From: Sukadev Bhattiprolu <sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
To: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Cc: Containers
	<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>
Subject: Re: [RFC][PATCH 2/4][cr]: Define __f_setown_uid()
Date: Wed, 12 May 2010 09:59:22 -0700
Message-ID: <20100512165922.GA11144@us.ibm.com>
In-Reply-To: <20100512084317.GA8842-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>

Serge E. Hallyn [serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org] wrote:
| Quoting Serge E. Hallyn (serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org):
| > Quoting Sukadev Bhattiprolu (sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org):
| > 
| > [From patch 2]
| > 
| > > @@ -222,9 +222,16 @@ int __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
| > >  	if (err)
| > >  		return err;
| > > 
| > > -	f_modown(filp, pid, type, current_uid(), current_euid(), force);
| > > +	f_modown(filp, pid, type, uid, euid, force);
| > >  	return 0;
| > >  }
| > > +
| > > +int __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
| > > +		int force)
| > > +{
| > > +	return __f_setown_uid(filp, pid, type, current_uid(), current_euid(),
| > > +			force);
| > > +}
| > >  EXPORT_SYMBOL(__f_setown);
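Review bot: __f_setown_uid() takes uid/euid from its caller and hands them straight to f_modown() with no check of its own, so every caller other than the __f_setown() wrapper (which passes current_uid()/current_euid()) becomes responsible for deciding whether those ids may be stored; a comment on __f_setown_uid() should say that the values become the credentials under which fown signals are later delivered and that callers must perform a privilege check before passing anything but the current task's own ids. As Serge notes in the reply, the security_file_set_fowner() call on this path still sees the current task rather than the uid being stored, which is worth a comment even if no LSM consumes it yet.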
| > 
| > [From patch 4]
| > 
| > > +	/*
| > > +	 * TODO: Do we need to force==1 or can it be 0 ? 'force' is used to
| > > +	 * 	 modify the owner, if one is already set. Can it be set when
| > > +	 * 	 we restart an application ?
| > > +	 */
| > > +	ret = __f_setown_uid(file, pid, h->f_owner_pid_type, h->f_owner_uid,
| > > +			h->f_owner_euid, 1);
| > > +	rcu_read_unlock();
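Review bot: h->f_owner_uid and h->f_owner_euid come straight out of the checkpoint image and are passed to __f_setown_uid() unchecked; since they become the uid/euid under which fown->signum is later sent to fown->pid, the restore path should refuse any value other than the restarting task's own uid/euid unless the task holds a suitable capability (CAP_SETUID, as already required for restoring creds, is the candidate raised in this thread), returning an error such as -EPERM instead of setting the owner. The TODO on force should also be resolved before this is merged rather than left as an open question in the code.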
| > 
| > I think you need to modify how __f_setown() is calling
| > security_file_set_fowner().  Though I guess noone looks at the
| > current_uid(), so maybe it's not so important at this point.
| > 
| > (I do wonder whether converting fowner to using a struct cred
| > is the way to go)
| 
| Well you can probably skip LSM implications at this point.
| 
| But I'm worried about the fact that you do no check on uid here.
| Note that now if a signal is to be sent, fown->pid will
| get signal fow->signum sent by fown->uid.  So this looks like
| a way for an unprivileged task to use root privs to kill a
| task he shouldn't be able to.

Yes, the uid should not be trusted since the checkpoint image can be
tampered with.  Matt pointed it out too.

The process P1 that called fcntl(F_SETOWN) may have exited and hence
may not be in the checkpoint image. So during restart, some other process
will need to act for P1. Would requiring CAP_SETUID, like we do for
restoring creds, be overkill?
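The risk Serge describes and the CAP_SETUID check floated above, as an added user-space model that is not code from the patch series or the kernel: struct cred_model, struct fowner_hdr, restore_fowner_uid() and restored_owner_can_signal() are hypothetical names, and sigio_perm_model() is assumed to mirror the uid/euid comparison of sigio_perm() in fs/fcntl.c of that era, with the LSM hook left out.

```c
/* Added example (not from the patch series): user-space model of the risk
 * and the check discussed above.  All struct/function names are hypothetical;
 * sigio_perm_model() mirrors the uid/euid test of sigio_perm() in fs/fcntl.c
 * of that era, LSM hook omitted. */
#include <errno.h>
#include <stdbool.h>
#include <sys/types.h>

struct cred_model {
	uid_t uid, euid, suid;
	bool cap_setuid;	/* restarting task holds CAP_SETUID */
};

/* Owner record as read from a checkpoint image: untrusted input. */
struct fowner_hdr {
	uid_t f_owner_uid, f_owner_euid;
};

/* May a signal stamped with this owner's uid/euid reach 'target'?
 * An owner record with euid == 0 passes for every target. */
bool sigio_perm_model(uid_t own_uid, uid_t own_euid,
		      const struct cred_model *target)
{
	return own_euid == 0 ||
	       own_euid == target->suid || own_euid == target->uid ||
	       own_uid  == target->suid || own_uid  == target->uid;
}

/* Restore-time check from the thread: accept the recorded uid/euid only
 * if they are the restarter's own, or the restarter holds CAP_SETUID. */
int restore_fowner_uid(const struct fowner_hdr *h, const struct cred_model *cur,
		       uid_t *uid, uid_t *euid)
{
	bool own = h->f_owner_uid == cur->uid && h->f_owner_euid == cur->euid;
	if (!own && !cur->cap_setuid)
		return -EPERM;
	*uid = h->f_owner_uid;
	*euid = h->f_owner_euid;
	return 0;
}

/* Restore under 'restarter', then report whether the restored record could
 * signal 'target': 1 yes, 0 no, -EPERM if the restore itself is refused. */
int restored_owner_can_signal(const struct fowner_hdr *h,
		const struct cred_model *restarter, const struct cred_model *target)
{
	uid_t uid, euid;
	int ret = restore_fowner_uid(h, restarter, &uid, &euid);
	return ret ? ret : (int)sigio_perm_model(uid, euid, target);
}
```

Without restore_fowner_uid(), a forged record with f_owner_euid == 0 satisfies sigio_perm_model() for any target; with it, an unprivileged restarter can only restore its own ids.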
