From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: LSM <linux-security-module@vger.kernel.org>,
James Morris <jmorris@namei.org>,
Kees Cook <kees.cook@canonical.com>,
containers@lists.linux-foundation.org,
kernel list <linux-kernel@vger.kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
Michael Kerrisk <mtk.manpages@gmail.com>
Subject: [PATCH 4/7] allow killing tasks in your own or child userns
Date: Mon, 10 Jan 2011 21:13:34 +0000 [thread overview]
Message-ID: <20110110211334.GD22564@mail.hallyn.com> (raw)
In-Reply-To: <20110110211135.GA22446@mail.hallyn.com>
Changelog:
Dec 8: Fixed bug in my check_kill_permission pointed out by
Eric Biederman.
Dec 13: Apply Eric's suggestion to pass target task into kill_ok_by_cred()
for clarity
Dec 31: address comment by Eric Biederman:
don't need cred/tcred in check_kill_permission.
Jan 1: use const cred struct.
Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
---
kernel/signal.c | 36 ++++++++++++++++++++++++++++--------
1 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/kernel/signal.c b/kernel/signal.c
index 4e3cff1..6a12eae 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -636,13 +636,39 @@ static inline bool si_fromuser(const struct siginfo *info)
}
/*
+ * called with RCU read lock from check_kill_permission()
+ */
+static inline int kill_ok_by_cred(struct task_struct *t)
+{
+ const struct cred *cred = current_cred();
+ const struct cred *tcred = __task_cred(t);
+
+ if (cred->user->user_ns != tcred->user->user_ns) {
+ /* userids are not equivalent - either you have the
+ capability to the target user ns or you don't */
+ if (ns_capable(tcred->user->user_ns, CAP_KILL))
+ return 1;
+ return 0;
+ }
+
+ /* same user namespace - usual credentials checks apply */
+ if ((cred->euid ^ tcred->suid) &&
+ (cred->euid ^ tcred->uid) &&
+ (cred->uid ^ tcred->suid) &&
+ (cred->uid ^ tcred->uid) &&
+ !ns_capable(tcred->user->user_ns, CAP_KILL))
+ return 0;
+
+ return 1;
+}
+
+/*
* Bad permissions for sending the signal
* - the caller must hold the RCU read lock
*/
static int check_kill_permission(int sig, struct siginfo *info,
struct task_struct *t)
{
- const struct cred *cred, *tcred;
struct pid *sid;
int error;
@@ -656,14 +682,8 @@ static int check_kill_permission(int sig, struct siginfo *info,
if (error)
return error;
- cred = current_cred();
- tcred = __task_cred(t);
if (!same_thread_group(current, t) &&
- (cred->euid ^ tcred->suid) &&
- (cred->euid ^ tcred->uid) &&
- (cred->uid ^ tcred->suid) &&
- (cred->uid ^ tcred->uid) &&
- !capable(CAP_KILL)) {
+ !kill_ok_by_cred(t)) {
switch (sig) {
case SIGCONT:
sid = task_session(t);
--
1.7.0.4
next prev parent reply other threads:[~2011-01-10 21:12 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-10 21:11 userns: targeted capabilities v3 Serge E. Hallyn
2011-01-10 21:13 ` [PATCH 1/7] Add a user_namespace as creator/owner of uts_namespace Serge E. Hallyn
2011-01-10 21:13 ` [PATCH 2/7] security: Make capabilities relative to the user namespace Serge E. Hallyn
2011-01-10 21:13 ` [PATCH 3/7] allow sethostname in a container Serge E. Hallyn
2011-01-10 21:13 ` Serge E. Hallyn [this message]
[not found] ` <20110110211334.GD22564-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-01-10 21:52 ` [PATCH 4/7] allow killing tasks in your own or child userns Bastian Blank
2011-01-10 21:52 ` Bastian Blank
[not found] ` <20110110215240.GA21351-0IJIQSrh9RL9UF0aPl6fsj8Kkb2uy4ct@public.gmane.org>
2011-01-10 22:51 ` Serge Hallyn
2011-01-10 22:51 ` Serge Hallyn
2011-01-10 23:23 ` Bastian Blank
[not found] ` <20110110232335.GA27029-0IJIQSrh9RL9UF0aPl6fsj8Kkb2uy4ct@public.gmane.org>
2011-01-11 1:31 ` Serge E. Hallyn
2011-01-11 1:31 ` Serge E. Hallyn
2011-01-14 14:50 ` Bastian Blank
[not found] ` <20110114145001.GB20945-0IJIQSrh9RL9UF0aPl6fsj8Kkb2uy4ct@public.gmane.org>
2011-01-15 0:31 ` Serge E. Hallyn
2011-01-15 0:31 ` Serge E. Hallyn
2011-01-15 11:30 ` Bastian Blank
2011-01-15 14:12 ` Serge E. Hallyn
[not found] ` <20110115113025.GB18682-0IJIQSrh9RL9UF0aPl6fsj8Kkb2uy4ct@public.gmane.org>
2011-01-15 14:12 ` Serge E. Hallyn
[not found] ` <20110115003114.GA24569-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-01-15 11:30 ` Bastian Blank
[not found] ` <20110111013152.GA23860-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-01-14 14:50 ` Bastian Blank
2011-01-10 23:23 ` Bastian Blank
2011-01-11 4:22 ` Oren Laadan
2011-01-11 4:22 ` Oren Laadan
[not found] ` <4D2BDAF4.9040908-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2011-01-11 4:32 ` Serge E. Hallyn
2011-01-11 4:32 ` Serge E. Hallyn
2011-01-10 21:13 ` [PATCH 5/7] Allow ptrace from non-init user namespaces Serge E. Hallyn
2011-01-10 21:14 ` [PATCH 6/7] user namespaces: convert all capable checks in kernel/sys.c Serge E. Hallyn
2011-01-10 21:59 ` Bastian Blank
2011-01-10 22:56 ` Serge Hallyn
[not found] ` <20110110215937.GB21351-0IJIQSrh9RL9UF0aPl6fsj8Kkb2uy4ct@public.gmane.org>
2011-01-10 22:56 ` Serge Hallyn
2011-01-11 5:27 ` Serge E. Hallyn
2011-01-11 5:27 ` Serge E. Hallyn
2011-01-14 15:02 ` Bastian Blank
[not found] ` <20110111052759.GA24970-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-01-14 15:02 ` Bastian Blank
[not found] ` <20110110211406.GF22564-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-01-10 21:59 ` Bastian Blank
[not found] ` <20110110211135.GA22446-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-01-10 21:13 ` [PATCH 1/7] Add a user_namespace as creator/owner of uts_namespace Serge E. Hallyn
2011-01-10 21:13 ` [PATCH 2/7] security: Make capabilities relative to the user namespace Serge E. Hallyn
2011-01-10 21:13 ` [PATCH 3/7] allow sethostname in a container Serge E. Hallyn
2011-01-10 21:13 ` [PATCH 4/7] allow killing tasks in your own or child userns Serge E. Hallyn
2011-01-10 21:13 ` [PATCH 5/7] Allow ptrace from non-init user namespaces Serge E. Hallyn
2011-01-10 21:14 ` [PATCH 6/7] user namespaces: convert all capable checks in kernel/sys.c Serge E. Hallyn
2011-01-10 21:14 ` [PATCH 7/7] user namespaces: convert several capable() calls Serge E. Hallyn
2011-01-10 21:14 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110110211334.GD22564@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=adobriyan@gmail.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.