From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
containers@lists.linux-foundation.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
linux-security-module@vger.kernel.org
Subject: Re: [RFC][PATCH] Fix cap_capable to only allow owners in the parent user namespace to have caps.
Date: Fri, 14 Dec 2012 03:28:20 +0000 [thread overview]
Message-ID: <20121214032820.GA5115@mail.hallyn.com> (raw)
In-Reply-To: <87zk1hshk7.fsf_-_@xmission.com>
Quoting Eric W. Biederman (ebiederm@xmission.com):
>
> Andy Lutomirski pointed out that the current behavior of allowing the
> owner of a user namespace to have all caps when that owner is not in a
> parent user namespace is wrong.
To make sure I understand right, the issue is when a uid is mapped
into multiple namespaces, i.e. uid 1000 in ns1 may own ns2, but uid
1000 in ns3 does not?
> This is a bug introduced by the kuid conversion which made it possible
> for the owner of a user namespace to live in a child user namespace. I
> goofed and totally missed this implication.
>
> Serge and can you please take a look and see if my corrected cap_capable
> reads correctly to you.
>
> Andy or anyone else that wants to give me a second eyeball and double
> check me on this I would appreciate it.
>
> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
> ---
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 6dbae46..4639f44 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -70,37 +70,44 @@ int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
> *
> * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable()
> * and has_capability() functions. That is, it has the reverse semantics:
> * cap_has_capability() returns 0 when a task has a capability, but the
> * kernel's capable() and has_capability() returns 1 for this case.
> */
> int cap_capable(const struct cred *cred, struct user_namespace *targ_ns,
> int cap, int audit)
> {
> for (;;) {
> - /* The owner of the user namespace has all caps. */
> - if (targ_ns != &init_user_ns && uid_eq(targ_ns->owner, cred->euid))
> - return 0;
> + struct user_namespace *parent_ns;
>
> /* Do we have the necessary capabilities? */
> if (targ_ns == cred->user_ns)
> return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
>
> /* Have we tried all of the parent namespaces? */
> if (targ_ns == &init_user_ns)
> return -EPERM;
>
> + parent_ns = targ_ns->parent;
> +
> + /*
> + * The owner of the user namespace in the parent user
> + * namespace has all caps.
> + */
> + if ((parent_ns == cred->user_ns) && uid_eq(targ_ns->owner, cred->euid))
> + return 0;
> +
> /*
> - *If you have a capability in a parent user ns, then you have
> + * If you have a capability in a parent user ns, then you have
> * it over all children user namespaces as well.
> */
> - targ_ns = targ_ns->parent;
> + targ_ns = parent_ns;
> }
>
> /* We never get here */
> }
>
> /**
> * cap_settime - Determine whether the current process may set the system clock
> * @ts: The time to set
> * @tz: The timezone to set
> *
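Review bot: the new grant at `if ((parent_ns == cred->user_ns) && uid_eq(targ_ns->owner, cred->euid))` relies on the `if (targ_ns == &init_user_ns) return -EPERM;` test a few lines above it: that early return is what guarantees `targ_ns` is not the root of the hierarchy when `parent_ns = targ_ns->parent;` is evaluated, but nothing in the hunk records that ordering dependency. Suggest extending the added comment to state it, e.g. "/* targ_ns is not init_user_ns here, so it has a parent */", so a later reordering of the checks cannot silently reintroduce a walk past the root. The comment "The owner of the user namespace in the parent user namespace has all caps" would also read more clearly if it named both conditions the code now enforces, that the caller's euid is the namespace owner and that the caller's own user_ns is exactly the parent, since that second condition is the whole point of the fix (an owner whose cred lives in a descendant namespace no longer gets the grant) and a reader of the comment alone would not see it.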