Re: [PATCH v3 3/4] Allow unprivileged CLONE_NEWUTS and CLONE_NEWIPCwith no_new_privs

From: Kees Cook
Date: Wed Feb 01 2012 - 14:02:28 EST

Next message: Frederic Weisbecker: "Re: perf: prctl(PR_TASK_PERF_EVENTS_DISABLE) has no effect"
Previous message: Linus Torvalds: "Re: Memory corruption due to word sharing"
Next in thread: Andy Lutomirski: "Re: [PATCH v3 3/4] Allow unprivileged CLONE_NEWUTS and CLONE_NEWIPCwith no_new_privs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jan 30, 2012 at 8:17 AM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> They are normally disallowed because they could be used to subvert
> setuid programs. But if setuid is disabled, then they are safe.
>
> Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
> ---
> kernel/nsproxy.c | 8 +++++++-
> 1 files changed, 7 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
> index b576f7f..47cf873 100644
> --- a/kernel/nsproxy.c
> +++ b/kernel/nsproxy.c
> @@ -191,7 +191,13 @@ int unshare_nsproxy_namespaces(unsigned long unshare_flags,
> CLONE_NEWNET)))
> return 0;
>
> - if (!capable(CAP_SYS_ADMIN))
> + /* We require either no_new_privs or CAP_SYS_ADMIN for all modes */
> + if (!current->no_new_privs && !capable(CAP_SYS_ADMIN))
> + return -EPERM;
> +
> + /* NEWNS and NEWNET always require CAP_SYS_ADMIN. */
> + if ((unshare_flags & (CLONE_NEWNS | CLONE_NEWNET)) &&
> + !capable(CAP_SYS_ADMIN))
> return -EPERM;
>
> *new_nsp = create_new_namespaces(unshare_flags, current,

While I think it's unlikely that the list handled by
unshare_nsproxy_namespaces() is going to change, I'd still prefer that
the logic of this test be reversed so that the nnp-allowed flags are
listed instead of the CAP_SYS_ADMIN-required ones so that it will
default to disallowing new flags. It's a little less readable, but
maybe something like this (untested):

unsigned long handled_mask = (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC |
CLONE_NEWNET);
unsigned long npp_mask = (CLONE_NEWUTS | CLONE_NEWIPC);

if (!(unshare_flags & handled_mask))
return 0;

if ( !(current->no_new_privs &&
!(unshare_flags & (handled_mask ^ npp_mask))) &&
!capable(CAP_SYS_ADMIN))
return -EPERM;
...

This also has the side-effect of removing the double-check of
capable() in some cases.

-Kees

--
Kees Cook
ChromeOS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Frederic Weisbecker: "Re: perf: prctl(PR_TASK_PERF_EVENTS_DISABLE) has no effect"
Previous message: Linus Torvalds: "Re: Memory corruption due to word sharing"
Next in thread: Andy Lutomirski: "Re: [PATCH v3 3/4] Allow unprivileged CLONE_NEWUTS and CLONE_NEWIPCwith no_new_privs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]