Linux Container Development
 help / color / mirror / Atom feed
From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Dan Smith <danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Cc: containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org
Subject: Re: [PATCH 3/4] Save and restore UNIX socket peer credentials
Date: Thu, 13 Aug 2009 18:17:43 -0500	[thread overview]
Message-ID: <20090813231743.GD13219@us.ibm.com> (raw)
In-Reply-To: <1250191750-3864-4-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>

Quoting Dan Smith (danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org):
> This saves the uid/gid of the sk_peercred structure in the checkpoint
> stream.  On restart, it uses may_setuid() and may_setgid() to determine
> if the uid/gid from the checkpoint stream may be used.
> 
> Signed-off-by: Dan Smith <danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
> ---
>  include/linux/checkpoint_hdr.h |    2 ++
>  net/unix/checkpoint.c          |   29 ++++++++++++++++-------------
>  2 files changed, 18 insertions(+), 13 deletions(-)
> 
> diff --git a/include/linux/checkpoint_hdr.h b/include/linux/checkpoint_hdr.h
> index 829ff2d..6c6780c 100644
> --- a/include/linux/checkpoint_hdr.h
> +++ b/include/linux/checkpoint_hdr.h
> @@ -523,6 +523,8 @@ struct ckpt_hdr_socket_unix {
>  	struct ckpt_hdr h;
>  	__s32 this;
>  	__s32 peer;
> +	__u32 peercred_uid;
> +	__u32 peercred_gid;
>  	__u32 flags;
>  	__u32 laddr_len;
>  	__u32 raddr_len;
> diff --git a/net/unix/checkpoint.c b/net/unix/checkpoint.c
> index 841d25d..eb19e66 100644
> --- a/net/unix/checkpoint.c
> +++ b/net/unix/checkpoint.c
> @@ -3,6 +3,7 @@
>  #include <linux/fs_struct.h>
>  #include <linux/checkpoint.h>
>  #include <linux/checkpoint_hdr.h>
> +#include <linux/user.h>
>  #include <net/af_unix.h>
>  #include <net/tcp_states.h>
> 
> @@ -98,6 +99,9 @@ int sock_unix_checkpoint(struct ckpt_ctx *ctx,
>  		goto out;
>  	}
> 
> +	un->peercred_uid = socket->sk->sk_peercred.uid;
> +	un->peercred_gid = socket->sk->sk_peercred.gid;
> +
>  	ret = ckpt_write_obj(ctx, (struct ckpt_hdr *) h);
>  	if (ret < 0)
>  		goto out;
> @@ -225,19 +229,6 @@ static int sock_unix_join(struct ckpt_ctx *ctx,
>  	unix_sk(a)->peer = b;
>  	unix_sk(b)->peer = a;
> 
> -	/* TODO:
> -	 * Checkpoint the credentials, restore them here if the values match
> -	 * the restored creds or we may_setuid()
> -	 */
> -
> -	a->sk_peercred.pid = task_tgid_vnr(current);
> -	a->sk_peercred.uid = ctx->realcred->uid;
> -	a->sk_peercred.gid = ctx->realcred->gid;
> -
> -	b->sk_peercred.pid = a->sk_peercred.pid;
> -	b->sk_peercred.uid = a->sk_peercred.uid;
> -	b->sk_peercred.gid = a->sk_peercred.gid;
> -
>  	if (!UNIX_ADDR_EMPTY(un->raddr_len))
>  		addr = sock_unix_makeaddr(&un->raddr, un->raddr_len);
>  	else if (!UNIX_ADDR_EMPTY(un->laddr_len))
> @@ -303,6 +294,18 @@ static int sock_unix_restore_connected(struct ckpt_ctx *ctx,
>  		goto out;
>  	}
> 
> +	this->sk_peercred.pid = task_tgid_vnr(current);
> +
> +	if (may_setuid(ctx->realcred->user->user_ns, un->peercred_uid) &&
> +	    may_setgid(ctx->realcred->group_info, un->peercred_gid)) {
> +		this->sk_peercred.uid = un->peercred_uid;
> +		this->sk_peercred.gid = un->peercred_gid;

It's a real shame that we have this uid and gid with no indication of
which user_ns it belongs in.  But I do think that assuming
ctx->realcred->user->user_ns  is the right one is the best guess you
can make.

So the may_setuid() is right, but may_setgid() should be changed
to
	may_setgid(ctx->realcred->user->user_ns, un->peercred_gid,
			current_cred());

meaning: we want to know whether:
	1. current_cred() has cap_capable to ctx->realcred->user->user_ns
		(which it does if it created it - once that's implemented)
or
	(
	2. current_cred->user->user_ns == ctx->real_cred->user_user_ns
		and
	3. un->peercred_gid is equal to current_cred()->egid or is in
		current_cred->group_info.
	)

Then again, until we add a user_ns to peercred, that will result
in a safety problem with peercred!

/me thinks some more

> +	} else {
> +		ckpt_debug("peercred %i:%i would require setuid",
> +			   un->peercred_uid, un->peercred_gid);
> +		return -1;
> +	}
> +
>  	/* Prime the socket's buffer limit with the maximum.  These will be
>  	 * overwritten with the values in the checkpoint stream in a later
>  	 * phase.
> -- 
> 1.6.0.4
> 
> _______________________________________________
> Containers mailing list
> Containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
> https://lists.linux-foundation.org/mailman/listinfo/containers

  parent reply	other threads:[~2009-08-13 23:17 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-08-13 19:29 Socket c/r additional features Dan Smith
     [not found] ` <1250191750-3864-1-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-08-13 19:29   ` [PATCH 1/4] Set socket flags on restore using sock_setsockopt() where possible Dan Smith
     [not found]     ` <1250191750-3864-2-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-08-13 19:44       ` Oren Laadan
     [not found]         ` <4A846D0E.90607-RdfvBDnrOixBDgjK7y7TUQ@public.gmane.org>
2009-08-13 19:55           ` Dan Smith
2009-08-13 22:07       ` Serge E. Hallyn
2009-08-13 19:29   ` [PATCH 2/4] Expose may_setuid() in user.h Dan Smith
     [not found]     ` <1250191750-3864-3-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-08-13 22:28       ` Serge E. Hallyn
     [not found]         ` <20090813222837.GB13219-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-08-13 23:11           ` Serge E. Hallyn
2009-08-14  0:52       ` Serge E. Hallyn
2009-08-13 19:29   ` [PATCH 3/4] Save and restore UNIX socket peer credentials Dan Smith
     [not found]     ` <1250191750-3864-4-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-08-13 23:17       ` Serge E. Hallyn [this message]
2009-08-13 19:29   ` [PATCH 4/4] Handle unconnected DGRAM sockets with buffers in-flight Dan Smith
     [not found]     ` <1250191750-3864-5-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-08-13 20:33       ` Oren Laadan
     [not found]         ` <4A8478B4.2070207-RdfvBDnrOixBDgjK7y7TUQ@public.gmane.org>
2009-08-13 20:39           ` Dan Smith
     [not found]             ` <87my63phwp.fsf-FLMGYpZoEPULwtHQx/6qkW3U47Q5hpJU@public.gmane.org>
2009-08-13 21:00               ` Oren Laadan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20090813231743.GD13219@us.ibm.com \
    --to=serue-r/jw6+rmf7hqt0dzr+alfa@public.gmane.org \
    --cc=containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org \
    --cc=danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox