From: "Daniel P. Berrange" <berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
	Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	"Eric W. Biederman"
	<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
	Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
	Michael Kerrisk
	<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: [PATCH] Forbid invocation of kexec_load() outside initial PID namespace
Date: Fri,  3 Aug 2012 11:53:04 +0100
Message-ID: <1343991184-3619-1-git-send-email-berrange@redhat.com>

From: "Daniel P. Berrange" <berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

The following commit

    commit cf3f89214ef6a33fad60856bc5ffd7bb2fc4709b
    Author: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
    Date:   Wed Mar 28 14:42:51 2012 -0700

    pidns: add reboot_pid_ns() to handle the reboot syscall

introduced custom handling of the reboot() syscall when invoked
from a non-initial PID namespace. The intent was that a process
in a container can be allowed to keep CAP_SYS_BOOT and execute
reboot() to shutdown/reboot just their private container, rather
than the host.

Unfortunately the kexec_load() syscall also relies on the
CAP_SYS_BOOT capability. So by allowing a container to keep
this capability to safely invoke reboot(), they mistakenly
also gain the ability to use kexec_load(). The solution is
to make kexec_load() return -EPERM if invoked from a PID
namespace that is not the initial namespace.

Signed-off-by: Daniel P. Berrange <berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
Cc: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
Cc: Michael Kerrisk <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
---
 kernel/kexec.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kernel/kexec.c b/kernel/kexec.c
index 0668d58..b152bde 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -947,6 +947,11 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
 	if (!capable(CAP_SYS_BOOT))
 		return -EPERM;
 
+	/* Processes in containers must not be allowed to load a new
+	 * kernel, even if they have CAP_SYS_BOOT */
+	if (task_active_pid_ns(current) != &init_pid_ns)
+		return -EPERM;
+
 	/*
 	 * Verify we have a legal set of flags
 	 * This leaves us room for future extensions.
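Review bot: the new test at `if (task_active_pid_ns(current) != &init_pid_ns)` keys on the PID namespace alone, which is a proxy for "is this process in a container" rather than a check on where CAP_SYS_BOOT was granted; that mirrors the reboot_pid_ns() precedent cited in the commit message, but the comment above the test should say so explicitly, since a reader seeing only this hunk will ask why the PID namespace is the discriminator. Two smaller points: the added comment opens as `/* Processes in containers must not be allowed to load a new` while the existing comment immediately below it in the same hunk uses the kernel's usual form with `/*` alone on the opening line, so match that; and because this introduces a new condition under which kexec_load() returns -EPERM, the kexec_load(2) ERRORS section should gain a matching entry (the man-pages maintainer is already on Cc). Placement after the `capable(CAP_SYS_BOOT)` test is right: a caller without the capability is still rejected first, and the flag validation below only runs for callers that passed both checks.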
-- 
1.7.11.2
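As an added example that is not part of the patch or of this thread: a small userspace probe, of the kind a container hardening test would run from inside the container, that checks whether kexec_load() is refused without ever loading anything. It assumes the behaviour shown in the hunk above, namely that the CAP_SYS_BOOT and init_pid_ns checks run before the kernel validates the flags argument, and it passes a flag bit (0x8000) that no kernel defines, so a caller the policy would permit gets EINVAL from the flag check instead of touching any image. The enum, the constant and the function names are this example's own, not the kernel's.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Outcome of probing kexec_load() without loading anything (example's own enum). */
enum kexec_verdict {
    KEXEC_DENIED = 0,      /* EPERM: capability or namespace policy refused the call */
    KEXEC_REACHABLE = 1,   /* EINVAL: policy checks passed; only the bogus flags stopped it */
    KEXEC_UNAVAILABLE = 2, /* ENOSYS: kernel built without kexec, or syscall filtered out */
    KEXEC_UNEXPECTED = 3   /* success, or an errno this probe does not know about */
};

/* Bit 15 is not KEXEC_ON_CRASH (0x1), KEXEC_PRESERVE_CONTEXT (0x2) or any other
 * defined kexec flag, and it lies below the architecture bits (16-31), so the
 * kernel's "verify we have a legal set of flags" step rejects it with EINVAL.
 * That step runs only after the CAP_SYS_BOOT and PID-namespace checks in the
 * patch, so EPERM versus EINVAL tells us which side of the policy we are on. */
#define KEXEC_PROBE_FLAGS 0x8000UL

/* Pure mapping from (syscall return value, errno) to a verdict; testable offline. */
enum kexec_verdict classify_kexec_probe(long rc, int err)
{
    if (rc == 0)
        return KEXEC_UNEXPECTED; /* a bogus-flags call must never succeed */
    switch (err) {
    case EPERM:  return KEXEC_DENIED;
    case EINVAL: return KEXEC_REACHABLE;
    case ENOSYS: return KEXEC_UNAVAILABLE;
    default:     return KEXEC_UNEXPECTED;
    }
}

/* Issue the probe. entry=0, nr_segments=0, segments=NULL: nothing is loaded and
 * no already-loaded image is touched, because the flag check fails first. */
enum kexec_verdict probe_kexec_load(void)
{
#ifdef SYS_kexec_load
    long rc;
    errno = 0;
    rc = syscall(SYS_kexec_load, 0UL, 0UL, (void *)0, KEXEC_PROBE_FLAGS);
    return classify_kexec_probe(rc, errno);
#else
    return KEXEC_UNAVAILABLE; /* not a Linux build: the syscall does not exist here */
#endif
}

const char *kexec_verdict_name(enum kexec_verdict v)
{
    switch (v) {
    case KEXEC_DENIED:      return "denied (EPERM)";
    case KEXEC_REACHABLE:   return "reachable (EINVAL from the flag check)";
    case KEXEC_UNAVAILABLE: return "unavailable (ENOSYS)";
    default:                return "unexpected";
    }
}

int main(void)
{
    enum kexec_verdict v = probe_kexec_load();
    printf("kexec_load() probe from pid %ld, euid %ld: %s\n",
           (long)getpid(), (long)geteuid(), kexec_verdict_name(v));
    /* Non-zero exit when a container test expected the call to be refused. */
    return v == KEXEC_DENIED ? 0 : 1;
}
```

Run it inside a container that has deliberately been left with CAP_SYS_BOOT (for the reboot() use case the commit message describes); the expected verdict there is "denied". A verdict of "reachable" means the policy has failed and the container could replace the host kernel. Note that EPERM alone cannot distinguish a missing capability from the namespace check, so the result is only meaningful where the caller actually holds CAP_SYS_BOOT.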
