From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
"Eric W. Biederman" <ebiederm@xmission.com>
Subject: [PATCH 3.14 35/52] userns: Document what the invariant required for safe unprivileged mappings.
Date: Tue, 6 Jan 2015 18:07:03 -0800 [thread overview]
Message-ID: <20150107020600.813014990@linuxfoundation.org> (raw)
In-Reply-To: <20150107020555.043793795@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit 0542f17bf2c1f2430d368f44c8fcf2f82ec9e53e upstream.
The rule is simple. Don't allow anything that wouldn't be allowed
without unprivileged mappings.
It was previously overlooked that establishing gid mappings would
allow dropping groups and potentially gaining permission to files and
directories that had lesser permissions for a specific group than for
all other users.
This is the rule needed to fix CVE-2014-8989 and prevent any other
security issues with new_idmap_permitted.
The reason for this rule is that the unix permission model is old and
there are programs out there somewhere that take advantage of every
little corner of it. So allowing a uid or gid mapping to be
established without privielge that would allow anything that would not
be allowed without that mapping will result in expectations from some
code somewhere being violated. Violated expectations about the
behavior of the OS is a long way to say a security issue.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/user_namespace.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -804,7 +804,9 @@ static bool new_idmap_permitted(const st
struct user_namespace *ns, int cap_setid,
struct uid_gid_map *new_map)
{
- /* Allow mapping to your own filesystem ids */
+ /* Don't allow mappings that would allow anything that wouldn't
+ * be allowed without the establishment of unprivileged mappings.
+ */
if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) {
u32 id = new_map->extent[0].lower_first;
if (cap_setid == CAP_SETUID) {
next prev parent reply other threads:[~2015-01-07 2:16 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-07 2:06 [PATCH 3.14 00/52] 3.14.28-stable review Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 01/52] isofs: Fix infinite looping over CE entries Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 02/52] x86/tls: Validate TLS entries to protect espfix Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 03/52] x86/tls: Disallow unusual TLS segments Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 04/52] x86_64, switch_to(): Load TLS descriptors before switching DS and ES Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 05/52] x86, kvm: Clear paravirt_enabled on KVM guests for espfix32s benefit Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 06/52] md/bitmap: always wait for writes on unplug Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 07/52] mfd: tc6393xb: Fail ohci suspend if full state restore is required Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 08/52] mmc: dw_mmc: avoid write to CDTHRCTL on older versions Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 09/52] mmc: block: add newline to sysfs display of force_ro Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 10/52] mmc: sdhci-pci-o2micro: Fix Dell E5440 issue Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 11/52] megaraid_sas: corrected return of wait_event from abort frame path Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 12/52] scsi: correct return values for .eh_abort_handler implementations Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 13/52] nfs41: fix nfs4_proc_layoutget error handling Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 14/52] dm bufio: fix memleak when using a dm_buffers inline bio Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 15/52] dm crypt: use memzero_explicit for on-stack buffer Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 16/52] dm cache: only use overwrite optimisation for promotion when in writeback mode Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 17/52] dm cache: dirty flag was mistakenly being cleared when promoting via overwrite Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 18/52] dm space map metadata: fix sm_bootstrap_get_nr_blocks() Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 19/52] dm thin: fix inability to discard blocks when in out-of-data-space mode Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 20/52] dm thin: fix missing out-of-data-space to write mode transition if blocks are released Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 21/52] arm64: Add COMPAT_HWCAP_LPAE Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 22/52] ARM: tegra: Re-add removed SoC id macro to tegra_resume() Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 24/52] x86/tls: Dont validate lm in set_thread_area() after all Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 25/52] isofs: Fix unchecked printing of ER records Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 26/52] KEYS: Fix stale key registration at error path Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 28/52] mac80211: free management frame keys when removing station Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 29/52] mnt: Fix a memory stomp in umount Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 30/52] thermal: Fix error path in thermal_init() Greg Kroah-Hartman
2015-01-07 2:06 ` [PATCH 3.14 31/52] mnt: Implicitly add MNT_NODEV on remount when it was implicitly added by mount Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 32/52] mnt: Update unprivileged remount test Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 33/52] umount: Disallow unprivileged mount force Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 34/52] groups: Consolidate the setgroups permission checks Greg Kroah-Hartman
2015-01-07 2:07 ` Greg Kroah-Hartman [this message]
2015-01-07 2:07 ` [PATCH 3.14 36/52] userns: Dont allow setgroups until a gid mapping has been setablished Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 37/52] userns: Dont allow unprivileged creation of gid mappings Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 38/52] userns: Check euid no fsuid when establishing an unprivileged uid mapping Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 39/52] userns: Only allow the creator of the userns unprivileged mappings Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 40/52] userns: Rename id_map_mutex to userns_state_mutex Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 41/52] userns: Add a knob to disable setgroups on a per user namespace basis Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 42/52] userns: Allow setting gid_maps without privilege when setgroups is disabled Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 43/52] userns: Unbreak the unprivileged remount tests Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 44/52] audit: restore AUDIT_LOGINUID unset ABI Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 45/52] crypto: af_alg - fix backlog handling Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 46/52] ncpfs: return proper error from NCP_IOC_SETROOT ioctl Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 47/52] exit: pidns: alloc_pid() leaks pid_namespace if child_reaper is exiting Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 48/52] udf: Verify symlink size before loading it Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 49/52] eCryptfs: Force RO mount when encrypted view is enabled Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 50/52] eCryptfs: Remove buggy and unnecessary write in file name decode routine Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 51/52] Btrfs: do not move em to modified list when unpinning Greg Kroah-Hartman
2015-01-07 2:07 ` [PATCH 3.14 52/52] Btrfs: fix fs corruption on transaction abort if device supports discard Greg Kroah-Hartman
2015-01-07 13:42 ` [PATCH 3.14 00/52] 3.14.28-stable review Guenter Roeck
2015-01-07 23:34 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150107020600.813014990@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).