From: ebiederm@xmission.com (Eric W. Biederman)
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: LSM <linux-security-module@vger.kernel.org>,
Andrew Morton <akpm@osdl.org>, James Morris <jmorris@namei.org>,
Kees Cook <kees.cook@canonical.com>,
containers@lists.linux-foundation.org,
kernel list <linux-kernel@vger.kernel.org>,
Alexey Dobriyan <adobriyan@gmail.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
xemul@parallels.com, dhowells@redhat.com
Subject: Re: [PATCH 8/9] user namespaces: convert several capable() calls
Date: Thu, 17 Feb 2011 17:51:25 -0800 [thread overview]
Message-ID: <m14o82cdpe.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20110217150356.GH26395@mail.hallyn.com> (Serge E. Hallyn's message of "Thu, 17 Feb 2011 15:03:56 +0000")
"Serge E. Hallyn" <serge@hallyn.com> writes:
> CAP_IPC_OWNER and CAP_IPC_LOCK can be checked against current_user_ns(),
> because the resource comes from current's own ipc namespace.
>
> setuid/setgid are to uids in own namespace, so again checks can be
> against current_user_ns().
Some nits below. But this generally looks good if a little bit all over
the map for a single patch.
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
> Changelog:
> Jan 11: Use task_ns_capable() in place of sched_capable().
> Jan 11: Use nsown_capable() as suggested by Bastian Blank.
> Jan 11: Clarify (hopefully) some logic in futex and sched.c
> Feb 15: use ns_capable for ipc, not nsown_capable
>
> Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
> ---
> ipc/shm.c | 2 +-
> ipc/util.c | 5 +++--
> kernel/futex.c | 11 ++++++++++-
> kernel/futex_compat.c | 11 ++++++++++-
> kernel/groups.c | 2 +-
> kernel/sched.c | 9 ++++++---
> kernel/uid16.c | 2 +-
> 7 files changed, 32 insertions(+), 10 deletions(-)
>
> diff --git a/ipc/shm.c b/ipc/shm.c
> index 7d3bb22..e91e2e9 100644
> --- a/ipc/shm.c
> +++ b/ipc/shm.c
> @@ -773,7 +773,7 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
>
> audit_ipc_obj(&(shp->shm_perm));
>
> - if (!capable(CAP_IPC_LOCK)) {
> + if (!ns_capable(ns->user_ns, CAP_IPC_LOCK)) {
> uid_t euid = current_euid();
> err = -EPERM;
> if (euid != shp->shm_perm.uid &&
> diff --git a/ipc/util.c b/ipc/util.c
> index 69a0cc1..8e7ec6a 100644
> --- a/ipc/util.c
> +++ b/ipc/util.c
> @@ -627,7 +627,7 @@ int ipcperms (struct kern_ipc_perm *ipcp, short flag)
> granted_mode >>= 3;
> /* is there some bit set in requested_mode but not in granted_mode? */
> if ((requested_mode & ~granted_mode & 0007) &&
> - !capable(CAP_IPC_OWNER))
> + !ns_capable(current->nsproxy->ipc_ns->user_ns, CAP_IPC_OWNER))
> return -1;
Serge can we please modify the code to pass the ns down from
ipcget_public to ipcperms. It is passed in and dropping the value and
going back to current to get it just feels wrong.
Strictly speaking this code is correct but it requires an audit of all
of the callers to know that, which is unfortunate.
> return security_ipc_permission(ipcp, flag);
> @@ -800,7 +800,8 @@ struct kern_ipc_perm *ipcctl_pre_down(struct ipc_ids *ids, int id, int cmd,
>
> euid = current_euid();
> if (euid == ipcp->cuid ||
> - euid == ipcp->uid || capable(CAP_SYS_ADMIN))
> + euid == ipcp->uid ||
> + ns_capable(current->nsproxy->ipc_ns->user_ns, CAP_SYS_ADMIN))
> return ipcp;
Like the other ipc call can we please pass the ipc_ns into ipcctl_pre_down.
The code as constructed appears correct but because we are passing the
namespace into the caller of this function always using current to get
the ipc_ns seems confusing and unnecessary.
> err = -EPERM;
> diff --git a/kernel/futex.c b/kernel/futex.c
> index b766d28..1e876f1 100644
> --- a/kernel/futex.c
> +++ b/kernel/futex.c
> @@ -2421,10 +2421,19 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
> goto err_unlock;
> ret = -EPERM;
> pcred = __task_cred(p);
> + /* If victim is in different user_ns, then uids are not
> + comparable, so we must have CAP_SYS_PTRACE */
> + if (cred->user->user_ns != pcred->user->user_ns) {
> + if (!ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
> + goto err_unlock;
> + goto ok;
> + }
> + /* If victim is in same user_ns, then uids are comparable */
> if (cred->euid != pcred->euid &&
> cred->euid != pcred->uid &&
> - !capable(CAP_SYS_PTRACE))
> + !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
> goto err_unlock;
> +ok:
> head = p->robust_list;
> rcu_read_unlock();
> }
> diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
> index a7934ac..5f9e689 100644
> --- a/kernel/futex_compat.c
> +++ b/kernel/futex_compat.c
> @@ -153,10 +153,19 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
> goto err_unlock;
> ret = -EPERM;
> pcred = __task_cred(p);
> + /* If victim is in different user_ns, then uids are not
> + comparable, so we must have CAP_SYS_PTRACE */
> + if (cred->user->user_ns != pcred->user->user_ns) {
> + if (!ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
> + goto err_unlock;
> + goto ok;
> + }
> + /* If victim is in same user_ns, then uids are comparable */
> if (cred->euid != pcred->euid &&
> cred->euid != pcred->uid &&
> - !capable(CAP_SYS_PTRACE))
> + !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
> goto err_unlock;
> +ok:
> head = p->compat_robust_list;
> rcu_read_unlock();
> }
> diff --git a/kernel/groups.c b/kernel/groups.c
> index 253dc0f..1cc476d 100644
> --- a/kernel/groups.c
> +++ b/kernel/groups.c
> @@ -233,7 +233,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist)
> struct group_info *group_info;
> int retval;
>
> - if (!capable(CAP_SETGID))
> + if (!nsown_capable(CAP_SETGID))
> return -EPERM;
> if ((unsigned)gidsetsize > NGROUPS_MAX)
> return -EINVAL;
> diff --git a/kernel/sched.c b/kernel/sched.c
> index 18d38e4..dc12bc2 100644
> --- a/kernel/sched.c
> +++ b/kernel/sched.c
> @@ -4761,8 +4761,11 @@ static bool check_same_owner(struct task_struct *p)
>
> rcu_read_lock();
> pcred = __task_cred(p);
> - match = (cred->euid == pcred->euid ||
> - cred->euid == pcred->uid);
> + if (cred->user->user_ns == pcred->user->user_ns)
> + match = (cred->euid == pcred->euid ||
> + cred->euid == pcred->uid);
> + else
> + match = false;
> rcu_read_unlock();
> return match;
> }
> @@ -5088,7 +5091,7 @@ long sched_setaffinity(pid_t pid, const struct cpumask *in_mask)
> goto out_free_cpus_allowed;
> }
> retval = -EPERM;
> - if (!check_same_owner(p) && !capable(CAP_SYS_NICE))
> + if (!check_same_owner(p) && !task_ns_capable(p, CAP_SYS_NICE))
> goto out_unlock;
>
> retval = security_task_setscheduler(p);
> diff --git a/kernel/uid16.c b/kernel/uid16.c
> index 4192098..51c6e89 100644
> --- a/kernel/uid16.c
> +++ b/kernel/uid16.c
> @@ -189,7 +189,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist)
> struct group_info *group_info;
> int retval;
>
> - if (!capable(CAP_SETGID))
> + if (!nsown_capable(CAP_SETGID))
> return -EPERM;
> if ((unsigned)gidsetsize > NGROUPS_MAX)
> return -EINVAL;
next prev parent reply other threads:[~2011-02-18 1:51 UTC|newest]
Thread overview: 135+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-17 15:02 userns: targeted capabilities v5 Serge E. Hallyn
2011-02-17 15:02 ` [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace Serge E. Hallyn
2011-02-18 3:31 ` Eric W. Biederman
2011-02-18 16:57 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
[not found] ` <20110217150257.GA26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:31 ` Eric W. Biederman
2011-02-18 16:57 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
2011-02-23 17:16 ` David Howells
2011-02-23 17:16 ` David Howells
2011-02-23 21:21 ` Eric W. Biederman
2011-02-23 23:19 ` David Howells
[not found] ` <8559.1298503148-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 23:54 ` Eric W. Biederman
2011-02-23 23:54 ` Eric W. Biederman
[not found] ` <3139.1298481393-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 21:21 ` Eric W. Biederman
[not found] ` <m1lj16ih0n.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2011-02-23 23:19 ` David Howells
2011-02-17 15:03 ` [PATCH 2/9] security: Make capabilities relative to the user namespace Serge E. Hallyn
2011-02-18 3:46 ` Eric W. Biederman
[not found] ` <20110217150306.GB26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:46 ` Eric W. Biederman
2011-02-18 23:44 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
2011-02-23 11:40 ` David Howells
2011-02-23 16:59 ` David Howells
2011-02-18 23:44 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
2011-02-23 11:40 ` David Howells
2011-02-23 12:01 ` David Howells
2011-02-23 13:43 ` Serge E. Hallyn
[not found] ` <29617.1298462517-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 13:43 ` Serge E. Hallyn
2011-02-23 16:59 ` David Howells
2011-02-17 15:03 ` [PATCH 3/9] allow sethostname in a container Serge E. Hallyn
2011-02-18 3:05 ` Eric W. Biederman
2011-02-18 23:46 ` Daniel Lezcano
[not found] ` <20110217150316.GC26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:05 ` Eric W. Biederman
2011-02-18 23:46 ` Daniel Lezcano
2011-02-17 15:03 ` [PATCH 4/9] allow killing tasks in your own or child userns Serge E. Hallyn
[not found] ` <20110217150325.GD26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:00 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 10:55 ` Daniel Lezcano
2011-02-19 10:55 ` Daniel Lezcano
2011-02-18 3:00 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
[not found] ` <20110218155921.440f1137.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-24 0:48 ` Serge E. Hallyn
2011-02-24 0:48 ` Serge E. Hallyn
[not found] ` <20110224004818.GA11822-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-24 0:54 ` Andrew Morton
2011-02-24 0:54 ` Andrew Morton
2011-02-17 15:03 ` [PATCH 5/9] Allow ptrace from non-init user namespaces Serge E. Hallyn
2011-02-18 2:59 ` Eric W. Biederman
2011-02-18 4:36 ` Serge E. Hallyn
2011-02-24 0:49 ` [PATCH] userns: ptrace: incorporate feedback from Eric Serge E. Hallyn
2011-02-24 0:56 ` Andrew Morton
2011-02-24 3:15 ` Serge E. Hallyn
[not found] ` <20110223165651.cf248f3b.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-24 3:15 ` Serge E. Hallyn
[not found] ` <20110224004901.GB11822-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-24 0:56 ` Andrew Morton
[not found] ` <20110218043601.GB9584-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-24 0:49 ` Serge E. Hallyn
[not found] ` <m1aahu9hea.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2011-02-18 4:36 ` [PATCH 5/9] Allow ptrace from non-init user namespaces Serge E. Hallyn
2011-02-18 23:59 ` Andrew Morton
[not found] ` <20110218155925.f7d30a52.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-24 0:43 ` Serge E. Hallyn
2011-02-24 0:43 ` Serge E. Hallyn
[not found] ` <20110217150333.GE26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 2:59 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 17:49 ` Daniel Lezcano
2011-02-23 17:05 ` David Howells
2011-02-23 17:11 ` David Howells
2011-02-19 17:49 ` Daniel Lezcano
2011-02-23 17:05 ` David Howells
2011-02-23 17:11 ` David Howells
2011-02-17 15:03 ` [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c Serge E. Hallyn
2011-02-18 1:57 ` Eric W. Biederman
[not found] ` <20110217150342.GF26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 1:57 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 0:01 ` Andrew Morton
2011-02-19 17:52 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
2011-02-19 0:01 ` Andrew Morton
2011-02-19 17:52 ` Daniel Lezcano
[not found] ` <20110217150224.GA26334-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-17 15:02 ` [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 2/9] security: Make capabilities relative to the user namespace Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 3/9] allow sethostname in a container Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 4/9] allow killing tasks in your own or child userns Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 5/9] Allow ptrace from non-init user namespaces Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 7/9] add a user namespace owner of ipc ns Serge E. Hallyn
2011-02-17 15:03 ` [PATCH 8/9] user namespaces: convert several capable() calls Serge E. Hallyn
2011-02-17 15:04 ` [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks Serge E. Hallyn
2011-02-18 0:21 ` userns: targeted capabilities v5 Andrew Morton
2011-02-23 12:05 ` User namespaces and keys David Howells
2011-02-17 15:03 ` [PATCH 7/9] add a user namespace owner of ipc ns Serge E. Hallyn
2011-02-18 3:19 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
[not found] ` <20110217150349.GG26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 3:19 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 17:57 ` Daniel Lezcano
2011-02-19 17:57 ` Daniel Lezcano
2011-02-17 15:03 ` [PATCH 8/9] user namespaces: convert several capable() calls Serge E. Hallyn
[not found] ` <20110217150356.GH26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 1:51 ` Eric W. Biederman
2011-02-19 19:07 ` Daniel Lezcano
2011-02-18 1:51 ` Eric W. Biederman [this message]
2011-02-19 19:07 ` Daniel Lezcano
2011-02-17 15:04 ` [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks Serge E. Hallyn
2011-02-18 1:29 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
[not found] ` <20110218155935.66e7782d.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-24 3:24 ` Serge E. Hallyn
2011-02-24 3:24 ` Serge E. Hallyn
2011-02-24 5:08 ` Andrew Morton
[not found] ` <20110224032415.GA5555-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-24 5:08 ` Andrew Morton
[not found] ` <20110217150406.GI26395-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-18 1:29 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 19:22 ` Daniel Lezcano
2011-02-19 19:22 ` Daniel Lezcano
2011-02-18 0:21 ` userns: targeted capabilities v5 Andrew Morton
2011-02-18 3:53 ` Eric W. Biederman
2011-02-18 4:28 ` Serge E. Hallyn
[not found] ` <20110217162146.1b8e45e0.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2011-02-18 3:53 ` Eric W. Biederman
2011-02-18 4:28 ` Serge E. Hallyn
[not found] ` <29256.1298461209-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 12:01 ` [PATCH 2/9] security: Make capabilities relative to the user namespace David Howells
2011-02-23 12:05 ` User namespaces and keys David Howells
[not found] ` <29677.1298462729-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 13:58 ` Serge E. Hallyn
2011-02-23 13:58 ` Serge E. Hallyn
2011-02-23 14:46 ` Eric W. Biederman
[not found] ` <20110223135814.GA1859-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-02-23 14:46 ` Eric W. Biederman
2011-02-23 15:06 ` David Howells
2011-02-23 15:06 ` David Howells
2011-02-23 15:45 ` Eric W. Biederman
[not found] ` <m162sasqj6.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2011-02-23 15:53 ` Serge E. Hallyn
2011-02-23 15:53 ` Serge E. Hallyn
[not found] ` <20110223155328.GA21266-BtbdaCaBcfOTUehee3IRJA@public.gmane.org>
2011-02-23 19:24 ` Casey Schaufler
2011-02-23 19:24 ` Casey Schaufler
[not found] ` <4D655EE4.6030707-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2011-02-23 20:55 ` Eric W. Biederman
2011-02-23 20:55 ` Eric W. Biederman
2011-02-23 21:37 ` Casey Schaufler
[not found] ` <4D657E0C.3010102-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2011-02-24 6:56 ` Eric W. Biederman
2011-02-24 6:56 ` Eric W. Biederman
[not found] ` <m1k4gqlbdm.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2011-02-23 21:37 ` Casey Schaufler
[not found] ` <890.1298473574-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2011-02-23 15:45 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m14o82cdpe.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=adobriyan@gmail.com \
--cc=akpm@osdl.org \
--cc=containers@lists.linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=serge@hallyn.com \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.