From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Theodore Tso <tytso@mit.edu>,
Serge Hallyn <serge.hallyn@ubuntu.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Dave Chinner <david@fromorbit.com>,
Andy Lutomirski <luto@amacapital.net>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 3.10 01/18] fs,userns: Change inode_capable to capable_wrt_inode_uidgid
Date: Thu, 12 Jun 2014 16:22:05 -0700 [thread overview]
Message-ID: <20140612232213.071311632@linuxfoundation.org> (raw)
In-Reply-To: <20140612232212.960235342@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Lutomirski <luto@amacapital.net>
commit 23adbe12ef7d3d4195e80800ab36b37bee28cd03 upstream.
The kernel has no concept of capabilities with respect to inodes; inodes
exist independently of namespaces. For example, inode_capable(inode,
CAP_LINUX_IMMUTABLE) would be nonsense.
This patch changes inode_capable to check for uid and gid mappings and
renames it to capable_wrt_inode_uidgid, which should make it more
obvious what it does.
Fixes CVE-2014-4014.
Cc: Theodore Ts'o <tytso@mit.edu>
Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Dave Chinner <david@fromorbit.com>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/attr.c | 8 ++++----
fs/inode.c | 10 +++++++---
fs/namei.c | 11 ++++++-----
include/linux/capability.h | 2 +-
kernel/capability.c | 18 +++++++-----------
5 files changed, 25 insertions(+), 24 deletions(-)
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -50,14 +50,14 @@ int inode_change_ok(const struct inode *
if ((ia_valid & ATTR_UID) &&
(!uid_eq(current_fsuid(), inode->i_uid) ||
!uid_eq(attr->ia_uid, inode->i_uid)) &&
- !inode_capable(inode, CAP_CHOWN))
+ !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
return -EPERM;
/* Make sure caller can chgrp. */
if ((ia_valid & ATTR_GID) &&
(!uid_eq(current_fsuid(), inode->i_uid) ||
(!in_group_p(attr->ia_gid) && !gid_eq(attr->ia_gid, inode->i_gid))) &&
- !inode_capable(inode, CAP_CHOWN))
+ !capable_wrt_inode_uidgid(inode, CAP_CHOWN))
return -EPERM;
/* Make sure a caller can chmod. */
@@ -67,7 +67,7 @@ int inode_change_ok(const struct inode *
/* Also check the setgid bit! */
if (!in_group_p((ia_valid & ATTR_GID) ? attr->ia_gid :
inode->i_gid) &&
- !inode_capable(inode, CAP_FSETID))
+ !capable_wrt_inode_uidgid(inode, CAP_FSETID))
attr->ia_mode &= ~S_ISGID;
}
@@ -160,7 +160,7 @@ void setattr_copy(struct inode *inode, c
umode_t mode = attr->ia_mode;
if (!in_group_p(inode->i_gid) &&
- !inode_capable(inode, CAP_FSETID))
+ !capable_wrt_inode_uidgid(inode, CAP_FSETID))
mode &= ~S_ISGID;
inode->i_mode = mode;
}
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -1837,14 +1837,18 @@ EXPORT_SYMBOL(inode_init_owner);
* inode_owner_or_capable - check current task permissions to inode
* @inode: inode being checked
*
- * Return true if current either has CAP_FOWNER to the inode, or
- * owns the file.
+ * Return true if current either has CAP_FOWNER in a namespace with the
+ * inode owner uid mapped, or owns the file.
*/
bool inode_owner_or_capable(const struct inode *inode)
{
+ struct user_namespace *ns;
+
if (uid_eq(current_fsuid(), inode->i_uid))
return true;
- if (inode_capable(inode, CAP_FOWNER))
+
+ ns = current_user_ns();
+ if (ns_capable(ns, CAP_FOWNER) && kuid_has_mapping(ns, inode->i_uid))
return true;
return false;
}
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -321,10 +321,11 @@ int generic_permission(struct inode *ino
if (S_ISDIR(inode->i_mode)) {
/* DACs are overridable for directories */
- if (inode_capable(inode, CAP_DAC_OVERRIDE))
+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
return 0;
if (!(mask & MAY_WRITE))
- if (inode_capable(inode, CAP_DAC_READ_SEARCH))
+ if (capable_wrt_inode_uidgid(inode,
+ CAP_DAC_READ_SEARCH))
return 0;
return -EACCES;
}
@@ -334,7 +335,7 @@ int generic_permission(struct inode *ino
* at least one exec bit set.
*/
if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
- if (inode_capable(inode, CAP_DAC_OVERRIDE))
+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
return 0;
/*
@@ -342,7 +343,7 @@ int generic_permission(struct inode *ino
*/
mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
if (mask == MAY_READ)
- if (inode_capable(inode, CAP_DAC_READ_SEARCH))
+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
return 0;
return -EACCES;
@@ -2199,7 +2200,7 @@ static inline int check_sticky(struct in
return 0;
if (uid_eq(dir->i_uid, fsuid))
return 0;
- return !inode_capable(inode, CAP_FOWNER);
+ return !capable_wrt_inode_uidgid(inode, CAP_FOWNER);
}
/*
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -211,7 +211,7 @@ extern bool has_ns_capability_noaudit(st
extern bool capable(int cap);
extern bool ns_capable(struct user_namespace *ns, int cap);
extern bool nsown_capable(int cap);
-extern bool inode_capable(const struct inode *inode, int cap);
+extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
/* audit system wants to get cap info from files as well */
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -445,22 +445,18 @@ bool nsown_capable(int cap)
}
/**
- * inode_capable - Check superior capability over inode
+ * capable_wrt_inode_uidgid - Check nsown_capable and uid and gid mapped
* @inode: The inode in question
* @cap: The capability in question
*
- * Return true if the current task has the given superior capability
- * targeted at it's own user namespace and that the given inode is owned
- * by the current user namespace or a child namespace.
- *
- * Currently we check to see if an inode is owned by the current
- * user namespace by seeing if the inode's owner maps into the
- * current user namespace.
- *
+ * Return true if the current task has the given capability targeted at
+ * its own user namespace and that the given inode's uid and gid are
+ * mapped into the current user namespace.
*/
-bool inode_capable(const struct inode *inode, int cap)
+bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
{
struct user_namespace *ns = current_user_ns();
- return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid);
+ return ns_capable(ns, cap) && kuid_has_mapping(ns, inode->i_uid) &&
+ kgid_has_mapping(ns, inode->i_gid);
}
next prev parent reply other threads:[~2014-06-12 23:18 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-12 23:22 [PATCH 3.10 00/18] 3.10.44-stable review Greg Kroah-Hartman
2014-06-12 23:22 ` Greg Kroah-Hartman [this message]
2014-06-12 23:22 ` [PATCH 3.10 02/18] mlx4_en: dont use napi_synchronize inside mlx4_en_netpoll Greg Kroah-Hartman
2014-06-12 23:22 ` [PATCH 3.10 03/18] ARM: mvebu: fix NOR bus-width in Armada XP GP Device Tree Greg Kroah-Hartman
2014-06-12 23:22 ` [PATCH 3.10 04/18] ARM: mvebu: fix NOR bus-width in Armada XP OpenBlocks AX3 " Greg Kroah-Hartman
2014-06-12 23:22 ` [PATCH 3.10 05/18] netfilter: ipv4: defrag: set local_df flag on defragmented skb Greg Kroah-Hartman
2014-06-12 23:22 ` [PATCH 3.10 06/18] Target/iscsi,iser: Avoid accepting transport connections during stop stage Greg Kroah-Hartman
2014-06-12 23:22 ` [PATCH 3.10 07/18] iser-target: Fix multi network portal shutdown regression Greg Kroah-Hartman
2014-06-12 23:22 ` [PATCH 3.10 08/18] iscsi-target: Fix wrong buffer / buffer overrun in iscsi_change_param_value() Greg Kroah-Hartman
2014-06-12 23:22 ` [PATCH 3.10 09/18] target: Allow READ_CAPACITY opcode in ALUA Standby access state Greg Kroah-Hartman
2014-06-12 23:22 ` [PATCH 3.10 10/18] target: Fix alua_access_state attribute OOPs for un-configured devices Greg Kroah-Hartman
2014-06-12 23:22 ` [PATCH 3.10 11/18] mm: compaction: reset cached scanner pfns before reading them Greg Kroah-Hartman
2014-06-12 23:22 ` [PATCH 3.10 12/18] mm: compaction: detect when scanners meet in isolate_freepages Greg Kroah-Hartman
2014-06-12 23:22 ` [PATCH 3.10 13/18] mm/compaction: make isolate_freepages start at pageblock boundary Greg Kroah-Hartman
2014-06-12 23:22 ` [PATCH 3.10 14/18] auditsc: audit_krule mask accesses need bounds checking Greg Kroah-Hartman
2014-06-12 23:22 ` [PATCH 3.10 15/18] SCSI: megaraid: Use resource_size_t for PCI resources, not long Greg Kroah-Hartman
2014-06-12 23:22 ` [PATCH 3.10 16/18] mei: me: drop harmful wait optimization Greg Kroah-Hartman
2014-06-13 5:45 ` [PATCH 3.10 00/18] 3.10.44-stable review Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140612232213.071311632@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=david@fromorbit.com \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=serge.hallyn@ubuntu.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.