From: "Serge E. Hallyn" <serge.hallyn@canonical.com>
To: Vasiliy Kulikov <segooon@gmail.com>
Cc: Serge Hallyn <serge@hallyn.com>,
	dhowells@redhat.com, netdev@vger.kernel.org,
	containers@lists.linux-foundation.org,
	linux-kernel@vger.kernel.org, ebiederm@xmission.com
Subject: Re: [PATCH 05/14] userns: clamp down users of cap_raised
Date: Thu, 28 Jul 2011 18:51:19 -0500
Message-ID: <20110728235119.GA8167@sergelap>
In-Reply-To: <20110728232337.GA9186@albatros>

Quoting Vasiliy Kulikov (segooon@gmail.com):
> On Tue, Jul 26, 2011 at 18:58 +0000, Serge Hallyn wrote:
> > From: Serge E. Hallyn <serge.hallyn@canonical.com>
> > 
> > A few modules are using cap_raised(current_cap(), cap) to authorize
> > actions, but the privilege should be applicable against the initial
> > user namespace.  Refuse privilege if the caller is not in init_user_ns.
> > 
> > Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
> > Cc: Eric W. Biederman <ebiederm@xmission.com>
> > ---
> >  drivers/block/drbd/drbd_nl.c           |    5 +++++
> >  drivers/md/dm-log-userspace-transfer.c |    3 +++
> >  drivers/staging/pohmelfs/config.c      |    3 +++
> >  drivers/video/uvesafb.c                |    3 +++
> >  4 files changed, 14 insertions(+), 0 deletions(-)
> > 
> > diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
> > index 515bcd9..7717f8a 100644
> > --- a/drivers/block/drbd/drbd_nl.c
> > +++ b/drivers/block/drbd/drbd_nl.c
> > @@ -2297,6 +2297,11 @@ static void drbd_connector_callback(struct cn_msg *req, struct netlink_skb_parms
> >  		return;
> >  	}
> >  
> > +	if (current_user_ns() != &init_user_ns) {
> [...]
> >  	if (!cap_raised(current_cap(), CAP_SYS_ADMIN)) {
> [...]
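Review bot: the guard added in this hunk decides on `current_user_ns()` and `current_cap()`, while the `@@` header shows the enclosing `drbd_connector_callback()` receives a `struct netlink_skb_parms` for the message being handled; it is worth confirming that `current` in this callback is the task that sent the netlink request rather than a kernel context that merely processes it, since otherwise both the new namespace test and the existing `cap_raised(current_cap(), CAP_SYS_ADMIN)` test authorize the wrong task. The body of the new `if` is elided (`[...]`), so a reviewer should also check that it bails out before the request is acted on, matching the `return;` visible in the context above it.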
> 
> Looks like it is a common pattern.  Maybe move both checks to a
> function?

This pattern is used 4 times (IIRC).  The reason I didn't break it out is
that it's very close to just 'capable(CAP_SYS_ADMIN)', which also checks
for CAP_SYS_ADMIN to the init_user_ns.  But the above, rightly or wrongly,
does not set the PF_SUPERPRIV task flag.  I don't want to advocate usage
of the above, and creating a helper for the above would both further
pollute the capability-related function namespace, and make the above
look more legitimate than I think it is.

Imo 'cap_raised(current_cap(), X)' should not be used at all.  But I
didn't want to deal with that here, just make it user-ns safe.

-serge
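The distinction drawn in the reply above, as an added user-space model that is not code from the patch, the thread or the kernel: the open-coded idiom (namespace test followed by a raw `cap_raised()` bit test) and a `capable()`-style helper reach the same allow/deny decision for callers inside and outside `init_user_ns`, but only the helper records `PF_SUPERPRIV`. The `struct task`, `struct user_namespace`, `child_user_ns` and `compare()` names are stand-ins constructed for this example; the real `cap_capable()` walks the user-namespace parent chain, which is collapsed here into the single `init_user_ns` comparison the reply describes.

```c
/* Added example: user-space model of the two authorization idioms discussed
 * in the thread.  Kernel names (cap_raised, capable, init_user_ns,
 * PF_SUPERPRIV) are mimicked with local stand-ins so this compiles and runs
 * without kernel headers; it is not the kernel's implementation. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_SYS_ADMIN 21u          /* same bit number as linux/capability.h */
#define PF_SUPERPRIV  0x00000100u  /* "used super-user privileges" task flag */

struct user_namespace { const char *name; };

/* The initial user namespace and one constructed child namespace. */
static struct user_namespace init_user_ns  = { "init_user_ns" };
static struct user_namespace child_user_ns = { "child_user_ns" };  /* constructed */

/* Minimal stand-in for task_struct: effective caps, owning user_ns, flags. */
struct task {
    uint64_t cap_effective;
    struct user_namespace *user_ns;
    unsigned int flags;
};

/* Mirrors the kernel's cap_raised(): a pure bit test with no side effects. */
static bool cap_raised(uint64_t caps, unsigned int cap)
{
    return (caps >> cap) & 1u;
}

/* The open-coded idiom from the patch: refuse callers outside init_user_ns,
 * then test the raw effective set.  Nothing records that privilege was used. */
static bool open_coded_check(struct task *t, unsigned int cap)
{
    if (t->user_ns != &init_user_ns)
        return false;
    if (!cap_raised(t->cap_effective, cap))
        return false;
    return true;
}

/* Model of capable(): same decision for init_user_ns callers, but on success
 * it also marks the task with PF_SUPERPRIV, as the real helper does. */
static bool model_capable(struct task *t, unsigned int cap)
{
    if (t->user_ns != &init_user_ns)
        return false;
    if (!cap_raised(t->cap_effective, cap))
        return false;
    t->flags |= PF_SUPERPRIV;
    return true;
}

/* Result of running one caller through both idioms on separate task copies. */
struct outcome {
    bool open_coded_allowed;
    bool open_coded_superpriv;
    bool capable_allowed;
    bool capable_superpriv;
};

static struct outcome compare(struct user_namespace *ns, bool has_cap)
{
    uint64_t caps = has_cap ? (1ull << CAP_SYS_ADMIN) : 0;
    struct task t1 = { caps, ns, 0 };   /* goes through the open-coded idiom */
    struct task t2 = { caps, ns, 0 };   /* goes through the capable() model */
    struct outcome o;

    o.open_coded_allowed  = open_coded_check(&t1, CAP_SYS_ADMIN);
    o.open_coded_superpriv = (t1.flags & PF_SUPERPRIV) != 0;
    o.capable_allowed     = model_capable(&t2, CAP_SYS_ADMIN);
    o.capable_superpriv   = (t2.flags & PF_SUPERPRIV) != 0;
    return o;
}

static void report(const char *label, struct outcome o)
{
    printf("%-28s open-coded: %s (PF_SUPERPRIV %s)  capable: %s (PF_SUPERPRIV %s)\n",
           label,
           o.open_coded_allowed ? "allow" : "deny",
           o.open_coded_superpriv ? "set" : "clear",
           o.capable_allowed ? "allow" : "deny",
           o.capable_superpriv ? "set" : "clear");
}

int main(void)
{
    report("init_user_ns, CAP_SYS_ADMIN", compare(&init_user_ns, true));
    report("init_user_ns, no cap",        compare(&init_user_ns, false));
    report("child_user_ns, CAP_SYS_ADMIN", compare(&child_user_ns, true));
    return 0;
}
```

The three rows show why the reply calls the open-coded form "very close to" `capable(CAP_SYS_ADMIN)`: the decisions match in every case, and the only observable difference is the `PF_SUPERPRIV` flag that the helper sets and the raw bit test does not.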

