From: Alexey Gladkov <legion@kernel.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: LKML <linux-kernel@vger.kernel.org>,
Linux Containers <containers@lists.linux.dev>,
Andrew Morton <akpm@linux-foundation.org>,
Christian Brauner <brauner@kernel.org>,
Kees Cook <keescook@chromium.org>,
Manfred Spraul <manfred@colorfullife.com>
Subject: Re: [PATCH v1 1/3] sysctl: Allow change system v ipc sysctls inside ipc namespace
Date: Tue, 20 Sep 2022 18:15:31 +0200
Message-ID: <YynnI2ySUkpu9j6S@example.org>
In-Reply-To: <87mtav2xn4.fsf@email.froward.int.ebiederm.org>
On Mon, Sep 19, 2022 at 10:26:39AM -0500, Eric W. Biederman wrote:
> >
> > diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
> > index ef313ecfb53a..87eb1b1e42fa 100644
> > --- a/ipc/ipc_sysctl.c
> > +++ b/ipc/ipc_sysctl.c
> > @@ -192,23 +192,47 @@ static int set_is_seen(struct ctl_table_set *set)
> >
> > static int ipc_permissions(struct ctl_table_header *head, struct ctl_table *table)
> > {
> > - int mode = table->mode;
> > -
> > -#ifdef CONFIG_CHECKPOINT_RESTORE
> > struct ipc_namespace *ns = current->nsproxy->ipc_ns;
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Historically that was the best we could do. But now that we have
> an ipc_set member in struct ipc_namespace you can use container_of
> to compute this value.
>
> For a permission check that is much safer.
Yes. It makes sense.
> > +#ifdef CONFIG_CHECKPOINT_RESTORE
> > if (((table->data == &ns->ids[IPC_SEM_IDS].next_id) ||
> > (table->data == &ns->ids[IPC_MSG_IDS].next_id) ||
> > (table->data == &ns->ids[IPC_SHM_IDS].next_id)) &&
> > checkpoint_restore_ns_capable(ns->user_ns))
> > - mode = 0666;
> > + return 0666;
> > #endif
> > - return mode;
> > + if (ns->user_ns != &init_user_ns) {
> > + kuid_t ns_root_uid = make_kuid(ns->user_ns, 0);
> > + kgid_t ns_root_gid = make_kgid(ns->user_ns, 0);
> > +
> > + if (uid_valid(ns_root_uid) && uid_eq(current_euid(), ns_root_uid))
> > + return table->mode >> 6;
> > +
> > + if (gid_valid(ns_root_gid) && in_egroup_p(ns_root_gid))
> > + return table->mode >> 3;
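Review bot: The two early returns inside the `ns->user_ns != &init_user_ns` block, `return table->mode >> 6;` and `return table->mode >> 3;`, hand back a value that is neither masked to a single triad nor copied into the other two. For a table mode of 0644 the group branch returns 064, which leaves the owner's rw bits sitting in the group position, so the effective permission depends on which triad the caller of ipc_permissions() goes on to read. Suggest reducing the shifted value with `& 7` and replicating it across owner, group and other before returning, so that these two cases and the 0666 checkpoint/restore case all leave through one path.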
>
> From 10,000 feet this is fine. But this has to interact with
> test_perm in proc_sysctl.c. So can you please do what
> net_ctl_permissions does and replicate the chosen mode all through
> the mode line.
>
> Perhaps something like:
>
> 	kuid_t ns_root_uid;
> 	kgid_t ns_root_gid;
>
> 	ipc_set_ownership(head, table, &ns_root_uid, &ns_root_gid);
>
> #ifdef CONFIG_CHECKPOINT_RESTORE
> 	if (...)
> 		mode = 0666;
> 	else
> #endif
> 	if (uid_eq(current_euid(), ns_root_uid))
> 		mode >>= 6;
>
> 	else if (in_group_p(ns_root_gid))
> 		mode >>= 3;
>
> 	mode &= 7;
> 	mode = (mode << 6) | (mode << 3) | mode;
> 	return mode;
>
>
> If we always pass through the same logic there is the advantage that we
> will always test it, and there is less room for bugs to slip through.
>
> I added a couple of unnecessary simplifications in there that I just
> saw as I was writing my example code.
Thanks! It looks better. I'll fix it and send a new version.
--
Rgrds, legion
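
A user-space model of the review point above, added here as an example and not code from the patch, the kernel, or either author: it compares returning the shifted mode as-is with masking and replicating it, when a later check selects a triad by its own rule. All function names are hypothetical, and `caller_allows` is an assumed stand-in for that later check, not a copy of test_perm.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model, not kernel code; every name below is hypothetical. */
enum triad { OWNER, GROUP, OTHER };

/* v1 hunk: shift the matching triad down and return it unmasked. */
static int mode_v1(int table_mode, enum triad ns_match)
{
	return ns_match == OWNER ? table_mode >> 6 : table_mode >> 3;
}

/* Review suggestion: select one triad, mask it, copy it into all three. */
static int mode_replicated(int table_mode, enum triad ns_match)
{
	int mode = table_mode >> (ns_match == OWNER ? 6 : ns_match == GROUP ? 3 : 0);

	mode &= 7;
	return (mode << 6) | (mode << 3) | mode;
}

/* Assumed later check: picks a triad by its own rule, then tests op bits. */
static bool caller_allows(int mode, enum triad picked, int op)
{
	mode >>= (picked == OWNER ? 6 : picked == GROUP ? 3 : 0);
	return (op & ~mode & 7) == 0;
}

/* Count (namespace match, caller triad) pairs whose result differs from what
 * the matched triad of table_mode grants for op (4 = read, 2 = write). */
static int mismatches(int (*compute)(int, enum triad), int table_mode, int op)
{
	int bad = 0;

	for (int n = OWNER; n <= GROUP; n++) {
		int bits = (table_mode >> (n == OWNER ? 6 : 3)) & 7;
		bool want = (op & ~bits & 7) == 0;
		for (int p = OWNER; p <= OTHER; p++)
			bad += caller_allows(compute(table_mode, n), p, op) != want;
	}
	return bad;
}

int main(void)
{
	printf("write on 0644: v1 %d mismatches, replicated %d\n",
	       mismatches(mode_v1, 0644, 2), mismatches(mode_replicated, 0644, 2));
	return 0;
}
```

In this model the unreplicated value gives the intended answer only when the later check happens to read the low triad; one of the mismatches grants write where the group bits of 0644 do not.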