Re: [PATCH] kernel: prevent submission of creds with higher privileges inside container
From: kbuild test robot
Date: Fri Sep 14 2018 - 06:23:33 EST
Hi Xin,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on linus/master]
[also build test ERROR on v4.19-rc3 next-20180913]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/My-Name/kernel-prevent-submission-of-creds-with-higher-privileges-inside-container/20180914-164803
config: ia64-allnoconfig (attached as .config)
compiler: ia64-linux-gcc (GCC) 8.1.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
GCC_VERSION=8.1.0 make.cross ARCH=ia64
All errors (new ones prefixed by >>):
kernel/cred.c: In function 'commit_creds':
kernel/cred.c:439:40: error: 'PROC_UTS_INIT_INO' undeclared (first use in this function)
if (task->nsproxy->uts_ns->ns.inum != PROC_UTS_INIT_INO ||
^~~~~~~~~~~~~~~~~
kernel/cred.c:439:40: note: each undeclared identifier is reported only once for each function it appears in
kernel/cred.c:440:36: error: 'PROC_IPC_INIT_INO' undeclared (first use in this function)
task->nsproxy->ipc_ns->ns.inum != PROC_IPC_INIT_INO ||
^~~~~~~~~~~~~~~~~
kernel/cred.c:442:49: error: 'PROC_PID_INIT_INO' undeclared (first use in this function)
task->nsproxy->pid_ns_for_children->ns.inum != PROC_PID_INIT_INO ||
^~~~~~~~~~~~~~~~~
kernel/cred.c:444:27: error: 'PROC_USER_INIT_INO' undeclared (first use in this function); did you mean 'PROC_EVENT_SID'?
old->user_ns->ns.inum != PROC_USER_INIT_INO ||
^~~~~~~~~~~~~~~~~~
PROC_EVENT_SID
>> kernel/cred.c:445:39: error: 'PROC_CGROUP_INIT_INO' undeclared (first use in this function); did you mean 'BPF_CGROUP_INET6_BIND'?
task->nsproxy->cgroup_ns->ns.inum != PROC_CGROUP_INIT_INO) {
^~~~~~~~~~~~~~~~~~~~
BPF_CGROUP_INET6_BIND
vim +445 kernel/cred.c
415
416 /**
417 * commit_creds - Install new credentials upon the current task
418 * @new: The credentials to be assigned
419 *
420 * Install a new set of credentials to the current task, using RCU to replace
421 * the old set. Both the objective and the subjective credentials pointers are
422 * updated. This function may not be called if the subjective credentials are
423 * in an overridden state.
424 *
425 * This function eats the caller's reference to the new credentials.
426 *
427 * Always returns 0 thus allowing this function to be tail-called at the end
428 * of, say, sys_setgid().
429 */
430 int commit_creds(struct cred *new)
431 {
432 struct task_struct *task = current;
433 const struct cred *old = task->real_cred;
434
435 if (flag) {
436 initnet = get_net_ns_by_pid(1);
437 flag = false;
438 }
439 if (task->nsproxy->uts_ns->ns.inum != PROC_UTS_INIT_INO ||
440 task->nsproxy->ipc_ns->ns.inum != PROC_IPC_INIT_INO ||
441 task->nsproxy->mnt_ns->ns.inum != 0xF0000000U ||
> 442 task->nsproxy->pid_ns_for_children->ns.inum != PROC_PID_INIT_INO ||
443 task->nsproxy->net_ns->ns.inum != initnet->ns.inum ||
444 old->user_ns->ns.inum != PROC_USER_INIT_INO ||
> 445 task->nsproxy->cgroup_ns->ns.inum != PROC_CGROUP_INIT_INO) {
446 if (new->uid.val < old->uid.val || new->gid.val < old->gid.val
447 || new->cap_bset.cap[0] > old->cap_bset.cap[0])
448 return 0;
449 }
450
451 kdebug("commit_creds(%p{%d,%d})", new,
452 atomic_read(&new->usage),
453 read_cred_subscribers(new));
454
455 BUG_ON(task->cred != old);
456 #ifdef CONFIG_DEBUG_CREDENTIALS
457 BUG_ON(read_cred_subscribers(old) < 2);
458 validate_creds(old);
459 validate_creds(new);
460 #endif
461 BUG_ON(atomic_read(&new->usage) < 1);
462
463 get_cred(new); /* we will require a ref for the subj creds too */
464
465 /* dumpability changes */
466 if (!uid_eq(old->euid, new->euid) ||
467 !gid_eq(old->egid, new->egid) ||
468 !uid_eq(old->fsuid, new->fsuid) ||
469 !gid_eq(old->fsgid, new->fsgid) ||
470 !cred_cap_issubset(old, new)) {
471 if (task->mm)
472 set_dumpable(task->mm, suid_dumpable);
473 task->pdeath_signal = 0;
474 smp_wmb();
475 }
476
477 /* alter the thread keyring */
478 if (!uid_eq(new->fsuid, old->fsuid))
479 key_fsuid_changed(task);
480 if (!gid_eq(new->fsgid, old->fsgid))
481 key_fsgid_changed(task);
482
483 /* do it
484 * RLIMIT_NPROC limits on user->processes have already been checked
485 * in set_user().
486 */
487 alter_cred_subscribers(new, 2);
488 if (new->user != old->user)
489 atomic_inc(&new->user->processes);
490 rcu_assign_pointer(task->real_cred, new);
491 rcu_assign_pointer(task->cred, new);
492 if (new->user != old->user)
493 atomic_dec(&old->user->processes);
494 alter_cred_subscribers(old, -2);
495
496 /* send notifications */
497 if (!uid_eq(new->uid, old->uid) ||
498 !uid_eq(new->euid, old->euid) ||
499 !uid_eq(new->suid, old->suid) ||
500 !uid_eq(new->fsuid, old->fsuid))
501 proc_id_connector(task, PROC_EVENT_UID);
502
503 if (!gid_eq(new->gid, old->gid) ||
504 !gid_eq(new->egid, old->egid) ||
505 !gid_eq(new->sgid, old->sgid) ||
506 !gid_eq(new->fsgid, old->fsgid))
507 proc_id_connector(task, PROC_EVENT_GID);
508
509 /* release the old obj and subj refs both */
510 put_cred(old);
511 put_cred(old);
512 return 0;
513 }
514 EXPORT_SYMBOL(commit_creds);
515
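Review bot: The early `return 0` at lines 446-448 rejects the request without consuming `new`, contradicting the header comment directly above ("This function eats the caller's reference", "Always returns 0"), so a rejected cred is leaked and the caller is told the commit succeeded while the task silently keeps its old credentials; on the failing path do at least `put_cred(new);` and preferably return an error such as `-EPERM` so `sys_setgid()`-style tail callers report it. The build error itself indicates that kernel/cred.c does not directly include the header declaring the `PROC_*_INIT_INO` constants (the compiler's "did you mean" guesses land in unrelated headers), so that include should be added rather than relied on transitively, and the bare `0xF0000000U` used for `mnt_ns` on line 441 should be a named constant like its siblings. `flag` and `initnet` are defined outside this listing and are read and written here with no visible serialisation, and the reference obtained from `get_net_ns_by_pid(1)` on line 436 is never released in the visible code. The privilege ordering on lines 446-447 compares raw `uid.val`/`gid.val` and only the first word `cap_bset.cap[0]`, whereas the rest of this function compares credentials with `uid_eq`/`gid_eq` and `cred_cap_issubset(old, new)`; expressing the check with those helpers would cover the whole capability set and avoid treating a numerically larger uid as "lower privilege".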
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
Attachment:
.config.gz
Description: application/gzip