From: ebiederm@xmission.com (Eric W. Biederman)
To: Andy Lutomirski <luto@amacapital.net>
Cc: Linux Containers <containers@lists.linux-foundation.org>,
Josh Triplett <josh@joshtriplett.org>,
Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
Linux API <linux-api@vger.kernel.org>,
linux-man <linux-man@vger.kernel.org>,
"linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>,
LSM <linux-security-module@vger.kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Richard Weinberger <richard@nod.at>,
Kenton Varda <kenton@sandstorm.io>,
stable <stable@vger.kernel.org>
Subject: [CFT][PATCH 5/7] userns: Only allow the creator of the userns unprivileged mappings
Date: Mon, 08 Dec 2014 16:10:22 -0600 [thread overview]
Message-ID: <87sigppzch.fsf_-_@x220.int.ebiederm.org> (raw)
In-Reply-To: <87h9x5re41.fsf_-_@x220.int.ebiederm.org> (Eric W. Biederman's message of "Mon, 08 Dec 2014 16:06:06 -0600")
If you did not create the user namespace and are allowed
to write to uid_map or gid_map you should already have the necessary
privilege in the parent user namespace to establish any mapping
you want so this will not affect userspace in practice.
Limiting unprivileged uid mapping establishment to the creator of the
user namespace reduces the set of credentials that must be verified
can be obtained without privielge, making code verification simpler.
Limiting unprivileged gid mapping establishment (which is temporarily
absent) to the creator of the user namespace also ensures that the
combination of uid and gid can already be obtained without privilege.
This is part of the fix for CVE-2014-8989.
Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
---
kernel/user_namespace.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index da1eeb927b21..413f60fd5983 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -812,14 +812,16 @@ static bool new_idmap_permitted(const struct file *file,
struct user_namespace *ns, int cap_setid,
struct uid_gid_map *new_map)
{
+ const struct cred *cred = file->f_cred;
/* Don't allow mappings that would allow anything that wouldn't
* be allowed without the establishment of unprivileged mappings.
*/
- if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1)) {
+ if ((new_map->nr_extents == 1) && (new_map->extent[0].count == 1) &&
+ uid_eq(ns->owner, cred->euid)) {
u32 id = new_map->extent[0].lower_first;
if (cap_setid == CAP_SETUID) {
kuid_t uid = make_kuid(ns->parent, id);
- if (uid_eq(uid, file->f_cred->euid))
+ if (uid_eq(uid, cred->euid))
return true;
}
}
--
1.9.1
next prev parent reply other threads:[~2014-12-08 22:10 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-29 17:26 [PATCH v2] userns: Disallow setgroups unless the gid_map writer is privileged Andy Lutomirski
2014-12-02 12:09 ` Eric W. Biederman
2014-12-02 18:53 ` Andy Lutomirski
2014-12-02 19:45 ` Eric W. Biederman
2014-12-02 20:13 ` Andy Lutomirski
2014-12-02 20:25 ` [CFT][PATCH 1/3] userns: Avoid problems with negative groups Eric W. Biederman
2014-12-02 20:28 ` [CFT][PATCH 2/3] userns: Add a knob to disable setgroups on a per user namespace basis Eric W. Biederman
2014-12-02 20:30 ` [CFT][PATCH 3/3] userns: Unbreak the unprivileged remount tests Eric W. Biederman
2014-12-02 21:05 ` [CFT][PATCH 2/3] userns: Add a knob to disable setgroups on a per user namespace basis Andy Lutomirski
2014-12-02 21:45 ` Eric W. Biederman
2014-12-02 22:17 ` Andy Lutomirski
2014-12-02 23:07 ` Eric W. Biederman
2014-12-02 23:17 ` Andy Lutomirski
2014-12-08 22:06 ` [CFT][PATCH 1/7] userns: Document what the invariant required for safe unprivileged mappings Eric W. Biederman
2014-12-08 22:07 ` [CFT][PATCH 2/7] userns: Don't allow setgroups until a gid mapping has been setablished Eric W. Biederman
2014-12-08 22:11 ` Andy Lutomirski
[not found] ` <87h9x5ok0h.fsf@x220.int.ebiederm.org>
2014-12-08 22:33 ` Andy Lutomirski
2014-12-08 22:17 ` Richard Weinberger
2014-12-08 22:25 ` Andy Lutomirski
2014-12-08 22:27 ` Richard Weinberger
[not found] ` <874mt5ojfh.fsf@x220.int.ebiederm.org>
2014-12-08 22:47 ` Andy Lutomirski
2014-12-08 22:07 ` [CFT][PATCH 3/7] userns: Don't allow unprivileged creation of gid mappings Eric W. Biederman
2014-12-08 22:08 ` [CFT][PATCH 4/7] userns: Check euid no fsuid when establishing an unprivileged uid mapping Eric W. Biederman
2014-12-08 22:12 ` Andy Lutomirski
2014-12-08 22:10 ` Eric W. Biederman [this message]
2014-12-08 22:15 ` [CFT][PATCH 5/7] userns: Only allow the creator of the userns unprivileged mappings Andy Lutomirski
2014-12-08 22:11 ` [CFT][PATCH 6/7] userns: Add a knob to disable setgroups on a per user namespace basis Eric W. Biederman
2014-12-08 22:21 ` Andy Lutomirski
2014-12-08 22:44 ` Eric W. Biederman
2014-12-08 22:48 ` Andy Lutomirski
2014-12-08 23:30 ` Eric W. Biederman
2014-12-09 19:31 ` Eric W. Biederman
2014-12-09 20:36 ` [CFT][PATCH 1/8] userns: Document what the invariant required for safe unprivileged mappings Eric W. Biederman
2014-12-09 20:38 ` [CFT][PATCH 2/8] userns: Don't allow setgroups until a gid mapping has been setablished Eric W. Biederman
2014-12-09 22:49 ` Andy Lutomirski
2014-12-09 20:39 ` [CFT][PATCH 3/8] userns: Don't allow unprivileged creation of gid mappings Eric W. Biederman
2014-12-09 23:00 ` Andy Lutomirski
2014-12-09 20:39 ` [CFT][PATCH 4/8] userns: Check euid no fsuid when establishing an unprivileged uid mapping Eric W. Biederman
2014-12-09 20:41 ` [CFT][PATCH 5/8] userns: Only allow the creator of the userns unprivileged mappings Eric W. Biederman
2014-12-09 20:41 ` [CFT][PATCH 6/8] userns: Rename id_map_mutex to userns_state_mutex Eric W. Biederman
2014-12-09 22:49 ` Andy Lutomirski
2014-12-09 20:42 ` [CFT][PATCH 7/8] userns: Add a knob to disable setgroups on a per user namespace basis Eric W. Biederman
2014-12-09 22:28 ` Andy Lutomirski
[not found] ` <971ad3f6-90fd-4e3f-916c-8988af3c826d@email.android.com>
2014-12-10 0:21 ` Andy Lutomirski
[not found] ` <87wq5zf83t.fsf@x220.int.ebiederm.org>
[not found] ` <87iohh3c9c.fsf@x220.int.ebiederm.org>
2014-12-12 1:30 ` Andy Lutomirski
[not found] ` <8761dh3b7k.fsf_-_@x220.int.ebiederm.org>
[not found] ` <878uicy1r9.fsf_-_@x220.int.ebiederm.org>
2014-12-12 21:54 ` [PATCH 1/2] proc.5: Document /proc/[pid]/setgroups Eric W. Biederman
2015-02-02 15:36 ` Michael Kerrisk (man-pages)
2015-02-11 8:01 ` Michael Kerrisk (man-pages)
2015-02-11 13:51 ` Eric W. Biederman
2015-02-12 13:53 ` Michael Kerrisk (man-pages)
2015-02-21 7:57 ` Michael Kerrisk (man-pages)
2015-03-03 11:39 ` Michael Kerrisk (man-pages)
2014-12-12 21:54 ` [PATCH 2/2] user_namespaces.7: Update the documention to reflect the fixes for negative groups Eric W. Biederman
2015-02-02 15:37 ` Michael Kerrisk (man-pages)
2015-02-11 8:02 ` Michael Kerrisk (man-pages)
2015-02-11 14:01 ` Eric W. Biederman
2015-02-12 10:11 ` Michael Kerrisk (man-pages)
2015-02-02 21:31 ` Alban Crequy
2015-03-04 14:00 ` Michael Kerrisk (man-pages)
2014-12-09 20:43 ` [CFT][PATCH 8/8] userns: Allow setting gid_maps without privilege when setgroups is disabled Eric W. Biederman
2014-12-10 16:39 ` [CFT] Can I get some Tested-By's on this series? Eric W. Biederman
2014-12-10 22:48 ` Serge Hallyn
2014-12-10 22:50 ` Richard Weinberger
2014-12-10 23:19 ` Eric W. Biederman
2014-12-11 19:27 ` Richard Weinberger
2014-12-12 6:56 ` Chen, Hanxiao
2014-12-13 22:31 ` serge
[not found] ` <87lhmcy2et.fsf@x220.int.ebiederm.org>
[not found] ` <20141212220840.GF22091@castiana.ipv6.teksavvy.com>
[not found] ` <8761dgze56.fsf@x220.int.ebiederm.org>
2014-12-15 19:38 ` Serge Hallyn
2014-12-15 20:11 ` Eric W. Biederman
2014-12-15 20:49 ` Serge Hallyn
2014-12-16 2:05 ` Andy Lutomirski
2014-12-16 9:23 ` Richard Weinberger
2014-12-08 22:14 ` [CFT][PATCH 7/7] userns: Allow setting gid_maps without privilege when setgroups is disabled Eric W. Biederman
2014-12-08 22:26 ` Andy Lutomirski
2014-12-02 20:58 ` [CFT][PATCH 1/3] userns: Avoid problems with negative groups Andy Lutomirski
2014-12-02 21:26 ` Eric W. Biederman
2014-12-02 22:09 ` Andy Lutomirski
2014-12-02 22:48 ` Eric W. Biederman
2014-12-02 22:56 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87sigppzch.fsf_-_@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=akpm@linux-foundation.org \
--cc=casey@schaufler-ca.com \
--cc=containers@lists.linux-foundation.org \
--cc=josh@joshtriplett.org \
--cc=keescook@chromium.org \
--cc=kenton@sandstorm.io \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mtk.manpages@gmail.com \
--cc=richard@nod.at \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).