[ 32/42] userns: Dont let unprivileged users trick privileged users into setting the id_map

From: Greg Kroah-Hartman
Date: Tue Apr 23 2013 - 18:12:44 EST

Next message: Greg Kroah-Hartman: "[ 33/42] userns: Check uid_maps openers fsuid, not the current fsuid"
Previous message: Greg Kroah-Hartman: "[ 34/42] userns: Changing any namespace id mappings should require privileges"
In reply to: Greg Kroah-Hartman: "[ 34/42] userns: Changing any namespace id mappings should require privileges"
Next in thread: Greg Kroah-Hartman: "[ 33/42] userns: Check uid_maps openers fsuid, not the current fsuid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

3.8-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>

commit 6708075f104c3c9b04b23336bb0366ca30c3931b upstream.

When we require privilege for setting /proc/<pid>/uid_map or
/proc/<pid>/gid_map no longer allow an unprivileged user to
open the file and pass it to a privileged program to write
to the file.

Instead when privilege is required require both the opener and the
writer to have the necessary capabilities.

I have tested this code and verified that setting /proc/<pid>/uid_map
fails when an unprivileged user opens the file and a privielged user
attempts to set the mapping, that unprivileged users can still map
their own id, and that a privileged users can still setup an arbitrary
mapping.

Reported-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
kernel/user_namespace.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -25,7 +25,8 @@

static struct kmem_cache *user_ns_cachep __read_mostly;

-static bool new_idmap_permitted(struct user_namespace *ns, int cap_setid,
+static bool new_idmap_permitted(const struct file *file,
+ struct user_namespace *ns, int cap_setid,
struct uid_gid_map *map);

static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
@@ -666,7 +667,7 @@ static ssize_t map_write(struct file *fi

ret = -EPERM;
/* Validate the user is allowed to use user id's mapped to. */
- if (!new_idmap_permitted(ns, cap_setid, &new_map))
+ if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
goto out;

/* Map the lower ids from the parent user namespace to the
@@ -753,7 +754,8 @@ ssize_t proc_projid_map_write(struct fil
&ns->projid_map, &ns->parent->projid_map);
}

-static bool new_idmap_permitted(struct user_namespace *ns, int cap_setid,
+static bool new_idmap_permitted(const struct file *file,
+ struct user_namespace *ns, int cap_setid,
struct uid_gid_map *new_map)
{
/* Allow mapping to your own filesystem ids */
@@ -777,8 +779,10 @@ static bool new_idmap_permitted(struct u

/* Allow the specified ids if we have the appropriate capability
* (CAP_SETUID or CAP_SETGID) over the parent user namespace.
+ * And the opener of the id file also had the approprpiate capability.
*/
- if (ns_capable(ns->parent, cap_setid))
+ if (ns_capable(ns->parent, cap_setid) &&
+ file_ns_capable(file, ns->parent, cap_setid))
return true;

return false;

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg Kroah-Hartman: "[ 33/42] userns: Check uid_maps openers fsuid, not the current fsuid"
Previous message: Greg Kroah-Hartman: "[ 34/42] userns: Changing any namespace id mappings should require privileges"
In reply to: Greg Kroah-Hartman: "[ 34/42] userns: Changing any namespace id mappings should require privileges"
Next in thread: Greg Kroah-Hartman: "[ 33/42] userns: Check uid_maps openers fsuid, not the current fsuid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]