS_ADMIN); 603 + kls->userns_capable = may_see_all_namespaces(); 583 604 584 605 rcu_read_lock(); 585 606
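Review bot: may_list_ns() ends up with no comment stating the policy it now enforces, and the behaviour change in the removed branches is easy to miss. Those branches allowed listing on CAP_SYS_ADMIN in the namespace's owning user namespace (ns_owner(ns), falling back to init_user_ns) and, for CLONE_NEWUSER entries, on CAP_SYS_ADMIN in that user namespace itself. After the change, anything that is not one of the caller's current namespaces depends solely on may_see_all_namespaces(), whose definition is not part of this diff. Please add a comment above may_list_ns() that spells out the resulting rule and marks it as interim, matching the "until the nstree adapts" wording of the commit message, so the dropped per-user-namespace path reads as intentional.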
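Review bot: at the kls->userns_capable assignment in the second hunk, the field no longer records a capability held in kls->user_ns, so its name now misleads; rename it or add a comment at the assignment. With this value, the kls->user_ns && kls->userns_capable test in may_list_ns() can only be true when may_see_all_namespaces() was already true at assignment time, which makes it a cached copy of the final return may_see_all_namespaces(). If caching the result across the listing is the intent, say so in a comment; otherwise the field and the first test could be dropped.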