[PATCH] posix-timers: Require privilege to enable timer ID restore mode

[Ashutosh Desai]

PR_TIMER_CREATE_RESTORE_IDS_ON switches timer_create() into a mode
where the caller supplies explicit timer IDs, intended exclusively for
CRIU checkpoint/restore. The UAPI comment is explicit: "Don't use for
normal operations as the result might be undefined."

Despite that, the prctl handler has no capability check. Any unprivileged
process can enable the mode. Every comparable CRIU prctl in the kernel
gates on checkpoint_restore_ns_capable() - PR_SET_MM_MAP, PR_SET_MM_EXE_FILE,
etc. This one should too.

Add the check to the ON case only. OFF and GET are left unrestricted so a
process can always query or clear the flag without privilege.

Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Anna-Maria Behnsen <anna-maria@xxxxxxxxxxxxx>
Signed-off-by: Ashutosh Desai <ashutoshdesai993@xxxxxxxxx>
---
 kernel/time/posix-timers.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index 413e2389f..b8582416b 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -9,6 +9,7 @@
  *
  * These are all the functions necessary to implement POSIX clocks & timers
  */
+#include <linux/capability.h>
 #include <linux/compat.h>
 #include <linux/compiler.h>
 #include <linux/init.h>
@@ -380,6 +381,8 @@ long posixtimer_create_prctl(unsigned long ctrl)
 		current->signal->timer_create_restore_ids = 0;
 		return 0;
 	case PR_TIMER_CREATE_RESTORE_IDS_ON:
+		if (!checkpoint_restore_ns_capable(current_user_ns()))
+			return -EPERM;
 		current->signal->timer_create_restore_ids = 1;
 		return 0;
 	case PR_TIMER_CREATE_RESTORE_IDS_GET:
-- 
2.34.1